.NET Core 3.1 Blazor + .NET Core 3.1 Web API + Azure AD + JWT Bearer

  • Question

  • User-1004235376 posted

    Dear readers,

    I want to authenticate my .NET Core 3.1 Blazor Server (Client) against my custom .NET Core 3.1 Web API.
    For this I use the practice of JWT Bearer. To retrieve a valid token my client sends a request to Azure AD including a client secret (showing
    the client is allowed to retrieve a token). Once the token is received this is added to the HTTP request to the web API.

    I have some questions about best practices.

    1. Where do I implement the retrieval of a token, is that in startup.cs or program.cs or elsewhere?
    2. How often do I retrieve a token? Because I use AcquireTokenForClient the token is bound to the client and not the user.
    3. If I acquire a token for a client instead of a user does this mean that every user uses the same token or when they use the client
       the client makes sure tokens are refreshed?
    4. The way I implement token retrieval, am I sure tokens are refreshed?

    In fact, I got it working and was able to retrieve data from my web API authorised using the token. My code looks as follows using MSAL.


    private async Task<AuthenticationResult> RunAsync()
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create("clientID")
            .WithClientSecret("clientSecret") // placeholder; in production this value comes from Azure Key Vault
            .WithAuthority(new Uri("https://login.microsoftonline.com/79e14469-174a-4e55-add7-eb32eccb14d1")) // tenant authority; MSAL appends the OAuth2 endpoint paths itself
            .Build();
        // Client-credentials scope: the API's App ID URI followed by "/.default"
        string[] scopes = new string[] { "resourceID/.default" };
        try
        {
            AuthenticationResult result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
            return result;
        }
        catch (System.Exception)
        {
            return null;
        }
    }

    The above is a method I created in the startup.cs. It retrieves a token async.
    Then in startup.cs 

    AuthenticationResult token = RunAsync().GetAwaiter().GetResult();
    services.AddHttpClient<IRelationService, RelationService>(client =>
    {
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", token.AccessToken);
    });

    Don't mind the client secret being hardcoded because in production this is managed by the Azure Key Vault.

    Thanks in advance! 

    Saturday, July 25, 2020 1:14 PM

All replies

  • User-474980206 posted

    You should get a fresh token for every request, first try silent, then token request. Tokens have a lifetime, and if a refresh token is supplied, it’s used to get a new token when expired, otherwise, the login process is used. MSAL handles this for you.

    Saturday, July 25, 2020 4:39 PM
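    An added example (not code from either poster) showing one way to apply the per-request advice above to the question's setup: a single IConfidentialClientApplication is registered in DI so MSAL's application token cache is shared, and a DelegatingHandler calls AcquireTokenForClient on every outgoing request instead of fetching one token in Startup. AcquireTokenForClient serves the token from the cache while it is valid and only contacts Azure AD when it is missing or about to expire, so the token is refreshed without the caller reading the token lifetime. Because this is the client-credentials flow, all users of the Blazor Server app share the same application token; it carries the app's identity, not the user's. The option values, the AzureAdClientOptions class, the BearerTokenHandler name and the minimal IRelationService/RelationService definitions are assumptions for this example; the tenant ID is the one from the question and the rest are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Client;

// Assumed configuration holder; in production bind these from configuration / Key Vault.
public sealed class AzureAdClientOptions
{
    public string ClientId { get; set; } = "clientID";           // placeholder
    public string ClientSecret { get; set; } = "clientSecret";   // placeholder
    public string TenantId { get; set; } = "79e14469-174a-4e55-add7-eb32eccb14d1";
    public string ApiScope { get; set; } = "resourceID/.default"; // App ID URI of the API + /.default
}

// Minimal typed client matching the names used in the question (assumed shape).
public interface IRelationService
{
    Task<string> GetRelationsAsync(CancellationToken ct = default);
}

public sealed class RelationService : IRelationService
{
    private readonly HttpClient _http;
    public RelationService(HttpClient http) => _http = http;

    public Task<string> GetRelationsAsync(CancellationToken ct = default) =>
        _http.GetStringAsync("https://localhost:5001/api/relations"); // placeholder API address
}

// Attaches a fresh bearer token to every outgoing request.
public sealed class BearerTokenHandler : DelegatingHandler
{
    private readonly IConfidentialClientApplication _app;
    private readonly string[] _scopes;

    public BearerTokenHandler(IConfidentialClientApplication app, AzureAdClientOptions options)
    {
        _app = app;
        _scopes = new[] { options.ApiScope };
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // MSAL checks its app token cache first and only calls Azure AD when the
        // cached token is absent or near expiry, so per-request acquisition is cheap
        // and guarantees the header never carries an expired token.
        AuthenticationResult result = await _app
            .AcquireTokenForClient(_scopes)
            .ExecuteAsync(cancellationToken);

        request.Headers.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);

        return await base.SendAsync(request, cancellationToken);
    }
}

public static class AzureAdServiceCollectionExtensions
{
    // Call from Startup.ConfigureServices: services.AddRelationServiceWithBearerToken(new AzureAdClientOptions());
    public static IServiceCollection AddRelationServiceWithBearerToken(
        this IServiceCollection services, AzureAdClientOptions options)
    {
        services.AddSingleton(options);

        // One application object per process so its token cache is shared by all requests and users.
        services.AddSingleton<IConfidentialClientApplication>(_ =>
            ConfidentialClientApplicationBuilder.Create(options.ClientId)
                .WithClientSecret(options.ClientSecret)
                .WithAuthority(new Uri($"https://login.microsoftonline.com/{options.TenantId}"))
                .Build());

        // Message handlers registered with AddHttpMessageHandler must be transient.
        services.AddTransient<BearerTokenHandler>();

        services.AddHttpClient<IRelationService, RelationService>()
                .AddHttpMessageHandler<BearerTokenHandler>();

        return services;
    }
}
```

    With this arrangement nothing in Startup blocks on GetAwaiter().GetResult(), the secret is read once when the application object is built, and a token acquisition failure surfaces as an MsalServiceException on the request that needed it rather than as a null token captured at startup.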
  • User-1004235376 posted

    How do I implement this in the above code?

    Sunday, July 26, 2020 6:45 PM