We want to validate the JWT token acquired using office.js Office.context.mailbox.getUserIdentityTokenAsync((result). We have implemented our own JwtSecurityTokenHandler for us to get the unique ID of the user and add it as claim to the request. So we could authorize the user in all our functions.
But we are not able to authenticate the JWT token. It is throwing the following invalidAudienceURi exception. But when we decoded the token the URI which is used to generate the token is getting generated dynamically with et query string. This et query string is injected dynamically by office.js.
Exception:
Microsoft.Exchange.WebServices.Auth.Validation.InvalidTokenAudienceException was unhandled by user code
HResult=-2146233088
Message=Audience URI validation failed. Audience does not match.
Source=Microsoft.Exchange.WebServices.Auth
StackTrace:
at Microsoft.Exchange.WebServices.Auth.Validation.AppIdentityToken.ProcessToken(Uri extensionServiceHost, String key) in \\REDMOND\EXCHANGE\BUILD\E15\15.00.0913.000\SOURCES\sources\dev\EwsManagedApi\src\Auth\Validation\ClientExtensionIdentityToken.cs:line 220
at Microsoft.Exchange.WebServices.Auth.Validation.AppIdentityToken.Validate(Uri extensionServiceHost, String catchedKey) in \\REDMOND\EXCHANGE\BUILD\E15\15.00.0913.000\SOURCES\sources\dev\EwsManagedApi\src\Auth\Validation\ClientExtensionIdentityToken.cs:line 185
at Microsoft.Exchange.WebServices.Auth.Validation.AppIdentityToken.Validate(Uri extensionServiceHost) in \\REDMOND\EXCHANGE\BUILD\E15\15.00.0913.000\SOURCES\sources\dev\EwsManagedApi\src\Auth\Validation\ClientExtensionIdentityToken.cs:line 155
at UatWork.Web.CustomTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) in C:\Users\vinay\Source\Workspaces\UatWork-O365\Development\UatWork\src\UatWork.Web\Startup.cs:line 176
at Microsoft.AspNet.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()
Image: exception and custom handler
Solution 1 Tried: We tried to override ValidateAudience method. But at runtime this method id never getting executed. Solution 2 Tried: We tried to add AudienceValidator as options for the jwttoken handler. Unfortunately this is also not been called.
Can anyone tell me on how to go about from here?
Thanks, Vinay TC
If I understand the problem correctly (and maybe I don't), it sounds like you're saying the
payload.aud
property is changing each request?For now, here's what I know of the
hostUri
used by the validation:If the provided
hostUri
does not match the first instance of a<SourceLocation>
element as defined in your manifest XML, the token.Validate() call will fail.The
token
string in raw form is three base64 encoded objectsseparated by.
s.If you do not know what your
hostUri
should be, inspect the rawtoken
string, decode the Payload section (you may need to pad it out to mod 4 length by appending=
chars).Inspecting the payload JSON object, you will see a property named
aud
. The value ofaud
is the Uri you should be using forhostUri
.So, if you can capture the raw token, you could use the following JavaScript to get the required hostUri:
Hopefully that works...
Inside the Identity Token