#token authentication

The supply code for this tutorial is obtainable on GitHub.

The Web API has been revealed on Azure App Providers, so be happy to attempt it out using the Base URL (https://aadb2cresourceapi.azurewebsites.net/)

Secure ASP.NET Web API 2 using Azure AD B2C

In the previous publish, we have now configured all the wanted insurance policies in our Azure AD B2C tenant and the Reply URLs. In this Submit, we’ll reconfigure the Web API we’ve got created in the previous publish so it relays on the Azure AD B2C IdP we created to secure it and our Web API will only accept and belief tokens issued by our Azure AD BC IdP.

So let’s begin implementing those modifications on the Web API.

Step 1: Configure Web API to use Azure AD B2C tenant IDs and Policies

Now we need to modify the online.config for our Web API by adding the under keys, so open Web.config and add the under AppSettings keys:

The values for these keys as the following:

“ida:AadInstance” value accommodates the metadata discovery endpoint for each coverage, this endpoint will probably be used internally by the middle-wares which we’ll add in the subsequent steps to validate the JWT tokens.

“ida:Tenant” value accommodates the URL for our Azure AD B2C tenant we now have already outlined within the previous submit.

“ida:ClientId” worth incorporates the App shopper Id we now have already registered with our Azure AD Bb2C tenant.

“ida:SignUpPolicyId” value incorporates the identify of the signup policy we already created.

“ida:SignInPolicyId” worth accommodates the identify of the Signin policy we already created.

“ida:UserProfilePolicyId” worth accommodates the identify of the Create profile coverage we already created.

Step 2: Add the additional NyGet packages to the Web API undertaking

Open NuGet Package deal Supervisor Console and set up/replace the under packages:

Install-Package deal Microsoft.Owin.Safety.OAuth -Model 3.0.1 Set up-Package deal Microsoft.Owin.Security.Jwt -Model three.zero.1 Update-Package deal System.IdentityModel.Tokens.Jwt -version 4.zero.2.206221351 Install-Package deal Microsoft.IdentityModel.Protocol.Extensions

Set up-Package deal Microsoft.Owin.Safety.OAuth -Version three.0.1

Install-Package deal Microsoft.Owin.Safety.Jwt -Version 3.zero.1

Update-Package deal System.IdentityModel.Tokens.Jwt -version 4.0.2.206221351

Install-Package deal Microsoft.IdentityModel.Protocol.Extensions

The packages we’ve got put in is answerable for configuring our API to make use of OAuth bearer token for cover as nicely we’ve added the packages which are answerable for validating, parsing and decoding JWT tokens.

I had to downgrade the package deal “System.IdentityModel.Tokens.Jwt” to the model “4.0.2.206221351” as the newer version of it showed breaking compatibility with other packages, I’ll control it and replace the publish accordingly if there are new updates.

lastly, we need to add manually using “Add reference” dialog a reference for the meeting “System.IdentityModel” v4, I’m unsure if there’s something incorrect with these NuGet packages which overlook to include this dependency by default. I will regulate this too and replace the submit if there is a change.

Step three: Configure the Startup class

Now we have to configure our API to depend on the Azure AD B2C IdP we already created, this is an important step in configuring the Web API to trust tokens issued by our Azure AD b2C IdP, our Web API will have the ability to eat solely JWT tokens issued by the trusted IdP and issued for a specific shopper only (The app we registered in the earlier publish “Bitoftech Demo App”).

To take action, open the “Startup” class for the Web API and exchange all of the content with under code, a lot of the modifications has been launched in technique “ConfigureOAuth” which I will describe what happen within the subsequent paragraph.

public class Startup

// These values are pulled from net.config public static string aadInstance = ConfigurationManager.AppSettings[“ida:AadInstance”]; public static string tenant = ConfigurationManager.AppSettings[“ida:Tenant”]; public static string clientId = ConfigurationManager.AppSettings[“ida:ClientId”]; public static string signUpPolicy = ConfigurationManager.AppSettings[“ida:SignUpPolicyId”]; public static string signInPolicy = ConfigurationManager.AppSettings[“ida:SignInPolicyId”]; public static string editProfilePolicy = ConfigurationManager.AppSettings[“ida:UserProfilePolicyId”];

public void Configuration(IAppBuilder app)

HttpConfiguration config = new HttpConfiguration();

// Web API routes config.MapHttpAttributeRoutes();

ConfigureOAuth(app);

app.UseWebApi(config);

public void ConfigureOAuth(IAppBuilder app)

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signUpPolicy)); app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signInPolicy)); app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(editProfilePolicy));

personal OAuthBearerAuthenticationOptions CreateBearerOptionsFromPolicy(string coverage)

var metadataEndpoint = string.Format(aadInstance, tenant, policy);

TokenValidationParameters tvps = new TokenValidationParameters

// That is the place you specify that your API solely accepts tokens from its personal shoppers ValidAudience = clientId, AuthenticationType = policy, NameClaimType = “http://schemas.microsoft.com/identity/claims/objectidentifier” ;

return new OAuthBearerAuthenticationOptions

// This SecurityTokenProvider fetches the Azure AD B2C metadata & signing keys from the OpenIDConnect metadata endpoint AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(metadataEndpoint)) ;

1

2

3

four

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

public class Startup

// These values are pulled from net.config

public static string aadInstance = ConfigurationManager.AppSettings[“ida:AadInstance”];

public static string tenant = ConfigurationManager.AppSettings[“ida:Tenant”];

public static string clientId = ConfigurationManager.AppSettings[“ida:ClientId”];

public static string signUpPolicy = ConfigurationManager.AppSettings[“ida:SignUpPolicyId”];

public static string signInPolicy = ConfigurationManager.AppSettings[“ida:SignInPolicyId”];

public static string editProfilePolicy = ConfigurationManager.AppSettings[“ida:UserProfilePolicyId”];

public void Configuration(IAppBuilder app)

HttpConfiguration config = new HttpConfiguration();

// Web API routes

config.MapHttpAttributeRoutes();

ConfigureOAuth(app);

app.UseWebApi(config);

public void ConfigureOAuth(IAppBuilder app)

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signUpPolicy));

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signInPolicy));

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(editProfilePolicy));

personal OAuthBearerAuthenticationOptions CreateBearerOptionsFromPolicy(string policy)

var metadataEndpoint = string.Format(aadInstance, tenant, coverage);

TokenValidationParameters tvps = new TokenValidationParameters

// That is where you specify that your API only accepts tokens from its own shoppers

ValidAudience = clientId,

AuthenticationType = coverage,

NameClaimType = “http://schemas.microsoft.com/identity/claims/objectidentifier”

;

return new OAuthBearerAuthenticationOptions

// This SecurityTokenProvider fetches the Azure AD B2C metadata &#zero38; signing keys from the OpenIDConnect metadata endpoint

AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(metadataEndpoint))

;

What we’ve got carried out is the next:

We’ve got configured our API to eat and belief JWT tokens issued by our IdP (“BitofTechDemo.onmicrosoft.com”) for a selected shopper (“bc348057-3c44-42fc-b4df-7ef14b926b78”) This shopper represents the app we already registered, as properly it should only accept JWT tokens for the three policies we already defined and named “B2C_1_signup”, “B2C_1_Signin”, and “B2C_1_Editprofile”. Another JWT tokens don’t meet these criteria can be rejected and 401 HTTP response is returned to the requestor.

Again to the Metadata Discovery Endpoint we mentioned earlier, this endpoint is auto generated by our IdP and it is extremely essential for our API to acquire the “Signing Tokens Keys” from it; to be able to validate the JWT signature and trust this JWT token and send a response to the requestor. This finish point is constructed at run time, for instance, the metadata endpoint for the “B2C_1_signin” can be as the comply with: https://login.microsoftonline.com/BitofTechDemo.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signin feel free to click on the hyperlink and observe the info returned.

A nice trick right here that I’ve configured the “NameClaimType” of the “TokenValidationParameters” to make use of the claim named “objectidentifer” (“oid”) This can facilitate studying the distinctive consumer id for the authenticated consumer contained in the controllers, all we need to name now contained in the controller is: “User.Identity.Name” as an alternative of querying the claims collection each time.

The last thing we need to add to the “Startup” class is a brand new class named “OpenIdConnectCachingSecurityTokenProvider”, this class might be answerable for communicating with the “Metadata Discovery Endpoint” and problem HTTP requests to get the signing keys that our API will use to validate signatures from our IdP, those keys exists within the jwks_uri which may read from the invention endpoint. So as to add this class create a brand new class named “OpenIdConnectCachingSecurityTokenProvider” and paste the code under:

// This class is important as a result of the OAuthBearer Middleware does not leverage // the OpenID Connect metadata endpoint uncovered by the STS by default. public class OpenIdConnectCachingSecurityTokenProvider : IIssuerSecurityTokenProvider

public ConfigurationManager _configManager; personal string _issuer; personal IEnumerable _tokens; personal readonly string _metadataEndpoint;

personal readonly ReaderWriterLockSlim _synclock = new ReaderWriterLockSlim();

public OpenIdConnectCachingSecurityTokenProvider(string metadataEndpoint)

_metadataEndpoint = metadataEndpoint; _configManager = new ConfigurationManager(metadataEndpoint);

RetrieveMetadata();

///

/// Gets the issuer the credentials are for. ///

/// /// The issuer the credentials are for. /// public string Issuer

get

RetrieveMetadata(); _synclock.EnterReadLock(); attempt

return _issuer;

lastly

_synclock.ExitReadLock();

///

/// Gets all recognized security tokens. ///

/// /// All recognized security tokens. /// public IEnumerable SecurityTokens

get

RetrieveMetadata(); _synclock.EnterReadLock(); attempt

return _tokens;

finally

_synclock.ExitReadLock();

personal void RetrieveMetadata()

_synclock.EnterWriteLock(); attempt

OpenIdConnectConfiguration config = Activity.Run(_configManager.GetConfigurationAsync).Outcome; _issuer = config.Issuer; _tokens = config.SigningTokens;

lastly

_synclock.ExitWriteLock();

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

// This class is important because the OAuthBearer Middleware does not leverage

// the OpenID Join metadata endpoint uncovered by the STS by default.

public class OpenIdConnectCachingSecurityTokenProvider : IIssuerSecurityTokenProvider

public ConfigurationManager _configManager;

personal string _issuer;

personal IEnumerable _tokens;

personal readonly string _metadataEndpoint;

personal readonly ReaderWriterLockSlim _synclock = new ReaderWriterLockSlim();

public OpenIdConnectCachingSecurityTokenProvider(string metadataEndpoint)

_metadataEndpoint = metadataEndpoint;

_configManager = new ConfigurationManager(metadataEndpoint);

RetrieveMetadata();

///

/// Will get the issuer the credentials are for.

///

///

/// The issuer the credentials are for.

///

public string Issuer

get

RetrieveMetadata();

_synclock.EnterReadLock();

attempt

return _issuer;

finally

_synclock.ExitReadLock();

///

/// Gets all recognized security tokens.

///

///

/// All recognized safety tokens.

///

public IEnumerable SecurityTokens

get

RetrieveMetadata();

_synclock.EnterReadLock();

attempt

return _tokens;

finally

_synclock.ExitReadLock();

personal void RetrieveMetadata()

_synclock.EnterWriteLock();

attempt

OpenIdConnectConfiguration config = Activity.Run(_configManager.GetConfigurationAsync).End result;

_issuer = config.Issuer;

_tokens = config.SigningTokens;

finally

_synclock.ExitWriteLock();

Step 4: Add protected controller for testing

Now we’ll add an (non-compulsory) class which reads all of the decoded claims in the JWT token and return them within the response, observe that we’ve got protected our controller by the [Authorize] attribute so solely valid JWT tokens shall be accepted to serve the request and return response, to do so add new controller named “ProtectedController” beneath folder Controllers and paste the code under:

[Authorize] [RoutePrefix(“api/protected”)]

public class ProtectedController : ApiController

[Route(“”)] public IEnumerable Get()

var id = Consumer.Id as ClaimsIdentity;

var userName = id.Identify;

return id.Claims.Choose(c => new

Sort = c.Sort, Value = c.Worth );

1

2

3

four

5

6

7

eight

9

10

11

12

13

14

15

16

17

18

[Authorize]

[RoutePrefix(“api/protected”)]

public class ProtectedController : ApiController

[Route(“”)]

public IEnumerable Get()

var id = Consumer.Id as ClaimsIdentity;

var userName = id.Identify;

return id.Claims.Choose(c => new

Sort = c.Sort,

Worth = c.Worth

);

We’ll check the controller within the next steps.

Step 5: Modify the “OrdersController” we created within the previous submit

Now we need to do a very little change on the “OrdersController” by including the [Authorize] attribute on the controller to guard it, as properly to read the unique authenticated consumer id from the declare and retailer it in Azure Table Storage as an alternative of the fastened worth we defined earlier within the previous publish. The change could be very simple and ought to be as the under snippet, a lot of the code is omitted so simply add/exchange the lacking elements as the under:

[Authorize] [RoutePrefix(“api/Orders”)]

public class OrdersController : ApiController

[Route(“”)] public IHttpActionResult Get()

//This can be learn from the entry token claims. var userId = Consumer.Id.Identify;

// code ommited for brevity

[Route(“”)] public IHttpActionResult Submit (OrderModel order)

//This shall be learn from the access token claims. var userId = Consumer.Id.Identify;

// code ommited for brevity

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

[Authorize] [RoutePrefix(“api/Orders”)]

public class OrdersController : ApiController

[Route(“”)]

public IHttpActionResult Get()

//This will probably be learn from the access token claims.

var userId = Consumer.Id.Identify;

// code ommited for brevity

[Route(“”)]

public IHttpActionResult Publish (OrderModel order)

//This shall be read from the access token claims.

var userId = Consumer.Id.Identify;

// code ommited for brevity

Step 6: Testing out the protected controllers

Last item we have to do here is to obtain a JWT token from out IdP by executing one of many insurance policies we have now outlined, then sending the JWT token in the Authorization header for one among out API endpoints, if all is sweet we should always access the API and return the protected assets.

To do that I have choose the policy Sign up from Azure AD B2C tenant and clicked on “Run now” button,  a brand new window will open and you provide a legitimate credentials, then a redirect will happen to the defined Reply URL and you may acquire the token manually by copying it, then you might want to ship the token to the top level “api/protected” or “api/orders” within the authorization header using the bearer scheme. The request will look because the under picture:

GET Request to the “Api/orders” endpoint to listing all the orders assigned to the consumer with e mail “[email protected]”

Notice: This guide testing demonstrated right here is just for testing purposes, in the subsequent submit you will notice how we’ll add an MVC software which might be liable for executing the policies, get hold of JWT tokens, create the session for the authenticated users, and entry the protected API assets.

The Supply code for this tutorial is on the market on GitHub.

Comply with me on Twitter @tjoudeh

The supply code for this tutorial is obtainable on GitHub.

The Web API has been revealed on Azure App Providers, so be happy to attempt it out using the Base URL (https://aadb2cresourceapi.azurewebsites.net/)

Secure ASP.NET Web API 2 using Azure AD B2C

In the previous publish, we have now configured all the wanted insurance policies in our Azure AD B2C tenant and the Reply URLs. In this Submit, we’ll reconfigure the Web API we’ve got created in the previous publish so it relays on the Azure AD B2C IdP we created to secure it and our Web API will only accept and belief tokens issued by our Azure AD BC IdP.

So let’s begin implementing those modifications on the Web API.

Step 1: Configure Web API to use Azure AD B2C tenant IDs and Policies

Now we need to modify the online.config for our Web API by adding the under keys, so open Web.config and add the under AppSettings keys:

The values for these keys as the following:

“ida:AadInstance” value accommodates the metadata discovery endpoint for each coverage, this endpoint will probably be used internally by the middle-wares which we’ll add in the subsequent steps to validate the JWT tokens.

“ida:Tenant” value accommodates the URL for our Azure AD B2C tenant we now have already outlined within the previous submit.

“ida:ClientId” worth incorporates the App shopper Id we now have already registered with our Azure AD Bb2C tenant.

“ida:SignUpPolicyId” value incorporates the identify of the signup policy we already created.

“ida:SignInPolicyId” worth accommodates the identify of the Signin policy we already created.

“ida:UserProfilePolicyId” worth accommodates the identify of the Create profile coverage we already created.

Step 2: Add the additional NyGet packages to the Web API undertaking

Open NuGet Package deal Supervisor Console and set up/replace the under packages:

Install-Package deal Microsoft.Owin.Safety.OAuth -Model 3.0.1 Set up-Package deal Microsoft.Owin.Security.Jwt -Model three.zero.1 Update-Package deal System.IdentityModel.Tokens.Jwt -version 4.zero.2.206221351 Install-Package deal Microsoft.IdentityModel.Protocol.Extensions

Set up-Package deal Microsoft.Owin.Safety.OAuth -Version three.0.1

Install-Package deal Microsoft.Owin.Safety.Jwt -Version 3.zero.1

Update-Package deal System.IdentityModel.Tokens.Jwt -version 4.0.2.206221351

Install-Package deal Microsoft.IdentityModel.Protocol.Extensions

The packages we’ve got put in is answerable for configuring our API to make use of OAuth bearer token for cover as nicely we’ve added the packages which are answerable for validating, parsing and decoding JWT tokens.

I had to downgrade the package deal “System.IdentityModel.Tokens.Jwt” to the model “4.0.2.206221351” as the newer version of it showed breaking compatibility with other packages, I’ll control it and replace the publish accordingly if there are new updates.

lastly, we need to add manually using “Add reference” dialog a reference for the meeting “System.IdentityModel” v4, I’m unsure if there’s something incorrect with these NuGet packages which overlook to include this dependency by default. I will regulate this too and replace the submit if there is a change.

Step three: Configure the Startup class

Now we have to configure our API to depend on the Azure AD B2C IdP we already created, this is an important step in configuring the Web API to trust tokens issued by our Azure AD b2C IdP, our Web API will have the ability to eat solely JWT tokens issued by the trusted IdP and issued for a specific shopper only (The app we registered in the earlier publish “Bitoftech Demo App”).

To take action, open the “Startup” class for the Web API and exchange all of the content with under code, a lot of the modifications has been launched in technique “ConfigureOAuth” which I will describe what happen within the subsequent paragraph.

public class Startup

// These values are pulled from net.config public static string aadInstance = ConfigurationManager.AppSettings[“ida:AadInstance”]; public static string tenant = ConfigurationManager.AppSettings[“ida:Tenant”]; public static string clientId = ConfigurationManager.AppSettings[“ida:ClientId”]; public static string signUpPolicy = ConfigurationManager.AppSettings[“ida:SignUpPolicyId”]; public static string signInPolicy = ConfigurationManager.AppSettings[“ida:SignInPolicyId”]; public static string editProfilePolicy = ConfigurationManager.AppSettings[“ida:UserProfilePolicyId”];

public void Configuration(IAppBuilder app)

HttpConfiguration config = new HttpConfiguration();

// Web API routes config.MapHttpAttributeRoutes();

ConfigureOAuth(app);

app.UseWebApi(config);

public void ConfigureOAuth(IAppBuilder app)

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signUpPolicy)); app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signInPolicy)); app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(editProfilePolicy));

personal OAuthBearerAuthenticationOptions CreateBearerOptionsFromPolicy(string coverage)

var metadataEndpoint = string.Format(aadInstance, tenant, policy);

TokenValidationParameters tvps = new TokenValidationParameters

// That is the place you specify that your API solely accepts tokens from its personal shoppers ValidAudience = clientId, AuthenticationType = policy, NameClaimType = “http://schemas.microsoft.com/identity/claims/objectidentifier” ;

return new OAuthBearerAuthenticationOptions

// This SecurityTokenProvider fetches the Azure AD B2C metadata & signing keys from the OpenIDConnect metadata endpoint AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(metadataEndpoint)) ;

1

2

3

four

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

public class Startup

// These values are pulled from net.config

public static string aadInstance = ConfigurationManager.AppSettings[“ida:AadInstance”];

public static string tenant = ConfigurationManager.AppSettings[“ida:Tenant”];

public static string clientId = ConfigurationManager.AppSettings[“ida:ClientId”];

public static string signUpPolicy = ConfigurationManager.AppSettings[“ida:SignUpPolicyId”];

public static string signInPolicy = ConfigurationManager.AppSettings[“ida:SignInPolicyId”];

public static string editProfilePolicy = ConfigurationManager.AppSettings[“ida:UserProfilePolicyId”];

public void Configuration(IAppBuilder app)

HttpConfiguration config = new HttpConfiguration();

// Web API routes

config.MapHttpAttributeRoutes();

ConfigureOAuth(app);

app.UseWebApi(config);

public void ConfigureOAuth(IAppBuilder app)

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signUpPolicy));

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signInPolicy));

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(editProfilePolicy));

personal OAuthBearerAuthenticationOptions CreateBearerOptionsFromPolicy(string policy)

var metadataEndpoint = string.Format(aadInstance, tenant, coverage);

TokenValidationParameters tvps = new TokenValidationParameters

// That is where you specify that your API only accepts tokens from its own shoppers

ValidAudience = clientId,

AuthenticationType = coverage,

NameClaimType = “http://schemas.microsoft.com/identity/claims/objectidentifier”

;

return new OAuthBearerAuthenticationOptions

// This SecurityTokenProvider fetches the Azure AD B2C metadata &#zero38; signing keys from the OpenIDConnect metadata endpoint

AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(metadataEndpoint))

;

What we’ve got carried out is the next:

We’ve got configured our API to eat and belief JWT tokens issued by our IdP (“BitofTechDemo.onmicrosoft.com”) for a selected shopper (“bc348057-3c44-42fc-b4df-7ef14b926b78”) This shopper represents the app we already registered, as properly it should only accept JWT tokens for the three policies we already defined and named “B2C_1_signup”, “B2C_1_Signin”, and “B2C_1_Editprofile”. Another JWT tokens don’t meet these criteria can be rejected and 401 HTTP response is returned to the requestor.

Again to the Metadata Discovery Endpoint we mentioned earlier, this endpoint is auto generated by our IdP and it is extremely essential for our API to acquire the “Signing Tokens Keys” from it; to be able to validate the JWT signature and trust this JWT token and send a response to the requestor. This finish point is constructed at run time, for instance, the metadata endpoint for the “B2C_1_signin” can be as the comply with: https://login.microsoftonline.com/BitofTechDemo.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signin feel free to click on the hyperlink and observe the info returned.

A nice trick right here that I’ve configured the “NameClaimType” of the “TokenValidationParameters” to make use of the claim named “objectidentifer” (“oid”) This can facilitate studying the distinctive consumer id for the authenticated consumer contained in the controllers, all we need to name now contained in the controller is: “User.Identity.Name” as an alternative of querying the claims collection each time.

The last thing we need to add to the “Startup” class is a brand new class named “OpenIdConnectCachingSecurityTokenProvider”, this class might be answerable for communicating with the “Metadata Discovery Endpoint” and problem HTTP requests to get the signing keys that our API will use to validate signatures from our IdP, those keys exists within the jwks_uri which may read from the invention endpoint. So as to add this class create a brand new class named “OpenIdConnectCachingSecurityTokenProvider” and paste the code under:

// This class is important as a result of the OAuthBearer Middleware does not leverage // the OpenID Connect metadata endpoint uncovered by the STS by default. public class OpenIdConnectCachingSecurityTokenProvider : IIssuerSecurityTokenProvider

public ConfigurationManager _configManager; personal string _issuer; personal IEnumerable _tokens; personal readonly string _metadataEndpoint;

personal readonly ReaderWriterLockSlim _synclock = new ReaderWriterLockSlim();

public OpenIdConnectCachingSecurityTokenProvider(string metadataEndpoint)

_metadataEndpoint = metadataEndpoint; _configManager = new ConfigurationManager(metadataEndpoint);

RetrieveMetadata();

///

/// Gets the issuer the credentials are for. ///

/// /// The issuer the credentials are for. /// public string Issuer

get

RetrieveMetadata(); _synclock.EnterReadLock(); attempt

return _issuer;

lastly

_synclock.ExitReadLock();

///

/// Gets all recognized security tokens. ///

/// /// All recognized security tokens. /// public IEnumerable SecurityTokens

get

RetrieveMetadata(); _synclock.EnterReadLock(); attempt

return _tokens;

finally

_synclock.ExitReadLock();

personal void RetrieveMetadata()

_synclock.EnterWriteLock(); attempt

OpenIdConnectConfiguration config = Activity.Run(_configManager.GetConfigurationAsync).Outcome; _issuer = config.Issuer; _tokens = config.SigningTokens;

lastly

_synclock.ExitWriteLock();

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

// This class is important because the OAuthBearer Middleware does not leverage

// the OpenID Join metadata endpoint uncovered by the STS by default.

public class OpenIdConnectCachingSecurityTokenProvider : IIssuerSecurityTokenProvider

public ConfigurationManager _configManager;

personal string _issuer;

personal IEnumerable _tokens;

personal readonly string _metadataEndpoint;

personal readonly ReaderWriterLockSlim _synclock = new ReaderWriterLockSlim();

public OpenIdConnectCachingSecurityTokenProvider(string metadataEndpoint)

_metadataEndpoint = metadataEndpoint;

_configManager = new ConfigurationManager(metadataEndpoint);

RetrieveMetadata();

///

/// Will get the issuer the credentials are for.

///

///

/// The issuer the credentials are for.

///

public string Issuer

get

RetrieveMetadata();

_synclock.EnterReadLock();

attempt

return _issuer;

finally

_synclock.ExitReadLock();

///

/// Gets all recognized security tokens.

///

///

/// All recognized safety tokens.

///

public IEnumerable SecurityTokens

get

RetrieveMetadata();

_synclock.EnterReadLock();

attempt

return _tokens;

finally

_synclock.ExitReadLock();

personal void RetrieveMetadata()

_synclock.EnterWriteLock();

attempt

OpenIdConnectConfiguration config = Activity.Run(_configManager.GetConfigurationAsync).End result;

_issuer = config.Issuer;

_tokens = config.SigningTokens;

finally

_synclock.ExitWriteLock();

Step 4: Add protected controller for testing

Now we’ll add an (non-compulsory) class which reads all of the decoded claims in the JWT token and return them within the response, observe that we’ve got protected our controller by the [Authorize] attribute so solely valid JWT tokens shall be accepted to serve the request and return response, to do so add new controller named “ProtectedController” beneath folder Controllers and paste the code under:

[Authorize] [RoutePrefix(“api/protected”)]

public class ProtectedController : ApiController

[Route(“”)] public IEnumerable Get()

var id = Consumer.Id as ClaimsIdentity;

var userName = id.Identify;

return id.Claims.Choose(c => new

Sort = c.Sort, Value = c.Worth );

1

2

3

four

5

6

7

eight

9

10

11

12

13

14

15

16

17

18

[Authorize]

[RoutePrefix(“api/protected”)]

public class ProtectedController : ApiController

[Route(“”)]

public IEnumerable Get()

var id = Consumer.Id as ClaimsIdentity;

var userName = id.Identify;

return id.Claims.Choose(c => new

Sort = c.Sort,

Worth = c.Worth

);

We’ll check the controller within the next steps.

Step 5: Modify the “OrdersController” we created within the previous submit

Now we need to do a very little change on the “OrdersController” by including the [Authorize] attribute on the controller to guard it, as properly to read the unique authenticated consumer id from the declare and retailer it in Azure Table Storage as an alternative of the fastened worth we defined earlier within the previous publish. The change could be very simple and ought to be as the under snippet, a lot of the code is omitted so simply add/exchange the lacking elements as the under:

[Authorize] [RoutePrefix(“api/Orders”)]

public class OrdersController : ApiController

[Route(“”)] public IHttpActionResult Get()

//This can be learn from the entry token claims. var userId = Consumer.Id.Identify;

// code ommited for brevity

[Route(“”)] public IHttpActionResult Submit (OrderModel order)

//This shall be learn from the access token claims. var userId = Consumer.Id.Identify;

// code ommited for brevity

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

[Authorize] [RoutePrefix(“api/Orders”)]

public class OrdersController : ApiController

[Route(“”)]

public IHttpActionResult Get()

//This will probably be learn from the access token claims.

var userId = Consumer.Id.Identify;

// code ommited for brevity

[Route(“”)]

public IHttpActionResult Publish (OrderModel order)

//This shall be read from the access token claims.

var userId = Consumer.Id.Identify;

// code ommited for brevity

Step 6: Testing out the protected controllers

Last item we have to do here is to obtain a JWT token from out IdP by executing one of many insurance policies we have now outlined, then sending the JWT token in the Authorization header for one among out API endpoints, if all is sweet we should always access the API and return the protected assets.

To do that I have choose the policy Sign up from Azure AD B2C tenant and clicked on “Run now” button,  a brand new window will open and you provide a legitimate credentials, then a redirect will happen to the defined Reply URL and you may acquire the token manually by copying it, then you might want to ship the token to the top level “api/protected” or “api/orders” within the authorization header using the bearer scheme. The request will look because the under picture:

GET Request to the “Api/orders” endpoint to listing all the orders assigned to the consumer with e mail “[email protected]”

Notice: This guide testing demonstrated right here is just for testing purposes, in the subsequent submit you will notice how we’ll add an MVC software which might be liable for executing the policies, get hold of JWT tokens, create the session for the authenticated users, and entry the protected API assets.

The Supply code for this tutorial is on the market on GitHub.

Comply with me on Twitter @tjoudeh

The supply code for this tutorial is obtainable on GitHub.

The Web API has been revealed on Azure App Providers, so be happy to attempt it out using the Base URL (https://aadb2cresourceapi.azurewebsites.net/)

Secure ASP.NET Web API 2 using Azure AD B2C

In the previous publish, we have now configured all the wanted insurance policies in our Azure AD B2C tenant and the Reply URLs. In this Submit, we’ll reconfigure the Web API we’ve got created in the previous publish so it relays on the Azure AD B2C IdP we created to secure it and our Web API will only accept and belief tokens issued by our Azure AD BC IdP.

So let’s begin implementing those modifications on the Web API.

Step 1: Configure Web API to use Azure AD B2C tenant IDs and Policies

Now we need to modify the online.config for our Web API by adding the under keys, so open Web.config and add the under AppSettings keys:

The values for these keys as the following:

“ida:AadInstance” value accommodates the metadata discovery endpoint for each coverage, this endpoint will probably be used internally by the middle-wares which we’ll add in the subsequent steps to validate the JWT tokens.

“ida:Tenant” value accommodates the URL for our Azure AD B2C tenant we now have already outlined within the previous submit.

“ida:ClientId” worth incorporates the App shopper Id we now have already registered with our Azure AD Bb2C tenant.

“ida:SignUpPolicyId” value incorporates the identify of the signup policy we already created.

“ida:SignInPolicyId” worth accommodates the identify of the Signin policy we already created.

“ida:UserProfilePolicyId” worth accommodates the identify of the Create profile coverage we already created.

Step 2: Add the additional NyGet packages to the Web API undertaking

Open NuGet Package deal Supervisor Console and set up/replace the under packages:

Install-Package deal Microsoft.Owin.Safety.OAuth -Model 3.0.1 Set up-Package deal Microsoft.Owin.Security.Jwt -Model three.zero.1 Update-Package deal System.IdentityModel.Tokens.Jwt -version 4.zero.2.206221351 Install-Package deal Microsoft.IdentityModel.Protocol.Extensions

Set up-Package deal Microsoft.Owin.Safety.OAuth -Version three.0.1

Install-Package deal Microsoft.Owin.Safety.Jwt -Version 3.zero.1

Update-Package deal System.IdentityModel.Tokens.Jwt -version 4.0.2.206221351

Install-Package deal Microsoft.IdentityModel.Protocol.Extensions

The packages we’ve got put in is answerable for configuring our API to make use of OAuth bearer token for cover as nicely we’ve added the packages which are answerable for validating, parsing and decoding JWT tokens.

I had to downgrade the package deal “System.IdentityModel.Tokens.Jwt” to the model “4.0.2.206221351” as the newer version of it showed breaking compatibility with other packages, I’ll control it and replace the publish accordingly if there are new updates.

lastly, we need to add manually using “Add reference” dialog a reference for the meeting “System.IdentityModel” v4, I’m unsure if there’s something incorrect with these NuGet packages which overlook to include this dependency by default. I will regulate this too and replace the submit if there is a change.

Step three: Configure the Startup class

Now we have to configure our API to depend on the Azure AD B2C IdP we already created, this is an important step in configuring the Web API to trust tokens issued by our Azure AD b2C IdP, our Web API will have the ability to eat solely JWT tokens issued by the trusted IdP and issued for a specific shopper only (The app we registered in the earlier publish “Bitoftech Demo App”).

To take action, open the “Startup” class for the Web API and exchange all of the content with under code, a lot of the modifications has been launched in technique “ConfigureOAuth” which I will describe what happen within the subsequent paragraph.

public class Startup

// These values are pulled from net.config public static string aadInstance = ConfigurationManager.AppSettings[“ida:AadInstance”]; public static string tenant = ConfigurationManager.AppSettings[“ida:Tenant”]; public static string clientId = ConfigurationManager.AppSettings[“ida:ClientId”]; public static string signUpPolicy = ConfigurationManager.AppSettings[“ida:SignUpPolicyId”]; public static string signInPolicy = ConfigurationManager.AppSettings[“ida:SignInPolicyId”]; public static string editProfilePolicy = ConfigurationManager.AppSettings[“ida:UserProfilePolicyId”];

public void Configuration(IAppBuilder app)

HttpConfiguration config = new HttpConfiguration();

// Web API routes config.MapHttpAttributeRoutes();

ConfigureOAuth(app);

app.UseWebApi(config);

public void ConfigureOAuth(IAppBuilder app)

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signUpPolicy)); app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signInPolicy)); app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(editProfilePolicy));

personal OAuthBearerAuthenticationOptions CreateBearerOptionsFromPolicy(string coverage)

var metadataEndpoint = string.Format(aadInstance, tenant, policy);

TokenValidationParameters tvps = new TokenValidationParameters

// That is the place you specify that your API solely accepts tokens from its personal shoppers ValidAudience = clientId, AuthenticationType = policy, NameClaimType = “http://schemas.microsoft.com/identity/claims/objectidentifier” ;

return new OAuthBearerAuthenticationOptions

// This SecurityTokenProvider fetches the Azure AD B2C metadata & signing keys from the OpenIDConnect metadata endpoint AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(metadataEndpoint)) ;

1

2

3

four

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

public class Startup

// These values are pulled from net.config

public static string aadInstance = ConfigurationManager.AppSettings[“ida:AadInstance”];

public static string tenant = ConfigurationManager.AppSettings[“ida:Tenant”];

public static string clientId = ConfigurationManager.AppSettings[“ida:ClientId”];

public static string signUpPolicy = ConfigurationManager.AppSettings[“ida:SignUpPolicyId”];

public static string signInPolicy = ConfigurationManager.AppSettings[“ida:SignInPolicyId”];

public static string editProfilePolicy = ConfigurationManager.AppSettings[“ida:UserProfilePolicyId”];

public void Configuration(IAppBuilder app)

HttpConfiguration config = new HttpConfiguration();

// Web API routes

config.MapHttpAttributeRoutes();

ConfigureOAuth(app);

app.UseWebApi(config);

public void ConfigureOAuth(IAppBuilder app)

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signUpPolicy));

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signInPolicy));

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(editProfilePolicy));

personal OAuthBearerAuthenticationOptions CreateBearerOptionsFromPolicy(string policy)

var metadataEndpoint = string.Format(aadInstance, tenant, coverage);

TokenValidationParameters tvps = new TokenValidationParameters

// That is where you specify that your API only accepts tokens from its own shoppers

ValidAudience = clientId,

AuthenticationType = coverage,

NameClaimType = “http://schemas.microsoft.com/identity/claims/objectidentifier”

;

return new OAuthBearerAuthenticationOptions

// This SecurityTokenProvider fetches the Azure AD B2C metadata &#zero38; signing keys from the OpenIDConnect metadata endpoint

AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(metadataEndpoint))

;

What we’ve got carried out is the next:

We’ve got configured our API to eat and belief JWT tokens issued by our IdP (“BitofTechDemo.onmicrosoft.com”) for a selected shopper (“bc348057-3c44-42fc-b4df-7ef14b926b78”) This shopper represents the app we already registered, as properly it should only accept JWT tokens for the three policies we already defined and named “B2C_1_signup”, “B2C_1_Signin”, and “B2C_1_Editprofile”. Another JWT tokens don’t meet these criteria can be rejected and 401 HTTP response is returned to the requestor.

Again to the Metadata Discovery Endpoint we mentioned earlier, this endpoint is auto generated by our IdP and it is extremely essential for our API to acquire the “Signing Tokens Keys” from it; to be able to validate the JWT signature and trust this JWT token and send a response to the requestor. This finish point is constructed at run time, for instance, the metadata endpoint for the “B2C_1_signin” can be as the comply with: https://login.microsoftonline.com/BitofTechDemo.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signin feel free to click on the hyperlink and observe the info returned.

A nice trick right here that I’ve configured the “NameClaimType” of the “TokenValidationParameters” to make use of the claim named “objectidentifer” (“oid”) This can facilitate studying the distinctive consumer id for the authenticated consumer contained in the controllers, all we need to name now contained in the controller is: “User.Identity.Name” as an alternative of querying the claims collection each time.

The last thing we need to add to the “Startup” class is a brand new class named “OpenIdConnectCachingSecurityTokenProvider”, this class might be answerable for communicating with the “Metadata Discovery Endpoint” and problem HTTP requests to get the signing keys that our API will use to validate signatures from our IdP, those keys exists within the jwks_uri which may read from the invention endpoint. So as to add this class create a brand new class named “OpenIdConnectCachingSecurityTokenProvider” and paste the code under:

// This class is important as a result of the OAuthBearer Middleware does not leverage // the OpenID Connect metadata endpoint uncovered by the STS by default. public class OpenIdConnectCachingSecurityTokenProvider : IIssuerSecurityTokenProvider

public ConfigurationManager _configManager; personal string _issuer; personal IEnumerable _tokens; personal readonly string _metadataEndpoint;

personal readonly ReaderWriterLockSlim _synclock = new ReaderWriterLockSlim();

public OpenIdConnectCachingSecurityTokenProvider(string metadataEndpoint)

_metadataEndpoint = metadataEndpoint; _configManager = new ConfigurationManager(metadataEndpoint);

RetrieveMetadata();

///

/// Gets the issuer the credentials are for. ///

/// /// The issuer the credentials are for. /// public string Issuer

get

RetrieveMetadata(); _synclock.EnterReadLock(); attempt

return _issuer;

lastly

_synclock.ExitReadLock();

///

/// Gets all recognized security tokens. ///

/// /// All recognized security tokens. /// public IEnumerable SecurityTokens

get

RetrieveMetadata(); _synclock.EnterReadLock(); attempt

return _tokens;

finally

_synclock.ExitReadLock();

personal void RetrieveMetadata()

_synclock.EnterWriteLock(); attempt

OpenIdConnectConfiguration config = Activity.Run(_configManager.GetConfigurationAsync).Outcome; _issuer = config.Issuer; _tokens = config.SigningTokens;

lastly

_synclock.ExitWriteLock();

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

// This class is important because the OAuthBearer Middleware does not leverage

// the OpenID Join metadata endpoint uncovered by the STS by default.

public class OpenIdConnectCachingSecurityTokenProvider : IIssuerSecurityTokenProvider

public ConfigurationManager _configManager;

personal string _issuer;

personal IEnumerable _tokens;

personal readonly string _metadataEndpoint;

personal readonly ReaderWriterLockSlim _synclock = new ReaderWriterLockSlim();

public OpenIdConnectCachingSecurityTokenProvider(string metadataEndpoint)

_metadataEndpoint = metadataEndpoint;

_configManager = new ConfigurationManager(metadataEndpoint);

RetrieveMetadata();

///

/// Will get the issuer the credentials are for.

///

///

/// The issuer the credentials are for.

///

public string Issuer

get

RetrieveMetadata();

_synclock.EnterReadLock();

attempt

return _issuer;

finally

_synclock.ExitReadLock();

///

/// Gets all recognized security tokens.

///

///

/// All recognized safety tokens.

///

public IEnumerable SecurityTokens

get

RetrieveMetadata();

_synclock.EnterReadLock();

attempt

return _tokens;

finally

_synclock.ExitReadLock();

personal void RetrieveMetadata()

_synclock.EnterWriteLock();

attempt

OpenIdConnectConfiguration config = Activity.Run(_configManager.GetConfigurationAsync).End result;

_issuer = config.Issuer;

_tokens = config.SigningTokens;

finally

_synclock.ExitWriteLock();

Step 4: Add protected controller for testing

Now we’ll add an (non-compulsory) class which reads all of the decoded claims in the JWT token and return them within the response, observe that we’ve got protected our controller by the [Authorize] attribute so solely valid JWT tokens shall be accepted to serve the request and return response, to do so add new controller named “ProtectedController” beneath folder Controllers and paste the code under:

[Authorize] [RoutePrefix(“api/protected”)]

public class ProtectedController : ApiController

[Route(“”)] public IEnumerable Get()

var id = Consumer.Id as ClaimsIdentity;

var userName = id.Identify;

return id.Claims.Choose(c => new

Sort = c.Sort, Value = c.Worth );

1

2

3

four

5

6

7

eight

9

10

11

12

13

14

15

16

17

18

[Authorize]

[RoutePrefix(“api/protected”)]

public class ProtectedController : ApiController

[Route(“”)]

public IEnumerable Get()

var id = Consumer.Id as ClaimsIdentity;

var userName = id.Identify;

return id.Claims.Choose(c => new

Sort = c.Sort,

Worth = c.Worth

);

We’ll check the controller within the next steps.

Step 5: Modify the “OrdersController” we created within the previous submit

Now we need to do a very little change on the “OrdersController” by including the [Authorize] attribute on the controller to guard it, as properly to read the unique authenticated consumer id from the declare and retailer it in Azure Table Storage as an alternative of the fastened worth we defined earlier within the previous publish. The change could be very simple and ought to be as the under snippet, a lot of the code is omitted so simply add/exchange the lacking elements as the under:

[Authorize] [RoutePrefix(“api/Orders”)]

public class OrdersController : ApiController

[Route(“”)] public IHttpActionResult Get()

//This can be learn from the entry token claims. var userId = Consumer.Id.Identify;

// code ommited for brevity

[Route(“”)] public IHttpActionResult Submit (OrderModel order)

//This shall be learn from the access token claims. var userId = Consumer.Id.Identify;

// code ommited for brevity

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

[Authorize] [RoutePrefix(“api/Orders”)]

public class OrdersController : ApiController

[Route(“”)]

public IHttpActionResult Get()

//This will probably be learn from the access token claims.

var userId = Consumer.Id.Identify;

// code ommited for brevity

[Route(“”)]

public IHttpActionResult Publish (OrderModel order)

//This shall be read from the access token claims.

var userId = Consumer.Id.Identify;

// code ommited for brevity

Step 6: Testing out the protected controllers

Last item we have to do here is to obtain a JWT token from out IdP by executing one of many insurance policies we have now outlined, then sending the JWT token in the Authorization header for one among out API endpoints, if all is sweet we should always access the API and return the protected assets.

To do that I have choose the policy Sign up from Azure AD B2C tenant and clicked on “Run now” button,  a brand new window will open and you provide a legitimate credentials, then a redirect will happen to the defined Reply URL and you may acquire the token manually by copying it, then you might want to ship the token to the top level “api/protected” or “api/orders” within the authorization header using the bearer scheme. The request will look because the under picture:

GET Request to the “Api/orders” endpoint to listing all the orders assigned to the consumer with e mail “[email protected]”

Notice: This guide testing demonstrated right here is just for testing purposes, in the subsequent submit you will notice how we’ll add an MVC software which might be liable for executing the policies, get hold of JWT tokens, create the session for the authenticated users, and entry the protected API assets.

The Supply code for this tutorial is on the market on GitHub.

Comply with me on Twitter @tjoudeh

The supply code for this tutorial is obtainable on GitHub.

The Web API has been revealed on Azure App Providers, so be happy to attempt it out using the Base URL (https://aadb2cresourceapi.azurewebsites.net/)

Secure ASP.NET Web API 2 using Azure AD B2C

In the previous publish, we have now configured all the wanted insurance policies in our Azure AD B2C tenant and the Reply URLs. In this Submit, we’ll reconfigure the Web API we’ve got created in the previous publish so it relays on the Azure AD B2C IdP we created to secure it and our Web API will only accept and belief tokens issued by our Azure AD BC IdP.

So let’s begin implementing those modifications on the Web API.

Step 1: Configure Web API to use Azure AD B2C tenant IDs and Policies

Now we need to modify the online.config for our Web API by adding the under keys, so open Web.config and add the under AppSettings keys:

The values for these keys as the following:

“ida:AadInstance” value accommodates the metadata discovery endpoint for each coverage, this endpoint will probably be used internally by the middle-wares which we’ll add in the subsequent steps to validate the JWT tokens.

“ida:Tenant” value accommodates the URL for our Azure AD B2C tenant we now have already outlined within the previous submit.

“ida:ClientId” worth incorporates the App shopper Id we now have already registered with our Azure AD Bb2C tenant.

“ida:SignUpPolicyId” value incorporates the identify of the signup policy we already created.

“ida:SignInPolicyId” worth accommodates the identify of the Signin policy we already created.

“ida:UserProfilePolicyId” worth accommodates the identify of the Create profile coverage we already created.

Step 2: Add the additional NyGet packages to the Web API undertaking

Open NuGet Package deal Supervisor Console and set up/replace the under packages:

Install-Package deal Microsoft.Owin.Safety.OAuth -Model 3.0.1 Set up-Package deal Microsoft.Owin.Security.Jwt -Model three.zero.1 Update-Package deal System.IdentityModel.Tokens.Jwt -version 4.zero.2.206221351 Install-Package deal Microsoft.IdentityModel.Protocol.Extensions

Set up-Package deal Microsoft.Owin.Safety.OAuth -Version three.0.1

Install-Package deal Microsoft.Owin.Safety.Jwt -Version 3.zero.1

Update-Package deal System.IdentityModel.Tokens.Jwt -version 4.0.2.206221351

Install-Package deal Microsoft.IdentityModel.Protocol.Extensions

The packages we’ve got put in is answerable for configuring our API to make use of OAuth bearer token for cover as nicely we’ve added the packages which are answerable for validating, parsing and decoding JWT tokens.

I had to downgrade the package deal “System.IdentityModel.Tokens.Jwt” to the model “4.0.2.206221351” as the newer version of it showed breaking compatibility with other packages, I’ll control it and replace the publish accordingly if there are new updates.

lastly, we need to add manually using “Add reference” dialog a reference for the meeting “System.IdentityModel” v4, I’m unsure if there’s something incorrect with these NuGet packages which overlook to include this dependency by default. I will regulate this too and replace the submit if there is a change.

Step three: Configure the Startup class

Now we have to configure our API to depend on the Azure AD B2C IdP we already created, this is an important step in configuring the Web API to trust tokens issued by our Azure AD b2C IdP, our Web API will have the ability to eat solely JWT tokens issued by the trusted IdP and issued for a specific shopper only (The app we registered in the earlier publish “Bitoftech Demo App”).

To take action, open the “Startup” class for the Web API and exchange all of the content with under code, a lot of the modifications has been launched in technique “ConfigureOAuth” which I will describe what happen within the subsequent paragraph.

public class Startup

// These values are pulled from net.config public static string aadInstance = ConfigurationManager.AppSettings[“ida:AadInstance”]; public static string tenant = ConfigurationManager.AppSettings[“ida:Tenant”]; public static string clientId = ConfigurationManager.AppSettings[“ida:ClientId”]; public static string signUpPolicy = ConfigurationManager.AppSettings[“ida:SignUpPolicyId”]; public static string signInPolicy = ConfigurationManager.AppSettings[“ida:SignInPolicyId”]; public static string editProfilePolicy = ConfigurationManager.AppSettings[“ida:UserProfilePolicyId”];

public void Configuration(IAppBuilder app)

HttpConfiguration config = new HttpConfiguration();

// Web API routes config.MapHttpAttributeRoutes();

ConfigureOAuth(app);

app.UseWebApi(config);

public void ConfigureOAuth(IAppBuilder app)

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signUpPolicy)); app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signInPolicy)); app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(editProfilePolicy));

personal OAuthBearerAuthenticationOptions CreateBearerOptionsFromPolicy(string coverage)

var metadataEndpoint = string.Format(aadInstance, tenant, policy);

TokenValidationParameters tvps = new TokenValidationParameters

// That is the place you specify that your API solely accepts tokens from its personal shoppers ValidAudience = clientId, AuthenticationType = policy, NameClaimType = “http://schemas.microsoft.com/identity/claims/objectidentifier” ;

return new OAuthBearerAuthenticationOptions

// This SecurityTokenProvider fetches the Azure AD B2C metadata & signing keys from the OpenIDConnect metadata endpoint AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(metadataEndpoint)) ;

1

2

3

four

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

public class Startup

// These values are pulled from net.config

public static string aadInstance = ConfigurationManager.AppSettings[“ida:AadInstance”];

public static string tenant = ConfigurationManager.AppSettings[“ida:Tenant”];

public static string clientId = ConfigurationManager.AppSettings[“ida:ClientId”];

public static string signUpPolicy = ConfigurationManager.AppSettings[“ida:SignUpPolicyId”];

public static string signInPolicy = ConfigurationManager.AppSettings[“ida:SignInPolicyId”];

public static string editProfilePolicy = ConfigurationManager.AppSettings[“ida:UserProfilePolicyId”];

public void Configuration(IAppBuilder app)

HttpConfiguration config = new HttpConfiguration();

// Web API routes

config.MapHttpAttributeRoutes();

ConfigureOAuth(app);

app.UseWebApi(config);

public void ConfigureOAuth(IAppBuilder app)

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signUpPolicy));

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(signInPolicy));

app.UseOAuthBearerAuthentication(CreateBearerOptionsFromPolicy(editProfilePolicy));

personal OAuthBearerAuthenticationOptions CreateBearerOptionsFromPolicy(string policy)

var metadataEndpoint = string.Format(aadInstance, tenant, coverage);

TokenValidationParameters tvps = new TokenValidationParameters

// That is where you specify that your API only accepts tokens from its own shoppers

ValidAudience = clientId,

AuthenticationType = coverage,

NameClaimType = “http://schemas.microsoft.com/identity/claims/objectidentifier”

;

return new OAuthBearerAuthenticationOptions

// This SecurityTokenProvider fetches the Azure AD B2C metadata &#zero38; signing keys from the OpenIDConnect metadata endpoint

AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(metadataEndpoint))

;

What we’ve got carried out is the next:

We’ve got configured our API to eat and belief JWT tokens issued by our IdP (“BitofTechDemo.onmicrosoft.com”) for a selected shopper (“bc348057-3c44-42fc-b4df-7ef14b926b78”) This shopper represents the app we already registered, as properly it should only accept JWT tokens for the three policies we already defined and named “B2C_1_signup”, “B2C_1_Signin”, and “B2C_1_Editprofile”. Another JWT tokens don’t meet these criteria can be rejected and 401 HTTP response is returned to the requestor.

Again to the Metadata Discovery Endpoint we mentioned earlier, this endpoint is auto generated by our IdP and it is extremely essential for our API to acquire the “Signing Tokens Keys” from it; to be able to validate the JWT signature and trust this JWT token and send a response to the requestor. This finish point is constructed at run time, for instance, the metadata endpoint for the “B2C_1_signin” can be as the comply with: https://login.microsoftonline.com/BitofTechDemo.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signin feel free to click on the hyperlink and observe the info returned.

A nice trick right here that I’ve configured the “NameClaimType” of the “TokenValidationParameters” to make use of the claim named “objectidentifer” (“oid”) This can facilitate studying the distinctive consumer id for the authenticated consumer contained in the controllers, all we need to name now contained in the controller is: “User.Identity.Name” as an alternative of querying the claims collection each time.

The last thing we need to add to the “Startup” class is a brand new class named “OpenIdConnectCachingSecurityTokenProvider”, this class might be answerable for communicating with the “Metadata Discovery Endpoint” and problem HTTP requests to get the signing keys that our API will use to validate signatures from our IdP, those keys exists within the jwks_uri which may read from the invention endpoint. So as to add this class create a brand new class named “OpenIdConnectCachingSecurityTokenProvider” and paste the code under:

// This class is important as a result of the OAuthBearer Middleware does not leverage // the OpenID Connect metadata endpoint uncovered by the STS by default. public class OpenIdConnectCachingSecurityTokenProvider : IIssuerSecurityTokenProvider

public ConfigurationManager _configManager; personal string _issuer; personal IEnumerable _tokens; personal readonly string _metadataEndpoint;

personal readonly ReaderWriterLockSlim _synclock = new ReaderWriterLockSlim();

public OpenIdConnectCachingSecurityTokenProvider(string metadataEndpoint)

_metadataEndpoint = metadataEndpoint; _configManager = new ConfigurationManager(metadataEndpoint);

RetrieveMetadata();

///

/// Gets the issuer the credentials are for. ///

/// /// The issuer the credentials are for. /// public string Issuer

get

RetrieveMetadata(); _synclock.EnterReadLock(); attempt

return _issuer;

lastly

_synclock.ExitReadLock();

///

/// Gets all recognized security tokens. ///

/// /// All recognized security tokens. /// public IEnumerable SecurityTokens

get

RetrieveMetadata(); _synclock.EnterReadLock(); attempt

return _tokens;

finally

_synclock.ExitReadLock();

personal void RetrieveMetadata()

_synclock.EnterWriteLock(); attempt

OpenIdConnectConfiguration config = Activity.Run(_configManager.GetConfigurationAsync).Outcome; _issuer = config.Issuer; _tokens = config.SigningTokens;

lastly

_synclock.ExitWriteLock();

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

// This class is important because the OAuthBearer Middleware does not leverage

// the OpenID Join metadata endpoint uncovered by the STS by default.

public class OpenIdConnectCachingSecurityTokenProvider : IIssuerSecurityTokenProvider

public ConfigurationManager _configManager;

personal string _issuer;

personal IEnumerable _tokens;

personal readonly string _metadataEndpoint;

personal readonly ReaderWriterLockSlim _synclock = new ReaderWriterLockSlim();

public OpenIdConnectCachingSecurityTokenProvider(string metadataEndpoint)

_metadataEndpoint = metadataEndpoint;

_configManager = new ConfigurationManager(metadataEndpoint);

RetrieveMetadata();

///

/// Will get the issuer the credentials are for.

///

///

/// The issuer the credentials are for.

///

public string Issuer

get

RetrieveMetadata();

_synclock.EnterReadLock();

attempt

return _issuer;

finally

_synclock.ExitReadLock();

///

/// Gets all recognized security tokens.

///

///

/// All recognized safety tokens.

///

public IEnumerable SecurityTokens

get

RetrieveMetadata();

_synclock.EnterReadLock();

attempt

return _tokens;

finally

_synclock.ExitReadLock();

personal void RetrieveMetadata()

_synclock.EnterWriteLock();

attempt

OpenIdConnectConfiguration config = Activity.Run(_configManager.GetConfigurationAsync).End result;

_issuer = config.Issuer;

_tokens = config.SigningTokens;

finally

_synclock.ExitWriteLock();

Step 4: Add protected controller for testing

Now we’ll add an (non-compulsory) class which reads all of the decoded claims in the JWT token and return them within the response, observe that we’ve got protected our controller by the [Authorize] attribute so solely valid JWT tokens shall be accepted to serve the request and return response, to do so add new controller named “ProtectedController” beneath folder Controllers and paste the code under:

[Authorize] [RoutePrefix(“api/protected”)]

public class ProtectedController : ApiController

[Route(“”)] public IEnumerable Get()

var id = Consumer.Id as ClaimsIdentity;

var userName = id.Identify;

return id.Claims.Choose(c => new

Sort = c.Sort, Value = c.Worth );

1

2

3

four

5

6

7

eight

9

10

11

12

13

14

15

16

17

18

[Authorize]

[RoutePrefix(“api/protected”)]

public class ProtectedController : ApiController

[Route(“”)]

public IEnumerable Get()

var id = Consumer.Id as ClaimsIdentity;

var userName = id.Identify;

return id.Claims.Choose(c => new

Sort = c.Sort,

Worth = c.Worth

);

We’ll check the controller within the next steps.

Step 5: Modify the “OrdersController” we created within the previous submit

Now we need to do a very little change on the “OrdersController” by including the [Authorize] attribute on the controller to guard it, as properly to read the unique authenticated consumer id from the declare and retailer it in Azure Table Storage as an alternative of the fastened worth we defined earlier within the previous publish. The change could be very simple and ought to be as the under snippet, a lot of the code is omitted so simply add/exchange the lacking elements as the under:

[Authorize] [RoutePrefix(“api/Orders”)]

public class OrdersController : ApiController

[Route(“”)] public IHttpActionResult Get()

//This can be learn from the entry token claims. var userId = Consumer.Id.Identify;

// code ommited for brevity

[Route(“”)] public IHttpActionResult Submit (OrderModel order)

//This shall be learn from the access token claims. var userId = Consumer.Id.Identify;

// code ommited for brevity

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

[Authorize] [RoutePrefix(“api/Orders”)]

public class OrdersController : ApiController

[Route(“”)]

public IHttpActionResult Get()

//This will probably be learn from the access token claims.

var userId = Consumer.Id.Identify;

// code ommited for brevity

[Route(“”)]

public IHttpActionResult Publish (OrderModel order)

//This shall be read from the access token claims.

var userId = Consumer.Id.Identify;

// code ommited for brevity

Step 6: Testing out the protected controllers

Last item we have to do here is to obtain a JWT token from out IdP by executing one of many insurance policies we have now outlined, then sending the JWT token in the Authorization header for one among out API endpoints, if all is sweet we should always access the API and return the protected assets.

To do that I have choose the policy Sign up from Azure AD B2C tenant and clicked on “Run now” button,  a brand new window will open and you provide a legitimate credentials, then a redirect will happen to the defined Reply URL and you may acquire the token manually by copying it, then you might want to ship the token to the top level “api/protected” or “api/orders” within the authorization header using the bearer scheme. The request will look because the under picture:

GET Request to the “Api/orders” endpoint to listing all the orders assigned to the consumer with e mail “[email protected]”

Notice: This guide testing demonstrated right here is just for testing purposes, in the subsequent submit you will notice how we’ll add an MVC software which might be liable for executing the policies, get hold of JWT tokens, create the session for the authenticated users, and entry the protected API assets.

The Supply code for this tutorial is on the market on GitHub.

Comply with me on Twitter @tjoudeh

Mobile / Web Authentication using Tokens for Phonegap and AngularJs

Just a couple keyword explanations. 

Token-Based Authentication, relies on a signed token that is sent to the server on each request.

JSON Web Token (JWT, pronounced jot) is a relatively new token format used in space-constrained environments such as HTTP Authorization headers. JWT is architected as a method for transferring security claims based between parties.

You can find out more info about…

Just a couple keyword explanations. 

Token-Based Authentication, relies on a signed token that is sent to the server on each request.

JSON Web Token (JWT, pronounced jot) is a relatively new token format used in space-constrained environments such as HTTP Authorization headers. JWT is architected as a method for transferring security claims based between parties.

You can find out more info about this authentication method by Googling or visiting this blog post by Auth0. I'm just gonna show how I implemented mine with Node.js and Angular.js. You should use SSL / TLS connections if possible along with this authentication scheme.

Straight to code.

var expressJWT = require('express-jwt'); module.exports.routes = function (app) { app.route('/api/v1/*') .all(function (req, res, next) { //expect the authorization header //to be present in every request. on //this route. so... if (req.headers.authorization) { //now check the validity of the header.. //expressJWT will return an error if its //invalid or call the next() middleware //if its valid expressJWT({secret: "appConfig.secret"}) .call(null, req, res, next); } else { res.json(401, {status: 'not authd'}); } }); //test route app.get('/api/v1/routetest', function (req, res) { res.json(200, true); }); };

You can use it with your authentication strategy like...

//Authentication Api Routes app.post('/api/users/session', passport.authenticate('local', { session: false }), function (req, res) { if (req.user) { res.json({ authorizationToken: jwt.sign(req.user, 'appConfig.secret', {expiresInMinutes: 60 * 30}) }); } else { res.json(401, {message: 'Authorized Staffs only.'}); } });

Cool right? So little explanation; I'm using passport.authenticate() to validate my users. I have disabled sessions because its "anti-token" based authentication. If the user is authenticated, I expect passport to populate the req.user property with the user object. The rest should be code-explanatory. I had some problems using passport.authenticate('bearer'). Which I think is preferred. I ended up using passport.authenticate('local'). 

You would want to use this with HTTP Auth Interceptor Module for AngularJS. Remember to set the authorizatin header on the client-side when you have successfully authenticated a user, so subsequent requests to protected routes will succeed. I'm prepping another post about it soon.