How does the UseWindowsAzureActiveDirectoryBearerAuthentication function work when checking a token?

I followed the GitHub sample below to implement an authentication mechanism across a WebApp and a WebApi.

https://github.com/AzureADSamples/WebApp-WebAPI-OpenIDConnect-DotNet

I use one application registration for both the WebApp and the WebApi, get an access token for "https://abc.onmicrosoft.com/App" and pass it to the WebApi. I attach the token to the HTTPS headers under the name "Bearer". I have the following in the WebApi Owin startup class to check the token for the Audience and Tenant, but it does not actually check the token for them as expected.

A few questions:

1. What causes the handler below to check the token for the tenant and audience? Is it the [Authorize] attribute in the Controller class?
2. How does it find the token in order to execute the handler?
3. Setting SaveSigninToken to true saves the token. How can I get that token, and then acquire an access token for the Graph API from it?

  app.UseWindowsAzureActiveDirectoryBearerAuthentication(
      new WindowsAzureActiveDirectoryBearerAuthenticationOptions
      {
          Tenant = "abc.onmicrosoft.com",
          TokenValidationParameters = new TokenValidationParameters
          {
              ValidAudience = "https://abc.onmicrosoft.com/App",
              SaveSigninToken = true,
          }
      });

Please advise. Thanks in advance!

+6
2 answers

What causes the handler below to check the token for the tenant and audience?

By default, the middleware runs in Active mode, so it will try to find a token in every request. If it finds one, it will try to validate it. If it finds the token valid, a ClaimsPrincipal is created and is available to the OWIN middleware and the Web API components.

When the application starts, it also downloads from Azure AD the public keys with which it verifies the signature of the token. You can see this if you use a tool like Fiddler.

How does it find the token in order to execute the handler?

I am not sure if I understand this question, I hope that my answer above clarified this process.

Setting SaveSigninToken to true saves the token. How can I get that token, and then acquire an access token for the Graph API from it?

What you are trying to do is call the API using the on-behalf-of flow. You can find a sample application here: https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof . More specifically, this part should interest you: https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof/blob/master/TodoListService/Controllers/TodoListController.cs#L133 .

  ClientCredential clientCred = new ClientCredential(clientId, appKey);

  // The incoming user token was kept by SaveSigninToken = true and is exposed as the
  // identity's BootstrapContext.
  var bootstrapContext = ClaimsPrincipal.Current.Identities.First().BootstrapContext
      as System.IdentityModel.Tokens.BootstrapContext;
  string userName = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn) != null
      ? ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn).Value
      : ClaimsPrincipal.Current.FindFirst(ClaimTypes.Email).Value;
  string userAccessToken = bootstrapContext.Token;

  // The saved token becomes the user assertion for the on-behalf-of request.
  UserAssertion userAssertion = new UserAssertion(bootstrapContext.Token,
      "urn:ietf:params:oauth:grant-type:jwt-bearer", userName);
  string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
  string userId = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
  AuthenticationContext authContext = new AuthenticationContext(authority, new DbTokenCache(userId));

  // In the case of a transient error, retry once after 1 second, then abandon.
  // Retrying is optional. It may be better, for your application, to return an error
  // immediately to the user and have the user initiate the retry.
  AuthenticationResult result = null;
  string accessToken = null;
  bool retry = false;
  int retryCount = 0;
  do
  {
      retry = false;
      try
      {
          result = await authContext.AcquireTokenAsync(graphResourceId, clientCred, userAssertion);
          accessToken = result.AccessToken;
      }
      catch (AdalException ex)
      {
          if (ex.ErrorCode == "temporarily_unavailable")
          {
              // Transient error, OK to retry.
              retry = true;
              retryCount++;
              Thread.Sleep(1000);
          }
      }
  } while ((retry == true) && (retryCount < 1));
+1
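To make the checks described in the answer above visible, here is an added example (not code from the question, the answer, or the linked samples) that performs, in a stand-alone console program, the same validation the OWIN bearer middleware performs on each request: it downloads the tenant's OpenID Connect metadata (issuer value and current signing keys), then validates the signature, issuer, audience and lifetime with JwtSecurityTokenHandler. The tenant and audience are the values from the question; the metadata URL pattern, the package versions (System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect 5.x or later) and the class and method names in this file are assumptions of the example.

```csharp
// Added example: replicates the middleware's token checks step by step.
// Assumes NuGet packages System.IdentityModel.Tokens.Jwt and
// Microsoft.IdentityModel.Protocols.OpenIdConnect (5.x or later).
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class BearerTokenValidator
{
    // Values from the question; the metadata address is an assumption of this example.
    const string Tenant = "abc.onmicrosoft.com";
    const string Audience = "https://abc.onmicrosoft.com/App";
    static readonly string MetadataAddress =
        "https://login.microsoftonline.com/" + Tenant + "/.well-known/openid-configuration";

    public static async Task<ClaimsPrincipal> ValidateAsync(string rawToken)
    {
        // Step 1: fetch the tenant metadata. This is what the middleware does at startup
        // (the request you can observe in Fiddler): it yields the expected 'iss' value
        // and the RSA public keys used to verify the token signature.
        var manager = new ConfigurationManager<OpenIdConnectConfiguration>(
            MetadataAddress, new OpenIdConnectConfigurationRetriever());
        OpenIdConnectConfiguration config =
            await manager.GetConfigurationAsync(CancellationToken.None);

        // Step 2: one property per check. ValidAudience is the only one the question set
        // explicitly; the middleware fills in issuer and keys from the Tenant option.
        var parameters = new TokenValidationParameters
        {
            ValidAudience = Audience,               // 'aud' claim must equal this value
            ValidIssuer = config.Issuer,            // 'iss' claim must match the tenant issuer
            IssuerSigningKeys = config.SigningKeys, // signature must verify with one of these
            ValidateLifetime = true,                // 'nbf' and 'exp' checked against the clock
            ClockSkew = TimeSpan.FromMinutes(5),
            SaveSigninToken = true                  // keep the raw token for on-behalf-of use
        };

        // Step 3: validate. Any failed check throws a SecurityTokenException subclass;
        // only a token that passes all of them produces a ClaimsPrincipal.
        var handler = new JwtSecurityTokenHandler();
        SecurityToken validated;
        return handler.ValidateToken(rawToken, parameters, out validated);
    }

    public static void Main(string[] args)
    {
        string token = args.Length > 0 ? args[0] : Console.ReadLine();
        try
        {
            ClaimsPrincipal principal = ValidateAsync(token).GetAwaiter().GetResult();
            Console.WriteLine("Token is valid. Claims:");
            foreach (Claim c in principal.Claims)
                Console.WriteLine("  " + c.Type + " = " + c.Value);

            // With SaveSigninToken = true the raw token is kept on the identity. In this
            // library version BootstrapContext is the raw string; the older
            // System.IdentityModel version used in the answer wraps it in a BootstrapContext
            // object with a Token property.
            object saved = principal.Identities.First().BootstrapContext;
            Console.WriteLine("Saved sign-in token present: " + (saved != null));
        }
        catch (SecurityTokenInvalidAudienceException e)
        {
            Console.WriteLine("Audience check failed: " + e.Message);
        }
        catch (SecurityTokenInvalidIssuerException e)
        {
            Console.WriteLine("Issuer (tenant) check failed: " + e.Message);
        }
        catch (SecurityTokenExpiredException e)
        {
            Console.WriteLine("Lifetime check failed: " + e.Message);
        }
        catch (SecurityTokenInvalidSignatureException e)
        {
            Console.WriteLine("Signature check failed: " + e.Message);
        }
        catch (SecurityTokenException e)
        {
            Console.WriteLine("Token rejected: " + e.Message);
        }
    }
}
```

Running this against the token the WebApp sends (paste the value that follows "Bearer " in the Authorization header) shows which individual check a rejected token fails, which is the quickest way to confirm that audience and tenant really are being enforced. Note that [Authorize] is not what triggers these checks: the middleware validates any bearer token it finds on every request; [Authorize] only decides whether an unauthenticated request is allowed to reach the action.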

Decorating the controller, or a specific method, with [Authorize] starts the Owin security handler, which verifies the token and generates the claims.

0
