发表新帖
发表新帖

How to validate Microsoft Graph API jwt access_token and secure your API?

前端 未结
关注
2 1609
孤独总比滥情好
孤独总比滥情好 2021-01-07 14:44

Scenario:

I have an angular5 client application, which uses hello.js to authenticate users using their office 365 credentials.

Client Code:
相关标签:
2条回答
  • 一向
    2021-01-07 14:50

    Yeah, this took a bit to work through. For anyone else researching this, here's my understanding.

    You don't use the Microsoft Graph API to secure your web api. Instead:

    1. The client continues to use the Microsoft Identity Platform to authenticate.

    2. The client uses the resulting JWT access token to call the Web API as normal for OAuth 2.0 flow

    3. The web API uses JwtBearerAuthenticationScheme, setting the authority to the Microsoft identity platform. See this example and search for JwtBearerAuthenticationScheme.

    4. The web API uses the provided access token to obtain an 'On Behalf Of' user token.

    5. The web API calls the Graph API using this 'On Behalf Of' token. This token has a different lifespan than the token the client obtained, and refreshes must be handled separately.

    This is a very distilled version of this example. Disclaimer: I haven't put this into practice yet.

    0 讨论(0)
  • 爱一瞬间的悲伤
    2021-01-07 15:03

    I tried to validate the access_token in jwt.io (https://nicksnettravels.builttoroam.com/post/2017/01/24/Verifying-Azure-Active-Directory-JWT-Tokens.aspx) but I was not able to.

    Microsoft Graph API access tokens are signed differently from other access tokens from what I can see. You do not need to validate tokens that are meant for another API, it is their job.

    The aud here is https://graph.microsoft.com, I am not sure if I need to and why do I need to change aud to my client id. how do I do that?

    I don't know about HelloJS, but you should be able to get an Id token after authentication with response_type=id_token token. Then you need to attach that to the requests. It should have your client id as the audience.

    Is there something wrong in the code or do i need to tweak the way I am requesting header tokens.

    The only thing that stands out to me is that you are doing a lot of unnecessary configuration. Basically the configuration should be:

    .AddJwtBearer(o =>
{
    o.Audience = "your-client-id";
    o.Authority = "https://login.microsoftonline.com/your-tenant-id/v2.0";
})

    The handler will automatically fetch the public signing keys on startup. It's not really a good idea to hard-code signing keys in your app since your app will break when AAD finishes signing key rollover.

    0 讨论(0)
 看不清?
提交回复
热议问题