
How to validate Azure AD security token?

The following code gives me an Azure AD security token; I need to validate whether that token is valid or not. How can I achieve this?

```csharp
// Get OAuth token using client credentials
string tenantName = "mytest.onmicrosoft.com";
string authString = "https://login.microsoftonline.com/" + tenantName;

AuthenticationContext authenticationContext = new AuthenticationContext(authString, false);

// Config for OAuth client credentials
string clientId = "fffff33-6666-4888-a4tt-fbttt44444";
string key = "123v47o=";
ClientCredential clientCred = new ClientCredential(clientId, key);
string resource = "http://mytest.westus.cloudapp.azure.com";
string token;

Task<AuthenticationResult> authenticationResult = authenticationContext.AcquireTokenAsync(resource, clientCred);
token = authenticationResult.Result.AccessToken;
Console.WriteLine(token);
// How can I validate this token inside my service?
```
Neo asked Oct 05 '16 06:10



1 Answer

There are two steps to verify the token. First, verify the signature of the token to ensure the token was issued by Azure Active Directory. Second, verify the claims in the token based on the business logic.

For example, you need to verify the iss and aud claims if you are developing a single-tenant app. You also need to verify the nbf claim to ensure the token is not expired. For more claims you can refer here.

The description below, taken from here, covers the details of signature verification. (Note: the example below uses the Azure AD v2 endpoint. You should use the endpoint that corresponds to the one the client app is using.)

The access token from Azure AD is a JSON Web Token (JWT) which is signed by the Security Token Service with a private key.

The JWT consists of three parts: header, data, and signature. Technically, we can use the public key to validate the access token.

First step – retrieve and cache the signing tokens (public key)

Endpoint: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

Then we can use the JwtSecurityTokenHandler to verify the token using the sample code below:

```csharp
using System;
using System.IdentityModel.Tokens;        // JwtSecurityTokenHandler, TokenValidationParameters (System.IdentityModel.Tokens.Jwt 4.x, which the snippet targets)
using Microsoft.IdentityModel.Protocols;  // ConfigurationManager<T>, OpenIdConnectConfiguration

public JwtSecurityToken Validate(string token)
{
    string stsDiscoveryEndpoint = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration";

    // Fetches the discovery document and the signing keys it points to, and caches them.
    ConfigurationManager<OpenIdConnectConfiguration> configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint);

    OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result;

    // Only the signature is checked here; issuer, audience and lifetime are left to
    // the claim checks described above (step two).
    TokenValidationParameters validationParameters = new TokenValidationParameters
    {
        ValidateAudience = false,
        ValidateIssuer = false,
        IssuerSigningTokens = config.SigningTokens,
        ValidateLifetime = false
    };

    JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();

    SecurityToken jwt;

    // Throws if the signature does not verify against any of the cached signing keys.
    var result = tokenHandler.ValidateToken(token, validationParameters, out jwt);

    return jwt as JwtSecurityToken;
}
```

And if you are using the OWIN components in your project, it is easier to verify the token. We can use the code below to verify the token:

```csharp
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Audience = ConfigurationManager.AppSettings["ida:Audience"],
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
    });
```

Then we can use the code below to verify the ‘scope’ in the token:

```csharp
public IEnumerable<TodoItem> Get()
{
    // user_impersonation is the default permission exposed by applications in AAD
    if (ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/scope").Value != "user_impersonation")
    {
        throw new HttpResponseException(new HttpResponseMessage {
            StatusCode = HttpStatusCode.Unauthorized,
            ReasonPhrase = "The Scope claim does not contain 'user_impersonation' or scope claim not found"
        });
    }
    ...
}
```

And here is a code sample which protects a web API with Azure AD:

Protect a Web API using Bearer tokens from Azure AD

Fei Xue - MSFT answered Sep 22 '22 05:09
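The answer's two steps, signature first and claims second, as an added example that is not code from the question, the answer, or Microsoft's libraries. It is written in Go against the standard library only so it runs offline. Assumptions: the signing keys have already been fetched from the discovery document's jwks_uri and cached (a freshly generated RSA key pair stands in for them, and SignRS256 exists only to mint constructed test tokens, since with Azure AD the service never holds the private key); aud is a single string rather than an array; and the issuer and audience values used in the test are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims the answer says to check (iss, aud, nbf) plus exp. Azure AD may also emit
// aud as an array; this example assumes the single-string form.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}

// KeySet stands in for the signing keys a service fetches once from the discovery
// document's jwks_uri and caches, indexed by the JWT header "kid".
type KeySet map[string]*rsa.PublicKey

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 is a stand-in issuer used only to construct test tokens here; with Azure AD
// the service never holds the private key.
func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// Validate performs the answer's two steps in order: signature first, claims second.
func Validate(token string, keys KeySet, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must be header.payload.signature")
	}
	hdrJSON, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("token segments are not base64url")
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: the verifier, not the token, decides how the signature is checked.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("no cached signing key for kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	// Only a payload whose signature verified is worth reading.
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("issuer %q is not our tenant", c.Iss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("audience %q is not this API", c.Aud)
	}
	const skew = 60 * time.Second // tolerate small clock drift between STS and service
	if now.Add(skew).Before(time.Unix(c.Nbf, 0)) {
		return nil, errors.New("token not yet valid (nbf)")
	}
	if now.Add(-skew).After(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired (exp)")
	}
	return &c, nil
}
```

Two design points worth noting against the answer's C# sample. The sample discovers keys through the `common` endpoint and therefore sets `ValidateIssuer = false`, because that discovery document does not publish a single tenant's issuer; a single-tenant service should instead compare `iss` with the issuer value from its own tenant's discovery document, as `wantIss` does here. And the algorithm is pinned to RS256 before any key lookup, so a token cannot steer the verifier toward a different signature scheme through its own header.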