Skip to main content

Service to service auth via Azure Active Directory with ASP.Net Core

Sample configuration for ASP.Net Core 1.1 to use Azure AD for Service to Service Authentication.  Update your Startup.cs to have the following

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication();
    ...
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.UseJwtBearerAuthentication(new JwtBearerOptions
    {
        Authority = "https://login.microsoftonline.com/{AAD Tenant Name or ID}",
        Audience = "{Application ID URL}"
    });
    ...
}
Microsoft.AspNetCore.Authentication.JwtBearer defaults to using OpenID Connect discovery document to validate the bearer token.

The Authority is the prefix for the the discovery document.  The middleware will append ".well-known/openid-configuration/" to whatever you pass in to the Authority.  If your IDP has a diffrent endpoint for the discovery document, you can specify the MetadataAddress option, that address will be used without appending anything to it.  For Azure AD, the discovery documents are located at https://login.microsoftonline.com/{AAD Tenant Name or ID}/.well-known/openid-configuration/, if your unsure that your AAD Tenant Name is, the Tenant Id (or Directory ID as it's called in the new Azure Portal) works as well.

The Audience is our Application ID URI, this is the same as the resource in the token request.

There is also a sample project on Github at https://github.com/aspnet/Security/tree/release/samples/JwtBearerSample

This changed in ASP.Net Core 2

See https://github.com/aspnet/Security/issues/1310 for updates.  The new way is:
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
        })

        .AddJwtBearer(options =>
        {
            options.Authority = "https://login.microsoftonline.com/{AAD Tenant Name or ID}";
            options.Audience = "{Application ID URL}";
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();

        // ...
    }
}

Popular posts from this blog

Service to service auth via Azure Active Directory

One of the things I like with the newer services from Azure is the use of Azure AD to authenticate. Azure Keyvault is a perfect example, I can request a JWT from Azure AD and I just pass that to Keyvault in the Authentication header and I am in. Bringing me back to the good old days when we would use Windows AD user as service accounts, you change your password in one place and it's updated everywhere. But this time, you can have more than one password, so your services don't crash as you try to cycle the passwords. (I think I hear angels singing from heaven...) So, how do we make use of this for our own services? So glad you asked. Let's start by pointing you to Microsoft's documentation for  Authentication Scenarios for Azure AD , it's a very good read, and you really should know this stuff before starting this.  The scenario we are looking for is "Daemon or Server Application to Web API", particularly looking at how Web APP 1 ( TodoListDaemon ) and ...
Read more

Querying for items in an Array in CosmosDB

If you have spent any time looking at the documentation for Microsoft CosmosDB / DocumentDB, you will see a lot of examples where the data model has a property named "Tags" that is a list of strings.  But you don't see many times they query on something in that Tag property...  One example I saw a query on Tags[0] = "some value" I don't know how often I will need that, but you know, good to know you can do it. After looking through the SQL syntax reference .  The 2 ways I most likely query the Tags would be to use a join on the Tags property or use the ARRAY_CONTAINS function. Side note; the performance of the two methods are basically identical, leading me to believe the query optimizer generates the same instruction sets for both. So unless you have an array of complex objects, just use ARRAY_CONTAINS. Cool, we know how to query for documents that have our tag on them now... One small problem, when you load a million, or even a hundred thousand do...
Read more