I'm working on Azure AD authentication in a Web API. Everything is working fine for me. I'm curious how the piece of code below validates the Azure Active Directory token.
    // In Startup.Configuration(IAppBuilder app), Microsoft.Owin.Security.ActiveDirectory:
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            // App ID URI the token must be issued for (the "aud" claim)
            Audience = ConfigurationManager.AppSettings["ida:Audience"],
            // Tenant whose signing keys and issuer are trusted
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
        }
    );
Q1) Will it call Azure Active Directory for each Web API request?
Q2) Will it hold any keys (private key, public key, etc.)? If yes, what are they? How and where?
Q3) How does it decrypt the bearer token?
Q4) Is it secure enough to depend on this chunk of code?
Yes, it will get the public keys from https://login.microsoftonline.com/common/discovery/keys when the app starts.
See above; it stores the public keys in memory.
It decodes the token. The tokens are not encrypted, just base64-encoded and digitally signed. The middleware decodes the token and checks that the signature is valid using the public key(s) it fetched earlier.
Basically, the setup you have is enough for a single-tenant API. A good idea is, of course, to define delegated/application permissions in your API's manifest in Azure AD so you can give apps that use the API different levels of access to it.