Validating B2C JWT tokens in Asp.Net Core Web Api

I am using B2C to protect a WebApi in Asp.Net Core. My code is below. Do I need to validate the tokens or is the middleware doing it for me? I would think if everyone had to do this, it'd be easier for me to find some sample code, but I can't seem to get any real direction on this.

Yet, this B2C documentation states that my API does the validation.

I found a sample but it's not for Core and they're using CertificateValidator = X509CertificateValidator.None. Doesn't that defeat the purpose? And another sample here where they are doing it.

Don't I have to have the signing key from B2C and all that?

I can cobble together a solution from those, but do I actually need to do this?

Thanks in advance.

        app.UseJwtBearerAuthentication(new JwtBearerOptions()
        {
            AuthenticationScheme = Constants.B2CAuthenticationSchemeName,
            AutomaticAuthenticate = false,
            MetadataAddress = string.Format(
                _identityConfig.B2CInfo.AadInstance,
                _identityConfig.B2CInfo.Tenant,
                _identityConfig.B2CInfo.Policies
                    .Where(p => p.IsDefaultSignUpSignInPolicy == true)
                    .First()
                    .Name),
            Audience = _identityConfig.B2CInfo.ClientId,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateLifetime = true,
                RequireExpirationTime = true,
                RequireSignedTokens = true,
            },
            Events = new JwtBearerEvents
            {
                OnAuthenticationFailed = B2CAuthenticationFailed
            }
        });
asked Apr 14 '17 19:04 by Bill Noel

1 Answer

Do I need to validate the tokens or is the middleware doing it for me?

The JWT bearer middleware does it for you (by default, it will automatically reject unsigned or counterfeit tokens, so you don't need to explicitly set RequireSignedTokens to true).

Doesn't that defeat the purpose?

There's a difference between validating a signature using a public asymmetric key (e.g. RSA or ECDSA) embedded in a certificate and validating the certificate itself (and especially its chain). Signature validation is fully supported in ASP.NET Core, but certificate validation is not supported yet.

Don't I have to have the signing key from B2C and all that?

The JWT bearer middleware automatically retrieves it from B2C's discovery endpoint, so there's no need to do that manually. For more information, don't hesitate to read the OIDC discovery specification: https://openid.net/specs/openid-connect-discovery-1_0.html

answered Nov 09 '22 06:11 by Kévin Chalet
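The points in the answer (signing keys fetched from the discovery document, signature and lifetime checks done by the handler, `RequireSignedTokens` already on by default) in the `AddJwtBearer()` form used by ASP.NET Core 2.x and later, as an added example that is not from the question or the answer. The tenant name, policy name and client id are placeholders, and the `b2clogin.com` metadata URL shape is an assumption to check against your own tenant.

```csharp
// Added example, not the poster's code: B2C bearer validation on the
// AddAuthentication()/AddJwtBearer() API (ASP.NET Core 2.x+, .NET 6 style host).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

const string tenant = "contoso";                                   // placeholder B2C tenant name
const string policy = "B2C_1_signupsignin";                         // placeholder sign-up/sign-in policy
const string clientId = "00000000-0000-0000-0000-000000000000";     // placeholder API app (client) id

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // OIDC discovery document for the policy (URL shape assumed, verify for your tenant).
        // The handler downloads it, follows jwks_uri, caches the signing keys and picks the
        // key matching the token's "kid" header; no manual key handling is needed.
        options.MetadataAddress =
            $"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration";
        options.Audience = clientId;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,               // issuer taken from the discovery document
            ValidateAudience = true,             // must equal options.Audience
            ValidateLifetime = true,
            RequireExpirationTime = true,
            ClockSkew = TimeSpan.FromMinutes(2)  // tighter than the 5 minute default
            // RequireSignedTokens already defaults to true: unsigned ("alg":"none")
            // or badly signed tokens are rejected without extra configuration.
        };

        options.Events = new JwtBearerEvents
        {
            // Record why a token was rejected (expired, wrong audience, unknown kid, ...)
            // so failures show up in the API's logs rather than only as a bare 401.
            OnAuthenticationFailed = ctx =>
            {
                ctx.HttpContext.RequestServices
                   .GetRequiredService<ILogger<Program>>()
                   .LogWarning(ctx.Exception, "JWT rejected: {Reason}", ctx.Exception.GetType().Name);
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/api/me", (HttpContext http) => http.User.Identity?.Name ?? "anonymous").RequireAuthorization();
app.Run();
```

As the answer notes, this verifies the JWT signature against the published key but does not validate any X.509 certificate chain behind that key.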