
Validating Azure AD B2C JWT in a .NET MVC application

I am having trouble fully understanding if my application login feature is performing as expected. The main problem I have is that I cannot verify if the token coming from Azure AD B2C is being validated. I can log in just fine, and the application will show me the contents of the token through looping ClaimsPrincipal.Current.Claims, but I have not been able to figure out how to capture anything between logging in through my Azure AD B2C endpoint, and my MVC application accepting the token and logging me in to my MVC app.

I started by going to Create New Project > ASP.NET Web Application (.NET) > .NET Framework 4.7.2 > Use Authentication. In the settings for authentication, I used the following options:

  • Work or School accounts
  • Cloud - Single Organization
  • Domain: My onmicrosoft.com domain

My Startup.Auth.cs has been modified a bit to look like this:

    using System.Configuration;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public partial class Startup
    {
        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
        private static string wellKnownMetadata = ConfigurationManager.AppSettings["ida:WellKnownMetadataUrl"];
        private static string issuer = ConfigurationManager.AppSettings["ida:Issuer"];

        public void ConfigureAuth(IAppBuilder app)
        {
            // Sign the user in with a cookie once the OpenID Connect handshake succeeds.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    // B2C discovery document: supplies the signing keys and issuer.
                    MetadataAddress = wellKnownMetadata,
                    ResponseType = OpenIdConnectResponseType.IdToken,
                    ClientId = clientId,
                    RedirectUri = postLogoutRedirectUri,
                    PostLogoutRedirectUri = postLogoutRedirectUri,
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        NameClaimType = "name",
                        ValidateLifetime = true,
                        ValidateTokenReplay = true,
                        RequireSignedTokens = true,
                        ValidIssuer = issuer,
                        ValidAudience = clientId,
                        ValidateIssuer = true,
                        ValidateAudience = true
                    }
                });
        }
    }

The Sign In button code is:

    using System.Web;
    using System.Web.Mvc;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.OpenIdConnect;

    public class AccountController : Controller
    {
        public void SignIn()
        {
            // Send an OpenID Connect sign-in request; return to "/" afterwards.
            if (!Request.IsAuthenticated)
            {
                HttpContext.GetOwinContext().Authentication.Challenge(
                    new AuthenticationProperties { RedirectUri = "/" },
                    OpenIdConnectAuthenticationDefaults.AuthenticationType);
            }
        }
    }

When I check the requests after logging in to my B2C endpoint, I see two entries. One is a 302 POST to my post logout redirect URI with the id_token that I am trying to validate, and the other is a 200 response to my homepage courtesy of { RedirectUri = "/" }. The 302 response contains the token, but the 200 response is all I see in the browser. Somehow the application is capturing the token from the 302 response (I think) and redirects me to the homepage, and I never get to interact with the token. I have changed the ValidIssuer value to something that is definitely not valid, but I never see any indication that the validation check failed (though it should in that case).

The Notifications property for the OpenIdConnectAuthenticationOptions class of type OpenIdConnectAuthenticationNotifications enables you to handle events as the OpenID Connect messages are processed in the authentication middleware.

For example, the SecurityTokenReceived delegate for the OpenIdConnectAuthenticationNotifications class is invoked after the ID token is received from Azure AD B2C but before it is validated.
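As an added example (not part of the question or the answer above), here is the question's ConfigureAuth with the Notifications the answer describes wired up, so each stage of ID token handling becomes observable: the raw token before validation, the identity after validation, and any validation failure. It assumes the same ida:* appSettings keys as the question; the /Error route it redirects to on failure is a placeholder for whatever error page the app has.

```csharp
using System;
using System.Configuration;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Same appSettings keys as in the question (assumed to exist in Web.config).
    private static readonly string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static readonly string redirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
    private static readonly string wellKnownMetadata = ConfigurationManager.AppSettings["ida:WellKnownMetadataUrl"];
    private static readonly string issuer = ConfigurationManager.AppSettings["ida:Issuer"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            MetadataAddress = wellKnownMetadata,
            ResponseType = OpenIdConnectResponseType.IdToken,
            ClientId = clientId,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                ValidateLifetime = true,
                RequireSignedTokens = true,
                ValidateIssuer = true,
                ValidIssuer = issuer,
                ValidateAudience = true,
                ValidAudience = clientId
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // 1. The raw id_token is in hand; signature, issuer, audience and
                //    lifetime have NOT been checked yet. A breakpoint here lets you
                //    inspect n.ProtocolMessage.IdToken. Only the length is logged:
                //    a raw token in a log file is a reusable credential.
                SecurityTokenReceived = n =>
                {
                    Trace.TraceInformation("id_token received ({0} chars), not yet validated",
                        n.ProtocolMessage.IdToken?.Length ?? 0);
                    return Task.FromResult(0);
                },

                // 2. The token passed every check in TokenValidationParameters; this is
                //    the ClaimsIdentity about to be written into the auth cookie.
                SecurityTokenValidated = n =>
                {
                    var identity = n.AuthenticationTicket.Identity;
                    Trace.TraceInformation("id_token validated for '{0}' ({1} claims)",
                        identity.Name, identity.Claims.Count());
                    return Task.FromResult(0);
                },

                // 3. Any validation failure (bad signature, wrong audience, expired,
                //    issuer not accepted) arrives here with the exception. Without a
                //    handler it surfaces as an unhandled exception, not as a clear signal.
                AuthenticationFailed = n =>
                {
                    Trace.TraceError("OpenID Connect authentication failed: {0}", n.Exception.Message);
                    n.HandleResponse(); // stop the middleware from rethrowing
                    n.Response.Redirect("/Error?reason=" + Uri.EscapeDataString(n.Exception.GetType().Name)); // placeholder route
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

Two details worth knowing when you use this to test the negative case: the OWIN middleware adds the issuer published in the metadata document to the set of accepted issuers alongside ValidIssuer, so a bogus ValidIssuer on its own does not make a B2C token fail; pointing ValidAudience at the wrong client ID does, and the failure then shows up in AuthenticationFailed rather than passing unnoticed. ValidateTokenReplay from the question is left out because that check is only enforced when a TokenReplayCache is also configured.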
