I have been using OAuth-based authentication with some enterprise-proprietary providers for a long time. For this reason we commonly appended the authorization header with the method TryAddWithoutValidation, as shown below:
client.DefaultRequestHeaders.TryAddWithoutValidation("Bearer", result.AccessToken);
After I started to use the Active Directory Authentication Library (ADAL) to generate the token with
AuthenticationResult result = await m_AuthContext.AcquireTokenAsync(m_ResourceId, m_ClientId);
I tried to use the method TryAddWithoutValidation again. Unfortunately this didn't work. I figured out that if I want to send the token properly I have to use the following method to append the token to the header:
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken); // AccessToken is the property ADAL's AuthenticationResult exposes
I was a bit surprised that the previous statement didn't work, but the explanation is very simple.
The AAD (Azure Active Directory) OWIN provider hosted in my web site (WebApi) has declined the token sent by TryAddWithoutValidation. The reason is that AAD expects the token in the standard HTTP header "Authorization: Bearer <token>". TryAddWithoutValidation("Bearer", ...) instead sends a custom header whose name is "Bearer"; the bearer-token middleware only inspects the Authorization header, so it never sees the token and treats the request as anonymous.
The following table shows exactly what is sent in both cases:
| The invalid one, sent by DefaultRequestHeaders.TryAddWithoutValidation("Bearer", "..") | Bearer: eyJ0eXAiOiJKV1QiLCJhbGciO… |
| The good one, sent by DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", ".."); | Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciO… |
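The following example is added here and is not code from the original post or from ADAL. It builds the same request both ways with HttpRequestMessage (no network call), prints the header lines each variant would put on the wire, and applies the first check a bearer-token middleware performs before validating anything: read only the Authorization header and require the "Bearer" scheme. The token value and the URL are constructed placeholders; in real code the token is AuthenticationResult.AccessToken from ADAL.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;

// Added example, not from the original post. SampleToken is a constructed placeholder.
class BearerHeaderDemo
{
    const string SampleToken = "eyJ0eXAiOiJKV1QiLCJhbGciO.placeholder.placeholder";
    const string ApiUrl = "https://example.invalid/api/values"; // constructed, non-routable

    // The pattern from the post that does NOT work with the AAD OWIN middleware:
    // it creates a custom header literally named "Bearer".
    public static HttpRequestMessage BuildWithCustomHeader(string token)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, ApiUrl);
        request.Headers.TryAddWithoutValidation("Bearer", token);
        return request;
    }

    // The correct pattern: the standard Authorization header with the "Bearer" scheme.
    public static HttpRequestMessage BuildWithAuthorizationHeader(string token)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, ApiUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return request;
    }

    // Mirrors what bearer-token middleware does before it ever validates the JWT:
    // look only at the Authorization header and require the "Bearer" scheme.
    // Returns null when no usable token is present (the request is then anonymous).
    public static string ExtractBearerToken(HttpRequestMessage request)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth == null)
            return null; // no Authorization header at all
        if (!string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
            return null; // some other scheme (Basic, Negotiate, ...)
        return string.IsNullOrEmpty(auth.Parameter) ? null : auth.Parameter;
    }

    static void Main()
    {
        var requests = new[] { BuildWithCustomHeader(SampleToken), BuildWithAuthorizationHeader(SampleToken) };
        foreach (HttpRequestMessage request in requests)
        {
            Console.WriteLine("--- header lines that would be sent ---");
            foreach (var header in request.Headers)
                Console.WriteLine(header.Key + ": " + string.Join(" ", header.Value));

            string token = ExtractBearerToken(request);
            Console.WriteLine(token == null
                ? "middleware sees no bearer token -> request is anonymous (401 on protected routes)"
                : "middleware extracted a token of length " + token.Length);
            Console.WriteLine();
        }
    }
}
```

The first request prints a single line "Bearer: eyJ0eXAi…" and ExtractBearerToken returns null; the second prints "Authorization: Bearer eyJ0eXAi…" and the token is extracted. This is why the custom-header variant produces a 401 on every protected route even though the token itself is perfectly valid: the failure is in header placement, not in token validation, so it shows up as a missing credential rather than a signature or issuer error.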
Posted Jul 29 2014, 09:03 AM by Damir Dobric