microsoft-identity-web: [Bug] Custom JwtBearerOptions not applied

Which version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version.

0.14-preview and current source

Where is the issue?

  • Web App
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • [x] Protected web APIs (Validating tokens)
    • Protected web APIs (Validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In Memory caches
    • Session caches
    • Distributed caches

Other? - please describe;

Is this a new or existing app? New app

Repro

    // Inside Startup.ConfigureServices
    services.AddProtectedWebApi(Configuration, subscribeToJwtBearerMiddlewareDiagnosticsEvents: true);
    services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
    {
        // This is a Microsoft identity platform web API: use the v2.0 endpoint
        options.Authority += "/v2.0";

        // The valid audiences are the Client ID (options.Audience), api://{ClientID} and https://{ClientID}
        options.TokenValidationParameters.ValidAudiences = new string[]
        {
            options.Audience, $"api://{options.Audience}", $"https://{options.Audience}"
        };

        // Delegate issuer validation to the default validator
        options.TokenValidationParameters.IssuerValidator = Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer;
    });

Expected behavior

The JwtBearerOptions are never applied. So my settings audience is <<Guid>>, but I expect the valid audiences to be [<<Guid>>, api://<<Guid>>, https://<<Guid>>].

Actual behavior

Instead, the only valid audience is <<Guid>>.

Additional context / Logs / Screenshots

The audience is an easy example. The problem looks like the JwtBearerOptions are not being applied by Identity.Web.

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 24 (5 by maintainers)

Most upvoted comments

No apologies needed. If anything, it's me who ought to be thanking you guys. This particular project has been absolutely critical in helping me understand OAuth flows/tickets/audiences and how all that translates to code. Thanks!

If I understand correctly, the issue is that if both TokenValidationParameters.ValidAudience and TokenValidationParameters.ValidAudiences are specified, and audiences does not contain ValidAudience, we return false. But we also need to check other audiences in ValidAudiences.

https://github.com/AzureAD/microsoft-identity-web/blob/09bb43e5b44073a1013a2b69cc85cf3514a1a928/src/Microsoft.Identity.Web/Resource/RegisterValidAudience.cs#L88-L96

So either we need to add ValidAudience to ValidAudiences and then just check audiences against ValidAudiences, or, on line 91, return only if it's true; if it's false, we also need to check against ValidAudiences.
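The audience check described in the comment above, as an added example that is not the library's own code: a stand-alone C# program that models the short-circuiting check beside the union check with plain strings, so it runs without the Microsoft.IdentityModel.Tokens package (method names and the client id value are assumptions).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not code from microsoft-identity-web. It models the audience
// check discussed above with plain strings; method names are assumptions.
static class AudienceCheckDemo
{
    // Shape of the reported behaviour: when ValidAudience is set, a token whose
    // "aud" does not contain it is rejected before ValidAudiences is consulted.
    public static bool ValidateAudienceShortCircuit(
        IEnumerable<string> tokenAudiences, string validAudience, IEnumerable<string> validAudiences)
    {
        if (!string.IsNullOrEmpty(validAudience))
        {
            // The early return is the defect: a "false" here skips ValidAudiences entirely.
            return tokenAudiences.Contains(validAudience, StringComparer.Ordinal);
        }
        return validAudiences != null
            && tokenAudiences.Intersect(validAudiences, StringComparer.Ordinal).Any();
    }

    // Corrected check: fold ValidAudience into the allow-list and test the union once.
    public static bool ValidateAudienceUnion(
        IEnumerable<string> tokenAudiences, string validAudience, IEnumerable<string> validAudiences)
    {
        var allowed = new HashSet<string>(validAudiences ?? Enumerable.Empty<string>(), StringComparer.Ordinal);
        if (!string.IsNullOrEmpty(validAudience)) allowed.Add(validAudience);
        // An empty allow-list must reject, never "accept any audience".
        return allowed.Count > 0 && tokenAudiences.Any(a => allowed.Contains(a));
    }

    static void Main()
    {
        // Constructed placeholder, not a real application id.
        const string clientId = "00000000-0000-0000-0000-000000000000";
        // ASP.NET Core defaults ValidAudience to options.Audience; the reporter's
        // Configure callback then sets ValidAudiences to the three forms.
        string validAudience = clientId;
        string[] validAudiences = { clientId, $"api://{clientId}", $"https://{clientId}" };
        // Constructed "aud" claim of an incoming token using the api:// form.
        string[] tokenAud = { $"api://{clientId}" };

        Console.WriteLine($"short-circuit check accepts api:// audience: {ValidateAudienceShortCircuit(tokenAud, validAudience, validAudiences)}");
        Console.WriteLine($"union check accepts api:// audience:         {ValidateAudienceUnion(tokenAud, validAudience, validAudiences)}");
    }
}
```

Running it shows the short-circuit variant rejecting the api:// audience that the reporter expected to be valid, while the union variant accepts it and still rejects a token whose audience matches none of the configured values.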

It is clear, @CalamityLorenzo. Thanks!

@CalamityLorenzo: thank you. I see this is because ASP.NET Core will give it a default value. We'll check this.

What behavior would you expect? Take valid audiences first, and then valid audience if valid audiences is empty? Or the union of both? @brentschmaltz, what would you recommend?

@CalamityLorenzo Do you mind trying this branch to see if the issue is resolved? Thanks.