
How to Validate appid of the Azure AD Access

We have a .NET Core application which performs JWT token authentication. This application is registered in Azure AD with a client ID of abcde and an API scope of api://abcde. Our tenant has other applications registered, one of which has a client ID of fghij. What I noticed is that if I use this client ID with its secret and the API scope api://abcde, I am able to generate an access token and access the APIs under this scope.

services.AddAuthentication(options =>
{
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    // Authority points at the tenant so signing keys are discovered from its OIDC metadata.
    options.Authority = $"{Configuration.GetValue<string>("AzureAD:Instance")}/{Configuration.GetValue<string>("AzureAD:TenantId")}/";
    options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
    {
        // Only the audience (our API) and the issuer (our tenant) are checked here;
        // nothing restricts which client application in the tenant may call the API.
        ValidAudience = Configuration.GetValue<string>("AzureAD:Audience"),
        ValidIssuer = $"https://sts.windows.net/{Configuration.GetValue<string>("AzureAD:TenantId")}"
    };
});

The solution I have in mind is to validate the appid field in the access token. How can I achieve this? Basically, I want to make sure that only client ID abcde can request an access token for scope api://abcde.

"aio": "abcde=",
"appid": "abcde", //client id of the application in Azure AD
"appidacr": "1",

You can get ClaimsPrincipal first and then use

ClaimsPrincipal.Current.FindFirst("appid").Value

to get the value of the appid field. Then check whether the value equals your specified app ID.

You can change the default Authorization policy to validate the appid claim. Out of the box, the default policy is:

new AuthorizationPolicyBuilder()
    .RequireAuthenticatedUser()
    .Build();

You can change it to:

builder.Services.AddAuthorization(options =>
{
    options.DefaultPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireClaim("appid", "allowedApp1", "allowedApp2")
        .Build();
});

For reference, see Setting global authorization policies using the DefaultPolicy and the FallbackPolicy in ASP.NET Core 3.x.
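The following is an added example that combines the two answers above into one complete configuration; it is not code from the question or from either answer. It assumes .NET 6+ minimal hosting with the Microsoft.AspNetCore.Authentication.JwtBearer package, and it assumes a configuration key AzureAD:AllowedClientIds (not mentioned on the page) that lists the client IDs permitted to call the API. It goes slightly beyond the page in two ways: the caller check runs inside the JwtBearer OnTokenValidated event, so a token from an unlisted application is rejected at authentication time rather than only where a policy is applied, and it accepts the caller ID from either the appid claim (Azure AD v1.0 access tokens) or the azp claim (v2.0 access tokens). The audience and issuer checks from the question are kept, with validation explicitly switched on.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed config key (not from the original page). "abcde" is the client ID from the question
// and is used only as the fallback when no allow-list is configured.
string[] allowedClientIds = builder.Configuration
    .GetSection("AzureAD:AllowedClientIds").Get<string[]>() ?? new[] { "abcde" };

string instance = builder.Configuration["AzureAD:Instance"]!;  // e.g. https://login.microsoftonline.com
string tenantId = builder.Configuration["AzureAD:TenantId"]!;
string audience = builder.Configuration["AzureAD:Audience"]!;  // e.g. api://abcde

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Signing keys and metadata are discovered from the tenant's OIDC endpoint.
        options.Authority = $"{instance}/{tenantId}/";

        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Pin the audience: the token must have been issued for this API.
            ValidateAudience = true,
            ValidAudience = audience,
            // Pin the issuer: the token must come from our tenant.
            // v1.0 tokens use the sts.windows.net issuer with a trailing slash.
            ValidateIssuer = true,
            ValidIssuer = $"https://sts.windows.net/{tenantId}/",
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
        };

        options.Events = new JwtBearerEvents
        {
            // Runs after signature, issuer, audience and lifetime checks have passed.
            // Audience alone does not say *which* application in the tenant obtained the
            // token, so the caller's client ID is checked here against the allow-list.
            OnTokenValidated = ctx =>
            {
                ClaimsPrincipal? principal = ctx.Principal;
                string? callerClientId =
                    principal?.FindFirst("appid")?.Value   // v1.0 access token
                    ?? principal?.FindFirst("azp")?.Value; // v2.0 access token

                if (callerClientId is null
                    || !allowedClientIds.Contains(callerClientId, StringComparer.Ordinal))
                {
                    // ctx.Fail turns the request into a 401 even though the token itself is valid.
                    ctx.Fail($"Calling application '{callerClientId ?? "<none>"}' is not permitted to use this API.");
                }
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Default policy for [Authorize] endpoints; the caller check already happened above.
    options.DefaultPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
    // Fallback policy so endpoints that forgot [Authorize] are still protected.
    options.FallbackPolicy = options.DefaultPolicy;
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/api/ping", (ClaimsPrincipal user) =>
    Results.Ok(new { caller = user.FindFirst("appid")?.Value ?? user.FindFirst("azp")?.Value }))
   .RequireAuthorization();

app.Run();
```

If you prefer to keep the check purely in authorization, as in the second answer, replace the OnTokenValidated handler with a policy built from .RequireAssertion(c => allowedClientIds.Contains(c.User.FindFirst("appid")?.Value ?? c.User.FindFirst("azp")?.Value)); the event-based variant is used here because it also protects endpoints that are only covered by the fallback policy and fails before any endpoint code runs.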
