
Is there a way to authenticate the Microsoft or Google OAuth token in Active Directory without using an authentication server?

Here is the scenario:

  • A client app gets a Microsoft access_token from some external service.

  • The client app will make a call to some secured web API and pass that access_token along in the request header.

  • If the access_token passed by the client is valid, then the API will provide a response to the client.

Is there a way to validate that access_token on API side?

My normal understanding of OAuth 2.0 is that there needs to be an authentication server to which both the client and the API talk, as shown in the figure below:

But if the token is provided by some external service, can we use it to validate our web API? Are there any ways to implement such authentication?

  • In the diagram you are showing, the External Authorization Server is owned and run by Microsoft. You want to cut that out of the picture? Is there confusion where you think you need to own and run the auth server? Commented Mar 1, 2017 at 5:01
  • Hi @ShawnTabrizi, my requirement is not what the above image shows. I wanted to know, if I pass a Microsoft OAuth 2.0 token with a request to call a web API, is there a way to validate that token regardless of the source of creation of that token, without using the Authentication Service as shown in the diagram? Commented Mar 1, 2017 at 5:07
  • When you validate a token, you simply need to check if the token is signed by Microsoft, by looking at the public key that MS exposes, and comparing it to the signature on the token. As long as you can query for the signing key, you should be able to authenticate the token anywhere... maybe I misunderstand. Commented Mar 1, 2017 at 5:10
  • To add on to what @ShawnTabrizi said: You can check the signature of the JWT token. It is signed using one of AAD's private keys. You can download the public keys which you need for signature verification. Note that the public keys change sometimes, and your application would need to periodically download new ones. Commented Mar 1, 2017 at 7:22

1 Answer

You can learn more about AAD Signing Keys and handling Key Rollover using this page: Signing key rollover in Azure Active Directory

Validation of the token, once you have the signing key, can be done using existing libraries like OWIN. You can also try following instructions like this (although it seems the document isn't 100% complete yet): Manually validating a JWT access token in a web API

This library is also available, but I think OWIN is supposed to have replaced it in general.

Also check out this blog post, which has a pretty great deep dive into token validation.
