ASP.NET Core MVC Authenticate User to Azure AD then create JWT Bearer Token to call Web API

Question

I am building an ASP.NET Core Web API that will be secured by Azure AD (secured via app.UseJwtBearerAuthentication )

I am building an ASP.NET Core MVC controller (secured by app.UseOpenIdConnectAuthentication ) which calls that WebAPI .

I am trying to implement the authentication flow as described in the OpenID Connect Basic Client Implementer ’s guide.

The sample code I find for this pattern.

one example is here:

/active-directory-dotnet-webapp-webapi-openidconnect/blob/master/TodoListWebApp/App_Start/Startup.Auth.cs)

is using .NET (not .NET Core ) with OWIN .

You use the OnAuthorizationCodeReceived method and call AcquireTokenByAuthorizationCodeAsynch to get the token you'll use in your request to the WebAPI.

When I try to build the analogous pattern in ASP.NET Core MVC , I see the following:

1. When I configure MVC's app. UseOpenIdConnectAuthentication with defaults, then I can log into the system, but I don't get an authorization code back. The Event that fires for me is the OnTokenValidated event instead of the AuthorizationCodeReceived event shown above. It has an identity and a token, which is great.
2. When I configure MVC's app. UseOpenIdConnectAuthentication response-type = “code” , then I get a code back, the OnAuthorizationCodeReceived event fires, but I get no identity back.

[My azure application manifest was set up for oauth2AllowImplicitFlow: true . In this case, the user authentication and token generation are compressed into a single step, which is not as secure as I need, so I set to false.]

After further investigation, I learned that the Asp.Net Core infrastructure is designed to handle multiple separate authentication middleware entries, and that

Microsoft.AspNetCore.Authentication.JwtBearer / JwtBearerHandler.cs

is coded to throw a 'not allowed' error if you try to use the SignIn workflow with a JwtBearer configuration.

Therefore, it looks like I will have to follow that multiple middle ware approach. One cookie-based middleware for the login, and one bearer-token-based middleware for the bearer token to access services linked to this App. (instead of the model from the OWIN sample where the call the to service is done after receiving the authentication code)

This feature (multiple authentication middlewares) is described in https://docs.asp.net/en/latest/security/authorization/limitingidentitybyscheme.html

Does anyone have an example for this? Or am I still thinking about this wrong?

Answer 1

If you need to obtain also identity along with code you should specify this with your request => response_type=code+id_token .

After retrieving both I hope you are going to be able to set cookie for your user and also to request client authentication and token.

I am pretty sure exact scenario is described in Authorize access to web applications using OpenID Connect and Azure Active Directory .