[Bug] ValidateIssuer does not work on WebApp and WebApi mix #1126

Closed
4 of 8 tasks
jc4gh opened this issue Apr 7, 2021 · 2 comments
Labels: duplicate (This issue or pull request already exists); enhancement (New feature or request); fixed (multiple auth schemes supported in v.1.10)
Comments


jc4gh commented Apr 7, 2021

Which version of Microsoft Identity Web are you using?
Note that to get help, you need to run the latest version.
Microsoft Identity Web 1.8.2

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe)

Is this a new or an existing app?
a. The app is in production and I have upgraded to a new version of Microsoft Identity Web.

Repro

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(this.Configuration.GetSection("AzureAd"));

services.AddAuthentication()
    .AddMicrosoftIdentityWebApi(this.Configuration.GetSection("AzureAd"), JwtBearerDefaults.AuthenticationScheme)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddDownstreamWebApi("API", this.Configuration.GetSection("API"))
    .AddInMemoryTokenCaches();

"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "domain.onmicrosoft.com",
  "TenantId": "organizations",
  "CallbackPath": "/signin-oidc",
  "EnablePiiLogging": true,
  "TokenValidationParameters": {
    "ValidateIssuer": true,
    "ValidIssuers": [ "https://sts.windows.net/{tenantid1}/", "https://sts.windows.net/{tenantid2}/" ]
  }
}

Expected behavior
Validates issuer for JwtBearer.

Actual behavior
No validation happens.

Possible solution

Additional context / logs / screenshots
JwtBearerOptions seem to get set correctly from Configuration.Bind. I've also tried

services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    var existingOnTokenValidatedHandler = options.Events.OnTokenValidated;
    options.Events.OnTokenValidated = async context =>
    {
        await existingOnTokenValidatedHandler(context);
        // Your code to add extra configuration that will be executed after the current event implementation.
        options.TokenValidationParameters.ValidIssuers = new[] { /* list of valid issuers */ };
        options.TokenValidationParameters.ValidAudiences = new[] { /* list of valid audiences */ };
    };
});

but it did not make a difference.

For WebApp + WebApi mix, I used this
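Added example, not code from the issue or from Microsoft.Identity.Web: the OnTokenValidated workaround above sets ValidIssuers only after the token has already been validated, so the hypothetical helper below applies the issuer allow-list at options-configuration time with PostConfigure, which runs after the library's own Configure callbacks for the scheme, and logs rejected issuers so a token from an unexpected tenant is visible in operations rather than a silent 401. It assumes the library does not reset TokenValidationParameters in its own post-configuration step and that the issuer strings passed in are the real tenant-specific values.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

public static class JwtIssuerValidationSetup
{
    // Hypothetical helper: pins the JwtBearer scheme (the web API half of the
    // mixed web app + web API setup) to an explicit issuer allow-list.
    public static IServiceCollection AddStrictJwtIssuerValidation(
        this IServiceCollection services, string jwtScheme, string[] validIssuers)
    {
        // PostConfigure runs after every Configure callback registered for this
        // scheme, so the values set here are what the handler validates with.
        services.PostConfigure<JwtBearerOptions>(jwtScheme, options =>
        {
            var tvp = options.TokenValidationParameters;
            tvp.ValidateIssuer = true;
            tvp.ValidIssuers = validIssuers;

            options.Events ??= new JwtBearerEvents();
            var previous = options.Events.OnAuthenticationFailed;
            // Keep any handler the library installed, then add issuer logging.
            options.Events.OnAuthenticationFailed = async context =>
            {
                if (previous != null)
                {
                    await previous(context);
                }
                if (context.Exception is SecurityTokenInvalidIssuerException ex)
                {
                    var logger = context.HttpContext.RequestServices
                        .GetRequiredService<ILoggerFactory>()
                        .CreateLogger("JwtIssuerValidation");
                    logger.LogWarning("Rejected token from issuer {Issuer}", ex.InvalidIssuer);
                }
            };
        });
        return services;
    }
}

// Usage in Startup.ConfigureServices, after the AddMicrosoftIdentityWebApi call
// (replace the placeholders with the real tenant IDs):
// services.AddStrictJwtIssuerValidation(JwtBearerDefaults.AuthenticationScheme,
//     new[] { "https://sts.windows.net/{tenantid1}/", "https://sts.windows.net/{tenantid2}/" });
```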

@jmprieur added the enhancement and duplicate labels on Apr 8, 2021

jmprieur commented Apr 8, 2021

There is a work item in progress to make this scenario (multiple schemes) work correctly. Unfortunately we got higher priority work recently, but we should get back to this soon.
Duplicate of #955

@jennyf19 (Collaborator) commented

Included in 1.11.0 release and documentation here.
