
Validating Azure AD token

I have an Angular app to which I added Azure Active Directory authentication, and I got Azure to return an access token with the user details.

I pass the AD token to my Web API (running on .NET 4.6.1) to check whether the user has already been registered, and I want to verify that the token is valid.

I've used the following code, but I am getting an error whenever I try to retrieve my configuration from ConfigurationManager:

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static async Task<SecurityToken> ValidateAzureAdTokenAsync(string token)
{
    string tenantId = "someguid"; // not including these guids in here
    var audience = "anotherguid";
    var issuer = $"https://login.microsoftonline.com/{tenantId}/v2.0";
    // OIDC discovery (metadata) endpoint the signing keys are fetched from
    var stsDiscoveryEndpoint = $"https://login.microsoft.com/{tenantId}/v2.0/.well-known/openid-configuration";
    var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());

    CancellationToken cancellationToken = new CancellationToken();
    var config = await configManager.GetConfigurationAsync(cancellationToken);

    var tokenHandler = new JwtSecurityTokenHandler();

    var validationParameters = new TokenValidationParameters
    {
        ValidAudience = audience,
        ValidIssuer = issuer,
        IssuerSigningKeys = config.SigningKeys,
        ValidateAudience = true,
        ValidateIssuerSigningKey = true,
        RequireExpirationTime = true,
        ValidateLifetime = true
    };

    // Throws a SecurityTokenException if the signature, issuer, audience or lifetime check fails
    tokenHandler.ValidateToken(token, validationParameters, out SecurityToken validatedToken);

    return validatedToken;
}

IOException: IDX20807: Unable to retrieve document from: 'https://login.microsoft.com/145fa4fc-d5f6-489c-affn-6407cca77ef0/v2.0/.well-known/openid-configuration'. HttpResponseMessage: 'StatusCode: 400, ReasonPhrase: 'Bad Request', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:

Am I missing something in Azure, or should I be getting the config some other way? Any direction would be appreciated.

  • The error IDX20807: Unable to retrieve document from: 'https://login.microsoft.com/145xxxxxxx7ccxxxxf0/v2.0/.well-known/openid-configuration' means: the OIDC metadata at https://login.microsoftonline.com/.well-known/openid-configuration is not valid, due to something being wrong in the web configuration or not being correctly configured in the application. Probably the authority parameter is not recognized properly.

I see you have given a wrong metadata URL: https://login.microsoft.com in place of https://login.microsoftonline.com.


Also you need to add "Authority" to the appsettings.json, which is the metadata URL; otherwise Instance and Domain must be given.

(authority format: "https://login.microsoftonline.com/<tenantId>")

"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "yourtenantdomain",
    "ClientId": "My Client Id",
    "TenantId": "<common or organizations>", // must be there in Multi Tenant application 
    "CallbackPath": "/signin-oidc"
  },

And try with .NET version 4.7 or later, and make sure to run with TLS version 1.2 or later.
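Putting the answer's three points together (the login.microsoftonline.com host, an explicit authority/issuer, and TLS 1.2 on .NET 4.6.1), here is an added example of a validator for a .NET Framework Web API. It is not code from the question or the answer; the tenant ID, the API's client ID, and the class and method names are placeholders I assume, and it adds two things the thread does not spell out: a single cached ConfigurationManager so the JWKS is not fetched on every request, and a one-time metadata refresh when Azure AD has rotated its signing keys.

```csharp
// Added example (not from the question or the answer): validating an Azure AD v2.0
// access token in a .NET Framework Web API with the corrected discovery host,
// a process-wide cached ConfigurationManager, and TLS 1.2 forced on for .NET 4.6.1.
// TenantId and ApiClientId are placeholder values (assumptions) you must replace.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class AzureAdTokenValidator
{
    // Placeholders: your directory (tenant) ID and the application ID of THIS API.
    private const string TenantId = "00000000-0000-0000-0000-000000000000";
    private const string ApiClientId = "11111111-1111-1111-1111-111111111111";

    // v2.0 issuer and discovery document. The STS host is login.microsoftonline.com;
    // login.microsoft.com answers 400, which surfaces as IDX20807 in the question.
    private static readonly string Issuer =
        $"https://login.microsoftonline.com/{TenantId}/v2.0";
    private static readonly string DiscoveryEndpoint =
        $"https://login.microsoftonline.com/{TenantId}/v2.0/.well-known/openid-configuration";

    // One ConfigurationManager per process: it caches the metadata and signing keys
    // and refreshes them on its own schedule, so the JWKS is not fetched per request.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> ConfigManager =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            DiscoveryEndpoint,
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever { RequireHttps = true });

    static AzureAdTokenValidator()
    {
        // .NET 4.6.1 does not opt in to TLS 1.2 by default and login.microsoftonline.com
        // requires it; .NET 4.7+ follows the OS default and does not need this line.
        ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
    }

    public static async Task<ClaimsPrincipal> ValidateAsync(
        string token, CancellationToken ct = default(CancellationToken))
    {
        var config = await ConfigManager.GetConfigurationAsync(ct).ConfigureAwait(false);

        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = true,
            // A v2.0 access token minted for this API carries aud = client ID; registrations
            // with an App ID URI emit "api://<clientId>". Accept both, nothing else: a token
            // issued for another resource (for example Microsoft Graph) must be rejected here.
            ValidAudiences = new[] { ApiClientId, $"api://{ApiClientId}" },
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = config.SigningKeys,
            RequireSignedTokens = true,
            RequireExpirationTime = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };

        var handler = new JwtSecurityTokenHandler();
        try
        {
            return handler.ValidateToken(token, parameters, out SecurityToken _);
        }
        catch (SecurityTokenSignatureKeyNotFoundException)
        {
            // Azure AD rotates signing keys. If the token's kid is unknown, force one
            // metadata refresh and retry once; any other failure propagates and the
            // caller answers 401.
            ConfigManager.RequestRefresh();
            config = await ConfigManager.GetConfigurationAsync(ct).ConfigureAwait(false);
            parameters.IssuerSigningKeys = config.SigningKeys;
            return handler.ValidateToken(token, parameters, out SecurityToken _);
        }
    }
}
```

Call ValidateAsync from wherever your Web API reads the Authorization header (an OWIN middleware or a DelegatingHandler) and map any SecurityTokenException to a 401. The audience check is the part that matters most for the question's flow: the token the Angular app receives must have been requested for this API's scope, because a Graph or ID token will fail the aud check even though it is signed by the same tenant.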

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM