
I’m working on integrating a Web API with Azure China Active Directory and deploying to the Azure China environment. The endpoints are completely different for Azure China than the regular Azure environment. I want to know how to specify the AADInstance https://login.chinacloudapi.cn/ for a Web API?

Web Api Startup.Auth.cs

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
        },
    });

Web Api Web.Config

<add key="ida:Tenant" value="directoryname.partner.onmschina.cn" />
<add key="ida:Audience" value="https://directoryname.partner.onmschina.cn/AppName" />
<add key="ida:ClientID" value="…" />
<add key="ida:Password" value="…" />

This can be done for an MVC application.

MVC Startup.Auth.cs

ApplicationDbContext db = new ApplicationDbContext();

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

app.UseCookieAuthentication(new CookieAuthenticationOptions());

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = Authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,

        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
            AuthorizationCodeReceived = (context) => 
            {
                var code = context.Code;
                ClientCredential credential = new ClientCredential(clientId, appKey);
                string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                AuthenticationContext authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserID));
                AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);

                return Task.FromResult(0);
            }
        }
    });

MVC Web.Config

<add key="ida:ClientId" value="…" />
<add key="ida:AADInstance" value="https://login.chinacloudapi.cn/" />
<add key="ida:ClientSecret" value="…" />
<add key="ida:Domain" value="directoryname.partner.onmschina.cn" />
<add key="ida:TenantId" value="…" />
<add key="ida:PostLogoutRedirectUri" value="https://localhost:44300/" />
Vijai
Venky
  • Ahhh, I see what you are asking now. You are using 2 very different packages in the example you show; one is for creating tokens (in Web Api) and the other is for verifying tokens (MVC) – Camilo Terevinto Jan 11 '17 at 19:49

2 Answers


Yes, we have to set the metadata endpoint, as explained in WindowsAzureActiveDirectoryBearerAuthenticationExtensions.cs.

I added an entry in web.config

<add key="ida:AADInstance" value="login.microsoftonline.com" />

and then set the MetadataAddress in Startup.Auth.cs

// Points the bearer middleware at the federation metadata of the configured AAD instance (issuer and signing keys).
MetadataAddress = $"https://{ConfigurationManager.AppSettings["ida:AADInstance"]}/{ConfigurationManager.AppSettings["ida:Tenant"]}/federationmetadata/2007-06/federationmetadata.xml",

Now it works.

Shawn Tabrizi
Venky

A few things to note here about applications that use different sovereign clouds:

  1. Each Sovereign Cloud (China, US Gov, Germany, Worldwide) is its own instance of AAD. In order for you to authenticate with an application to its token endpoint, you must have a separately registered application for that environment. An application registered in worldwide, that can call "https://login.microsoftonline.com" will generally not be able to authenticate to the other endpoints like "https://login.chinacloudapi.cn".
  2. As a client application, you must make sure to request a token using all the correct parameters for the environment you are looking to authenticate to. If you want to get a token to the AAD Graph API in China, so that you may access directory information for a tenant based in the China Cloud AAD environment, you must ensure that:
    • You use the correct login endpoint (https://login.chinacloudapi.net)
    • You use the correct resource identifier for that environment (https://graph.chinacloudapi.cn/)
    • You use the correct client id, which is registered for that environment
    • You use the correct reply url, and other configurations registered for that environment
  3. As a web api, you must verify that the access token you are receiving is signed by the signing key which corresponds to that AAD environment. Each AAD environment will have its own signing key, and if you are using libraries like OWIN to help you verify the contents of the token, you must also update the OWIN settings to point to the correct metadata endpoint.

I hope this helps address your question, which was a little broad to begin with. If you have more specific follow-up questions, please comment below.

Shawn Tabrizi
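Putting the first answer's MetadataAddress fix together with point 3 above (validate against the signing keys of the AAD environment that issued the token), here is an added example of a complete Startup.Auth.cs for the Web API; it is not code from the question or either answer. The ida:AADInstance key and its value, the fail-closed check, and the constructed web.config values in the comment are assumptions.

```csharp
// Added example: complete Startup.Auth.cs for the China-cloud Web API.
// Assumed web.config entries (ida:AADInstance is added; the other two keys
// are the ones from the question, with constructed values):
//   <add key="ida:AADInstance" value="login.chinacloudapi.cn" />
//   <add key="ida:Tenant" value="directoryname.partner.onmschina.cn" />
//   <add key="ida:Audience" value="https://directoryname.partner.onmschina.cn/AppName" />
using System.Configuration;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
        string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        string audience = ConfigurationManager.AppSettings["ida:Audience"];

        if (string.IsNullOrWhiteSpace(aadInstance) || string.IsNullOrWhiteSpace(tenant))
        {
            // Fail closed (assumed policy): without these settings the middleware
            // would fall back to the worldwide-cloud metadata and every token
            // issued by the China cloud would fail signature validation.
            throw new ConfigurationErrorsException("ida:AADInstance and ida:Tenant are required.");
        }

        // The federation metadata document is where the middleware learns the
        // issuer and the signing keys. Each sovereign cloud publishes its own,
        // so tokens from login.chinacloudapi.cn only validate against this one.
        string metadataAddress =
            $"https://{aadInstance}/{tenant}/federationmetadata/2007-06/federationmetadata.xml";

        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = tenant,
                MetadataAddress = metadataAddress,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Accept only tokens minted for this API's App ID URI; the
                    // issuer and signing keys come from the metadata above.
                    ValidAudience = audience,
                    ValidateAudience = true
                }
            });
    }
}
```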