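        /// <summary>
        /// Configures JWT bearer authentication for applications that accept requests from users of multiple tenants.
        /// </summary>
        /// <remarks>
        /// Built-in issuer validation is switched off so that the first validation stage accepts tokens from any
        /// tenant; the issuer is then checked in <c>OnTokenValidated</c> by <c>ValidateTokenIssuer</c> against
        /// <c>configuration.IssuerPrefix</c>. Whether an unexpected issuer is rejected therefore depends entirely on
        /// that callback failing the context (its implementation is not part of this method). Any
        /// <c>Events</c> instance already assigned to <paramref name="options"/> is replaced.
        /// </remarks>
        /// <param name="options">The bearer options to populate.</param>
        /// <param name="configuration">Authority, comma-separated audience list and issuer prefix.</param>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="options"/> or <paramref name="configuration"/> is <c>null</c>.
        /// </exception>
        /// <exception cref="InvalidOperationException">
        /// <c>configuration.ValidAudiences</c> is null, empty, or contains only blank entries.
        /// </exception>
        public static void CreateAuthenticationOptionsForMultiTenant(
            JwtBearerOptions options, TokenValidationSettings configuration)
        {
            if (options is null)
            {
                throw new ArgumentNullException(nameof(options));
            }

            if (configuration is null)
            {
                throw new ArgumentNullException(nameof(configuration));
            }

            options.Authority = configuration.AuthorizationServer;

            options.TokenValidationParameters = new TokenValidationParameters
            {
                // Disable issuer validation to allow the multi-tenant app to accept tokens from any tenant;
                // the issuer is verified afterwards in OnTokenValidated (see ValidateTokenIssuer below).
                ValidateIssuer           = false,
                ValidateAudience         = true,
                ValidAudiences           = ParseAudiences(configuration.ValidAudiences),
                RequireExpirationTime    = true,
                RequireSignedTokens      = true,
                ValidateLifetime         = true,
                ValidateIssuerSigningKey = true,
            };

            options.Events = new JwtBearerEvents()
            {
                // After the token was validated, add the issuer check that ValidateIssuer = false skipped:
                // the issuer of the multi-tenant token must match the configured prefix.
                OnTokenValidated = context => ValidateTokenIssuer(context, configuration.IssuerPrefix),
            };

            // Splits the comma-separated audience list, trimming whitespace and dropping blank entries,
            // so that "api://a, api://b" accepts the same audiences as "api://a,api://b". Audience
            // matching is an exact string comparison, so a stray space would otherwise silently
            // reject every token carrying that audience.
            string[] ParseAudiences(string csv)
            {
                if (string.IsNullOrWhiteSpace(csv))
                {
                    throw new InvalidOperationException(
                        "TokenValidationSettings.ValidAudiences must contain at least one audience.");
                }

                var rawEntries = csv.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
                var audiences = new string[rawEntries.Length];
                var count = 0;
                foreach (var raw in rawEntries)
                {
                    var trimmed = raw.Trim();
                    if (trimmed.Length > 0)
                    {
                        audiences[count++] = trimmed;
                    }
                }

                if (count == 0)
                {
                    throw new InvalidOperationException(
                        "TokenValidationSettings.ValidAudiences must contain at least one non-blank audience.");
                }

                Array.Resize(ref audiences, count);
                return audiences;
            }
        }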
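        /// <summary>
        /// Configures JWT bearer authentication for applications that accept requests ONLY from the single tenant
        /// identified by <paramref name="tenantId"/>.
        /// </summary>
        /// <remarks>
        /// The expected issuer is built as <c>{IssuerPrefix}/{tenantId}/</c> and compared exactly by the token
        /// handler, so a trailing slash on <c>configuration.IssuerPrefix</c> is removed before composing it;
        /// otherwise a <c>//</c> in the expected value would reject every token from the tenant.
        /// </remarks>
        /// <param name="options">The bearer options to populate.</param>
        /// <param name="configuration">Authority, comma-separated audience list and issuer prefix.</param>
        /// <param name="tenantId">The only tenant whose tokens are accepted.</param>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="options"/> or <paramref name="configuration"/> is <c>null</c>.
        /// </exception>
        /// <exception cref="ArgumentException"><paramref name="tenantId"/> is <see cref="Guid.Empty"/>.</exception>
        /// <exception cref="InvalidOperationException">
        /// <c>configuration.IssuerPrefix</c> is blank, or <c>configuration.ValidAudiences</c> is null, empty,
        /// or contains only blank entries.
        /// </exception>
        public static void CreateAuthenticationOptionsForSingleTenant(
            JwtBearerOptions options, TokenValidationSettings configuration, Guid tenantId)
        {
            if (options is null)
            {
                throw new ArgumentNullException(nameof(options));
            }

            if (configuration is null)
            {
                throw new ArgumentNullException(nameof(configuration));
            }

            // An empty GUID would pin the app to a tenant that cannot exist; fail at startup instead of
            // rejecting every request at runtime.
            if (tenantId == Guid.Empty)
            {
                throw new ArgumentException("Tenant id must not be Guid.Empty.", nameof(tenantId));
            }

            if (string.IsNullOrWhiteSpace(configuration.IssuerPrefix))
            {
                throw new InvalidOperationException(
                    "TokenValidationSettings.IssuerPrefix must be set for single-tenant validation.");
            }

            options.Authority = configuration.AuthorizationServer;

            // Issuer comparison is exact; normalise the prefix so "https://host" and "https://host/" both
            // yield "https://host/{tenantId}/".
            var issuerPrefix = configuration.IssuerPrefix.Trim().TrimEnd('/');
            var validIssuer = $"{issuerPrefix}/{tenantId}/";

            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer           = true,
                ValidIssuer              = validIssuer,
                ValidateAudience         = true,
                ValidAudiences           = ParseAudiences(configuration.ValidAudiences),
                RequireExpirationTime    = true,
                RequireSignedTokens      = true,
                ValidateLifetime         = true,
                ValidateIssuerSigningKey = true,
            };

            // Splits the comma-separated audience list, trimming whitespace and dropping blank entries,
            // so that "api://a, api://b" accepts the same audiences as "api://a,api://b". Audience
            // matching is an exact string comparison, so a stray space would otherwise silently
            // reject every token carrying that audience.
            string[] ParseAudiences(string csv)
            {
                if (string.IsNullOrWhiteSpace(csv))
                {
                    throw new InvalidOperationException(
                        "TokenValidationSettings.ValidAudiences must contain at least one audience.");
                }

                var rawEntries = csv.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
                var audiences = new string[rawEntries.Length];
                var count = 0;
                foreach (var raw in rawEntries)
                {
                    var trimmed = raw.Trim();
                    if (trimmed.Length > 0)
                    {
                        audiences[count++] = trimmed;
                    }
                }

                if (count == 0)
                {
                    throw new InvalidOperationException(
                        "TokenValidationSettings.ValidAudiences must contain at least one non-blank audience.");
                }

                Array.Resize(ref audiences, count);
                return audiences;
            }
        }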