Tags: asp.net, jwt, azure-active-directory, bearer-token, asp.net-core-mvc-2.0

ASP.net Core 2.0 AzureAd Bearer JWT-Token Auth not fail on validate signature


I have two apps: one web app (Web-UI) and a web API. First I implemented authentication with Azure AD in the Web-UI. Both apps are registered in Azure and trust each other.

First, my config:

tenant: '99c7da52-56fc-49ca-aa95-111111111111',
clientId: '6b0a79eb-0e0d-4a00-9652-111111111111'

The login works like a charm and I successfully get a token. Decoded, it looks like the following:

Header
{
  "typ": "JWT",
  "nonce": "AQABAAAAAABHh4kmS_aKT5XrjzxRAtHzn-GbcsmT8MupNislUn7vudKeuWR-HgBEd2ceWxQ7UulHr-uachkZA9cWVIj5ah3yzI68oYKyzc-QdynAf3a5DSAA",
  "alg": "RS256",
  "x5t": "z44wMdHu8wKsumrbfaK98qxs5YI",
  "kid": "z44wMdHu8wKsumrbfaK98qxs5YI"
}
Payload 
{
  "aud": "00000003-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/99c7da52-56fc-49ca-aa95-8f7fb09c995e/",
  "iat": 1517145610,
  "nbf": 1517145610,
  "exp": 1517149510,
  "acr": "1",
  "aio": "ATQAy/8GAAAAYOQzoNWpu5XcyTPibpz9lnb/bMGY3H4iTdEdz/zvWwrTt1mvvWiLToaNPYZwHsBD",
  "amr": [
    "pwd",
    "mfa"
  ],
  "app_displayname": "My Project",
  "appid": "6b0a79eb-0e0d-4a00-9652-3098cc95804f",
  "appidacr": "0",
  "e_exp": 262800,
  "family_name": "XXXXXXXXX",
  "given_name": "XXXXXXXXXX",
  "ipaddr": "93.245.65.135",
  "name": "Myname, Firstname",
  "oid": "1a4d0d0f-8137-4c1d-aa34-2cccf10f8206",
  "platf": "3",
  "puid": "100300008AAF747A",
  "scp": "Directory.Read.All email Group.Read.All profile User.Read User.Read.All User.ReadBasic.All",
  "sub": "IBv63_IIq4zpkv_UlVwaxmAm0RP3d17xq4hKil4HRD0",
  "tid": "89c7da52-56fc-49ca-aa95-8f7fb09c995e",
  "unique_name": "XXXXXXXXXXXXXXX",
  "upn": "XXXXXXXXXXXXXXX",
  "uti": "LVVtGIEcXUuEofBatBYVAA",
  "ver": "1.0"
}

I removed the personal information. Now I use the token against my Web API, which contains the following setting:

"AzureAdB2C": {
  "Instance": "https://login.microsoftonline.com/common",
  "ClientId": "f5afed6b-e09c-4c7d-90cc-222222222222",
  "Domain": "myhost.de"
}

My Startup file looks like this:

using Microsoft.AspNetCore.Authentication;            // namespace of the template-generated AddAzureAdBearer extension
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        // JWT bearer is the default scheme; the AzureAdB2C section is bound onto the
        // template's AzureAdOptions (Instance, ClientId, Domain) by AddAzureAdBearer.
        services.AddAuthentication(sharedOptions =>
        {
            sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddAzureAdBearer(options => Configuration.Bind("AzureAdB2C", options));
        services.AddMvc();
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        // Authentication must run before MVC so [Authorize] sees the validated principal.
        app.UseAuthentication();
        app.UseMvc();
    }
}

Now when I call the API from Postman with the same token above as "Bearer {tokenstring}", it returns 401 Unauthorized.

In the debug log on the console, this comes up:

    Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: z44wMdHu8wKsumrbfaK98qxs5YI
'.
Exceptions caught:
 ''.
token: '{"alg":"RS256","typ":"JWT","nonce":"AQABAAAAAABHh4kmS_aKT5XrjzxRAtHzn-GbcsmT8MupNislUn7vudKeuWR-HgBEd2ceWxQ7UulHr-uachkZA9cWVIj5ah3yzI68oYKyzc-QdynAf3a5DSAA","x5t":"z44wMdHu8wKsumrbfaK98qxs5YI","kid":"z44wMdHu8wKsumrbfaK98qxs5YI"}.{"aud":"00000003-0000-0000-c000-000000000000","iss":"https://sts.windows.net/99c7da52-56fc-49ca-aa95-8f7fb09c995e/","iat":1517145610,"nbf":1517145610,"exp":1517149510,"acr":"1","aio":"ATQAy/8GAAAAYOQzoNWpu5XcyTPibpz9lnb/bMGY3H4iTdEdz/zvWwrTt1mvvWiLToaNPYZwHsBD","amr":["pwd","mfa"],"app_displayname":"Project Avalon Dev","appid":"6b0a79eb-0e0d-4a00-9652-3098cc95804f","appidacr":"0","e_exp":262800,"family_name":"XXXXX","given_name":"Sascha Peter","ipaddr":"93.245.65.135","name":"XXXX","oid":"da4d0d0f-8137-4c1d-aa34-2cccf10f8206","platf":"3","puid":"100300008AAF747A","scp":"Directory.Read.All email Group.Read.All profile User.Read User.Read.All User.ReadBasic.All","sub":"IBv63_IIq4zpkv_UlVwaxmAm0RP3d17xq4hKil4HRD0","tid":"99c7da52-56fc-49ca-aa95-8f7fb09c995e","unique_name":"XXXXX","upn":"xxxxxxx","uti":"LVVtGIEcXUuEofBatBYVAA","ver":"1.0"}'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__6.MoveNext()
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
      Bearer was not authenticated. Failure message: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: z44wMdHu8wKsumrbfaK98qxs5YI
      '.
Exceptions caught:
 ''.
token: '{"alg":"RS256","typ":"JWT","nonce":"AQABAAAAAABHh4kmS_aKT5XrjzxRAtHzn-GbcsmT8MupNislUn7vudKeuWR-HgBEd2ceWxQ7UulHr-uachkZA9cWVIj5ah3yzI68oYKyzc-QdynAf3a5DSAA","x5t":"z44wMdHu8wKsumrbfaK98qxs5YI...........

My project file for the Web API project looks like this:

    <Project Sdk="Microsoft.NET.Sdk.Web">

      <PropertyGroup>
        <TargetFramework>netcoreapp2.0</TargetFramework>
        <UserSecretsId>aspnet-Portal.Api-B6631B80-5958-40CC-A783-2E86D5ADA6B5</UserSecretsId>
      </PropertyGroup>

      <ItemGroup>
        <Folder Include="wwwroot\" />
      </ItemGroup>

      <ItemGroup>
        <PackageReference Include="Microsoft.AspNetCore.All" Version="2.0.5" />
      </ItemGroup>

      <ItemGroup>
        <DotNetCliToolReference Include="Microsoft.Extensions.SecretManager.Tools" Version="2.0.0" />
        <DotNetCliToolReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Tools" Version="2.0.2" />
      </ItemGroup>

    </Project>

I don't know what the problem is. Am I missing something? Is there a bug in my code?


Solution

  • The ASP.NET Core JWT bearer implementation cannot validate tokens with a nonce in the header, as these need special processing. The token you are trying to validate is for the Microsoft Graph API, not for your application.

    You can obtain tokens for your app if you request https://login.microsoftonline.com/common/oauth2/authorize?resource={APPID}

    I was also able to validate tokens for the resource/API https://graph.windows.net (instead of https://graph.microsoft.com), as these tokens do not contain nonces, but according to Microsoft this API is outdated and should not be used (https://dev.office.com/blogs/microsoft-graph-or-azure-ad-graph).

    Read more: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/609
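The answer's diagnosis can be confirmed from the token itself before any key lookup: a token whose `aud` is Microsoft Graph's well-known app id (the `00000003-0000-0000-c000-000000000000` seen in the question's payload) and whose header carries a `nonce` was issued for Graph, and the API's own client id never appears as audience. The triage script below is an added example, not code from the question, the answer or any Microsoft library. It decodes the two JSON segments of a compact JWT without verifying the signature, so its output is only an explanation of why a validator will reject the token, never a basis for granting access. It assumes the question's API client id and tenant id as the expected values and builds two constructed, unsigned sample tokens (one Graph-style, one addressed to the API) to show both outcomes.

```python
import base64
import json

# Well-known app id of Microsoft Graph (the "aud" value in the question's token).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Expected values taken from the question's configuration (assumed, not verified here).
MY_API_CLIENT_ID = "f5afed6b-e09c-4c7d-90cc-222222222222"
TENANT = "99c7da52-56fc-49ca-aa95-111111111111"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url segment (used only for samples)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token: str):
    """Split a compact JWS into (header, payload) WITHOUT checking the signature.
    Diagnostics only: nothing returned here may be used for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def triage(token: str, expected_audience: str, expected_tenant: str) -> list:
    """Return human-readable findings explaining why an API configured for
    `expected_audience` in `expected_tenant` will reject this bearer token.
    An empty list means the token is at least addressed to the right API."""
    header, payload = decode_unverified(token)
    findings = []
    aud = payload.get("aud")
    if aud == GRAPH_APP_ID:
        findings.append("aud is Microsoft Graph: token was issued for Graph, not for this API")
    elif aud != expected_audience:
        findings.append(f"aud {aud!r} does not match this API's client id")
    if "nonce" in header:
        findings.append("header carries a nonce: Graph-style token, standard JWT "
                        "signature validation is expected to fail (IDX10503)")
    if payload.get("tid") != expected_tenant:
        findings.append(f"tid {payload.get('tid')!r} is not the expected tenant")
    return findings


def make_unsigned_sample(header: dict, payload: dict) -> str:
    """Build a compact JWT with a dummy signature segment. Constructed test data only;
    a real validator will (correctly) reject it because the signature is meaningless."""
    return ".".join([_b64url_encode(header), _b64url_encode(payload), "c2lnbmF0dXJl"])


# Constructed samples mirroring the shape of the question's token (claims trimmed).
GRAPH_TOKEN = make_unsigned_sample(
    {"typ": "JWT", "alg": "RS256", "kid": "z44wMdHu8wKsumrbfaK98qxs5YI",
     "nonce": "constructed-nonce-value"},
    {"aud": GRAPH_APP_ID, "tid": TENANT, "scp": "User.Read"},
)
API_TOKEN = make_unsigned_sample(
    {"typ": "JWT", "alg": "RS256", "kid": "z44wMdHu8wKsumrbfaK98qxs5YI"},
    {"aud": MY_API_CLIENT_ID, "tid": TENANT, "scp": "user_impersonation"},
)

if __name__ == "__main__":
    for name, tok in (("graph token", GRAPH_TOKEN), ("api token", API_TOKEN)):
        result = triage(tok, MY_API_CLIENT_ID, TENANT)
        print(f"{name}: {result or ['addressed to this API; proceed to signature validation']}")
```

Run it on a real bearer string from Postman in place of the samples: if the first finding is the Graph audience, no amount of key configuration on the API side will make validation succeed, and the fix is the one the answer gives, requesting a token with `resource` set to the API's own app id. Keep the `decode_unverified` step strictly in logging or diagnostics paths; the API's `JwtBearer` handler must still perform full signature, issuer, audience and lifetime validation.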