i am following this tutorial https://medium.com/#far3ns/kong-oauth-2-0-plugin-38faf938a468 and when i request the tokens with
Headers: Content-Type:application/json
Host:api.ct.id
Body:
{
“client_id”: “CLIENT_ID_11”,
“client_secret”: “CLIENT_SECRET_11”,
“grant_type”: “password”,
“provision_key”: “kl3bUfe32WBcppmYFr1aZtXxzrBTL18l”,
“authenticated_userid”: “oneone#gmail.com”,
“scope”: “read”
}
it returns
{
"error_description": "Invalid client authentication",
"error": "invalid_client"
}
no matter what i tried i couldn't fix it, any idea how to make it work properly
You need to create kong developer and it will give you client_id and client_secret_Id. Use those values in generating auth token.
Here is the working c# code.
Option 1
public static string GetOAuthToken(string url, string clientId, string clientSecret, string scope = "all", string grantType = "client_credentials")
{
try
{
string token = "";
if (string.IsNullOrWhiteSpace(url)) throw new ArgumentException("message", nameof(url));
if (string.IsNullOrWhiteSpace(clientId)) throw new ArgumentNullException("message", nameof(clientId));
if (string.IsNullOrWhiteSpace(clientSecret)) throw new ArgumentNullException("message", nameof(clientSecret));
var oAuthClient = new RestClient(new Uri(url));
var request = new RestRequest("Authenticate", Method.POST);
request.AddHeader("Content-Type", "application/json");
var credentials = new
{
grant_type = grantType,
scope = scope,
client_id = clientId,
client_secret = clientSecret
};
request.AddJsonBody(credentials);
var response = oAuthClient?.Execute(request);
var content = response?.Content;
if (string.IsNullOrWhiteSpace(content)) throw new ArgumentNullException("message", nameof(clientSecret));
token = content?.Trim('"');
return token;
}
catch (Exception ex)
{
throw new Exception(ex.Message,ex);
}
}
Option 2
var httpClient = new HttpClient()
var creds = $"client_id={client_id}&client_secret{client_secret}&grant_type=client_credentials";
httpClient.DefaultRequestHeaders.Accept.Clear();
httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/x-www-form-urlencoded"));
var content = new StringContent(creds, Encoding.UTF8, "application/x-www-form-urlencoded");
var response = httpClient.PostAsync("https://myorg/oauth/oauth2/cached/token", content).Result;
var OAuthBearerToken = response.Content.ReadAsStringAsync().Result;
Related
We are implementing Azure SSO in Traditional ASP.Net Web Application and we want to implement Authorization Code Flow for generating Refresh, Access and Id Tokens.
We have implemented the below code in AuthorizationCodeReceived function of the owin's app.UseOpenIdConnectAuthentication class. From the below mentioned code we are able to successfully fetch the Refreshtoken, AccessToken and IdToken.
But notification.AuthenticationTicket is null and it throws null reference excpetion so we are not able to add the claims for id and access tokens.
Also in the aspx.cs file the HttpContext.Current.User.Identity.IsAuthenticated is returned as false even after generating all the 3 tokens.
Please suggest why notification.AuthenticationTicket is null inside AuthorizationCodeReceived event and what changes we have to do inside AuthorizationCodeReceived event to make HttpContext.Current.User.Identity.IsAuthenticated as "true".
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseKentorOwinCookieSaver();
app.UseCookieAuthentication(new CookieAuthenticationOptions());
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator dd = new Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator();
dd.RequireNonce = false;
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
ClientSecret = clientSecret,
PostLogoutRedirectUri = redirectUri,
RedirectUri = redirectUri,
Scope = "openid profile email offline_access",
ResponseType = OpenIdConnectResponseType.Code,
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications()
{
AuthenticationFailed = (context) =>
{
return System.Threading.Tasks.Task.FromResult(0);
},
AuthorizationCodeReceived = async notification =>
{
using (var client = new HttpClient())
{
var configuration = await notification.Options.ConfigurationManager.GetConfigurationAsync(notification.Request.CallCancelled);
var request = new HttpRequestMessage(HttpMethod.Post, configuration.TokenEndpoint);
request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
{
[OpenIdConnectParameterNames.ClientId] = notification.Options.ClientId,
[OpenIdConnectParameterNames.ClientSecret] = notification.Options.ClientSecret,
[OpenIdConnectParameterNames.Code] = notification.ProtocolMessage.Code,
[OpenIdConnectParameterNames.GrantType] = "authorization_code",
[OpenIdConnectParameterNames.RedirectUri] = notification.Options.RedirectUri
});
var response = await client.SendAsync(request, notification.Request.CallCancelled);
response.EnsureSuccessStatusCode();
var payload = JObject.Parse(await response.Content.ReadAsStringAsync());
notification.AuthenticationTicket.Identity.AddClaim(new Claim(
type: OpenIdConnectParameterNames.AccessToken,
value: payload.Value<string>(OpenIdConnectParameterNames.AccessToken)));
notification.AuthenticationTicket.Identity.AddClaim(new Claim(
type: OpenIdConnectParameterNames.IdToken,
value: payload.Value<string>(OpenIdConnectParameterNames.IdToken)));
}
},
// Attach the id_token stored in the authentication cookie to the logout request.
RedirectToIdentityProvider = notification =>
{
if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
{
var token = notification.OwinContext.Authentication.User?.FindFirst(OpenIdConnectParameterNames.IdToken);
if (token != null)
{
notification.ProtocolMessage.IdTokenHint = token.Value;
}
}
return Task.CompletedTask;
},
SecurityTokenValidated = (context) =>
{ if (context != null)
{
if (context.ProtocolMessage != null && !string.IsNullOrEmpty(context.ProtocolMessage.IdToken))
{
context.AuthenticationTicket.Identity.AddClaim(new Claim("IdToken", context.ProtocolMessage.IdToken));
}
}
return Task.FromResult(0);
}
}
}
);
I am trying to build a method which validates my tokens. I am retrieving my tokens from Azure Active Directory with Open Id Connect Authorization Code Flow. The tokens that I get are the access_token and the id_token. I am using .NET Core.
My validation code is as follows:
string stsDiscoveryEndpoint = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration";
var handler = new JwtSecurityTokenHandler();
ConfigurationManager<OpenIdConnectConfiguration> configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result;
try
{
TokenValidationParameters validationParameters = new TokenValidationParameters
{
ValidIssuers = new [] { "https://login.microsoftonline.com/tenantid/v2.0" },
ValidAudiences = new [] { "client-Id" },
ValidateAudience = true,
ValidateIssuer = true,
IssuerSigningKeys = config.SigningKeys,
ValidateLifetime = true
};
var tokenHandler = new JwtSecurityTokenHandler();
SecurityToken validatedToken = null;
tokenHandler.ValidateToken(token.AccessToken, validationParameters, out validatedToken);
return validatedToken != null;
}
catch (SecurityTokenInvalidSignatureException ex)
{
return false;
}
catch(SecurityTokenValidationException)
{
return false;
}
The code below works for the id_token BUT
does not work for the access_token
The error message which I am getting when this method is executed for the access_token is:
IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: CtAAALb-8NsDe333734859crfOc
'.
kid: 'CtAAALb-8NsDe333734859crfOc'.
Exceptions caught:
' '
the nonce header has to be SHA2 hashed before signature verification
Here is an example of code where you can see
jsonToken.Header.Add("nonce", hashedNonce);
private static bool _hashNonceBeforeValidateToken = true;
private const string MicrosoftGraphApplicationId = "00000003-0000-0000-c000-000000000000";
private const string MicrosoftIssuer = "https://sts.windows.net";
public static bool ValidateTokenSignature(string accessToken, ApplicationConfiguration applicationConfiguration) {
var tokenHandler = new JwtSecurityTokenHandler();
var jsonToken = tokenHandler.ReadJwtToken(accessToken);
string[] parts = accessToken.Split('.');
string header = parts[0];
string payload = parts[1];
string signature = parts[2];
//hash nonce and update header with the hash before validating
if (_hashNonceBeforeValidateToken &&
jsonToken.Header.TryGetValue("nonce", out object nonceAsObject))
{
string plainNonce = nonceAsObject.ToString();
using (SHA256 sha256 = SHA256.Create())
{
byte[] hashedNonceAsBytes = sha256.ComputeHash(
System.Text.Encoding.UTF8.GetBytes(plainNonce));
string hashedNonce = Base64Url.Encode(hashedNonceAsBytes);
jsonToken.Header.Remove("nonce");
jsonToken.Header.Add("nonce", hashedNonce);
header = tokenHandler.WriteToken(jsonToken).Split('.')[0];
accessToken = $"{header}.{payload}.{signature}";
}
}
//get the Microsoft JWT signature public key
string stsDiscoveryEndpoint = $"https://login.microsoftonline.com/{applicationConfiguration.TenantId}/v2.0/.well-known/openid-configuration";
if (jsonToken.Header.TryGetValue("ver", out object version) && version.ToString() == "1.0")
{
stsDiscoveryEndpoint = $"https://login.microsoftonline.com/{applicationConfiguration.TenantId}/.well-known/openid-configuration";
}
var openidConfigManaged = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint,
new OpenIdConnectConfigurationRetriever(),
new HttpDocumentRetriever());
var configTask = openidConfigManaged.GetConfigurationAsync();
configTask.Wait();
var config = configTask.Result;
var parameteres = new TokenValidationParameters()
{
RequireAudience = true,
ValidateAudience = true,
ValidAudiences = new[] { applicationConfiguration.ApplicationId, MicrosoftGraphApplicationId },
ValidateIssuer = true,
ValidIssuers = new string[] { $"{MicrosoftIssuer}/{applicationConfiguration.TenantId}/", config.Issuer },
IssuerSigningKeys = config.SigningKeys,
ValidateIssuerSigningKey = true,
RequireExpirationTime = true,
ValidateLifetime = true,
};
var claimPrincipal = tokenHandler.ValidateToken(
accessToken, parameteres, out SecurityToken validatedToken);
return claimPrincipal.Identity.IsAuthenticated;
}
Is the access_token audience your API or Microsoft Graph/other 3rd party service? It only makes sense to validate the tokens that you (your service) consumes, other audiences will take care of this on their own. On top of that, the signature of that JWT may be opaque to you.
See this for more - https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/812#issuecomment-456700813
I am trying to patch password credentials for an application using Microsoft Graph API beta endpoint for application resource type.
https://graph.microsoft.com/beta/applications/{applicationId}
The content variable is a JSON-serialized representation of something like this:
[{
"customKeyIdentifier":null,
"endDateTime":"2019-11-19T23:16:24.2602448Z",
"keyId":"47fde652-8b60-4384-b630-8e5f8f6e24b1",
"startDateTime":"2018-11-19T23:16:24.2602448Z",
"secretText":"SomeGeneratedPassword",
"hint":null
}]
Calling code is this:
using (HttpClient client = new HttpClient())
{
client.BaseAddress = new Uri("https://graph.microsoft.com");
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authHeaderValue.Result.AccessToken);
client.DefaultRequestHeaders
.Accept
.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var method = new HttpMethod("PATCH");
var requestUri = $"https://graph.microsoft.com/beta/applications/{applicationId}";
var content = GeneratePasswordCredentials(passwordHint);
var request = new HttpRequestMessage(method, requestUri)
{
Content = new StringContent(
content,
System.Text.Encoding.UTF8,
"application/json")
};
request.Headers
.Accept
.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var resultApi = await client.SendAsync(request);
response = await resultApi.Content.ReadAsStringAsync();
}
Auth appears to be working fine, but the response is this (inner error removed for brevity):
{
"error": {
"code": "BadRequest",
"message": "Empty Payload. JSON content expected.",
}
}
What is wrong with the above code?
The body content format should be
{
"passwordCredentials":
[
{"customKeyIdentifier":"YWJjZA==",
"startDateTime":"2018-11-20T02:37:07.3963006Z",
"endDateTime":"2019-11-20T02:37:07.3963006Z",
"secretText":"The passwords must be 16-64 characters in length",
"keyId":"aeda515d-dc58-4ce6-a452-3bc3d84f58a3",
"hint":"xxx"}
]
}
The following the demo code to Generate PasswordCredentials body content
public static string GeneratePasswordCredentials(string passwordHint)
{
var passwordCredential = new JObject
{
new JProperty("customKeyIdentifier",Encoding.UTF8.GetBytes(passwordHint)),
new JProperty("startDateTime",DateTime.UtcNow),
new JProperty("endDateTime", DateTime.UtcNow.AddYears(1)),
new JProperty("secretText", "The passwords must be 16-64 characters in length"),
new JProperty("keyId", Guid.NewGuid().ToString()),
new JProperty("hint", passwordHint)
};
JArray jArray = new JArray
{
passwordCredential
};
var jsonObject = new JObject
{
new JProperty("passwordCredentials",jArray)
};
var json = JsonConvert.SerializeObject(jsonObject);
return json;
}
Note: The request url should be $"https://graph.microsoft.com/beta/applications/{ApplicationObjectId}"
The issue is with JSON string specified for Update Application Microsoft Graph API. It's missing which property you're trying to update for the application. I've added "passwordCredentials" property and given it the JSON as a collection. See jsonContent variable at the very beginning of my code.
/*Only change here from original JSON is to add the passwordCredentials node*/
{
"passwordCredentials":[
{
"customKeyIdentifier": null,
"endDateTime": "2019-11-19T23:16:24.2602448Z",
"keyId": "47fde652-8b60-4384-b630-8e5f8f6e24b1",
"startDateTime": "2018-11-19T23:16:24.2602448Z",
"secretText": "SomeGeneratedPassword",
"hint": null
}
]
}
I started with your code and the 400 bad response error reproduced for me as well.
Below is the final working code and now I get back a 204 response status. I can also see the new key added to Application keys collection from Azure Portal > App Registrations > My app > Settings > Keys
string jsonContent = "{\"passwordCredentials\":[{\"customKeyIdentifier\":null,\"endDateTime\":\"2019-11-19T23:16:24.2602448Z\",\"keyId\":\"47fde652-8b60-4384-b630-8e5f8f6e24b1\",\"startDateTime\":\"2018-11-19T23:16:24.2602448Z\",\"secretText\":\"somegeneratedpassword\",\"hint\":null}]}";
using (HttpClient client = new HttpClient())
{
client.BaseAddress = new Uri("https://graph.microsoft.com");
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authHeaderValue.Result.AccessToken);
client.DefaultRequestHeaders
.Accept
.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var method = new HttpMethod("PATCH");
var requestUri = $"https://graph.microsoft.com/beta/applications/{applicationId}";
// I have commented out this method and passed in my JSON instead.
//var content = GeneratePasswordCredentials(passwordHint);
var content = jsonContent;
var request = new HttpRequestMessage(method, requestUri)
{
Content = new StringContent(
content,
System.Text.Encoding.UTF8,
"application/json")
};
request.Headers
.Accept
.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var resultApi = client.SendAsync(request).GetAwaiter().GetResult();
//response = await resultApi.Content.ReadAsStringAsync();
var response = resultApi.Content.ReadAsStringAsync().GetAwaiter().GetResult();
}
Please, help!!!!
I am trying to follow a Hybrid implementation (Azure AD + Identity Server 3) from here
I am able to get to the AAD, I seem to get authenticated (get user info, etc) and receive a context.code:
When I pass that code into RequestAuthorizationCodeAsync I get an "invalid_grant" and if I look at the client, here is what I see (Authorization Code is too long):
Here is my code:
public class Startup
{
string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
public void Configuration(IAppBuilder app)
{
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies"
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
RedirectUri = "https://localhost:44300/",
PostLogoutRedirectUri = "https://localhost:44300/",
ResponseType = "code id_token",
Scope = "openid profile read write offline_access",
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "role"
},
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = async context =>
{
string userObjectID = context.AuthenticationTicket.Identity.FindFirst("oid").Value;
string tenantID = context.AuthenticationTicket.Identity.FindFirst("tid").Value;
string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;
context.ProtocolMessage.RedirectUri = appBaseUrl + "/";
context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
Uri redirectUri = new Uri(context.Request.Uri.GetLeftPart(UriPartial.Path));
string authorizationCode = context.Code;
// use the code to get the access and refresh token
var tokenClient = new TokenClient(
Constants.TokenEndpoint,
clientId,
"secret", AuthenticationStyle.PostValues);
var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(
authorizationCode, context.RedirectUri);
if (tokenResponse.IsError)
{
throw new Exception(tokenResponse.Error);
}
// use the access token to retrieve claims from userinfo
var userInfoClient = new UserInfoClient(
new Uri(Constants.UserInfoEndpoint),
tokenResponse.AccessToken);
var userInfoResponse = await userInfoClient.GetAsync();
// create new identity
var id = new ClaimsIdentity(context.AuthenticationTicket.Identity.AuthenticationType);
id.AddClaims(userInfoResponse.GetClaimsIdentity().Claims);
id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
id.AddClaim(new Claim("expires_at", DateTime.Now.AddSeconds(tokenResponse.ExpiresIn).ToLocalTime().ToString()));
id.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
id.AddClaim(new Claim("id_token", context.ProtocolMessage.IdToken));
id.AddClaim(new Claim("sid", context.AuthenticationTicket.Identity.FindFirst("sid").Value));
context.AuthenticationTicket = new AuthenticationTicket(
new ClaimsIdentity(id.Claims, context.AuthenticationTicket.Identity.AuthenticationType, "name", "role"),
context.AuthenticationTicket.Properties);
},
RedirectToIdentityProvider = context =>
{
// if signing out, add the id_token_hint
if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
{
var idTokenHint = context.OwinContext.Authentication.User.FindFirst("id_token");
if (idTokenHint != null)
{
context.ProtocolMessage.IdTokenHint = idTokenHint.Value;
}
}
return Task.FromResult(0);
}
}
});
}
}
I have two applications using the same azure active directory. App A and App B.
App A uses
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
ClientId = Configuration["Authentication:AzureAd:ClientId"],
Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"],
ClientSecret = Configuration["Authentication:AzureAd:ClientSecret"],
CallbackPath = Configuration["Authentication:AzureAd:CallbackPath"],
ResponseType = OpenIdConnectResponseType.CodeIdToken,
GetClaimsFromUserInfoEndpoint = true,
SignInScheme = "Cookies",
SaveTokens = true,
Events = new OpenIdConnectEvents
{
OnAuthorizationCodeReceived = OnAuthorizationCodeReceived,
}
});
And i acquire an access to application B api service resource by acquiring the token with:
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
string userObjectId = (context.Ticket.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
ClientCredential clientCred = new ClientCredential(Configuration["Authentication:AzureAd:ClientId"], Configuration["Authentication:AzureAd:ClientSecret"]);
AuthenticationContext authContext = new AuthenticationContext(Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"]);
AuthenticationResult authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
context.ProtocolMessage.Code, new Uri(context.Properties.Items[OpenIdConnectDefaults.RedirectUriForCodePropertiesKey]), clientCred, Configuration["Authentication:AzureAd:GraphResourceId"]);
I'm also using cookies to sign in into app A with:
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationScheme = "Cookies",
AutomaticAuthenticate = true,
AutomaticChallenge = true,
SlidingExpiration = true,
ExpireTimeSpan = TimeSpan.FromHours(1),
Events = new CookieAuthenticationEvents()
{
OnSignedIn = OnSignedIn,
OnSigningIn = OnSigningIn,
OnValidatePrincipal = OnValidatePrincipal
}
});
/* Account Controller SignIn() */
return Challenge(
new AuthenticationProperties {
AllowRefresh = true,
IsPersistent = true,
RedirectUri = "/" }, OpenIdConnectDefaults.AuthenticationScheme);
Now my problem is similar to others where my access token is expiring, but my signin cookie to app a is still valid so the user appears to be logged in fine, although they have no token in the cache.
I've followed suit of other questions and looked to my Cookie event of
Task OnValidatePrincipal(CookieValidatePrincipalContext arg) {
var http = new HttpClient();
var uri = "https://login.microsoftonline.com/<tenant>/oauth2/token";
var client_id = "<my_client_id>";
var scope = "https://graph.microsoft.com/mail.read";
var refresh_token = "<saved_refresh_token_in_cookie_if_SaveTokens = true>";
var redirect_uri = "https://localhost:20352/";
var grant_type = "refresh_token";
var client_secret = "<client_secret_from_azure>";
var body = new List<KeyValuePair<string, string>>
{
new KeyValuePair<string, string>("client_id", client_id),
new KeyValuePair<string, string>("scope", scope),
new KeyValuePair<string, string>("refresh_token", refresh_token),
new KeyValuePair<string, string>("redirect_uri", redirect_uri),
new KeyValuePair<string, string>("grant_type", grant_type),
new KeyValuePair<string, string>("client_secret", client_secret)
};
var content = new FormUrlEncodedContent(body);
var result = http.PostAsync(uri, content).Result;
var stringContent = result.Content.ReadAsStringAsync().Result;
JObject jobject = JObject.Parse(stringContent);
var token = jobject["access_token"].Value<string>();
Problem here is I don't know how to get this token back into the default TokenStore that the adal AuthenticationContext uses. We have code deeper that needs to pull from:
_authenticationResult = await authContext.AcquireTokenSilentAsync(_authConfigOptions.AzureAd.WebserviceAppIdUri.ToString(), credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
Is there a way I can get a new resource access token back into the tokenstore for users App B api calls, without a valid token / refresh token 'On Behalf of User' flow?
If you lose the access token and refresh token, you must redirect the user to Azure AD to authenticate again. They may be still authenticated there so they just get redirected back to your app along with the authorization code.
In one of my projects I made an exception filter that does this:
public void OnException(ExceptionContext filterContext)
{
//If the error is a silent token acquisition exception from ADAL..
if(filterContext.Exception is AdalSilentTokenAcquisitionException)
{
//Instead of the usual procedure, return a 401 which triggers the OpenIdConnect middleware redirection
filterContext.Result = new HttpUnauthorizedResult();
filterContext.ExceptionHandled = true;
}
}
So if the exception is thrown where silent token acquisition fails, just swallow the error and change the result into a 401, which triggers the OpenIdConnect middleware to send the user to Azure AD.
Since you have AutomaticAuthenticate=true, it should do this.