
We are using App Service Authentication to protect a web API and using Google as authentication provider. It works as expected when we fire a request from a browser (when the session information is in the cookie)

IIS log:

2016-05-29T13:51:19 PID[3600] Verbose Received request: GET https://XXXXXX.azurewebsites.net/api/user
2016-05-29T13:51:19 PID[3600] Verbose Found 'AppServiceAuthSession' cookie for site 'XXXXXX.azurewebsites.net'. Length: 728.
2016-05-29T13:51:19 PID[3600] Verbose Authenticated [email protected] successfully using 'Session Cookie' authentication.

But when we use an API testing tool such as Postman and set the Authorization header with the bearer token, it always results in a redirection.

IIS log:

2016-05-29T13:53:38 PID[3600] Verbose Received request: POST https://XXXXX.azurewebsites.net/api/user
2016-05-29T13:53:38 PID[3600] Information Redirecting: https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=XXXXXXX-XXXXX7attpunn9smo4.apps.googleusercontent.com&redirect_uri=https%3A%2F%2FXXXXXX.azurewebsites.net%2F.auth%2Flogin%2Fgoogle%2Fcallback&scope=openid+profile+email&state=nonce%3De5f4aabe11cb4544bf18d00920940d47_20160529135838%26redir%3D%2Fapi%2Fuser

We also tried setting the X-ZUMO-AUTH header to the same bearer token; we see an error because the token is not in the expected format. Apparently it expects an encoded JWT token.

IIS log:

2016-05-29T13:51:52 PID[3600] Verbose Received request: POST https://XXXXXX.azurewebsites.net/api/user
2016-05-29T13:51:52 PID[3600] Warning JWT validation failed: IDX10708: 'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'Bearer ya29.XXXXXXXXXX_RDrX_zsuvMx49e_9QS5ECz9F1yhDHe5j4H9gRN6opkjLXvN1IJZjHXa_Q'. The string needs to be in compact JSON format, which is of the form: '..'..
2016-05-29T13:51:52 PID[3600] Information Redirecting: https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=XXXXXXX-k5nj6dkf987attpunn9smo4.apps.googleusercontent.com&redirect_uri=https%3A%2F%2FXXXXXX.azurewebsites.net%2F.auth%2Flogin%2Fgoogle%2Fcallback&scope=openid+profile+email&state=nonce%3De15b0915406142378XXXXX_20160529135652%26redir%3D%2Fapi%2Fuser

Note: The bearer token obtained from Google is valid, as we can verify its details by making a call to https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=[token]

Please suggest.

2 Answers


The Google token you're using is an access token, not a bearer token. It can be used to access Google resources but cannot be used to authenticate with your Web API.

I wasn't able to find good documentation on this, but I can tell you how it works instead:

  1. In your client app, you must obtain an id_token and an authorization code from Google. You normally get this when the user logs in using the Google OpenID Connect login. I assume you already know how to do this since you already know how to get the access token.
  2. Send a POST request to https://{hostname}/.auth/login/google with a JSON payload that looks like {"authorization_code":"<code>", "id_token":"<id_token>"}.
  3. A successful login response will contain a JSON payload that contains an authenticationToken field. Cache this token.
  4. You can use the authentication token from #3 to make authenticated calls to your web API. Put it in the x-zumo-auth HTTP request header.

9 Comments

Chris, we never get to step 3 because the server returns an internal server error.
With Google we get the auth_code first, then use it to get the id_token in subsequent requests. developers.google.com/identity/protocols/… IIS Log: Warning Call to HTTP endpoint googleapis.com/oauth2/v4/token failed: 400 (Bad Request). Partial response: { "error": "invalid_grant", "error_description": "Code was already redeemed." } This can also happen if a previously-used authentication code is replayed.
The error makes sense. Can you use an auth flow with Google that returns you an authorization code and an id_token in one response? For example "response_type=code id_token"? developers.google.com/identity/protocols/…. Or if you're using Android, is it possible to acquire both the auth_code and the id_token independently via some Android API calls?
I was able to get the code and id_token in one response. But when I call https://{hostname}/.auth/login/google with the expected payload, I get the following error about an invalid issuer (https:// vs. without): JWT validation failed: IDX10205: Issuer validation failed. Issuer: 'accounts.google.com'. Did not match: validationParameters.ValidIssuer: 'accounts.google.com' or validationParameters.ValidIssuers: 'null'
That's odd. From the error message you showed the two issuers seem to match. Can you clarify what you mean by "https:// vs without"?
  1. Turn on Authentication / Authorization from the App Service Portal.

  2. Browse to the web app or API that requires authentication; you will be redirected to the Google login page. When you authenticate successfully, the response will contain:

    • "id_token": this token can be extracted from the response, or by accessing the Token Store at /.auth/me
    • "redirect_uri": this token will be included in the response body; you can also just set it statically in the following step, since this is the callback URL and it shouldn't change unless you change it in the Google console
  3. POST a request to https://{hostname}/.auth/login/google with the following JSON payload: {"redirect_uri":"", "id_token":""}. A successful response will contain "authenticationToken"; store or cache this token.

  4. Subsequent requests to the APIs that require authentication should contain an HTTP request header:

    "x-zumo-auth" with the value of "authenticationToken"

Bonus: In order to verify your token you can POST to https://{hostname}/.auth/login/google with the following JSON payload: {"id_token":""}. The response should specify whether the token is valid or not.
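The client-side flow both answers describe (exchange a Google id_token at /.auth/login/google for an App Service authenticationToken, then send it in x-zumo-auth), as an added example that is not code from the question or either answer. It also front-loads the check the question's IDX10708 log line implies: the value placed in x-zumo-auth or sent as id_token must be a compact-serialized JWT (three dot-separated base64url segments whose first two are JSON), which a Google access token such as "ya29.…" is not. The endpoint path, the JSON field names and the header name are taken from the answers above; the hostname, tokens, codes and the fake transport are constructed for offline use and are assumptions, not real values.

```python
"""App Service Authentication (Easy Auth) client helper for the Google provider.

Added example. Assumes the POST https://{hostname}/.auth/login/google contract
described in the answers: JSON body with id_token plus either authorization_code
(first answer) or redirect_uri (second answer); JSON reply carrying
authenticationToken; that token then goes in the x-zumo-auth request header.
"""
import base64
import json
import urllib.error
import urllib.request


def looks_like_compact_jwt(token: str) -> bool:
    """True if token is a JWT in compact serialization: header.payload.signature,
    header and payload being base64url-encoded JSON. A Google access token
    ("ya29.…") has a single dot and no JSON segments, which is exactly what the
    IDX10708 warning in the question rejects."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        for segment in parts[:2]:
            padded = segment + "=" * (-len(segment) % 4)
            json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False
    return True


def build_login_payload(id_token, authorization_code=None, redirect_uri=None):
    """Body for /.auth/login/google. Rejects non-JWT values up front so an
    access token is never sent where an id_token is expected."""
    if not looks_like_compact_jwt(id_token):
        raise ValueError("id_token must be a compact-serialized JWT, not an access token")
    payload = {"id_token": id_token}
    if authorization_code is not None:
        # First answer's variant; the code must come from the same response as
        # the id_token, because a code can only be redeemed once.
        payload["authorization_code"] = authorization_code
    if redirect_uri is not None:
        payload["redirect_uri"] = redirect_uri  # second answer's variant
    return payload


def login(hostname, payload, transport):
    """POST the payload and return the App Service authenticationToken.
    transport(url, body_bytes, headers) -> (status, body_bytes) is injected so the
    logic can be exercised without network access."""
    url = f"https://{hostname}/.auth/login/google"
    status, body = transport(url, json.dumps(payload).encode(),
                             {"Content-Type": "application/json"})
    if status != 200:
        raise RuntimeError(f"login failed: HTTP {status}: {body[:200]!r}")
    token = json.loads(body).get("authenticationToken")
    if not token:
        raise RuntimeError("login response carried no authenticationToken")
    return token


def api_headers(session_token):
    """Headers for subsequent calls to the protected API."""
    return {"x-zumo-auth": session_token}


def urllib_transport(url, body, headers):
    """Real transport for use against an actual App Service host."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# ---- constructed sample data (not real tokens) ------------------------------
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "accounts.google.com", "sub": "1234567890",
                        "aud": "CONSTRUCTED_CLIENT_ID"}).encode()),
    "c2lnbmF0dXJl",  # constructed placeholder, not a valid signature
])
SAMPLE_ACCESS_TOKEN = "ya29.CONSTRUCTED_ACCESS_TOKEN"  # shape of the token in the question


def fake_transport(url, body, headers):
    """Stand-in for App Service: accepts a body containing id_token and returns a
    constructed authenticationToken, as the answers describe."""
    if not url.endswith("/.auth/login/google"):
        return 404, b""
    if "id_token" not in json.loads(body):
        return 400, b'{"error":"missing id_token"}'
    return 200, json.dumps({"authenticationToken": "CONSTRUCTED_EASY_AUTH_TOKEN",
                            "user": {"userId": "sid:constructed"}}).encode()


def demo():
    """Full flow against the fake transport; returns the headers for the API call."""
    payload = build_login_payload(SAMPLE_ID_TOKEN, authorization_code="4/CONSTRUCTED_CODE")
    return api_headers(login("example.azurewebsites.net", payload, fake_transport))
```

Swap `fake_transport` for `urllib_transport` and supply a real id_token to run it against an actual site; the `looks_like_compact_jwt` guard is what turns the question's server-side IDX10708 warning into an immediate client-side error.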
