How to replicate "Windows Azure Active Directory Bearer Authentication"

Hi,
I need to protect the API with a JWT token obtained from Azure AD.
Basically I need to replicate the authentication executed by the following OWIN middleware:

public void ConfigureAuth(IAppBuilder app)
{
	app.UseWindowsAzureActiveDirectoryBearerAuthentication(
		new WindowsAzureActiveDirectoryBearerAuthenticationOptions
		{
			Audience = ConfigurationManager.AppSettings["ida:Audience"],
			Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
		});
}

IOW I need an authentication provider that simply searches for the JWT token within the Authorization header and validates it against the issuer (Azure AD).

I noticed there’s a TP provider, but it also takes care of getting the token. I simply need to validate an existing one.

I don’t know what that code does, but if you want to extract a JWT Bearer token you can use the IRequest.GetBearerToken() extension method, e.g:

string bearerToken = req.GetBearerToken();

A JWT Token is just a 3-part URL-safe Base64 encoded string, with the first 2 parts containing the JWT Header and JWT Payload as JSON Objects. If it helps, here’s how we parse the JWT Token in JwtAuthProviderReader. The Audience Claim is a standardized JWT header that’s meant to be defined in the “aud” JWT Header, which you can extract with:

var parts = bearerToken.Split('.');
// Segment 0 is the JWT header (alg, typ, kid); segment 1 is the payload, which is
// where the registered "aud" claim lives (RFC 7519 §4.1.3), so decode parts[1].
var payload = parts[1];
var payloadJson = payload.FromBase64UrlSafe().FromUtf8Bytes();
var payloadData = payloadJson.FromJson<Dictionary<string, string>>();

string audience;
if (payloadData.TryGetValue("aud", out audience)) {
   //... compare against the Audience this API expects before trusting the token
}

Hi, Thanks for the reply.
I haven’t dug into the OWIN middleware yet, but I assume the most important part will be verifying the JWT signature, downloading the key from Azure according to the tenant and audience.
Are you considering adding an Azure AD provider among the SS built-in providers?

JWTs are cryptographically verified with the JWT Signature; at a minimum you’re going to need access to the authenticating key regardless of whether it was signed with AES or RSA.

Yeah, we’re eventually going to provide integration and support for Azure like we do with ServiceStack.Aws, but CoreCLR support will be our top priority from the next release onwards, which is still an unknown quantity, so it may be a while before we’re freed up to focus on the remaining feature requests.

I have been able to satisfy my need using the JwtAuthProviderReader provider, supplying “manually” the PublicKey used by Azure to sign the token.

A simple solution should be an “AzureJwtAuthProviderReader” able to retrieve the public key from the endpoint “https://login.windows.net/{0}/federationmetadata/2007-06/federationmetadata.xml”, where the placeholder is the AzureAD Tenant “.onmicrosoft.com”.

1 Like
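As an added example (not code from this thread or from ServiceStack), this is what the key-retrieval half of such an “AzureJwtAuthProviderReader” looks like: download the federation metadata for a tenant, keep only the `use="signing"` certificates, and turn each into the RSA public parameters that `JwtAuthProviderReader.PublicKey` takes. It assumes the SAML 2.0 metadata layout with an XML-DSig `KeyInfo` as published at the endpoint quoted above; the class and method names, the sample document and the tenant name are this example’s own.

```csharp
// Added example, not code from the thread or from ServiceStack: fetch Azure AD's
// federation metadata and turn its signing certificates into RSA public keys.
// Assumptions: SAML 2.0 metadata layout with XML-DSig KeyInfo (as login.windows.net
// publishes it) and the JwtAuthProviderReader.PublicKey property the thread mentions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;

public static class AzureAdSigningKeys
{
    // Endpoint quoted in the thread; {0} is the tenant, e.g. contoso.onmicrosoft.com.
    const string MetadataUrlFormat =
        "https://login.windows.net/{0}/federationmetadata/2007-06/federationmetadata.xml";

    static readonly XNamespace Md = "urn:oasis:names:tc:SAML:2.0:metadata";
    static readonly XNamespace Ds = "http://www.w3.org/2000/09/xmldsig#";

    // Download over HTTPS with default certificate validation: the TLS check is what
    // stops someone on the path from substituting their own signing certificate.
    public static string DownloadMetadata(string tenant)
    {
        using (var http = new HttpClient())
            return http.GetStringAsync(string.Format(MetadataUrlFormat, tenant)).Result;
    }

    // Base64 DER certificates from every <KeyDescriptor use="signing">. Encryption
    // keys (use="encryption") must never be accepted as token signers, so they are skipped.
    public static List<string> ExtractSigningCertificates(string metadataXml)
    {
        return XDocument.Parse(metadataXml)
            .Descendants(Md + "KeyDescriptor")
            .Where(kd => (string)kd.Attribute("use") == "signing")
            .Descendants(Ds + "X509Certificate")
            .Select(x => x.Value.Trim())
            .Distinct()
            .ToList();
    }

    static string ToBase64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // One RSAParameters (public half only) per certificate, keyed by the base64url SHA-1
    // thumbprint. Azure AD puts that same value in the token header as "kid"/"x5t", so a
    // validator can pick the matching key instead of trying every one.
    public static Dictionary<string, RSAParameters> ToPublicKeys(IEnumerable<string> base64Certs)
    {
        var keys = new Dictionary<string, RSAParameters>();
        foreach (var b64 in base64Certs)
        {
            var cert = new X509Certificate2(Convert.FromBase64String(b64));
            using (var rsa = cert.GetRSAPublicKey())
                keys[ToBase64Url(cert.GetCertHash())] = rsa.ExportParameters(false);
        }
        return keys;
    }

    // Constructed sample shaped like the real document. The certificate bodies are
    // placeholders, so only the extraction step runs offline; ToPublicKeys needs real DER.
    const string SampleMetadata = @"<EntityDescriptor xmlns=""urn:oasis:names:tc:SAML:2.0:metadata"" entityID=""https://sts.windows.net/TENANT-ID-PLACEHOLDER/"">
  <RoleDescriptor>
    <KeyDescriptor use=""signing""><KeyInfo xmlns=""http://www.w3.org/2000/09/xmldsig#""><X509Data><X509Certificate>BASE64_DER_CERT_PLACEHOLDER</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use=""encryption""><KeyInfo xmlns=""http://www.w3.org/2000/09/xmldsig#""><X509Data><X509Certificate>NOT_A_SIGNING_KEY_PLACEHOLDER</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>";

    public static void Main()
    {
        var certs = ExtractSigningCertificates(SampleMetadata);
        Console.WriteLine($"{certs.Count} signing certificate(s): {string.Join(", ", certs)}");
        // Against a live tenant:
        //   var keys = ToPublicKeys(ExtractSigningCertificates(DownloadMetadata("contoso.onmicrosoft.com")));
        // then assign an entry's RSAParameters to JwtAuthProviderReader.PublicKey.
    }
}
```

Two design points: the metadata must only ever be fetched over a properly validated TLS connection, because whoever controls that document controls which keys your API trusts; and the keys should be cached and refreshed on a schedule (or on a `kid` miss) rather than downloaded per request, both for latency and so a metadata outage does not take your authentication down with it.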

Cool, if it’s at all possible to share the code that worked, e.g. here or in a Gist I’m sure others would find it valuable.

I added some sample here

I had to remove the AzureADSettings.resx file w/ azure settings

In reality I didn’t do much: all the features are already available through JwtAuthProviderReader

I simply added some code grabbed from Katana to download the federation metadata containing the public key.

The main change of JwtAuthProviderReader is due to the

According to Microsoft documentation, you may have to validate the JWT against more than one signing key. Basically the JwtAuthProviderReader should accept more than one PublicKey and try the token validation w/ all of those.

2 Likes
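The multi-key validation described in the last post, as an added example that is not code from this thread or from ServiceStack: the validator takes a set of RSA public keys (in the `RSAParameters` form the thread’s PublicKey uses), tries the key named by the token’s `kid` first and otherwise every configured key, and only then checks issuer, audience and expiry. The class and method names, the demo keys and the claim values are this example’s own; it generates its own signing keys so it runs offline, which is the only part Azure AD would do instead.

```csharp
// Added example, not code from the thread or from ServiceStack: validate an RS256 JWT
// against several candidate public keys (kid first, then every key), then check claims.
// Assumptions: keys arrive as RSAParameters, and all names here are the example's own.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class MultiKeyJwtValidator
{
    static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s += new string('=', (4 - s.Length % 4) % 4);
        return Convert.FromBase64String(s);
    }
    static string ToBase64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static bool TryValidate(string token, IReadOnlyDictionary<string, RSAParameters> keys,
        string expectedIssuer, string expectedAudience, DateTimeOffset now, out string reason)
    {
        reason = null;
        var parts = token.Split('.');
        if (parts.Length != 3) { reason = "token must have 3 segments"; return false; }

        using var headerDoc = JsonDocument.Parse(FromBase64Url(parts[0]));
        using var payloadDoc = JsonDocument.Parse(FromBase64Url(parts[1]));
        var header = headerDoc.RootElement;
        var payload = payloadDoc.RootElement;

        // Pin the algorithm to what the keys are for: accepting "none" or an HMAC alg
        // alongside a public key would let a forged token through.
        if (!header.TryGetProperty("alg", out var alg) || alg.ValueKind != JsonValueKind.String
            || alg.GetString() != "RS256") { reason = "unsupported alg"; return false; }

        var signedBytes = Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]);
        var signature = FromBase64Url(parts[2]);

        // "kid" is only a hint for key selection; a missing or unknown kid falls back to
        // every configured key, which is the "more than one PublicKey" behaviour asked for.
        IEnumerable<RSAParameters> candidates = keys.Values;
        if (header.TryGetProperty("kid", out var kid) && kid.ValueKind == JsonValueKind.String
            && keys.TryGetValue(kid.GetString(), out var named))
            candidates = new[] { named };

        bool verified = candidates.Any(p =>
        {
            using var rsa = RSA.Create();
            rsa.ImportParameters(p);
            return rsa.VerifyData(signedBytes, signature, HashAlgorithmName.SHA256,
                                  RSASignaturePadding.Pkcs1);
        });
        if (!verified) { reason = "signature matches none of the known keys"; return false; }

        // Claims only mean something once the signature holds. (Azure AD v1 tokens carry
        // "aud" as a single string; a general validator would also accept an array.)
        if (payload.GetProperty("iss").GetString() != expectedIssuer) { reason = "wrong issuer"; return false; }
        if (payload.GetProperty("aud").GetString() != expectedAudience) { reason = "wrong audience"; return false; }
        if (DateTimeOffset.FromUnixTimeSeconds(payload.GetProperty("exp").GetInt64()) <= now)
        { reason = "expired"; return false; }
        return true;
    }

    // Demo-side signer so the example is self-contained; in reality Azure AD signs.
    static string Sign(RSA key, string kid, string payloadJson)
    {
        var header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"" + (kid == null ? "" : ",\"kid\":\"" + kid + "\"") + "}";
        var input = ToBase64Url(Encoding.UTF8.GetBytes(header)) + "." + ToBase64Url(Encoding.UTF8.GetBytes(payloadJson));
        var sig = key.SignData(Encoding.ASCII.GetBytes(input), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return input + "." + ToBase64Url(sig);
    }

    public static void Main()
    {
        // Constructed demo: two published signing keys (as after a rotation) plus a rogue key.
        using var keyA = RSA.Create(2048);
        using var keyB = RSA.Create(2048);
        using var rogue = RSA.Create(2048);
        var keys = new Dictionary<string, RSAParameters>
        {
            ["kid-A"] = keyA.ExportParameters(false),
            ["kid-B"] = keyB.ExportParameters(false),
        };
        const string Iss = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/", Aud = "api://my-api";
        var now = DateTimeOffset.UtcNow;
        var payload = $"{{\"iss\":\"{Iss}\",\"aud\":\"{Aud}\",\"exp\":{now.AddMinutes(5).ToUnixTimeSeconds()}}}";

        foreach (var (label, token) in new[] {
            ("signed by B, kid present", Sign(keyB, "kid-B", payload)),
            ("signed by A, no kid (all keys tried)", Sign(keyA, null, payload)),
            ("signed by rogue key, claims kid-A", Sign(rogue, "kid-A", payload)) })
        {
            var ok = TryValidate(token, keys, Iss, Aud, now, out var reason);
            Console.WriteLine($"{label}: {(ok ? "valid" : "rejected: " + reason)}");
        }
    }
}
```

The ordering matters: the algorithm is pinned before any key is consulted, the signature is checked before any claim is read, and `kid` is treated as an untrusted hint that narrows the search rather than something the token can use to name a key outside the configured set. Trying every key on a `kid` miss is what keeps an API working through an Azure AD key rollover, when tokens signed by both the old and the new certificate are in circulation at once.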