How to replicate "Windows Azure Active Directory Bearer Authentication"

I need to protect the API with a JWT token obtained from Azure AD.
Basically I need to replicate the authentication executed by the following Owin middletier

public void ConfigureAuth(IAppBuilder app)
		new WindowsAzureActiveDirectoryBearerAuthenticationOptions
			Audience = ConfigurationManager.AppSettings["ida:Audience"],
			Tenant = ConfigurationManager.AppSettings["ida:Tenant"]

IOW I need an authentication provider that simply search for the jwt token within the Authorization header and validate it against the issuer (Azure AD)

I noticed there’s a TP provider, but it also take care to get the token. I simply need to validate an existing one.

I don’t know what that code does, but if you want to extract a JWT Bearer token you can use the IRequest.GetBearerToken() extension method, e.g:

string bearerToken = req.GetBearerToken();

A JWT Token is just a 3-part URL-Safe Base64 encoded string, with the first 2 parts containing the JWT Header and JWT Payload in JSON Objects. If it helps here’s how we parse the JWT Token in JwtAuthProviderReader. The Audience Claim is a standardized JWT header that’s meant to be defined “aud” JWT Header which you can extract with:

var parts = bearerToken.Split('.');
var header = parts[0];
var headerJson = header.FromBase64UrlSafe().FromUtf8Bytes();
var headerData = headerJson.FromJson<Dictionary<string, string>>();

string audience;
if (headerData.TryGetValue("aud", out audience)) {

Hi, Thanks for the reply.
I didn’t dig yet in the owin middletier yet, but I assume the most Important part will be verifying the jwt signature downloading the key from azure according to the tenant and audience.
Are you considering to add azure ad provider among ss built in providers?

JWT’s are cryptographically verified with the JWT Signature, at a minimum you’re going to need access to the authenticating key regardless of whether it was signed with AES or RSA.

Yeah we’re eventually going to provide integration and support for Azure like we do with ServiceStack.Aws but CoreCLR support will be our top priority from next release onwards which is still an unknown quantity, so may be a while before we’re freed up to focus on the remaining feature requests.

I have been able to satisfy my need using JwtAuthProviderReader provider supplying “manually” the PublicKey used by azure to sign the token.

A simple solution should be a “AzureJwtAuthProviderReader” able to retrieve the public key from the endpoint “{0}/federationmetadata/2007-06/federationmetadata.xml” where the placeholder is the AzureAD Tenant “”.

1 Like

Cool, if it’s at all possible to share the code that worked, e.g. here or in a Gist I’m sure others would find it valuable.

I added some sample here

I had to remove the AzureADSettings.resx file w/ azure settings

In reality I didn’t do much: all the features are already available through JwtAuthProviderReader

I simply add some code grab from katana to download the federationmetadata containing the public key

The main change of JwtAuthProviderReader is due to the

According to microsoft documentation, you may have to validate the jwt against more than one signing key. Basically the JwtAuthProviderReader should accept more the one PublicKey and try the token validation w/ all of those.