
I have working middleware using deprecated Azure AD authentication. It looks like this.

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
        },
    });

However, I switched to use OAuthBearerAuthenticationOptions:

app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
    AccessTokenFormat = new JwtFormat(new Microsoft.IdentityModel.Tokens.TokenValidationParameters
    {
        ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
        ValidIssuer = ConfigurationManager.AppSettings["ida:Tenant"], 
    })
});

When I try to call my API from Postman, secured with a valid Azure AD client credential flow bearer token, I get this error in the console window. Everything else is the same apart from the two differing code blocks, which use slightly different middleware. The Azure AD version works; the standard OWIN one complains.

Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Error: 0 : Authentication failed
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match keys: 
kid: '[PII is hidden]', 
token: '[PII is hidden]'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.Owin.Security.Jwt.JwtFormat.Unprotect(String protectedText)
   at Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.<AuthenticateCoreAsync>d__3.MoveNext()

It feels like the OWIN middleware cannot obtain the public signing key? I can't be sure. Do I have to grab it from somewhere and supply it directly, or something? If so, how, and where do I find it?

The audience and tenant look like this (actual GUIDs replaced with random GUIDs for this example):

<add key="ida:Audience" value="https://sslwebb2c.onmicrosoft.com/5016003D-29FE-4782-9041-49914444D94E"/>
<add key="ida:Tenant" value="C0B2D865-031C-4C85-9A5E-367D83F578D3"/>

I added this to the web.config to get debug output in the console window:

<system.diagnostics>
  <sources>
    <source name="Microsoft.Owin.Security" switchValue="Verbose">
      <listeners>
        <add name="console" />
      </listeners>
    </source>
    <source name="Microsoft.IdentityModel" switchValue="Verbose">
      <listeners>
        <add name="console" />
      </listeners>
    </source>
  </sources>
  <sharedListeners>
    <add name="console" type="System.Diagnostics.ConsoleTraceListener" initializeData="false" />
  </sharedListeners>
  <switches>
    <add name="Microsoft.IdentityModel" value="Verbose" />
    <add name="Microsoft.Owin.Security" value="Verbose" />
  </switches>
</system.diagnostics>
Dave D
SeanK
  • Seems to be a configuration issue, but there isn't enough information in the question to answer your problem without a lot of assumptions. My guess is your token is issued with https://contoso.b2clogin.com/contoso.onmicrosoft.com/ and it's trying to get the signature keys from the underlying AAD tenant https://login.microsoftonline.com/contoso.onmicrosoft.com. Try to follow this SO post that had a [similar issue](https://stackoverflow.com/questions/57014018/how-to-setup-app-useoauthbearerauthentication-for-handling-different-azure-b2c-c) – bolt-io Sep 01 '23 at 15:23
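The IDX10501 error in the question means the handler had no signing key whose `kid` matched the token header, which is what happens when `JwtFormat` is given only `TokenValidationParameters` and no source of keys. The example below is an added illustration, not code from the asker or from the Katana project: it supplies the keys through the `JwtFormat(TokenValidationParameters, IIssuerSecurityKeyProvider)` overload of Microsoft.Owin.Security.Jwt 4.x, with a small provider that reads both the issuer value and the current JWKS keys from the OpenID Connect discovery document of the authority that actually signed the token (for B2C, the policy-specific b2clogin.com metadata URL the comment above points at). The class name `DiscoveryIssuerSecurityKeyProvider`, the `ida:MetadataEndpoint` appSettings key and the `AppConfig` alias are assumptions introduced here.

```csharp
using System.Collections.Generic;
using System.Threading;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;
using Owin;
// Alias avoids confusion with Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.
using AppConfig = System.Configuration.ConfigurationManager;

// Hypothetical provider (assumed name): issuer and signing keys come from the
// discovery document of the signing authority, so a token minted by a different
// authority (e.g. the underlying AAD tenant instead of the B2C policy) fails
// issuer validation and never matches a key.
public class DiscoveryIssuerSecurityKeyProvider : IIssuerSecurityKeyProvider
{
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _configManager;

    public DiscoveryIssuerSecurityKeyProvider(string metadataEndpoint)
    {
        // ConfigurationManager<T> caches the document and refreshes it on its own
        // schedule, which is what keeps key rollover from breaking validation.
        _configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            metadataEndpoint, new OpenIdConnectConfigurationRetriever());
    }

    private OpenIdConnectConfiguration Current()
    {
        // JwtFormat.Unprotect is synchronous, so the provider must block here.
        return _configManager.GetConfigurationAsync(CancellationToken.None)
            .GetAwaiter().GetResult();
    }

    // Taken from the document rather than typed by hand, so it matches the
    // token's 'iss' claim exactly (B2C issuers are not the bare tenant GUID).
    public string Issuer => Current().Issuer;

    // Current JWKS keys; the handler picks the one whose kid matches the header.
    public IEnumerable<SecurityKey> SecurityKeys => Current().SigningKeys;
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Assumed appSettings key. For B2C the value has the shape
        // https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration
        var metadata = AppConfig.AppSettings["ida:MetadataEndpoint"];
        var keyProvider = new DiscoveryIssuerSecurityKeyProvider(metadata);

        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            // With a provider supplied, JwtFormat fills ValidIssuer and
            // IssuerSigningKeys from it; audience stays pinned to our API.
            AccessTokenFormat = new JwtFormat(
                new TokenValidationParameters
                {
                    ValidAudience = AppConfig.AppSettings["ida:Audience"],
                    ValidateAudience = true,
                    ValidateIssuer = true,
                    ValidateLifetime = true,
                },
                keyProvider)
        });
    }
}
```

To confirm the diagnosis before changing code, compare the `iss` claim of a token Postman sends with the `issuer` field of the metadata document you intend to point the middleware at; if they differ, the `kid` will never be found in that document's JWKS and the same IDX10501 trace will appear no matter which middleware is used.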

0 Answers