Validating Issuer Using issuer 2 or Issuer 1?

Question

I'm trying to follow the example validation code in https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapi-manual-jwt-validation/ which states to use Issuer 1.

(REALLY the code in https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation/blob/master/TodoListService-ManualJwt/Global.asax.cs#L136)

• I fetch the issuer/signing keys from: https://login.microsoftonline.com/efa3038a-575b-42ea-8ba1-483cf7f0bdb6/.well-known/openid-configuration

  • getting issuer: "issuer":"https://sts.windows.net/efa3038a-575b-42ea-8ba1-483cf7f0bdb6/"

• I fetched my AUTH token with: https://login.microsoftonline.com/efa3038a-575b-42ea-8ba1-483cf7f0bdb6/oauth2/v2.0/authorize?client_id=463f8472-dff3-40d0-8ec5-da2d9ba9c348&response_type=id_token&redirect_uri=http%3A%2F%2Flocalhost:30662&scope=openid%20profile&response_mode=fragment&state=12345&nonce=678910

  • which produces a valid token: eyJ0eX...De0GVw

  • which decodes (via var jwt = new Microsoft.IdentityModel.JsonWebTokens.JsonWebToken(authorizationHeader.Substring(kBearer_.Length))) to: ....

    Issuer: "https://login.microsoftonline.com/efa3038a-575b-42ea-8ba1-483cf7f0bdb6/v2.0"

I then attempt to validate using:

TokenValidationParameters validationParams = new TokenValidationParameters
{
    // We accept both the App Id URI and the AppId of this service application
    ValidAudiences = new[] { kADConfiguration_.Audience, kADConfiguration_.ClientId },

    // Supports both the Azure AD V1 and V2 endpoint
    ValidIssuers = new[] { _issuer, $"{_issuer}/v2.0" },
    ValidateIssuer = true,  // set to false and works, set to true it fails

    IssuerSigningKeys = validationInfo.Item2
};
Microsoft.IdentityModel.Tokens.SecurityToken v;
System.Security.Claims.ClaimsPrincipal answer = handler.ValidateToken(authorizationHeader.Substring(kBearer_.Length), validationParams, out v);

I can see that the issuer in the token differs (just the hostname part) from the issuer in the https://login.microsoftonline.com/efa3038a-575b-42ea-8ba1-483cf7f0bdb6/.well-known/openid-configuration

But I cannot tell why, or what I'm doing wrong.

I haven't yet found any useful documentation on what parameters to pass to the validation process (for example https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler.validatetoken?view=azure-dotnet just says "validationParameters Contains validation parameters", and https://learn.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters.validissuers?view=azure-dotnet#Microsoft_IdentityModel_Tokens_TokenValidationParameters_ValidIssuers which says "contains valid issuers that will be used to check against the token's issuer."

Answer 1

The sample you're currently looking at is a little old and explaining with Azure AD v1.0 endpoint as reference. The issuer value you are seeing in token is correct, because you have acquired that token from Azure AD v2.0 endpoint. The OpenID discovery document URL you're using to find the valid issuer is not correct. More explanation in further sections.

I should also briefly mention that in most cases, explicitly validating the token manually like the sample you're following explains is a bit of heavy lifting which isn't really needed. I don't want to stray off from your orginal question hence I'm just keeping some pointers on this part at the end of my answer, but do take a look to see if it makes sense for your case.

More details on Access Tokens acquired from Azure AD v1.0 and v2.0 endpoints

Please look at this Microsoft Documentation - Access Tokens Reference - Sample Tokens

• Sample v2.0 Token - Decoded at jwt.ms -

  Notice this one has issuer format

  https://login.microsoftonline.com/<Azure AD Tenant GUID>/v2.0 
  

• Sample v1.0 Token - Decoded at jwt.ms -

  Notice this one has issuer format

   https://sts.windows.net/<Azure AD Tenant GUID>/ 
  

OpenID Discovery Document URL for your tenant

For openid configuration you should be looking at Azure AD v2.0 endpoint, and you will see the correct issuer value there. Specifically for your tenant (as shared in question) correct URL to use will be

https://login.microsoftonline.com/efa3038a-575b-42ea-8ba1-483cf7f0bdb6/v2.0/.well-known/openid-configuration

The value for OpenID Discovery document that you're currently looking at, is only applicable for tokens acquired from v1.0 endpoint.

How to find the correct OpenID Discovery Document URL from Azure Portal

For v2.0 Endpoint, go the preview experience, as shown below. Azure Portal > Azure Active Directory > App Registrations (Preview) > Endpoints

For v1.0 Endpoint, go to old experience (about to go away). Azure Portal > Azure Active Directory > App Registrations > Endpoints

---

Like I said initially, for most applications manual token validation is generally not needed.

In case of single tenant applications, generally you just keep ValidateIssuer = truefor theTokenValidationParameters`

In case of Multi-Tenant applications, there can be a few cases..

• If you know your issuers before hand, you can still set ValidateIssuer=True and set the list of ValidIssuers.. ValidIssuers = new List<string>()...

• If valid issuers for your application are dynamic or if you want to write some logic to gather that list, you can write an implementation for TokenValidationParameters.IssuerValidator which has your custom logic. You just need to set a delegate that will be used to validate the issuer.

• In other cases, where you still want to write your own custom logic, then explicit validation like the sample you're following makes sense.

Please see a related SO Thread here.