I have a dotnet core 1.1 web API that is protected by Azure AD. My Angular SPA uses adal to authenticate the users. I also have a daemon application that does some background jobs, it also uses the web api to call functionality or retrieve data.
It is largely based on the samples provided by Microsoft which you can find here.
The big difference is that I'm using a different middleware. The API uses the JwtBearerAuthentication
.UseJwtBearerAuthentication(new JwtBearerOptions
{
TokenValidationParameters = tokenValParam,
AutomaticAuthenticate = true,
AutomaticChallenge = false,
Authority = String.Format(Configuration["AzureAd:AadInstance"], Configuration["AzureAD:Tenant"]),
Audience = Configuration["AzureAd:Audience"],
})
Tokens in the daemon app are created by the following code:
var authContext = new AuthenticationContext("https://login.microsoftonline.com/##adId##);
var clientCredential = new ClientCredential("##serviceCredenitalKey##", "##serviceCredentialSecret##");
var result = await authContext.AcquireTokenAsync(##webApiUri##, clientCredential);
The problem I'm facing is that the tokens generated by AD via adal for the SPA have the clientId of the client application as audience. The tokens generated for the daemon application do not have clientId as audience but instead the uri of the web api. There is no way to specify multiple valid audiences in the middleware. Should I use my own validator, is there a built in mechanic to solve this or am I missing the point completely.
The simplest way I can think of would be try setting all your client apps use same one(audience) , client ID or api url . You could use client ID as your resource when acquiring token for your web api in daemon application , and web api accepts client ID as validated audience . If you want to support multi audiences in your web api , you need to write your own validator .