click2install - 9 months ago
C# Question

How to configure Azure AD OAuth2 using node-adal and OWIN?

How can I configure OWIN to authenticate an access token request, where the access token was obtained from Azure AD using node-adal?

Startup class below:

    app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        AllowedAudiences = new[]
        {
            ConfigurationManager.AppSettings["ida:ClientId"] // AAD clientid from registered application
        },
        IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
        {
            new SymmetricKeyIssuerSecurityTokenProvider(
                ConfigurationManager.AppSettings["ida:Issuer"], // <tenantid-guid>/ retrieved from AAD federationmetadata.xml
                TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["ida:ClientSecret"])) // AAD secret from registered application
        }
    });

Token response from node-adal below (implementation described here):

    {
      tokenType: "Bearer",
      expiresIn: 3599,
      expiresOn: "2016-10-19T13:49:47.649Z",
      resource: "spn:00000002-0000-0000-c000-000000000000",
      accessToken: "removed for brevity",
      refreshToken: "removed for brevity",
      userId: "",
      isUserIdDisplayable: true,
      familyName: "familyName",
      givenName: "givenName",
      identityProvider: "",
      oid: "oid-guid",
      tenantId: "tenantid-guid"
    }

The accessToken from the above node-adal response is sent using

    Authorization: Bearer accesstoken-here

to a secured endpoint using an attribute, which returns

    {"message":"Authorization has been denied for this request."}

EDIT to show the old and new approaches; the old one works, the new one does not.

    // this is new version (using clientsecret, aka AD web app)
    var issuer = ConfigurationManager.AppSettings["ida:Issuer"];
    var secret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["ida:ClientSecret"]);
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        AuthenticationType = OAuthDefaults.AuthenticationType,
        Provider = new OAuthBearerAuthenticationProvider(),
        AccessTokenFormat = new JwtFormat(
            new[] { ConfigurationManager.AppSettings["ida:ClientId"] },
            new IIssuerSecurityTokenProvider[] { new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret) })
    });

    // this is old version (not using clientsecret, aka AD native app), this works but all my code is in the Angular Single Page app, I am trying to move the auth code into the node server to secure all access
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidAudiences = new string[] { /* audience entries truncated in the original post */ }
        }
    });

Answer Source

We have a specific OWIN middleware for validating tokens from Azure AD:

    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Audience = ConfigurationManager.AppSettings["ida:Audience"],
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
        });


Check out the .NET samples at for more thorough guidance.
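As an added, complete illustration of the answer above (this is example code, not from the question, the answer or the Microsoft samples), here is a full OWIN `Startup` that protects a Web API controller with the Azure AD bearer middleware from `Microsoft.Owin.Security.ActiveDirectory`. Two things the question's symmetric-key attempt gets wrong are made explicit in comments: Azure AD signs access tokens with asymmetric keys that the middleware downloads from the tenant's federation metadata, so the registered application's client secret plays no part in validating a token; and the configured audience must equal the `aud` claim of the incoming token, which is the resource the node-adal client asked for, not automatically the API's client id. The `appSettings` keys `ida:Tenant` and `ida:Audience`, the namespace `WebApi` and the `MeController` route are assumptions for this example.

```csharp
// Added example, not code from the original question or answer.
// Assumed appSettings: ida:Tenant = tenant GUID or verified domain,
//                      ida:Audience = the App ID URI / client id the node-adal client requested.
using System;
using System.Configuration;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

[assembly: OwinStartup(typeof(WebApi.Startup))]

namespace WebApi
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    // The middleware fetches this tenant's federation metadata and
                    // validates the token signature against the published signing keys.
                    // No client secret is needed or used for validation.
                    Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        // Must match the "aud" claim in the token, i.e. the resource
                        // that node-adal acquired the token for.
                        ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
                        ValidateLifetime = true,
                        ClockSkew = TimeSpan.FromMinutes(2),
                    },
                });

            // Register Web API after the bearer middleware so [Authorize] sees the
            // ClaimsPrincipal the middleware produced.
            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }

    // Any request without a valid Azure AD bearer token for the configured
    // audience gets the 401 "Authorization has been denied for this request."
    [Authorize]
    [RoutePrefix("api/me")]
    public class MeController : ApiController
    {
        [HttpGet, Route("")]
        public IHttpActionResult Get()
        {
            var identity = (ClaimsIdentity)User.Identity;
            // Azure AD's stable user identifier; the same value node-adal returns as "oid".
            var oid = identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
            return Ok(new { user = identity.Name, oid });
        }
    }
}
```

When debugging a 401 from this setup, decode the token's payload (it is base64url JSON) and compare its `aud` and `tss` values against `ida:Audience` and `ida:Tenant` before suspecting the signing keys; in the question's response the resource is `spn:00000002-0000-0000-c000-000000000000`, so a token acquired that way carries that resource as its audience rather than the API's own client id.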