Is your feature request related to a problem? Please describe.
This library always verify scope or role whether inside a JWT token pass in Auth header, if they both not exist, it will throw exception:
IDW10201: Neither scope or roles claim was found in the bearer token.
However, we do not want to verify existence of this two claims, and didn't find any configurations for it.
Describe the solution you'd like
We want a simple config which can turn off or turn on this verification
Describe alternatives you've considered
On way I consider is to override the token validation handler just like below:
services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
Configuration.GetSection("AzureAd").Bind(options);
var existingOnTokenValidatedHandler = options.Events.OnTokenValidated;
options.Events.OnTokenValidated = async context =>
{
// await existingOnTokenValidatedHandler(context);
};
});
However, the code above would cause the exception below:
No account or login hint was passed to the AcquireTokenSilent call
Another way I think is to config AAD to append application role claim inside the JWT token. However, this need admin consent for the AAD, which is not acceptable.
@SLdragon
If your web API is protected by ACLs instead of tokens, you can disable this error message.
See https://github.com/AzureAD/microsoft-identity-web/wiki/web-apis#to-support-acl-based-authorization
@jennyf19 adding a supportability labe, as we could add an aka.ms link in the error message to the doc.
Thank you @jennyf19 ,
we're using JWT token in Auth header for authentication, and we want Web API can verify this JWT token such as audience, signiture and so on. After I disable the error messages through the configuration you just mentioned, is the validation still work? or I need to implement it some where myself?
{
"AzureAD"
{
"AllowWebApiToBeAuthorizedByACL" : true,
}
}
Yes, @SLdragon : the token validation will still happen, but the library won't throw if your token has neither scope or roles (as this is a valid scenario if you protect your API by ACLs, or just enforce verifying roles/scopes in your controller actions/pages methods: see https://github.com/AzureAD/microsoft-identity-web/wiki/web-apis#verification-of-scopes-or-app-roles-in-the-controller-actions
Thank you @jmprieur , that make sense!
By the way, what's the meaning of ACLs? I am not very familiar with this.
Does it mean Access Control List? I am not sure what's the relationship between JWT token validation and ACLs ?
@SLdragon : yes Access Control Lists. This is because you can secure your web API with ACLs. See control tokens without a roles claim