Search code examples
c#asp.net-coreazure-active-directoryswaggerswashbuckle

How to integrate swagger with Azure Active Directory OAuth


I'm trying to setup Swagger in my AspNetCore 2.1 application using Azure Active Directory V2 but I cannot seem to get it right. I am able to configure the setup so that swagger prompts, redirects and successfully authenticates my client/user but when passing the bearer token to the server results in the error Bearer error="invalid_token", error_description="The signature is invalid". I have created a GitHub repository with the project I am trying to get work with all its configuration (https://github.com/alucard112/auth-problem)

I have managed to get the V1 endpoint working, by setting the resource to the Client Id of the AAD app, which results in the JWT token having the 'aud' set to the app client Id. In the V2 endpoint the 'aud' is being set to what I think is the Graph API resource '00000003-0000-0000-c000-000000000000'. I believe this is my problem at the moment, although am not 100 % sure. The V2 endpoints don't seem to have a way to define the audience like the V1 did unless of course there is some oversight from my side.

My Startup file is structured as follows:

The authentication is setup as the following:

services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
                .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));


            services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
            {
                options.Authority = $"https://login.microsoftonline.com/{tenantId}";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // In multi-tenant apps you should disable issuer validation:
                    ValidateIssuer = false,
                    // In case you want to allow only specific tenants,
                    // you can set the ValidIssuers property to a list of valid issuer ids
                    // or specify a delegate for the IssuerValidator property, e.g.
                    // IssuerValidator = (issuer, token, parameters) => {}
                    // the validator should return the issuer string
                    // if it is valid and throw an exception if not
                };
            });

And the swagger is setup as follows:

 services.AddSwaggerGen(c =>
            {
                c.SwaggerDoc("v1", new Info
                {
                    Title = "Protected Api",
                });

                c.OperationFilter<SecurityRequirementsOperationFilter>();

                //IMATE - StevensW
                // Define the OAuth2.0 scheme that's in use (i.e. Implicit Flow)
                c.AddSecurityDefinition("oauth2", new OAuth2Scheme
                {
                    Type = "oauth2",
                    Flow = "implicit",
                    AuthorizationUrl = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize",
                    TokenUrl = $"https://login.microsoftonline.com/common/{tenantId}/v2.0/token",
                    Scopes = new Dictionary<string, string>
                   {
                       { "openid", "Unsure" },
                       { "profile", "Also Unsure" }
                   }
                });
            });
 app.UseSwagger();
            app.UseSwaggerUI(c =>
            {
                c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API V1");
                c.OAuthClientId(Configuration.GetValue<string>("AzureAd:ClientId"));
                c.OAuthAppName("Protected API");

                // c.OAuthUseBasicAuthenticationWithAccessCodeGrant();
                // NEVER set the client secret here. It will ve exposed in the html of the swagger page if you "view source" and its not needed for OpenID Auth
                // c.OAuthClientSecret(Configuration.GetValue<string>("AzureAd:ClientId"));
            });

I am hoping to configure the swagger UI to use AAD's V2 endpoint and allow for a multi-tenant login that allows successfully authenticated API calls to be executed. Any help or direction would be greatly appreciated.


Solution

  • I ended up fixing the problem I was having. Working through this post helped me understand my mistakes.

    The first mistake was my actual AAD app registration. I had not set a scope for the application under "Expose an API". Because they deprecated the resource property in V2, the way you would set the resource was to create a scope with the format api"//{application ID}/{scope_name}. After I made this change my AAD application was now correctly configured.

    After that, I needed to add an additional section to my startup file:

    return services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
                 {
                     // This is an Azure AD v2.0 Web API
                     options.Authority += "/v2.0";
    
                     // The valid audiences are both the Client ID (options.Audience) and api://{ClientID}
                     options.TokenValidationParameters.ValidAudiences = new string[] { options.Audience, $"api://{options.Audience}" };
    
    
                     options.TokenValidationParameters.ValidateIssuer = false;
                 });
    

    Note: the link above provided an alternative solution to turning off the validation of the issuer if anyone is interested.

    My AppSettings file was also simplified by only needing to define the Instance, TenantId, and ClientId.

    Then from a swagger perspective, I just needed to add an additional scope to the security definition matching the one I created in my AAD application.

              c.AddSecurityDefinition("oauth2", new OAuth2Scheme
                    {
                        Type = "oauth2",
                        Flow = "implicit",
                        AuthorizationUrl = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
                        TokenUrl = "https://login.microsoftonline.com/common/oauth2/v2.0/token",
                        Scopes = new Dictionary<string, string>
                       {
                           { "openid", "Sign In Permissions" },
                           { "profile", "User Profile Permissions" },
                           { $"api://{clientId}/access_as_user", "Application API Permissions" }
                       }
                    });
    

    After these changes my application is now working as expected.