
I am building an ASP.NET Core application that uses AAD (B2C later on) to authenticate users.

I understand that OAuth2 and OpenID Connect JWT tokens must be validated. It is very important.

I am going through this code example:

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-3-AnyOrg/TodoListService/Startup.cs#L34

The example uses this Microsoft.Identity.Web middleware for authentication.

            services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
                    .EnableTokenAcquisitionToCallDownstreamApi()
                    .AddInMemoryTokenCaches();

Which of the following validations are done by the above middleware?

  1. Validate JWT's signature
  2. Validate not before and expiration time
  3. Validate nonce

Is there any documentation that confirms what exact validations are done automatically by Microsoft.Identity.Web and what type of validation I need to do manually (I think the issuer claim is manual code)?

Allan Xu
  • https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-configuration#token-validation – rbrayb Feb 12 '22 at 00:44

1 Answer

2

Microsoft.Identity.Web - The main package. Required by all apps that use Microsoft Identity Web

Microsoft recommends you use the Microsoft.Identity.Web NuGet package when developing a web API with ASP.NET Core.

It has a lot of dependencies; you can check the details from this link.

One of the dependencies, for .NETCoreApp 3.1, is Microsoft.AspNetCore.Authentication.JwtBearer (>= 3.1.18).

The JwtBearer middleware, like the OpenID Connect middleware in web apps, validates the token based on the value of TokenValidationParameters. The token is decrypted as needed, the claims are extracted, and the signature is verified. The middleware then validates the token by checking for this data:

Audience: The token is targeted for the web API.

Sub: It was issued for an app that's allowed to call the web API.

Issuer: It was issued by a trusted security token service (STS).

Expiry: Its lifetime is in range.

Signature: It wasn't tampered with.

For more information you can follow this MS documentation.

RahulKumarShaw
  • Hi @Rahul - Does this mean that when using Microsoft.Identity.Web we don't need to write any custom token validator or define dependencies in the ConfigureServices method? Does this middleware automatically take care of all default TokenValidationParameters as defined above? – semwal Sep 21 '22 at 07:36
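The checks listed in the answer above (signature, lifetime, audience, issuer) are all driven by the TokenValidationParameters that Microsoft.Identity.Web builds on the JwtBearer handler, so nothing has to be written by hand for them. The one item from the question that the bearer middleware does not check is the nonce: that is an ID-token check done by the OpenID Connect sign-in handler in a web app, and a web API validating a bearer access token has no nonce to compare against. The following is an added example, not code from the Azure sample or from Microsoft.Identity.Web itself, showing how to make those flags explicit, tighten the clock skew, and chain an extra check (a required scope) onto the handler's existing OnTokenValidated event without overwriting it. It assumes the same "AzureAd" configuration section the sample uses; the audience GUIDs and the scope name "access_as_user" are placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Same registration as in the question: reads the "AzureAd" section
        // and wires the JwtBearer handler with TokenValidationParameters built
        // from the tenant's OpenID Connect metadata (issuer, signing keys).
        services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
                .EnableTokenAcquisitionToCallDownstreamApi()
                .AddInMemoryTokenCaches();

        // Post-configure the named JwtBearer options that Microsoft.Identity.Web
        // registered. This runs after its own configuration, so the defaults are
        // already in place and can be inspected or tightened here.
        services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
        {
            TokenValidationParameters tvp = options.TokenValidationParameters;

            // These flags drive the checks listed in the answer. They are true by
            // default; setting them explicitly makes the policy visible in review.
            tvp.ValidateIssuerSigningKey = true; // signature, against keys from the JWKS endpoint
            tvp.ValidateLifetime = true;         // nbf and exp
            tvp.RequireExpirationTime = true;    // reject tokens with no exp at all
            tvp.ValidateAudience = true;         // aud must match ValidAudiences
            tvp.ValidateIssuer = true;           // iss; Microsoft.Identity.Web installs an
                                                 // AAD-aware IssuerValidator, so ValidIssuers
                                                 // is not needed for multi-tenant apps

            // The library default skew is 5 minutes; one minute is usually enough.
            tvp.ClockSkew = TimeSpan.FromMinutes(1);

            // Placeholder audiences (assumed values): AAD may emit either the
            // Application ID URI or the bare client ID as aud.
            tvp.ValidAudiences = new[]
            {
                "api://11111111-1111-1111-1111-111111111111",
                "11111111-1111-1111-1111-111111111111",
            };

            // Chain onto the handler's existing OnTokenValidated rather than replacing
            // it: Microsoft.Identity.Web registers its own handler there, and
            // assigning a new delegate outright would silently drop it.
            options.Events ??= new JwtBearerEvents();
            var existingOnTokenValidated = options.Events.OnTokenValidated;
            options.Events.OnTokenValidated = async context =>
            {
                await existingOnTokenValidated(context);

                // An example of a check the middleware does NOT do on its own:
                // require a specific delegated scope. AAD surfaces the scope claim
                // under either of these claim types depending on the claims mapping.
                ClaimsPrincipal principal = context.Principal ?? new ClaimsPrincipal();
                string scopes =
                    principal.FindFirst("http://schemas.microsoft.com/identity/claims/scope")?.Value
                    ?? principal.FindFirst("scp")?.Value
                    ?? string.Empty;

                bool hasScope = scopes
                    .Split(' ', StringSplitOptions.RemoveEmptyEntries)
                    .Contains("access_as_user"); // placeholder scope name

                if (!hasScope)
                {
                    // Fails authentication for this request; the handler returns 401.
                    context.Fail("Access token does not carry the required scope.");
                }
            };
        });
    }
}
```

The scope check is shown only to illustrate where application-specific validation goes; for the common case Microsoft.Identity.Web already ships the [RequiredScope] attribute and HttpContext.VerifyUserHasAnyAcceptedScope, which are preferable to hand-written claim parsing. Everything in the TokenValidationParameters block above is a tightening of defaults, not a replacement for them, which is the practical answer to the comment asking whether a custom token validator is needed.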