How to validate Azure AD security token?

by

There are two steps to verify the token. First, verify the signature of the token to ensure the token was issued by Azure Active Directory. Second, verify the claims in the token based on the business logic.

For example, we need to verify the iss and aud claim if you were developing a single tenant app. And you also need to verify the nbf to ensure the token is not expired. For more claims you can refer here.

Below description is from here about the detail of signature verifying. (Note: The example below uses the Azure AD v2 endpoint. You should use the endpoint that corresponds to the endpoint the client app is using.)

The access token from the Azure AD is a JSON Web Token(JWT) which is signed by Security Token Service in private key.

The JWT includes 3 parts: header, data, and signature. Technically, we can use the public key to validate the access token.

First step – retrieve and cache the signing tokens (public key)

Endpoint: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

Then we can use the JwtSecurityTokenHandler to verify the token using the sample code below:

 public JwtSecurityToken Validate(string token)
 {
     string stsDiscoveryEndpoint = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration";

     ConfigurationManager<OpenIdConnectConfiguration> configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint);

     OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result;

     TokenValidationParameters validationParameters = new TokenValidationParameters
     {
         ValidateAudience = false,
         ValidateIssuer = false,
         IssuerSigningTokens = config.SigningTokens,
         ValidateLifetime = false
     };

     JwtSecurityTokenHandler tokendHandler = new JwtSecurityTokenHandler();

     SecurityToken jwt;

     var result = tokendHandler.ValidateToken(token, validationParameters, out jwt);

     return jwt as JwtSecurityToken;
 }

And if you were using the OWIN components in your project, it is more easy to verify the token. We can use the code below to verify the token:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Audience = ConfigurationManager.AppSettings["ida:Audience"],
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
            });

Then we can use the code below to verify the ‘scope’ in the token:

public IEnumerable<TodoItem> Get()
{
    // user_impersonation is the default permission exposed by applications in AAD
    if (ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/scope").Value != "user_impersonation")
    {
        throw new HttpResponseException(new HttpResponseMessage {
          StatusCode = HttpStatusCode.Unauthorized,
          ReasonPhrase = "The Scope claim does not contain 'user_impersonation' or scope claim not found"
        });
    }
    ...
}

And here is a code sample which protected the web API with Azure AD:

Protect a Web API using Bearer tokens from Azure AD

More Related Contents:

  1. How to authenticate user with Azure Active Directory using OAuth 2.0?
  2. Is there any JSON Web Token (JWT) example in C#?
  3. Error making Azure Management Library API call when authenticating with azure active directory
  4. Azure Function with AD auth results in 401 Unauthorized when using Bearer tokens
  5. Azure Bot C# : Webchat Open url in same Tab of Browser, Its opening in new tab
  6. How can I use NuGet packages in my Azure Functions?
  7. Configure the authorization server endpoint
  8. Authorize By Group in Azure Active Directory B2C
  9. How do I get an OAuth 2.0 authentication token in C#
  10. Microsoft Azure: How to create sub directory in a blob container
  11. Dependency injection using Azure WebJobs SDK?
  12. SMTP and OAuth 2
  13. HttpClient single instance with different authentication headers
  14. Recommend a C# Task Scheduling Library [closed]
  15. Copying one Azure blob to another blob in Azure Storage Client 2.0
  16. Run .exe executable file in Azure Function
  17. Login using Google OAuth 2.0 with C#
  18. Correlation failed in net.core / asp.net identity / openid connect
  19. How to serialize and deserialize a PFX certificate in Azure Key Vault?
  20. ASP.NET Core 1.1 runs fine locally but when publishing to Azure says “An error occurred while starting the application.”
  21. IDX10501: Signature validation failed. Unable to match keys
  22. IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Payload.Nonce was not null
  23. Azure Blob Storage | AcquireLeaseAsync, synchronously wait until lock is released
  24. Azure Functions – using appsettings.json
  25. How do I set return_uri for GoogleWebAuthorizationBroker.AuthorizeAsync?
  26. How to get hold of all the blobs in a Blob container which has sub directories levels(n levels)?
  27. Authentication with Azure Active Directory – how to accept user credentials programmatically
  28. generate a Zip file from azure blob storage files
  29. Publish error: Found multiple publish output files with the same relative path
  30. Azure Functions Database Connection String

Leave a Comment