Description
Which version of Microsoft Identity Web are you using?
Note that to get help, you need to run the latest version.
Microsoft Identity Web 1.3.0
Where is the issue?
- Web app
- Sign-in users
- Sign-in users and call web APIs
- Web API
- Protected web APIs (validating tokens)
- Protected web APIs (validating scopes)
- Protected web APIs call downstream web APIs
- Token cache serialization
- In-memory caches
- Session caches
- Distributed caches
- Other (please describe)
Is this a new or an existing app?
a. The app is in production and I have upgraded to a new version of Microsoft Identity Web.
Repro
Startup.cs
services.AddAuthentication()
    .AddMicrosoftIdentityWebApi(
        (jwtOpt) =>
        {
            Configuration.Bind("AzureAdB2C", jwtOpt);
            jwtOpt.TokenValidationParameters.ValidateIssuer = false;
        },
        (msIdOpt) => Configuration.Bind("AzureAdB2C", msIdOpt));
appsettings.json
"AzureAdB2C": {
    "Instance": "https://mytenant.b2clogin.com",
    "ClientId": "ccb2a9f5-3b90-4f01-b4de-619daa1b9e49",
    "ClientSecret": "*****",
    "Domain": "mytenant.onmicrosoft.com",
    "SignUpSignInPolicyId": "B2C_1A_Signup_Signin"
}
JWT
{
"typ": "JWT",
"alg": "RS256",
"kid": "0kcuEIFYUmeulxXnEdH43prYHw3HVshbaNlXyRpgQb4"
}.{
"iss": "https://mytenant.b2clogin.com/97d559f9-30de-42c5-b79a-1645d748e84d/v2.0/",
"exp": 1606881975,
"nbf": 1606874775,
"aud": "3ff65921-74c1-4ec6-8c37-f012ca63811e",
"tid": "fe2738ba-6955-4bcd-ba5d-a1fef14fc86a",
"email": "[email protected]",
"given_name": "John",
"family_name": "Doe",
"name": "John Doe",
"idp": "myIdP",
"sub": "67d4fe2f-f68b-4580-ad78-5c0640f4cf30",
"emails": [
"[email protected]"
],
"scp": "user_impersonation",
"azp": "48ff8d08-0206-4f8a-9c90-084e6eae7d36",
"ver": "1.0",
"iat": 1606874775
}.[Signature]
Expected behavior
Since JwtBearerOptions.TokenValidationParameters.ValidateIssuer is set to false, I would expect the issuer not to be validated.
Actual behavior
The issuer is validated anyway. This is a problem because it fails validation with the default AadIssuerValidator.
Possible solution
Workaround (register a dummy [or custom] IssuerValidator):
Startup.cs
services.AddAuthentication()
    .AddMicrosoftIdentityWebApi(
        (jwtOpt) =>
        {
            Configuration.Bind("AzureAdB2C", jwtOpt);
            jwtOpt.TokenValidationParameters.IssuerValidator = (a, b, c) => a;
        },
        (msIdOpt) => Configuration.Bind("AzureAdB2C", msIdOpt));
Possible Solution:
microsoft-identityweb/src/Microsoft.Identity.Web/WebApiExtensions/MicrosoftIdentityWebApiAuthenticationBuilderExtensions.cs, line 193
// If the developer registered an IssuerValidator, do not overwrite it
if (options.TokenValidationParameters.ValidateIssuer && // <--- Add This
    options.TokenValidationParameters.IssuerValidator == null)
{
    // Instead of using the default validation (validating against a single tenant, as we do in line of business apps),
    // we inject our own multi-tenant validation logic (which even accepts both v1.0 and v2.0 tokens)
    MicrosoftIdentityIssuerValidatorFactory microsoftIdentityIssuerValidatorFactory =
        serviceProvider.GetRequiredService<MicrosoftIdentityIssuerValidatorFactory>();
    options.TokenValidationParameters.IssuerValidator =
        microsoftIdentityIssuerValidatorFactory.GetAadIssuerValidator(options.Authority).Validate;
}
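The dummy validator in the workaround above, `(a, b, c) => a`, returns whatever issuer the token carries, so once it is registered no issuer check happens at all. The following is an added example, not code from this issue or from Microsoft.Identity.Web: a custom IssuerValidator for the "[or custom]" option that keeps the B2C API working without giving up the issuer check. It assumes the B2C tenant name and tenant id are available from configuration (the sample appsettings.json in the issue has no TenantId entry, so that key is an assumption), that the issuer formats listed in ExpectedIssuers are the ones the tenant emits (verify against a real token; the one in the issue uses the b2clogin.com form), and that the token handed to the validator is a JwtSecurityToken. The IssuerValidator delegate signature (issuer, SecurityToken, TokenValidationParameters) and SecurityTokenInvalidIssuerException come from Microsoft.IdentityModel.Tokens.

```csharp
// Added example, not part of the issue or of Microsoft.Identity.Web.
// A B2C issuer validator that checks the token's issuer against an explicit
// allow-list instead of accepting any value, for use as
// jwtOpt.TokenValidationParameters.IssuerValidator.
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Tokens;

public static class B2CIssuerValidator
{
    // Issuer values assumed for one B2C tenant (assumption: confirm the exact
    // strings against a token from your tenant before relying on them).
    public static IReadOnlyCollection<string> ExpectedIssuers(string tenantName, string tenantId) =>
        new[]
        {
            $"https://{tenantName}.b2clogin.com/{tenantId}/v2.0/",
            $"https://login.microsoftonline.com/{tenantId}/v2.0/",
        };

    // Returns an IssuerValidator delegate that accepts only the listed issuers.
    // Returning the issuer string marks it as validated; throwing
    // SecurityTokenInvalidIssuerException makes the JWT bearer handler reject
    // the token with the normal issuer-validation failure.
    public static IssuerValidator Create(string tenantName, string tenantId)
    {
        if (string.IsNullOrEmpty(tenantName)) throw new ArgumentException("tenantName is required", nameof(tenantName));
        if (string.IsNullOrEmpty(tenantId)) throw new ArgumentException("tenantId is required", nameof(tenantId));

        // Ordinal comparison: issuer strings are compared exactly, no normalisation.
        var allowed = new HashSet<string>(ExpectedIssuers(tenantName, tenantId), StringComparer.Ordinal);

        return (issuer, securityToken, validationParameters) =>
        {
            if (string.IsNullOrEmpty(issuer))
            {
                throw new SecurityTokenInvalidIssuerException("Token has no 'iss' claim.");
            }

            if (!allowed.Contains(issuer))
            {
                throw new SecurityTokenInvalidIssuerException($"Issuer '{issuer}' is not trusted.")
                {
                    InvalidIssuer = issuer,
                };
            }

            return issuer;
        };
    }
}

// Wiring in Startup.cs (replaces the dummy validator from the workaround).
// "AzureAdB2C:TenantId" is an assumed configuration key, not one shown in the issue.
//
// services.AddAuthentication()
//     .AddMicrosoftIdentityWebApi(
//         (jwtOpt) =>
//         {
//             Configuration.Bind("AzureAdB2C", jwtOpt);
//             jwtOpt.TokenValidationParameters.IssuerValidator =
//                 B2CIssuerValidator.Create("mytenant", Configuration["AzureAdB2C:TenantId"]);
//         },
//         (msIdOpt) => Configuration.Bind("AzureAdB2C", msIdOpt));
```

Because AddMicrosoftIdentityWebApi only installs its own AadIssuerValidator when IssuerValidator is null, registering this delegate is enough to take over issuer validation while ValidateIssuer stays at its default of true; signature validation against the authority's signing keys is unaffected either way.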