Search code examples
jwtazure-active-directorybearer-token.net-core-3.0

System.InvalidOperationException: IDX20803 when validating Azure AD token

I have a SPA client in Angular which logs into Azure AD successfully and generates a token which I then pass it to the .Net Core(3.0) API via Authorization: Bearer ${token} I then try to validate the token with [Authorize] to check and then allow access to the REST Api calls, we are still using "ver": "1.0" and there is no nonce in the JWT header. I have the below code in ConfigureServices method:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
               .AddJwtBearer(options =>
               {
                   options.Authority = "https://login.microsoftonline.com/common";
                   options.RequireHttpsMetadata = false;
                   options.TokenValidationParameters = new TokenValidationParameters
                   {
                       ValidateIssuer = true,
                       ValidIssuer = options.Authority,
                       ValidateLifetime = true,
                       ValidateAudience = true,
                       ValidAudience = "{myClientID}",
                       IssuerValidator = (issuer, token, parameter) => "https://sts.windows.net/{MyIssuer}/"
                   };
               });

            services.AddAuthorization(options =>
            {
                options.DefaultPolicy =
                     new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
                    .RequireAuthenticatedUser()
                    .Build();
            });

When I run the project with locahost, it works fine, but I deploy the code to a server, I got the below error message :

Exception occurred while processing message.

Exception: 
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://login.microsoftonline.com/common/.well-known/openid-configuration'.
 ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://login.microsoftonline.com/common/.well-known/openid-configuration'.
 ---> System.Net.Http.HttpRequestException: No connection could be made because the target machine actively refused it.
 ---> System.Net.Sockets.SocketException (10061): No connection could be made because the target machine actively refused it.
   at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---

The above message indicates that something is not allowing me to connect to the site to validate, are my parameters correct? I used jwt.io to check the token and it says the Signature is valid and on the body I get to see the values I expect for "aud:","iss:" "amr":["pwd"] etc. I am new to Azure AD and token validation, so please bear with me. Is there anything I am missing? Thank you

Solution

  • That error is caused by the app being unable to connect to the Azure AD metadata endpoint. It needs to load configuration from there at the start, including public keys that the app can use to verify token signatures.

    Either something is blocking the connection (like a firewall), or Azure AD is down (extremely unlikely).