I'm converting a simple web application and associated web API that's secured using an on premise ADFS using open id from .Net Framework 4.6.2 to .Net Core 2.0 but running in to a problem with authentication in the web API.
I have successfully converted the front-end web application to .Net Core and it's calling the old API without any issues. However I'm unsure how to configure the the new API for bearer authentication.
Authentication in the existing API is configured like this:
public void ConfigureAuth(IAppBuilder app)
{
JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();
app.UseActiveDirectoryFederationServicesBearerAuthentication(
new ActiveDirectoryFederationServicesBearerAuthenticationOptions
{
MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"],
TokenValidationParameters = new TokenValidationParameters() {
SaveSigninToken = true,
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
}
});
}
And I have attempted to configure authentication in the new API like this:
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();
services.AddAuthentication(options =>
{
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.MetadataAddress = "xxx/adfs/.well-known/openid-configuration";
options.Authority = "xxx/adfs/";
options.TokenValidationParameters = new TokenValidationParameters
{
SaveSigninToken = true,
ValidAudiences = new List<string>
{
Configuration["http://localhost:64766/"],
Configuration["http://localhost:53797/"]
}
};
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseMvc();
app.UseAuthentication();
}
When calling the old API the bearer token is successfully parsed and access is granted without any issues. However when calling the new API I'm just getting a 401 error. If I remove the [Authorize] attribute from the API controller the request is successful but there is no user associated with the request, though I can see the bearer token in the authorization header. Any idea what I'm missing?
Edit
I've now hooked in to the JwtBearer events so I could see what's going wrong and it turns out that there are a couple of errors in my configuration and it was failing to validate the audience and issuer of my token. Updating the code to the below fixed that issue.
options.TokenValidationParameters = new TokenValidationParameters
{
SaveSigninToken = true,
ValidIssuer = "xxx/adfs/services/trust",
ValidAudiences = new List<string>
{
"http://localhost:64766/",
"http://localhost:53797/"
},
};
Now when I call the API I can see that the OnTokenValidated event is being raised and that the user principal is correct and authenticated, however I'm still getting a 401 unauthorized error when calling the API. If I remove the [Authorize] attribute from the API it works, but there's no user principal.
