I am using B2C to protect a WebApi in Asp.Net Core. My code is below. Do I need to check the tokens myself, or does the middleware do it for me? I would have thought that if everyone had to do this, it would be easier for me to find example code, but I cannot find any real direction on this matter.
However, this B2C documentation claims that my API does the check.
I found a sample, but it is not for Core, and it uses CertificateValidator = X509CertificateValidator.None. Doesn't that defeat the goal? And another example here where they do it.
Is it necessary to have a signature key from B2C and all that?
I can assemble a solution from them, but do I really need to do this?
Thanks in advance.
app.UseJwtBearerAuthentication(new JwtBearerOptions()
{
    AuthenticationScheme = Constants.B2CAuthenticationSchemeName,
    AutomaticAuthenticate = false,
    // OpenID Connect metadata endpoint for the default sign-up/sign-in policy
    MetadataAddress = string.Format(
        _identityConfig.B2CInfo.AadInstance,
        _identityConfig.B2CInfo.Tenant,
        _identityConfig.B2CInfo.Policies
            .Where(p => p.IsDefaultSignUpSignInPolicy == true)
            .First()
            .Name),
    // Expected "aud" claim: the API's own application (client) id
    Audience = _identityConfig.B2CInfo.ClientId,
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidateLifetime = true,
        RequireExpirationTime = true,
        RequireSignedTokens = true,
    },
    Events = new JwtBearerEvents
    {
        OnAuthenticationFailed = B2CAuthenticationFailed
    }
});
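For comparison, here is an added example (not the asker's code, and not from any Microsoft sample) of the same JwtBearer registration with issuer, audience and policy checks spelled out, written against the ASP.NET Core 1.x API the snippet above uses. `_identityConfig.B2CInfo.MetadataAddress`, `_identityConfig.B2CInfo.Issuer`, `_expectedPolicyName` and `_logger` are assumed names for illustration.

```csharp
// Added example: explicit validation settings for an Azure AD B2C bearer token.
// The middleware downloads the metadata document named by MetadataAddress and
// the signing keys it references, so the API never ships B2C's key by hand.
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AuthenticationScheme = Constants.B2CAuthenticationSchemeName,
    AutomaticAuthenticate = false,
    MetadataAddress = _identityConfig.B2CInfo.MetadataAddress, // assumed config value

    TokenValidationParameters = new TokenValidationParameters
    {
        // Reject tokens minted for a different app registration.
        ValidateAudience = true,
        ValidAudience = _identityConfig.B2CInfo.ClientId,

        // Reject tokens from another tenant. The value to expect is the
        // "issuer" field of the metadata document (assumed config value here).
        ValidateIssuer = true,
        ValidIssuer = _identityConfig.B2CInfo.Issuer,

        // Signature and lifetime checks; keep clock skew tight.
        RequireSignedTokens = true,
        ValidateIssuerSigningKey = true,
        ValidateLifetime = true,
        RequireExpirationTime = true,
        ClockSkew = TimeSpan.FromMinutes(2),
    },

    Events = new JwtBearerEvents
    {
        // Bad signature, expired token, wrong audience etc. all land here;
        // record the reason and leave the resulting 401 in place.
        OnAuthenticationFailed = ctx =>
        {
            _logger.LogWarning("B2C token rejected: {Reason}", ctx.Exception.Message); // assumed logger
            return Task.CompletedTask;
        },
        // Extra check the middleware does not do on its own: B2C puts the
        // policy a token was issued under in the "tfp" claim. A token from a
        // different policy of the same tenant passes signature and issuer
        // validation, so pin the policy too and drop the ticket otherwise.
        OnTokenValidated = ctx =>
        {
            var policy = ctx.Ticket.Principal.FindFirst("tfp")?.Value;
            if (!string.Equals(policy, _expectedPolicyName, StringComparison.OrdinalIgnoreCase))
                ctx.SkipToNextMiddleware(); // request continues unauthenticated
            return Task.CompletedTask;
        }
    }
});
```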