Menu
I am using Azure Ad and have setup my Startup.Auth.cs file as follows
I am able to connect to and use Azure, Google, MS and Linked in to successfully authenticate and I received an id_token back but I want to be able to validate this token that I receive back from Azure but I am unsure of how to. Does the SecurityTokenValidated event raised mean that the token has already been validated against the TokenValidationParameters I defined and I do not need to validate the token? if this is the case what should I put in the TokenValidationParameters?
The id_token I receive back does not contain a encrypted signature to validate
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
SlidingExpiration = true,
LoginPath = new PathString("/"),
CookieSecure = CookieSecureOption.Always,
});
var options = new OpenIdConnectAuthenticationOptions
{
Authority = "https://login.windows.net/common",
ClientId = clientId,
RedirectUri = redirectUri,
PostLogoutRedirectUri = postLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = AuthenticationFailed,
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
SecurityTokenReceived = OnSecurityTokenReceived,
AuthorizationCodeReceived = OnAuthorizationCodeReceived,
SecurityTokenValidated = OnSecurityTokenValidated,
MessageReceived = OnMessageReceived
},
Scope = "openid",
ResponseType = "id_token",
Description = new AuthenticationDescription
{
AuthenticationType = "OpenIdConnect",
},
ConfigurationManager = new PolicyConfigurationManager(
string.Format(CultureInfo.InvariantCulture, aadInstance, tenant, "/v2.0", OidcMetadataSuffix),
new[] { SisuGoogle, SisuLinkedIn, SisuMicrosoft, SisuLocal, ResetPasswordLocalPolicyId }),
TokenValidationParameters = new TokenValidationParameters
{
ValidAudiences = new string[]
{
"http://localhost:44330/",
},
IssuerSigningKey = GetSecurityKey(),
// If you don't add this, you get IDX10205
//ValidateIssuer = false,
},
};
app.UseOpenIdConnectAuthentication(options);
private SecurityKey GetSecurityKey()
{
var securityKey = "secure key";
var signingKey = new InMemorySymmetricSecurityKey(Encoding.UTF8.GetBytes(securityKey));
var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256Signature,SecurityAlgorithms.Sha256Digest);
return signingCredentials.SigningKey;
}
private Task OnSecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> arg)
{
//do I need to validate the token here or has it already been validated??
//if I have to validate it then how do I? I've tried the following but does not work
var tokenValidationParameters = new TokenValidationParameters
{
IssuerSigningKey = GetSecurityKey()
};
SecurityToken validatedToken;
var jwtHandler = new JwtSecurityTokenHandler();
//crashes at this point
jwtHandler.ValidateToken(arg.ProtocolMessage.IdToken, tokenValidationParameters, out validatedToken);
return Task.FromResult(0);
}
950
You can follow this sample: https://github.com/Azure/azure-content/blob/master/articles/active-directory-b2c/active-directory-b2c-devquickstarts-api-dotnet.md
Or take a look at this similar question: https://social.msdn.microsoft.com/Forums/en-US/893a6142-1508-4aa2-9da3-dab3b1f1a6b9/b2c-jwt-token-signature-validation?forum=WindowsAzureAD
If you use the similar configuration in the sample, then OWIN will handle the token validation with the key fetched from the metadata endpoint.
77
answered Dec 05 '25 00:12
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
