How to Authenticate to .NET Core 2.1 API using Azure AD Access Token

Question

I have a .NET Core 2.1 Web MVC API app running that is using Azure AD to authenticate. Works great, I can log in using a Azure AD account with no issues. I have another .NET application that I want to be able to make API calls to this app. I have a working class, using Oauth2 Client Credentials to AD I get a Access Token. I have tried passing the Access Token via Postman several different ways with no luck. I tried making a class to pass it:

        public string GetProjects()
       {
           string token = GetToken();
           HttpClient client = new HttpClient();
           client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
           var response = client.GetAsync("https://localhost:5001/Jira/GetAllProjects").Result;
           string result = string.Empty;

           if (response.IsSuccessStatusCode)
           {

               result = response.Content.ReadAsStringAsync().Result;
           }
           return result;
       }

However it always just forwards me to the login page. Here is the Startup of the hosting API app:

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OAuth.Claims;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using System.Security.Claims;

namespace CIM
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.Configure<CookiePolicyOptions>(options =>
            {
                // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                options.CheckConsentNeeded = context => true;
                options.MinimumSameSitePolicy = SameSiteMode.None;
            });

            services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
                .AddAzureAD(options => Configuration.Bind("AzureAd", options));


            services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
            {
                options.Authority = options.Authority + "/v2.0/";

                               options.TokenValidationParameters.ValidateIssuer = false;
            });



            services.AddMvc(options =>
            {
                var policy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
                options.Filters.Add(new AuthorizeFilter(policy));
            })
            .SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                app.UseHsts();
            }

            app.UseHttpsRedirection();
            app.UseStaticFiles();
            app.UseCookiePolicy();

            app.UseAuthentication();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });
        }
    }
}

What am I missing to enable me to log into the .NET API using the Access Token?

Answer 1

As junnas said, you need to configure the API to use bearer token authentication.

You could add this configuration for the middleware needed to validate the tokens :

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    Authority = "resource_uri",
    RequireHttpsMetadata = false,
    ApiName = "xxxxxx"
});

For the code sample, you could refer to: ASP.NET Core WebAPI secured using OAuth2 Client Credentials .

Answer 2

You can use the AddJwtBearer to validate the access token in your web api :

 services
.AddAuthentication(o =>
{
    o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(o =>
{
    o.Authority = Configuration["Authentication:Authority"];
    o.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
    {
        // Both App ID URI and client id are valid audiences in the access token
        ValidAudiences = new List<string>
        {
            Configuration["Authentication:AppIdUri"],
            Configuration["Authentication:ClientId"]
        }
    };
});

And don't forget to add:

app.UseAuthentication();

Another way is to use the Azure AD Web API template : New ASP.NET Core application -->Choose API template -->change authentication-->Work or School Account -->choose your tenant and the template will help config your application .