click2install click2install - 1 month ago 29
C# Question

How to configure Azure AD OAuth2 using node-adal and OWIN?

How can I configure the OWIN to authenticate an accesstoken request that was collected from Azure AD using node-adal?

Startup class below:

app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new []
{
ConfigurationManager.AppSettings["ida:ClientId"] // AAD clientid from registered application
},
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(
ConfigurationManager.AppSettings["ida:Issuer"], // https://sts.windows.net/<tenantid-guid>/ retrieved from AAD federationmetadata.xml
TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["ida:ClientSecret"]) // AAD secret from registered application
)
}
});


Token response from node-adal below:
implementation described here

{
tokenType: "Bearer",
expiresIn: 3599,
expiresOn: "2016-10-19T13:49:47.649Z",
resource: "spn:00000002-0000-0000-c000-000000000000",
accessToken: "removed for brevity",
refreshToken: "removed for brevity",
userId: "user@domain.com",
isUserIdDisplayable: true,
familyName: "familyName",
givenName: "givenName",
identityProvider: "live.com",
oid: "oid-guid",
tenantId: "tenantid-guid"
}


The
accesstoken
from the above node-adal response is sent using

Authorization: Bearer accesstoken-here


to a secured endpoint using an
[Authorize]
attribute which returns

{"message":"Authorization has been denied for this request."}


EDIT to show old and new approach's, old works - new does not

// this is new version (using clientsecret, aka AD web app)
var issuer = ConfigurationManager.AppSettings["ida:Issuer"];
var secret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["ida:ClientSecret"]);
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AuthenticationType = OAuthDefaults.AuthenticationType,
Provider = new OAuthBearerAuthenticationProvider(),
AccessTokenFormat = new JwtFormat(
new[] { ConfigurationManager.AppSettings["ida:ClientId"] },
new IIssuerSecurityTokenProvider[] { new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret) }
)
});

// this is old version (not using clientsecret, aka AD native app), this works but all my code is in the Angular Single Page app, I am trying to move the auth code into the node server to secure all access
app.UseWindowsAzureActiveDirectoryBearerAuthentication(new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
TokenValidationParameters = new TokenValidationParameters
{
ValidAudiences = new[]
{
ConfigurationManager.AppSettings["ida:AudienceImplicit"],
ConfigurationManager.AppSettings["ida:AudienceDaemon"]
}
}
});

Answer

We have a specific OWIN middleware for validating tokens from Azure AD:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Audience = ConfigurationManager.AppSettings["ida:Audience"],
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],

    }
);

Check out the .NET samples at aka.ms/aaddev for more thorough guidance.