I've created an application group in ADFS with one client and one resource server. I've managed to implement the flow on the client side (I get the access token), but when the token is passed to the resource-server API, the API does not validate it. What am I missing?
My code in the Startup.cs of the resource server is the following:
public partial class Startup
{
/// <summary>
/// OWIN entry point for the resource server: enables CORS and then wires up
/// JWT bearer authentication via <see cref="ConfigureOAuth"/>.
/// </summary>
/// <param name="app">The OWIN application builder supplied by the host.</param>
public void Configuration(IAppBuilder app)
{
    // CorsOptions.AllowAll accepts requests from any origin; narrow this to the
    // known client origins before exposing the API beyond development.
    app.UseCors(CorsOptions.AllowAll);

    // Registers the bearer-token middleware that protects [Authorize] controllers.
    this.ConfigureOAuth(app);

    // more code here
}
/// <summary>
/// Registers JWT bearer authentication for the resource server.
/// </summary>
/// <param name="app">The OWIN application builder the middleware is added to.</param>
/// <remarks>
/// Nothing in these options supplies the issuer's signing keys (no
/// <c>IssuerSigningKeys</c>, key resolver or token provider is set), so although
/// <c>RequireSignedTokens</c> and <c>ValidateIssuerSigningKey</c> are enabled the
/// middleware has no key to check the token signature against and validation fails.
/// </remarks>
public void ConfigureOAuth(IAppBuilder app)
{
// Expected value of the token's "iss" claim. ADFS uses this http:// trust identifier
// as its issuer string; it is compared as text, not fetched.
var issuer = "http://adfserver/adfs/services/trust";
// Expected value of the token's "aud" claim; used for both AllowedAudiences and ValidAudience below.
var audience = "https://client";
// Api controllers with an [Authorize] attribute will be validated with JWT
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
// Active mode: the middleware authenticates every request on its own, not only on challenge.
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { audience },
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = issuer,
ValidateAudience = true,
ValidAudience = audience,
// Both flags demand a verified signature, but no signing key is configured here.
RequireSignedTokens = true,
ValidateIssuerSigningKey = true,
ValidateLifetime = true
},
});
}
Managed to fix the issue. I had to get the signing keys from the ADFS server. Below is a working version of the code:
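/// <summary>
/// Registers JWT bearer authentication for the resource server, validating access tokens
/// issued by ADFS against the signing keys published in its OpenID Connect metadata.
/// </summary>
/// <param name="app">The OWIN application builder the middleware is added to.</param>
/// <remarks>
/// The original version used <c>await</c> inside a non-async <c>void</c> method, which does not
/// compile. OWIN startup is synchronous, so the metadata document is fetched by blocking once
/// here rather than turning the method into <c>async void</c>. A failure to reach the metadata
/// endpoint throws and aborts startup, which is preferable to running without signing keys.
/// The keys are captured once at startup; ADFS certificate rollover therefore needs an
/// application restart (or a key resolver that re-queries the manager) — TODO confirm which
/// is acceptable for this deployment. Assumes a <c>myAdfSserver</c> member holding the ADFS
/// host name (not shown).
/// </remarks>
public void ConfigureOAuth(IAppBuilder app)
{
    // ADFS places this http:// trust identifier in the "iss" claim even though the
    // metadata itself is served over https; it is compared as text, not fetched.
    var issuer = $"http://{myAdfSserver}/adfs/services/trust";
    var audience = "audience";

    var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
        $"https://{myAdfSserver}/adfs/.well-known/openid-configuration",
        new OpenIdConnectConfigurationRetriever());

    // Block once for the discovery document: startup is synchronous and runs a single time.
    // GetAwaiter().GetResult() rethrows the original exception instead of an AggregateException.
    OpenIdConnectConfiguration openIdConfig =
        configurationManager.GetConfigurationAsync().GetAwaiter().GetResult();

    var validationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = issuer,
        ValidateAudience = true,
        ValidAudience = audience,
        RequireSignedTokens = true,
        ValidateIssuerSigningKey = true,
        // Without these keys the signature check has nothing to validate against.
        IssuerSigningKeys = openIdConfig.SigningKeys,
        ValidateLifetime = true
    };

    app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
    {
        // Active mode: every request is authenticated by the middleware, not only on challenge.
        AuthenticationMode = AuthenticationMode.Active,
        AllowedAudiences = new string[] { audience },
        TokenValidationParameters = validationParameters
    });
}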
Also, be sure your web requests use TLS 1.2 (from .NET Framework 4.6.1 onwards it is used by default). I set this up in my Startup.cs class:
// Process-wide setting: outbound HTTPS requests made through ServicePointManager (which
// presumably includes the ADFS metadata fetch above) negotiate TLS 1.2. This is a plain
// assignment, not "|=", so the framework's older default protocols are dropped at the same
// time. Only needed on frameworks below 4.6.1; on 4.7+ Microsoft advises leaving the OS
// default rather than pinning a version — TODO confirm the target framework.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;