3

We have an ASP.NET Core Web API that I want to secure with a Microsoft Graph access token. The Graph token is valid, and when I call Graph with it, it works fine.

However, if I try to access the ASP.NET Core Web API, which is configured with JWT Bearer authentication, it gives the following error:

Bearer error="invalid_token", error_description="The signature key was not found"

Am I missing some configuration, or is this a problem with the Graph token? Here is how the authentication is configured.

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
               .AddJwtBearer(options =>
               {
                   options.TokenValidationParameters = new TokenValidationParameters()
                   {
                       ValidateIssuer = false,           // For multi tenant: no check on which tenant issued the token
                       ValidateIssuerSigningKey = false, // the key used to sign the token is not validated
                       ValidateAudience = false          // This is for testing: any audience ('aud') is accepted
                   };
               });

The same configuration works fine with an Azure AD access token.

1 Answer

2

We have an ASP.NET Core Web API that I want to secure with Microsoft Graph Access token

No, I suggest registering your web API as a resource protected by Azure AD.

A Microsoft Graph API token is used to access Microsoft Graph; Microsoft Graph's server side validates the claims/signature after receiving the JWT token. In addition, I remember that Microsoft Graph API access tokens are signed differently from the JWT tokens issued by AAD. So let the Microsoft Graph API server side validate that token; the token should not be used to protect other APIs.

Your client app could use the OpenID Connect middleware and the Active Directory Authentication Library (ADAL.NET) to obtain a JWT bearer token for the signed-in user using the OAuth 2.0 protocol. The bearer token is passed to the web API, which validates the token and authorizes the user using the JWT bearer authentication middleware:

Calling a web API in an ASP.NET Core web application using Azure AD
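What the answer recommends, written out as an added example (this is not code from the question, the answer or the linked Microsoft sample): the web API is registered as its own Azure AD resource, and the JWT Bearer middleware only accepts tokens minted for that resource, with issuer, signing key and lifetime validation left on. The tenant ID, client ID, App ID URI and the AllowedTenants set are placeholders; the multi-tenant issuer validator is shown because the original configuration switched issuer validation off for that reason.

```csharp
// Added example: JwtBearer configuration for a Web API that is its own
// Azure AD resource. All identifiers below are placeholders.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class ApiAuthConfig
{
    // Placeholders: replace with the API's own app registration values.
    private const string HomeTenantId = "00000000-0000-0000-0000-000000000000";
    private const string ApiClientId  = "11111111-1111-1111-1111-111111111111";
    private const string ApiAppIdUri  = "api://11111111-1111-1111-1111-111111111111";

    // Placeholder allow-list of tenants whose users may call this API.
    private static readonly HashSet<string> AllowedTenants =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { HomeTenantId };

    public static IServiceCollection AddApiAuthentication(this IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The middleware downloads the OpenID Connect metadata and the
                // signing keys from this authority; "organizations" is used so
                // tokens from any work/school tenant can be verified, and the
                // issuer validator below decides which tenants are accepted.
                options.Authority = "https://login.microsoftonline.com/organizations/v2.0";

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Accept only tokens minted for THIS API. A token whose
                    // 'aud' is Microsoft Graph (or any other resource) is rejected.
                    ValidateAudience = true,
                    ValidAudiences = new[] { ApiClientId, ApiAppIdUri },

                    // Multi-tenant: instead of ValidateIssuer = false, check the
                    // tenant embedded in the issuer against an allow-list.
                    ValidateIssuer = true,
                    IssuerValidator = ValidateTenantIssuer,

                    // The signature must verify against a key published by the
                    // authority, and the token must be within its validity window.
                    ValidateIssuerSigningKey = true,
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(2),
                };
            });

        return services;
    }

    // Azure AD issuers look like https://login.microsoftonline.com/{tid}/v2.0
    // (v2 tokens) or https://sts.windows.net/{tid}/ (v1 tokens). Extract the
    // tenant ID and accept the issuer only if that tenant is on the allow-list.
    private static string ValidateTenantIssuer(
        string issuer, SecurityToken token, TokenValidationParameters parameters)
    {
        var match = Regex.Match(
            issuer,
            @"^https://(login\.microsoftonline\.com|sts\.windows\.net)/([0-9a-fA-F-]{36})/",
            RegexOptions.IgnoreCase);

        if (match.Success && AllowedTenants.Contains(match.Groups[2].Value))
        {
            return issuer; // returning the issuer marks it as valid
        }

        throw new SecurityTokenInvalidIssuerException(
            $"Issuer '{issuer}' does not belong to an allowed tenant.");
    }
}
```

The client then requests a token with a scope of this API (for example `api://<client-id>/.default` or a scope defined on the API registration) rather than a Graph scope, and passes that token as the bearer token. Leaving `ValidateAudience` and `ValidateIssuer` on is what prevents a token issued for Graph, or by an unrelated tenant, from being accepted by this API.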


4 Comments

The current scenario is that we are using the OAuth protocol to get the Graph token, rather than getting one more token. If I could just use the Graph token to secure the API, that would greatly enhance the code and usability.
@DeepakSharma, one token is meant for one resource; I don't think it is a good idea to use one token to access two protected resources. Azure AD provides SDKs for different platforms which make it easy to acquire another access token using the refresh token, so that you needn't log in again.
And IMO, the Microsoft Graph access token is signed a bit differently; you would run into problems if you validated the signature yourself.
OK, makes sense. Will consider using AAD.
