How to store the token received in AcquireTokenAsync with Active Directory

Question

Problem Statement

I am using .NET Core, and I\'m trying to make a web application talk to a web API. Both require authentication using the [Authorize]

Answer 1

(Note: I had been struggling with this exact issue for several days. I followed the same Microsoft Tutorial as the one linked in the question, and tracked various problems like a wild goose chase; it turns out the sample contains a whole bunch of seemingly unnecessary steps when using the latest version of the Microsoft.AspNetCore.Authentication.OpenIdConnect package.).

I eventually had a breakthrough moment when I read this page: http://docs.identityserver.io/en/release/quickstarts/5_hybrid_and_api_access.html

The solution essentially involves letting OpenID Connect auth put the various tokens (access_token, refresh_token) into the cookie.

Firstly, I'm using a Converged Application created at https://apps.dev.microsoft.com and v2.0 of the Azure AD endpoint. The App has an Application Secret (password/public key) and uses Allow Implicit Flow for a Web platform.

(For some reason it seems as if v2.0 of the endpoint doesn't work with Azure AD only applications. I'm not sure why, and I'm not sure if it really matters anyway.)

Relevant lines from the Startup.Configure method:

    // Configure the OWIN pipeline to use cookie auth.
    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    // Configure the OWIN pipeline to use OpenID Connect auth.
    var openIdConnectOptions = new OpenIdConnectOptions
    {
         ClientId = "{Your-ClientId}",
         ClientSecret = "{Your-ClientSecret}",
         Authority = "http://login.microsoftonline.com/{Your-TenantId}/v2.0",
         ResponseType = OpenIdConnectResponseType.CodeIdToken,
         TokenValidationParameters = new TokenValidationParameters
         {
             NameClaimType = "name",
         },
         GetClaimsFromUserInfoEndpoint = true,
         SaveTokens = true,
    };

    openIdConnectOptions.Scope.Add("offline_access");

    app.UseOpenIdConnectAuthentication(openIdConnectOptions);

And that's it! No OpenIdConnectOptions.Event callbacks. No calls to AcquireTokenAsync or AcquireTokenSilentAsync. No TokenCache. None of those things seem to be necessary.

The magic seems to happen as part of OpenIdConnectOptions.SaveTokens = true

Here's an example where I'm using the access token to send an e-mail on behalf of the user using their Office365 account.

I have a WebAPI controller action which obtains their access token using HttpContext.Authentication.GetTokenAsync("access_token"):

    [HttpGet]
    public async Task<IActionResult> Get()
    {
        var graphClient = new GraphServiceClient(new DelegateAuthenticationProvider(async requestMessage =>
        {
            var accessToken = await HttpContext.Authentication.GetTokenAsync("access_token");
            requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
        }));

        var message = new Message
        {
            Subject = "Hello",
            Body = new ItemBody
            {
                Content = "World",
                ContentType = BodyType.Text,
            },
            ToRecipients = new[]
            {
                new Recipient
                {
                    EmailAddress = new EmailAddress
                    {
                        Address = "email@address.com",
                        Name = "Somebody",
                    }
                }
            },
        };

        var request = graphClient.Me.SendMail(message, true);
        await request.Request().PostAsync();

        return Ok();
    }

---

Side Note #1

At some point you might also need to get hold of the refresh_token too, in case the access_token expires:

HttpContext.Authentication.GetTokenAsync("refresh_token")

---

Side Note #2

My OpenIdConnectOptions actually includes a few more things which I've omitted here, for example:

    openIdConnectOptions.Scope.Add("email");
    openIdConnectOptions.Scope.Add("Mail.Send");

I've used these for working with the Microsoft.Graph API to send an e-mail on behalf of the currently logged in user.

(Those delegated permissions for Microsoft Graph are set up on the app too).

---

Update - How to 'silently' Refresh the Azure AD Access Token

So far, this answer explains how to use the cached access token but not what to do when the token expires (typically after 1 hour).

The options seem to be:

1. Force the user to sign in again. (Not silent)
2. POST a request to the Azure AD service using the refresh_token to obtain a new access_token (silent).

How to Refresh the Access Token using v2.0 of the Endpoint

After more digging, I found part of the answer in this SO Question:

How to handle expired access token in asp.net core using refresh token with OpenId Connect

It seems like the Microsoft OpenIdConnect libraries do not refresh the access token for you. Unfortunately the answer in the question above is missing the crucial detail about precisely how to refresh the token; presumably because it depends on specific details about Azure AD which OpenIdConnect doesn't care about.

The accepted answer to the above question suggests sending a request directly to the Azure AD Token REST API instead of using one of the Azure AD libraries.

Here's the relevant documentation (Note: this covers a mix of v1.0 and v2.0)

• https://developer.microsoft.com/en-us/graph/docs/concepts/rest
• https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#refreshing-the-access-tokens

Here's a proxy based on the API docs:

public class AzureAdRefreshTokenProxy
{
    private const string HostUrl = "https://login.microsoftonline.com/";
    private const string TokenUrl = $"{Your-Tenant-Id}/oauth2/v2.0/token";
    private const string ContentType = "application/x-www-form-urlencoded";

    // "HttpClient is intended to be instantiated once and re-used throughout the life of an application."
    // - MSDN Docs:
    // https://msdn.microsoft.com/en-us/library/system.net.http.httpclient(v=vs.110).aspx
    private static readonly HttpClient Http = new HttpClient {BaseAddress = new Uri(HostUrl)};

    public async Task<AzureAdTokenResponse> RefreshAccessTokenAsync(string refreshToken)
    {
        var body = $"client_id={Your-Client-Id}" +
                   $"&refresh_token={refreshToken}" +
                   "&grant_type=refresh_token" +
                   $"&client_secret={Your-Client-Secret}";
        var content = new StringContent(body, Encoding.UTF8, ContentType);

        using (var response = await Http.PostAsync(TokenUrl, content))
        {
            var responseContent = await response.Content.ReadAsStringAsync();
            return response.IsSuccessStatusCode
                ? JsonConvert.DeserializeObject<AzureAdTokenResponse>(responseContent)
                : throw new AzureAdTokenApiException(
                    JsonConvert.DeserializeObject<AzureAdErrorResponse>(responseContent));
        }
    }
}

The AzureAdTokenResponse and AzureAdErrorResponse classes used by JsonConvert:

[JsonObject(MemberSerialization = MemberSerialization.OptIn)]
public class AzureAdTokenResponse
{
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore, PropertyName = "token_type", Required = Required.Default)]
    public string TokenType { get; set; }
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore, PropertyName = "expires_in", Required = Required.Default)]
    public int ExpiresIn { get; set; }
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore, PropertyName = "expires_on", Required = Required.Default)]
    public string ExpiresOn { get; set; } 
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore, PropertyName = "resource", Required = Required.Default)]
    public string Resource { get; set; }
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore, PropertyName = "access_token", Required = Required.Default)]
    public string AccessToken { get; set; }
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore, PropertyName = "refresh_token", Required = Required.Default)]
    public string RefreshToken { get; set; }
}

[JsonObject(MemberSerialization = MemberSerialization.OptIn)]
public class AzureAdErrorResponse
{
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore, PropertyName = "error", Required = Required.Default)]
    public string Error { get; set; }
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore, PropertyName = "error_description", Required = Required.Default)]
    public string ErrorDescription { get; set; }
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore, PropertyName = "error_codes", Required = Required.Default)]
    public int[] ErrorCodes { get; set; }
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore, PropertyName = "timestamp", Required = Required.Default)]
    public string Timestamp { get; set; }
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore, PropertyName = "trace_id", Required = Required.Default)]
    public string TraceId { get; set; }
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore, PropertyName = "correlation_id", Required = Required.Default)]
    public string CorrelationId { get; set; }
}

public class AzureAdTokenApiException : Exception
{
    public AzureAdErrorResponse Error { get; }

    public AzureAdTokenApiException(AzureAdErrorResponse error) :
        base($"{error.Error} {error.ErrorDescription}")
    {
        Error = error;
    }
}

Finally, my modifications to Startup.cs to refresh the access_token (Based on the answer I linked above)

        // Configure the OWIN pipeline to use cookie auth.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            Events = new CookieAuthenticationEvents
            {
                OnValidatePrincipal = OnValidatePrincipal
            },
        });

The OnValidatePrincipal handler in Startup.cs (Again, from the linked answer above):

    private async Task OnValidatePrincipal(CookieValidatePrincipalContext context)
    {
        if (context.Properties.Items.ContainsKey(".Token.expires_at"))
        {
            if (!DateTime.TryParse(context.Properties.Items[".Token.expires_at"], out var expiresAt))
            {
                expiresAt = DateTime.Now;
            }

            if (expiresAt < DateTime.Now.AddMinutes(-5))
            {
                var refreshToken = context.Properties.Items[".Token.refresh_token"];
                var refreshTokenService = new AzureAdRefreshTokenService();
                var response = await refreshTokenService.RefreshAccessTokenAsync(refreshToken);

                context.Properties.Items[".Token.access_token"] = response.AccessToken;
                context.Properties.Items[".Token.refresh_token"] = response.RefreshToken;
                context.Properties.Items[".Token.expires_at"] = DateTime.Now.AddSeconds(response.ExpiresIn).ToString(CultureInfo.InvariantCulture);
                context.ShouldRenew = true;
            }
        }
    }

---

Finally, a solution with OpenIdConnect using v2.0 of the Azure AD API.

Interestingly, it seems that v2.0 does not ask for a resource to be included in the API request; the documentation suggests it's necessary, but the API itself simply replies that resource is not supported. This is probably a good thing - presumably it means that the access token works for all resources (it certainly works with the Microsoft Graph API)