Tags: c#, owin, katana, adal

How can I get WindowsAzureActiveDirectoryBearerAuthenticationOptions to accept an audience with an asterisk


My Azure Active Directory application URI contains an asterisk, something like https://*.mywebapp.com. AAD can successfully acquire a token for the https://test.mywebapp.com resource for this app.

On the service side I'm using OWIN and WindowsAzureActiveDirectoryBearerAuthenticationOptions to validate the token. The problem is that specifying an audience with an asterisk is not supported.

With the following code, token validation returns false for a token with audience https://test.mywebapp.com:

    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Tenant = c_azureActiveDirectoryTenant,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidAudiences = new[] { "https://*.mywebapp.com" },
                SaveSigninToken = true,
            },
        });

Looking at the AudienceValidator and IssuerValidator code on GitHub, I can easily understand the reason: the code compares exact strings. I would expect the code to respect wildcards. Is this by design or just a bug? Any workaround?


Solution

  • You can take control of the AudienceValidation by setting TokenValidationParameters.AudienceValidator delegate. You can then do whatever you need to do.
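One way to implement the delegate the answer describes, as an added example that is not code from the question, the answer, or the Katana project: the wildcard pattern is compiled into an anchored regular expression in which `*` stands for exactly one DNS label, so `https://test.mywebapp.com` is accepted while `https://test.mywebapp.com.example` or `https://a.b.mywebapp.com` are not. The tenant value, the pattern list and the class and method names are placeholders chosen for this example; the `AudienceValidator` delegate signature (`IEnumerable<string>`, `SecurityToken`, `TokenValidationParameters`, returning `bool`) is the one defined by `System.IdentityModel.Tokens` used with Katana.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;      // TokenValidationParameters, SecurityToken
using System.Linq;
using System.Text.RegularExpressions;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public static class WildcardAudienceValidator
{
    // Placeholder audience patterns for this example; "*" means exactly one host label.
    private static readonly string[] s_audiencePatterns = { "https://*.mywebapp.com" };

    // Escape the literal parts of the pattern, then let "*" match a single DNS label only.
    // Anchoring with ^ and $ prevents a longer audience from matching on a substring.
    public static Regex ToRegex(string pattern)
    {
        string escaped = Regex.Escape(pattern).Replace(@"\*", "[A-Za-z0-9-]+");
        return new Regex("^" + escaped + "$", RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
    }

    public static bool IsAllowed(string audience, IEnumerable<string> patterns)
    {
        if (string.IsNullOrEmpty(audience)) return false;
        return patterns.Any(p => ToRegex(p).IsMatch(audience));
    }

    // Matches the System.IdentityModel.Tokens.AudienceValidator delegate signature.
    // Returning false makes token validation fail; this replaces the built-in exact-match check,
    // so it is now the only audience check that runs (signature and issuer checks are unaffected).
    public static bool Validate(IEnumerable<string> audiences, SecurityToken securityToken,
                                TokenValidationParameters validationParameters)
    {
        if (audiences == null) return false;
        return audiences.Any(aud => IsAllowed(aud, s_audiencePatterns));
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = "contoso.onmicrosoft.com",   // placeholder tenant
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateAudience = true,
                    AudienceValidator = WildcardAudienceValidator.Validate,
                    SaveSigninToken = true,
                },
            });
    }
}
```

Keep in mind that a wildcard audience widens the set of tokens the service accepts: any token issued for any host under `*.mywebapp.com` now passes, so the label character class and the anchors are what keep the match from becoming broader than intended, and the pattern list should stay as narrow as the deployment actually needs.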