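/// <summary>
/// Used for applications that accept requests from users of multiple tenants.
/// </summary>
/// <remarks>
/// Built-in issuer validation is switched off because a multi-tenant app cannot enumerate every
/// tenant issuer up front. The issuer is instead checked in <c>OnTokenValidated</c> via
/// <c>ValidateTokenIssuer</c> (defined elsewhere in this file), so that check is the only thing
/// standing between "signed by the authority" and "accepted" — it must not be removed.
/// Note that <see cref="JwtBearerOptions.Events"/> is replaced wholesale; any events the caller
/// configured earlier are discarded.
/// </remarks>
/// <param name="options">The JWT bearer options to populate.</param>
/// <param name="configuration">Token validation settings (authority, audiences, issuer prefix).</param>
/// <exception cref="ArgumentNullException">
/// <paramref name="options"/> or <paramref name="configuration"/> is <c>null</c>.
/// </exception>
/// <exception cref="ArgumentException">
/// <c>configuration.ValidAudiences</c> is <c>null</c> or contains no non-blank audience.
/// </exception>
public static void CreateAuthenticationOptionsForMultiTenant(
    JwtBearerOptions options,
    TokenValidationSettings configuration)
{
    if (options is null)
    {
        throw new ArgumentNullException(nameof(options));
    }

    if (configuration is null)
    {
        throw new ArgumentNullException(nameof(configuration));
    }

    // Fail fast on a broken audience list instead of silently rejecting every token at runtime.
    // Entries are trimmed so "a, b" and a trailing comma do not produce audiences that never match.
    if (configuration.ValidAudiences is null)
    {
        throw new ArgumentException("ValidAudiences must be configured.", nameof(configuration));
    }

    var validAudiences = Array.FindAll(
        Array.ConvertAll(configuration.ValidAudiences.Split(','), audience => audience.Trim()),
        audience => audience.Length > 0);

    if (validAudiences.Length == 0)
    {
        throw new ArgumentException("ValidAudiences must contain at least one audience.", nameof(configuration));
    }

    options.Authority = configuration.AuthorizationServer;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        // Disabled on purpose: the multi-tenant app accepts tokens from any tenant of the
        // authority; the issuer is verified against the configured prefix in OnTokenValidated.
        ValidateIssuer = false,
        ValidateAudience = true,
        ValidAudiences = validAudiences,
        RequireExpirationTime = true,
        RequireSignedTokens = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
    };

    options.Events = new JwtBearerEvents
    {
        // Runs after signature/lifetime/audience checks passed; it is the issuer check for this
        // configuration. IssuerPrefix is read at validation time, as in the original, so the
        // settings object is captured rather than a snapshot of the prefix.
        OnTokenValidated = context => ValidateTokenIssuer(context, configuration.IssuerPrefix),
    };
}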
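/// <summary>
/// Used for applications that accept requests ONLY from the single tenant identified by
/// <paramref name="tenantId"/> (MSIT in the original deployment).
/// </summary>
/// <remarks>
/// The accepted issuer is <c>{IssuerPrefix}/{tenantId}/</c>, built once here and pinned via
/// <c>ValidIssuer</c>; tokens from any other tenant fail issuer validation.
/// </remarks>
/// <param name="options">The JWT bearer options to populate.</param>
/// <param name="configuration">Token validation settings (authority, audiences, issuer prefix).</param>
/// <param name="tenantId">The only tenant whose tokens are accepted.</param>
/// <exception cref="ArgumentNullException">
/// <paramref name="options"/> or <paramref name="configuration"/> is <c>null</c>.
/// </exception>
/// <exception cref="ArgumentException">
/// <paramref name="tenantId"/> is <see cref="Guid.Empty"/>, or <c>configuration.ValidAudiences</c>
/// is <c>null</c> or contains no non-blank audience.
/// </exception>
public static void CreateAuthenticationOptionsForSingleTenant(
    JwtBearerOptions options,
    TokenValidationSettings configuration,
    Guid tenantId)
{
    if (options is null)
    {
        throw new ArgumentNullException(nameof(options));
    }

    if (configuration is null)
    {
        throw new ArgumentNullException(nameof(configuration));
    }

    // An empty GUID can only come from an unset setting; it would pin an issuer that never
    // matches, so surface it at startup rather than as a blanket 401 later.
    if (tenantId == Guid.Empty)
    {
        throw new ArgumentException("A tenant id is required for single-tenant validation.", nameof(tenantId));
    }

    // Fail fast on a broken audience list instead of silently rejecting every token at runtime.
    // Entries are trimmed so "a, b" and a trailing comma do not produce audiences that never match.
    if (configuration.ValidAudiences is null)
    {
        throw new ArgumentException("ValidAudiences must be configured.", nameof(configuration));
    }

    var validAudiences = Array.FindAll(
        Array.ConvertAll(configuration.ValidAudiences.Split(','), audience => audience.Trim()),
        audience => audience.Length > 0);

    if (validAudiences.Length == 0)
    {
        throw new ArgumentException("ValidAudiences must contain at least one audience.", nameof(configuration));
    }

    options.Authority = configuration.AuthorizationServer;

    // Same shape as the original: prefix, tenant id, trailing slash.
    var validIssuer = $"{configuration.IssuerPrefix}/{tenantId}/";

    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = validIssuer,
        ValidateAudience = true,
        ValidAudiences = validAudiences,
        RequireExpirationTime = true,
        RequireSignedTokens = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
    };
}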