Page 48 - MSDN Magazine, August 2017

of the aud (audience) claim. It means the token was issued for the intended audience, which is your Web service and no other Web service. In this case, the API to be called is https://api.contoso.com/expense/approve, but the value in the claim is the base URL, https://api.contoso.com, not the full action URL.
The method will return an instance of ActionableMessageTokenValidationResult. First, you'll check the property

Figure 7 A Sample Bearer JSON Web Token

    {
      typ: "JWT",
      alg: "RS256",
      x5t: "8qgp8TDBl2H6JyFE4Z34d2ha-kE",
      kid: "8qgp8TDBl2H6JyFE4Z34d2ha-kE"
    }.
    {
      iat: 1484089279,
      ver: "STI.ExternalAccessToken.V1",
      appid: "48af08dc-f6d2-435f-b2a7-069abd99c086",
      sub: "david@contoso.com",
      appidacr: "2",
      acr: "0",
      sender: "expenseapproval@contoso.com",
      iss: "https://substrate.office.com/sts/",
      aud: "https://api.contoso.com",
      exp: 1484090179,
      nbf: 1484089279
    }.
    [signature]

Figure 9 The VerifyBearerToken Method
    // Namespaces this listing depends on (the last one is the NuGet package's).
    using System;
    using System.Net;
    using System.Net.Http;
    using System.Threading.Tasks;
    using System.Web.Http;
    using Microsoft.O365.ActionableMessages.Utilities;
    using Newtonsoft.Json.Linq;

    // OK: token valid and sender/performer allowed. Unauthorized: no usable
    // bearer token. Forbidden: token valid but fails the application's policy.
    private async Task<HttpStatusCode> VerifyBearerToken(
        HttpRequestMessage request, string serviceBaseUrl, string expectedSender)
    {
        // Require an "Authorization: Bearer <token>" header.
        if (request.Headers.Authorization == null ||
            !string.Equals(request.Headers.Authorization.Scheme, "bearer",
                StringComparison.OrdinalIgnoreCase) ||
            string.IsNullOrEmpty(request.Headers.Authorization.Parameter))
        {
            return HttpStatusCode.Unauthorized;
        }

        string bearerToken = request.Headers.Authorization.Parameter;
        ActionableMessageTokenValidator validator = new ActionableMessageTokenValidator();

        // Checks the signature, issuer, audience (serviceBaseUrl) and lifetime.
        ActionableMessageTokenValidationResult result =
            await validator.ValidateTokenAsync(bearerToken, serviceBaseUrl);
        if (!result.ValidationSucceeded)
        {
            return HttpStatusCode.Unauthorized;
        }

        // Application policy: the card must come from the expected sender and
        // the person who clicked it must belong to our domain.
        if (!string.Equals(result.Sender, expectedSender, StringComparison.OrdinalIgnoreCase) ||
            !result.ActionPerformer.EndsWith("@contoso.com", StringComparison.OrdinalIgnoreCase))
        {
            return HttpStatusCode.Forbidden;
        }

        return HttpStatusCode.OK;
    }

    [HttpPost]
    [Route("approve")]
    public async Task<HttpResponseMessage> Approve([FromBody] JObject jBody)
    {
        HttpRequestMessage request = this.ActionContext.Request;
        HttpStatusCode result = await VerifyBearerToken(
            request, "https://api.contoso.com", "expenseapproval@contoso.com");

        switch (result)
        {
            case HttpStatusCode.Unauthorized:
                return request.CreateErrorResponse(HttpStatusCode.Unauthorized, new HttpError());
            case HttpStatusCode.Forbidden:
                HttpResponseMessage errorResponse =
                    request.CreateErrorResponse(HttpStatusCode.Forbidden, new HttpError());
                // CARD-ACTION-STATUS is displayed to the user by the client.
                errorResponse.Headers.Add("CARD-ACTION-STATUS",
                    "Invalid sender or the action performer is not allowed.");
                return errorResponse;
            default:
                break;
        }

        // Validate the body only after the caller has been authenticated.
        if (jBody == null || jBody["id"] == null)
        {
            return request.CreateErrorResponse(HttpStatusCode.BadRequest, new HttpError());
        }
        string expenseId = jBody["id"].ToString();
        // Process and approve the expense report.

        HttpResponseMessage response = request.CreateResponse(HttpStatusCode.OK);
        response.Headers.Add("CARD-ACTION-STATUS", "The expense was approved.");
        return response;
    }
Verifying a digital signature is a complex task. Fortunately, there's a library on NuGet that makes the verification task easy. After you include the NuGet package in the Web service project, you can use the VerifyBearerToken method, as shown in Figure 9, to verify the bearer token in a request.
First, the method verifies there's a bearer token in the Authorization header. Then it initializes a new instance of ActionableMessageTokenValidator and calls the ValidateTokenAsync method. The method takes two parameters: the first is the bearer token itself, and the second is the Web service base URL. If you look at the decoded JWT, this is the value
Figure 8 Description of Claims in Payload

    Claim   Description
    iss     The token issuer. The value should always be https://substrate.office.com/sts/. The Web service should reject the token and the request if the value doesn't match.
    appid   The ID of the application that issued the token. The value should always be 48af08dc-f6d2-435f-b2a7-069abd99c086. The Web service should reject the token and the request if the value doesn't match.
    aud     The audience of the token. It should match the base URL (scheme and hostname) of the Web service. The Web service should reject the token and the request if the value doesn't match.
    sub     The subject who performed the action. The value will be the e-mail address of the person who performed the action, if that e-mail address or any of its proxy e-mail addresses is in the To: line. If none of the e-mail addresses matches, this will be the hashed value of the subject's user principal name (UPN). It's guaranteed to be the same hashed value for the same UPN.
    sender  The e-mail address of the original message sender.
    tid     The tenant ID of the token issuer.
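The checks that Figure 8 prescribes, and that the VerifyBearerToken method in Figure 9 applies once ValidateTokenAsync has succeeded, as an added example in Python (not the article's code and not the NuGet library's). It parses a token shaped like Figure 7 and applies the issuer, appid, audience, lifetime, sender and action-performer rules; the RS256 signature check itself is left to the library and is deliberately not implemented, so a token built by make_unsigned_token is constructed test data only. The five-minute clock-skew allowance, the allowed_domain parameter and the status strings are assumptions made for this example.

```python
import base64
import json
import time

# Figure 8 values that must match exactly.
EXPECTED_ISSUER = "https://substrate.office.com/sts/"
EXPECTED_APPID = "48af08dc-f6d2-435f-b2a7-069abd99c086"
ALLOWED_ALGS = {"RS256"}      # never accept "none" or an HMAC alg for this token
CLOCK_SKEW_SECONDS = 300      # assumption: tolerate five minutes of clock drift

# Constructed payload copied from the Figure 7 sample (not a real token).
SAMPLE_CLAIMS = {
    "iat": 1484089279,
    "ver": "STI.ExternalAccessToken.V1",
    "appid": EXPECTED_APPID,
    "sub": "david@contoso.com",
    "appidacr": "2",
    "acr": "0",
    "sender": "expenseapproval@contoso.com",
    "iss": EXPECTED_ISSUER,
    "aud": "https://api.contoso.com",
    "exp": 1484090179,
    "nbf": 1484089279,
}


def _b64url_encode(obj):
    raw = base64.urlsafe_b64encode(json.dumps(obj).encode("utf-8"))
    return raw.rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims, alg="RS256"):
    """Build header.payload.signature in Figure 7's shape with a dummy
    signature segment. Test data only; a real token is RS256-signed."""
    header = {"typ": "JWT", "alg": alg, "kid": "8qgp8TDBl2H6JyFE4Z34d2ha-kE"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "c2ln"])


def parse_jwt(token):
    """Return (header, claims). Raises ValueError on malformed input or a
    disallowed alg. Does NOT check the signature (the NuGet library does)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unexpected alg in header")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return header, claims


def verify_bearer_claims(token, service_base_url, expected_sender,
                         allowed_domain, now=None):
    """Mirror the article's VerifyBearerToken status codes (assumed strings):
    'Unauthorized' if the token is not valid for this service,
    'Forbidden' if it is valid but sender/performer are not allowed,
    'OK' otherwise."""
    now = time.time() if now is None else now
    try:
        _, c = parse_jwt(token)
    except ValueError:
        return "Unauthorized"
    if c.get("iss") != EXPECTED_ISSUER or c.get("appid") != EXPECTED_APPID:
        return "Unauthorized"
    # aud is the service base URL (scheme + host), not the action URL.
    aud = str(c.get("aud", "")).rstrip("/").lower()
    if aud != service_base_url.rstrip("/").lower():
        return "Unauthorized"
    nbf, exp = c.get("nbf", 0), c.get("exp", 0)
    if not all(isinstance(t, (int, float)) for t in (nbf, exp)):
        return "Unauthorized"
    if not (nbf - CLOCK_SKEW_SECONDS <= now < exp + CLOCK_SKEW_SECONDS):
        return "Unauthorized"
    # Application policy, as in Figure 9: expected sender, performer in our domain.
    if str(c.get("sender", "")).lower() != expected_sender.lower():
        return "Forbidden"
    if not str(c.get("sub", "")).lower().endswith("@" + allowed_domain.lower()):
        return "Forbidden"
    return "OK"
```

Two points worth noticing when running it: passing the full action URL (https://api.contoso.com/expense/approve) as service_base_url makes a good token fail, which is exactly the audience mistake the text warns about; and because Figure 8 says sub becomes a hashed UPN when the performer's address is not on the To: line, such a performer fails the domain suffix check, so decide deliberately whether that is the behaviour you want.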