microsoft-identity-web: [Bug] Custom JwtBearerOptions not applied
Which version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version.
0.14-preview and current source
Where is the issue?
- Web App
- Sign-in users
- Sign-in users and call web APIs
- Web API
- [x] Protected web APIs (Validating tokens)
- Protected web APIs (Validating scopes)
- Protected web APIs call downstream web APIs
- Token cache serialization
- In Memory caches
- Session caches
- Distributed caches
Other? - please describe;
Is this a new or existing app? New app
Repro
    services.AddProtectedWebApi(Configuration, subscribeToJwtBearerMiddlewareDiagnosticsEvents: true);
    services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
    {
        // This is a Microsoft identity platform web API
        options.Authority += "/v2.0";
        // The valid audiences are both the Client ID (options.Audience) and api://{ClientID}
        options.TokenValidationParameters.ValidAudiences = new string[]
        {
            options.Audience, $"api://{options.Audience}", $"https://{options.Audience}"
        };
        // Delegate issuer validation to the Microsoft.IdentityModel validator
        options.TokenValidationParameters.IssuerValidator = Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer;
    });
Expected behavior
The JwtBearerOptions are never applied. So my settings audience is <<Guid>>, but I expect the valid audiences to be [<<Guid>>, api://<<Guid>>, https://<<Guid>>].
Actual behavior
Instead the only valid audience is <<Guid>>.
Additional context / Logs / Screenshots
The audience is an easy example. The problem looks like the JwtBearerOptions are not being applied by Identity.Web.
About this issue
- State: closed
- Created 4 years ago
- Comments: 24 (5 by maintainers)
Commits related to this issue
- New proposal to fix #211 — committed to AzureAD/microsoft-identity-web by jmprieur 4 years ago
- New proposal to fix #211 (#275) * New proposal to fix #211 * Fixing a missed path * Addressing PR feedback — committed to AzureAD/microsoft-identity-web by jmprieur 4 years ago
No apologies needed. If anything it's me who ought to be thanking you guys. This particular project has been absolutely critical in helping me understand OAuth flows/tickets/audiences and how all that translates to code. Thanks!
Included in 0.2.0-preview release cc: @CalamityLorenzo
If I understand correctly, the issue is that if both TokenValidationParameters.ValidAudience and TokenValidationParameters.ValidAudiences are specified, and audiences does not contain ValidAudience, we return false. But we also need to check other audiences in ValidAudiences. https://github.com/AzureAD/microsoft-identity-web/blob/09bb43e5b44073a1013a2b69cc85cf3514a1a928/src/Microsoft.Identity.Web/Resource/RegisterValidAudience.cs#L88-L96
So we either need to add ValidAudience to ValidAudiences and then just check audiences against ValidAudiences. Or on line 91, return only if it's true. If it's false, we also need to check against ValidAudiences.
It is clear @CalamityLorenzo. Thanks!
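The audience check described in the comment above, as an added example that is not the library's own code: a hypothetical stand-in that models the rejection path (ValidAudience consulted first, ValidAudiences never reached) beside a version that validates against the union of both and fails closed when neither is configured. The client ID and token aud claim are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for the audience check, not the library's own code.
public static class AudienceCheck
{
    // Problematic shape: once ValidAudience is set (ASP.NET Core assigns it a
    // default), a token whose aud claim lacks it is rejected before
    // ValidAudiences is ever consulted.
    public static bool ValidateBuggy(IEnumerable<string> audiences,
                                     string validAudience,
                                     IEnumerable<string> validAudiences)
    {
        if (!string.IsNullOrEmpty(validAudience))
            return audiences.Contains(validAudience, StringComparer.Ordinal);
        return validAudiences != null
            && audiences.Intersect(validAudiences, StringComparer.Ordinal).Any();
    }

    // Corrected shape: accept a token if any aud value is in the union of
    // ValidAudience and ValidAudiences; reject when nothing is configured,
    // since an empty allow-list must not mean "any audience".
    public static bool ValidateFixed(IEnumerable<string> audiences,
                                     string validAudience,
                                     IEnumerable<string> validAudiences)
    {
        var allowed = new HashSet<string>(validAudiences ?? Enumerable.Empty<string>(),
                                          StringComparer.Ordinal);
        if (!string.IsNullOrEmpty(validAudience)) allowed.Add(validAudience);
        if (allowed.Count == 0) return false;
        return audiences.Any(allowed.Contains);
    }

    public static void Main()
    {
        // Constructed placeholder client ID and a constructed token aud claim.
        const string clientId = "00000000-0000-0000-0000-000000000000";
        string[] tokenAud = { $"api://{clientId}" };
        string[] validAudiences = { clientId, $"api://{clientId}", $"https://{clientId}" };
        // Same inputs as the report: ValidAudience defaulted to the client ID,
        // ValidAudiences holding all three forms, token issued for api://{clientId}.
        Console.WriteLine($"buggy: {ValidateBuggy(tokenAud, clientId, validAudiences)}");
        Console.WriteLine($"fixed: {ValidateFixed(tokenAud, clientId, validAudiences)}");
        Console.WriteLine($"nothing configured: {ValidateFixed(tokenAud, null, null)}");
    }
}
```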
@CalamityLorenzo: thank you. I see this is because ASP.NET Core will give it a default value. We'll check this.
What behavior would you expect? take valid audiences first? and then valid audience if valid audiences is empty? Or the union of both? @brentschmaltz. What would you recommend?
@CalamityLorenzo Do you mind trying this branch to see if the issue is resolved? thx.