www-authenticate: Bearer error="invalid_token", error_description="The signature is invalid" (Occurred in .net core web api)

Piyumi Perera 131 Reputation points
2022-03-08T04:36:57.97+00:00

Hi all,

I have an Outlook add-in which has a React frontend and a .NET Core web API. I am obtaining an access token using the auth code workflow via https://login.microsoftonline.com/common/oauth2/token. I need to use that access token as a bearer token to secure the web API endpoints. I tried to modify my startup.cs file as follows and add an [Authorize] filter for the API endpoint.

public void ConfigureServices(IServiceCollection services)
{
    services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
    services.AddCors(c =>
    {
        c.AddPolicy(AllowAnyOrigins, options => options.AllowAnyOrigin().AllowAnyHeader());
    });

    services.AddControllersWithViews();
    services.AddHttpClient

Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-03-08T11:39:39.717+00:00

    Hi @Piyumi Perera ,

    Thanks for reaching out.

    From your query, I understand that you are calling a custom Web API from a single-page application and getting an "invalid token" error while authorizing the Web API.

    Protected APIs are called by an authorized identity only, using a bearer token which holds the information about the authorized identity to validate against the protected API.

    The Web API needs to be configured for bearer tokens by specifying the authority, audience and tenant ID in JSON configuration, based on your requirement:

    {
      "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
        /*
          You need to specify the TenantId only if you want to accept access tokens from a single tenant
          (line-of-business app).
          Otherwise, you can leave it set to common.
          This can be:
          - A GUID (Tenant ID = Directory ID)
          - 'common' (any organization and personal accounts)
          - 'organizations' (any organization)
          - 'consumers' (Microsoft personal accounts)
        */
        "TenantId": "common"
      },
      "AllowedHosts": "*"
    }
    

    ASP.NET forwards the bearer token to the JwtBearer middleware, which calls Microsoft IdentityModel Extensions for .NET.

    public void ConfigureServices(IServiceCollection services)
    {
      services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme)
              .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
    }

    Currently Microsoft.Identity.Web is recommended where middleware can be initialized as

    public void ConfigureServices(IServiceCollection services)  
    {  
      services.AddMicrosoftIdentityWebApiAuthentication(Configuration, "AzureAd");  
    }   
    

    or

    public void ConfigureServices(IServiceCollection services)
    {
      // Adds Microsoft Identity platform (AAD v2.0) support to protect this API
      services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme)
              .AddMicrosoftIdentityWebApi(Configuration, "AzureAd");

      services.AddControllers();
    }
    

    Reference : https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-configuration

    Hope this helps to configure the middleware to accept bearer tokens for the web API with valid scopes, which can be validated using jwt.ms.

    Thanks,
    Shweta

    ----------------------------------------------------

    Please remember to "Accept Answer" if answer helped you.
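The following is an added example, not code from the question or from the accepted answer. It shows the Microsoft.Identity.Web setup the answer recommends in .NET 6 minimal-hosting form, plus a JwtBearer event hook that logs why a token was rejected and which issuer, audience, tenant, version and signing-key id the presented token carries, so they can be compared against the AzureAd section's ClientId and TenantId (and against what jwt.ms displays). The JwtBearer handler maps the validation exception to the error_description in the www-authenticate header seen in the question; the underlying exception message logged here is usually more specific. Assumptions: an "AzureAd" section in appsettings.json as in the answer, the Microsoft.Identity.Web NuGet package, and a placeholder route name "/api/ping".

```csharp
// Added example (not from the question or the accepted answer).
// Assumes: Microsoft.Identity.Web package, an "AzureAd" section in appsettings.json,
// and a placeholder protected route "/api/ping".
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Same middleware the accepted answer recommends: validates the bearer token's
// signature, issuer, audience and lifetime against the AzureAd configuration section.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// Diagnostic hook. Registered after AddMicrosoftIdentityWebApi so it runs after that
// library's own options setup; the existing handler is chained, not replaced, so the
// library's own OnTokenValidated checks are kept.
builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    options.Events ??= new JwtBearerEvents();
    var previous = options.Events.OnAuthenticationFailed;
    options.Events.OnAuthenticationFailed = async ctx =>
    {
        var logger = ctx.HttpContext.RequestServices
            .GetRequiredService<ILoggerFactory>()
            .CreateLogger("BearerTokenDiagnostics");

        // The exception the handler turns into www-authenticate error_description.
        logger.LogWarning("Bearer token rejected: {Reason}", ctx.Exception.Message);

        // Decode (without validating) the presented token so its claims can be compared
        // with the configured ClientId/TenantId. The raw token is never written to the log.
        var header = ctx.Request.Headers["Authorization"].ToString();
        if (header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
        {
            var raw = header.Substring("Bearer ".Length).Trim();
            var handler = new JwtSecurityTokenHandler();
            if (handler.CanReadToken(raw))
            {
                var jwt = handler.ReadJwtToken(raw);
                string Claim(string type) =>
                    jwt.Claims.FirstOrDefault(c => c.Type == type)?.Value ?? "(absent)";
                logger.LogWarning(
                    "Token iss={Issuer} aud={Audience} tid={Tenant} ver={Version} kid={Kid}",
                    jwt.Issuer, string.Join(",", jwt.Audiences), Claim("tid"), Claim("ver"), jwt.Header.Kid);
            }
        }

        if (previous != null)
        {
            await previous(ctx);
        }
    };
});

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Placeholder protected endpoint; equivalent to [Authorize] on a controller action.
app.MapGet("/api/ping", () => "authenticated").RequireAuthorization();

app.Run();
```

Run the API, call the protected route with the token the add-in obtained, and read the two warning lines: the first gives the validation failure in the middleware's own words, the second shows whether the token's aud, tid and ver match the API's AzureAd configuration. Keep the hook at Warning level and keep the raw token out of logs, since a logged bearer token is a reusable credential.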

