Tags: asp.net-web-api, jwt, claims-based-identity, .net-4.8

How to apply Microsoft Identity Platform authentication on a .NET framework 4.7 ASP.NET Web API endpoint


I have a legacy ASP.NET Web API app built with .NET Framework 4.7.2, and at the moment there is no authentication implemented for it. How can I apply Microsoft Identity Platform authentication to this app? I want this authentication/authorization applied only to one endpoint, not the rest of the app.

I created another .NET 6.0 ASP.NET Core Web API app which has the below statement in its Startup.ConfigureServices method.

// Keep the raw JWT claim names ("roles", "scp", ...) instead of mapping them to the
// legacy URI-style claim types.
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
     .AddMicrosoftIdentityWebApi(_configuration);

services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
     // The claim in the JWT where app roles are available, so [Authorize(Roles = "...")]
     // sees them.
     options.TokenValidationParameters.RoleClaimType = "roles";
});

This separate API works fine. Now I am trying to send an authenticated API request from this new app to the legacy app, and let the legacy endpoint worry about auth. Can someone guide me to the correct method? The closest questions I found so far are this, this and this, but they don't answer my question.
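One way to make the cross-service call the question describes, written here as an added example and not taken from the original post or from Microsoft's own samples: the .NET 6 API validates its own incoming token with Microsoft.Identity.Web, then uses the on-behalf-of flow to obtain a second token whose audience is the legacy API and sends that as the bearer token. Forwarding the caller's original token would fail audience validation on the legacy side. Assumptions, all labelled in the code: the configuration key `LegacyApi:BaseUrl`, the downstream scope `api://{legacy-app-client-id}/.default`, the legacy route `api/secure`, and that the legacy app registration exposes a scope the calling app has been granted (the on-behalf-of flow does not work otherwise).

```csharp
// Program.cs for the .NET 6 ASP.NET Core Web API (added example, not the question's own code).
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Keep the raw JWT claim names ("roles", "scp", ...) rather than the legacy URI-style names.
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration)   // validates the incoming bearer token
    .EnableTokenAcquisitionToCallDownstreamApi()         // registers ITokenAcquisition (on-behalf-of)
    .AddInMemoryTokenCaches();

builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme,
    o => o.TokenValidationParameters.RoleClaimType = "roles");

// Assumed setting "LegacyApi:BaseUrl" in appsettings.json, e.g. https://legacy.example.internal/
builder.Services.AddHttpClient("legacy", c =>
    c.BaseAddress = new Uri(builder.Configuration["LegacyApi:BaseUrl"]!));
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
[Authorize]   // the caller must already hold a valid token for THIS API
public class LegacyProxyController : ControllerBase
{
    // Assumed scope: the legacy app registration's App ID URI plus /.default.
    private const string LegacyScope = "api://{legacy-app-client-id}/.default";

    private readonly ITokenAcquisition _tokens;
    private readonly IHttpClientFactory _http;

    public LegacyProxyController(ITokenAcquisition tokens, IHttpClientFactory http)
    {
        _tokens = tokens;
        _http = http;
    }

    [HttpGet]
    public async Task<IActionResult> Get()
    {
        // On-behalf-of: exchange the caller's token (aud = this API) for one whose aud is the
        // legacy API. The user identity is preserved, so the legacy endpoint sees the real caller.
        string accessToken = await _tokens.GetAccessTokenForUserAsync(new[] { LegacyScope });

        var client = _http.CreateClient("legacy");
        using var request = new HttpRequestMessage(HttpMethod.Get, "api/secure");   // assumed route
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        using var response = await client.SendAsync(request);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            // Surface a legacy-side rejection (wrong audience/issuer/expired key) distinctly
            // instead of returning a misleading 401 to our own caller.
            return StatusCode(502, "legacy API rejected the on-behalf-of token");
        }
        response.EnsureSuccessStatusCode();
        return Content(await response.Content.ReadAsStringAsync(), "application/json");
    }
}
```

The token that arrives at the legacy API carries `aud` equal to the legacy app's App ID URI (v1 tokens) or its client ID (v2 tokens), which is why the legacy side should validate the audience rather than switch that check off.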


Solution

  • I found the solution for my issue by a combination of reading all the linked questions in my original question, reading this article and experimenting with different code snippets. My final working changes are listed below.

    Startup class:

    I created this Startup class for OWIN.

    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Protocols;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.Owin.Security.Jwt;
    using Owin;

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var authority = "{authority-URL}";
            // ConfigurationManager downloads and caches the issuer's discovery document,
            // including the JWKS used to verify token signatures.
            var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
               authority + "/.well-known/openid-configuration",
               new OpenIdConnectConfigurationRetriever(),
               new HttpDocumentRetriever());
            // Fetched once, synchronously, at startup. The snapshot captured here is what the
            // resolver below returns, so keys the issuer rotates later are not picked up until
            // the app restarts.
            var discoveryDocument = Task.Run(() => configurationManager.GetConfigurationAsync()).GetAwaiter().GetResult();
            
            app.UseJwtBearerAuthentication(
              new JwtBearerAuthenticationOptions
              {
                  // Active: a request carrying a bearer token is authenticated everywhere, but
                  // only actions marked [Authorize] reject requests without one.
                  AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
                  TokenValidationParameters = new TokenValidationParameters()
                  {
                      ValidAudience = "{app-audience}",
                      ValidIssuer = "{issuer-URL}",
                      // Return the issuer's published signing keys instead of a hard-coded secret.
                      IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
                      {
                          return discoveryDocument.SigningKeys;
                      },
                      ValidateIssuerSigningKey = true,
                      ValidateIssuer = true,
                      // With audience validation off, ValidAudience above is never checked:
                      // any token from this issuer, minted for any API, is accepted here.
                      ValidateAudience = false,
                  }
              });
        }
    }
    

    Web.config:

    I added the below line under the <appSettings> section:

    <add key="owin:AutomaticAppStartup" value="true" />
    

    Authorize attribute:

    I added [Authorize] attribute on the endpoint for which I wanted authentication applied.

    Most answers I read on Stack Overflow had the below statement in them, which never worked for me because I didn't know the secret key for the app,

    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("jwt_signing_secret_key"))
    

    but this article had an alternate example with IssuerSigningKeyResolver which was the final piece of the puzzle for me.
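A hardened version of the same OWIN setup, added here as an example and not part of the answer above or of any Microsoft sample. It keeps the answer's approach (discovery document plus IssuerSigningKeyResolver, no shared secret) and adds the checks a practitioner would want: audience and lifetime validation switched on, the signing key looked up by `kid` from the ConfigurationManager's cache with a rate-limited refresh on a miss so issuer key rotation does not break the endpoint, the `roles` claim mapped for role-based `[Authorize]`, and the protected endpoint written as a Web API controller. Assumptions: the placeholders in braces (as in the answer), the namespace `LegacyApi`, and the app role name `Legacy.Read`.

```csharp
// Startup.cs for the .NET Framework 4.7.2 Web API (added example, not the answer's code).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;

// Explicit startup class; equivalent to relying on owin:AutomaticAppStartup discovery.
[assembly: OwinStartup(typeof(LegacyApi.Startup))]

namespace LegacyApi
{
    public class Startup
    {
        // Assumed placeholders; read them from <appSettings> in a real deployment.
        private const string Authority = "{authority-URL}";
        private const string Issuer = "{issuer-URL}";
        // v1 tokens carry the App ID URI (api://...) as aud, v2 tokens carry the client ID.
        private const string Audience = "{app-audience}";

        public void Configuration(IAppBuilder app)
        {
            // Downloads and caches the discovery document and JWKS, refreshing on its own schedule.
            var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
                Authority.TrimEnd('/') + "/.well-known/openid-configuration",
                new OpenIdConnectConfigurationRetriever(),
                new HttpDocumentRetriever { RequireHttps = true });

            app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
            {
                // Active: identity is established on every request that carries a token; only
                // actions marked [System.Web.Http.Authorize] reject anonymous callers, which is
                // exactly the "one endpoint only" requirement.
                AuthenticationMode = AuthenticationMode.Active,
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuer = Issuer,
                    ValidateIssuer = true,
                    // Audience ON: a token minted for some other API in the same tenant is rejected.
                    ValidAudience = Audience,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(2),
                    ValidateIssuerSigningKey = true,
                    // App roles arrive in the "roles" claim; map them for [Authorize(Roles = ...)].
                    RoleClaimType = "roles",
                    IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                        ResolveSigningKeys(configurationManager, kid),
                },
            });
        }

        // Looks the key up by kid in the cached discovery document. On a miss (the issuer may
        // have rotated keys) request one refresh and retry. ConfigurationManager rate-limits
        // RequestRefresh, which also bounds how often unknown kids from an attacker can trigger
        // an outbound fetch.
        private static IEnumerable<SecurityKey> ResolveSigningKeys(
            ConfigurationManager<OpenIdConnectConfiguration> manager, string kid)
        {
            var config = manager.GetConfigurationAsync(CancellationToken.None).GetAwaiter().GetResult();
            var keys = config.SigningKeys.Where(k => k.KeyId == kid).ToList();
            if (keys.Count == 0)
            {
                manager.RequestRefresh();
                config = manager.GetConfigurationAsync(CancellationToken.None).GetAwaiter().GetResult();
                keys = config.SigningKeys.Where(k => k.KeyId == kid).ToList();
            }
            return keys;   // empty list => signature validation fails => 401
        }
    }

    // The single protected endpoint. Use System.Web.Http.Authorize (Web API), not the
    // System.Web.Mvc attribute of the same name, which Web API filters ignore.
    public class SecureController : System.Web.Http.ApiController
    {
        [System.Web.Http.Authorize(Roles = "Legacy.Read")]   // assumed app role name
        [System.Web.Http.HttpGet]
        public System.Web.Http.IHttpActionResult Get()
        {
            return Ok(new { user = User.Identity.Name });
        }
    }
}
```

Because the resolver reads from the ConfigurationManager on each validation instead of a snapshot taken at startup, a key rollover by the issuer is handled without restarting the app; the miss-then-refresh path covers the window before the manager's scheduled refresh.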