Add guidance on V1 and V2 STS tokens#36979
Pull request overview
Adds documentation to clarify V1 vs V2 Microsoft Entra STS token issuer formats and links OIDC guidance to the new Entra-specific section so readers can choose the correct authority/issuer settings.
Changes:
- Adds a new STS token version section to the Entra Blazor Web App security article with V1/V2 authority examples and V2 migration notes.
- Adds cross-references from the OIDC Blazor Web App security article to the Entra article’s STS token version guidance.
- Expands authority examples in the Entra article to explicitly show both V1 and V2 issuer URL formats for ME-ID tenants.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| aspnetcore/blazor/security/blazor-web-app-with-oidc.md | Adds repeated notes/cross-links pointing readers to Entra STS token version guidance. |
| aspnetcore/blazor/security/blazor-web-app-with-entra.md | Adds V1/V2 authority examples and a new STS token version section with V2 migration guidance. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
I'll wait to see @halter73's review before adding mine. |
Thanks again, @GC-brian-taylor! If you look at the last commit, I'm going to see if we can add that troubleshooting guidance here. Makes sense, given that @halter73 has to review this for the other items anyway ... a time saver for him. I changed it up a bit from what you did ...
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
| This article and its accompanying sample apps adopt V1 STS tokens. To adopt V2 tokens, make the following changes: | ||
| * The STS version must be changed in the apps' registrations in the Azure portal. Set the value of `requestedAccessTokenVersion` to `2` in the apps' manifests, both in the app's registration and the web API's (`MinimalApiJwt`) registration. |
`requestedAccessTokenVersion` in the app manifest controls the version of access tokens issued for that app as a resource (i.e., when it's the audience). For a Blazor Web App + `MinimalApiJwt` setup, the access token the BFF sends to the web API is issued for the web API's audience, so only the web API's app registration needs `requestedAccessTokenVersion: 2`. Setting it on the client app registration has no effect on the tokens consumed by `MinimalApiJwt`. Suggest narrowing this to just the web API registration as follows:
> * The STS version must be changed in the web API's (`MinimalApiJwt`) app registration in the Azure portal. Set the value of `requestedAccessTokenVersion` to `2` in the web API app registration's manifest. Entra issues access tokens in the version requested by the resource (audience) app registration, so this setting on the Blazor Web App's client registration has no effect on the tokens that `MinimalApiJwt` receives and validates.
| try | ||
| { | ||
| var handler = | ||
| new System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler(); |
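Review bot: the handler here only parses the token for the debug logging that follows and performs no signature, lifetime or issuer validation, so the text around this `try` block should say it is diagnostic logging only and not a substitute for the `TokenValidationParameters` the web API configures, otherwise a reader may mistake it for a validation step; also consider a `using System.IdentityModel.Tokens.Jwt;` directive instead of the fully qualified type name on the `new` line so the snippet reads like the rest of the article's code.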
Consider using `Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler` instead of `JwtSecurityTokenHandler`. It's the newer, recommended handler. ASP.NET Core's JWT bearer middleware uses it by default in recent versions, and `JwtSecurityTokenHandler` is in maintenance mode.

```csharp
var handler =
    new Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler();
var jwtToken = handler.ReadJsonWebToken(token);
logger.LogDebug("Audience: {Audience}",
    string.Join(", ", jwtToken.Audiences));
logger.LogDebug("Issuer: {Issuer}", jwtToken.Issuer);
```

| jwtOptions.TokenValidationParameters = new TokenValidationParameters | ||
| { | ||
| ValidateIssuer = true, | ||
| // Ensure the issuer ends with /v2.0 if using the V2 endpoint |
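Review bot: the comment on the line after `ValidateIssuer = true` covers only the V2 form of the issuer; since the article states that the sample apps adopt V1 tokens, this snippet should also show the V1 issuer form (`https://sts.windows.net/{TENANT ID}/`) or state that `ValidIssuer` has to change together with `requestedAccessTokenVersion` in the web API's manifest, otherwise a reader who sets the manifest to `2` gets an issuer mismatch with no hint in this code about why.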
Worth noting `{TENANT ID}` here must be the tenant GUID (matching the `tid` claim), not a domain like `contoso.onmicrosoft.com` — the `iss` claim for V2 work/school tokens is always the GUID form, so a domain-form `ValidIssuer` won't match. Suggest folding that into the existing comment:

```diff
- // Ensure the issuer ends with /v2.0 if using the V2 endpoint
+ // Ensure the issuer ends with /v2.0 if using the V2 endpoint and that
+ // {TENANT ID} is the tenant GUID (matching the token's tid claim), not a domain
```
Fixes #36978
Fixes #37030
Fixes #37031
Stephen ...
sts.windows.net) URLs.

`TokenValidationParameters` for the web API (`MinimalApiJwt`). Should I also be doing that in the Blazor app's `Program` file?

`TokenValidationParameters`, why is the `ValidAudience` just the client id and not the full audience passed to `jwtOptions.Audience`? If I try to use the full audience value there, it 💥 with a mismatch error with Azure and explicitly tells me that it's just looking for the client id.
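An added diagnostic in Python (not code from this PR or from the docs it edits) that applies the points raised in the issuer comment above and in the audience question: it reads a token's claims without validating it, classifies the token as V1 or V2 from its `iss` claim, insists that a `ValidIssuer` is built from the tenant GUID rather than a domain, and reports why a given `ValidIssuer`/`ValidAudience` pair would reject the token. The tenant id, client id and the unsigned token are constructed sample values, not real Entra output.

```python
import base64
import json
import uuid
# Issuer formats the article contrasts: V1 (sts.windows.net) and V2 (/v2.0 suffix)
ISSUER_FORMATS = {
    "v1": "https://sts.windows.net/{tid}/",
    "v2": "https://login.microsoftonline.com/{tid}/v2.0",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    # Constructed, unsigned (alg "none") sample for this demo; an API must never accept such a token
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def read_claims(token: str) -> dict:
    # Decodes the payload only: no signature, lifetime or audience validation happens here
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def token_version(claims: dict) -> str:
    # The iss claim, built from the tid GUID, tells a V1 token from a V2 token
    for version, fmt in ISSUER_FORMATS.items():
        if claims.get("iss") == fmt.format(tid=claims.get("tid", "")):
            return version
    return "unknown"

def expected_valid_issuer(tenant_id: str, version: str) -> str:
    # ValidIssuer must use the tenant GUID (the token's tid), not a domain such as contoso.onmicrosoft.com
    uuid.UUID(tenant_id)  # raises ValueError for a domain-form tenant identifier
    return ISSUER_FORMATS[version].format(tid=tenant_id)

def diagnose(token: str, configured_issuer: str, expected_audience: str) -> list:
    # Explains why TokenValidationParameters with these ValidIssuer/ValidAudience values would reject the token
    claims = read_claims(token)
    version = token_version(claims)
    problems = []
    if claims.get("iss") != configured_issuer:
        problems.append(f"{version} token iss {claims.get('iss')!r} != ValidIssuer {configured_issuer!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append(f"aud {audiences!r} does not contain ValidAudience {expected_audience!r}")
    return problems
```

Run `diagnose` against a token captured from your own debug logging with the exact `ValidIssuer` and `ValidAudience` strings from `MinimalApiJwt` to see which of the two is the one that does not line up.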