Get ID Token to forward to another Application


I'd like to retrieve the ID Token so that I can send it via a GET/POST request to another application after successful authentication.

Scenario is the following:

  • Multiple web applications using different urls (*.domain.com)
  • All applications need authentication against Azure Active Directory
  • Too many URLs to put them all as redirect_url (would need one for every hostname)
  • Idea is to have a "login" app (login.domain.com) which handles the login and then forwards the ID Token to the *.domain.com applications (using URL in the state field)
  • *.domain.com then verifies the ID Token and authorizes users

Using Microsoft.AspNetCore.Authentication.OpenIdConnect, I cannot figure out how to retrieve the ID Token so that I can forward it properly.

I've used the VS2015 Template for ASP.NET Core 1.0 Web Application and configured authentication properly (this works).

Now I need to get the Token somehow, but I can't figure out how.

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions()
{
    ClientId = Configuration["Authentication:AzureAd:ClientId"],
    Authority = Configuration["Authentication:AzureAd:AADInstance"] + "Common",
    CallbackPath = Configuration["Authentication:AzureAd:CallbackPath"],

    TokenValidationParameters = new TokenValidationParameters
    {
        // Instead of using the default validation (validating against a single issuer value, as we do in line of business apps),
        // we inject our own multitenant validation logic
        ValidateIssuer = false,

        // If the app is meant to be accessed by entire organizations, add your issuer validation logic here.
        //IssuerValidator = (issuer, securityToken, validationParameters) => {
        //    if (myIssuerValidationLogic(issuer)) return issuer;
        //}
    },
    Events = new OpenIdConnectEvents
    {
        OnTicketReceived = (context) =>
        {
            // If your authentication logic is based on users then add your logic here
            return Task.FromResult(0);
        },
        OnAuthenticationFailed = (context) =>
        {
            context.Response.Redirect("/Home/Error");
            context.HandleResponse(); // Suppress the exception
            return Task.FromResult(0);
        },
        // If your application needs to authenticate single users, add your user validation below.
        //OnTokenValidated = (context) =>
        //{
        //    return myUserValidationLogic(context.Ticket.Principal);
        //}
    }
});

I guess I should be able to get it in the OnTicketReceived event using the TicketReceivedContext?


There are 2 answers

MichelZ

I was using the wrong event. In the OnTokenValidated event, you get access to context.SecurityToken.RawData, which is the raw token that is received, and is exactly what I need.

AlinIacob

You can also try this:

// ctx is the OpenID Connect event context; the ".Token.id_token" entry is only
// stored in the AuthenticationProperties when OpenIdConnectOptions.SaveTokens = true.
string idToken = string.Empty;
if (ctx.Properties.Items.ContainsKey(".Token.id_token"))
{
    idToken = ctx.Properties.Items[".Token.id_token"];
}
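Putting both answers together, as an added example that is not code from the question or either answer: the login app captures the validated token's RawData in OnTokenValidated (with SaveTokens enabled so the ".Token.id_token" entry also exists), and a receiving *.domain.com app checks signature, audience and lifetime before trusting the forwarded token. It assumes ASP.NET Core 1.x event types (context.Ticket), the Azure AD "common" discovery document, and the hypothetical class and key names used here.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class ForwardedIdToken   // hypothetical helper, not part of the framework
{
    // login.domain.com: plug these events into the OpenIdConnectOptions from the question
    // and set options.SaveTokens = true so ".Token.id_token" is stored as well.
    public static OpenIdConnectEvents LoginAppEvents() => new OpenIdConnectEvents
    {
        OnTokenValidated = context =>
        {
            // SecurityToken is the already validated JwtSecurityToken; RawData is the compact signed JWT.
            string rawIdToken = context.SecurityToken.RawData;
            // Keep it on the ticket so the post-login redirect (target host taken from 'state') can forward it.
            context.Ticket.Properties.Items["forward_id_token"] = rawIdToken;   // assumed key name
            return Task.FromResult(0);
        }
    };

    // *.domain.com: signing keys are downloaded and cached from the issuer's discovery document.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> Metadata =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            "https://login.microsoftonline.com/common/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    // loginAppClientId is the ClientId of login.domain.com: the forwarded token's 'aud' claim names it,
    // so a token minted for any other client is rejected here.
    public static async Task<ClaimsPrincipal> ValidateAsync(string rawIdToken, string loginAppClientId)
    {
        OpenIdConnectConfiguration config = await Metadata.GetConfigurationAsync(CancellationToken.None);
        var parameters = new TokenValidationParameters
        {
            ValidateAudience = true,
            ValidAudience = loginAppClientId,
            ValidateLifetime = true,                 // rejects expired or not-yet-valid tokens
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = config.SigningKeys,
            // "common" endpoint: the issuer differs per tenant, so add a tenant allow-list here
            // (IssuerValidator) instead of accepting every issuer in production.
            ValidateIssuer = false,
        };
        SecurityToken validated;
        // Throws a SecurityTokenException on a bad signature, wrong audience or expired token.
        return new JwtSecurityTokenHandler().ValidateToken(rawIdToken, parameters, out validated);
    }
}
```

Forward the token in a POST body rather than the query string, since query strings end up in browser history and proxy and server logs; the receiving app calls ValidateAsync before creating its own session from the returned principal.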