I'm using a CustomAuthorizationAttribute (derived from AuthorizeAttribute) to validate an access token. The code snippet is below. The same code works fine locally, but when it is deployed to IIS, it throws an exception:
Unable to validate token. validationParameters.Issuer is null or whitespace and validationParameters.Issuers is null or empty. (using log for exception)
Token validation parameters:
// Validation settings for the incoming JWT (presumably the body of
// GetValidationParameters(), whose signature is not shown here).
// NOTE(review): the reported error says the handler saw no issuer value at
// runtime. If the real issuer/audience are read from configuration rather than
// hard-coded as below, verify those settings exist in the deployed web.config.
var parameters = new TokenValidationParameters
{
    // Issuer: the token's "iss" claim must equal ValidIssuer.
    ValidateIssuer = true,
    ValidIssuer = "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/v2.0",

    // Audience: the token's "aud" claim must equal ValidAudience, so tokens
    // issued for a different application are rejected.
    ValidateAudience = true,
    ValidAudience = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",

    // Lifetime: expired or not-yet-valid tokens are rejected.
    ValidateLifetime = true,

    // Signature keys: openidconfig is obtained outside this snippet.
    // NOTE(review): presumably the tenant's OpenID Connect metadata; confirm it
    // is fetched over HTTPS and refreshed when the issuer rolls its keys.
    ValidateIssuerSigningKey = true,
    IssuerSigningKeys = openidconfig.SigningKeys,
};
return parameters;
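/// <summary>
/// Validates a raw JWT against the parameters returned by
/// <c>GetValidationParameters()</c>.
/// </summary>
/// <param name="token">The compact-serialized token taken from the request.</param>
/// <returns>
/// <c>true</c> when the handler accepts the token; <c>false</c> when the token is
/// empty, malformed, or rejected by validation. The failure reason is logged.
/// </returns>
private bool ValidateToken(string token)
{
    // The token comes straight from a request header, so treat it as untrusted:
    // an empty value is rejected up front instead of reaching the handler.
    if (string.IsNullOrWhiteSpace(token))
    {
        WriteLog("Token validation failed - token is empty");
        return false;
    }

    var validationParameters = GetValidationParameters();
    var tokenHandler = new JwtSecurityTokenHandler();
    try
    {
        SecurityToken validatedToken;
        tokenHandler.ValidateToken(token, validationParameters, out validatedToken);
        return true;
    }
    catch (SecurityTokenException ex)
    {
        // Base type of SecurityTokenValidationException; also covers token
        // failures that are not validation-specific, so they deny access
        // instead of surfacing as an unhandled error.
        WriteLog(ex.Message);
        return false;
    }
    catch (ArgumentException ex)
    {
        // Raised for input that is not a well-formed JWT. Fail closed.
        WriteLog(ex.Message);
        return false;
    }
}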
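/// <summary>
/// Authorizes the request only when it carries an <c>Authorization: Bearer</c>
/// header whose token passes <c>ValidateToken</c>.
/// </summary>
/// <param name="httpContext">The current request context.</param>
/// <returns><c>true</c> if the bearer token is valid; otherwise <c>false</c>.</returns>
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
    // Require the scheme name followed by a space so that a value such as
    // "BearerXYZ" is not treated as a bearer credential.
    const string BearerPrefix = "Bearer ";

    var authtokenHeader = httpContext.Request.Headers["Authorization"];

    // Do not write the header value to the log: it contains the bearer token,
    // and anyone who can read the log could replay it until it expires.
    // Record only whether a header was supplied.
    WriteLog("Authorization header present: " + !string.IsNullOrEmpty(authtokenHeader));

    if (string.IsNullOrEmpty(authtokenHeader) ||
        !authtokenHeader.StartsWith(BearerPrefix, StringComparison.OrdinalIgnoreCase))
    {
        WriteLog("User not authorized - Auth token is empty or null");
        return false;
    }

    string accessToken = authtokenHeader.Substring(BearerPrefix.Length).Trim();
    return ValidateToken(accessToken);
}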
The authentication mode in web.config is None. Is there anything I need to add to the web.config?
<system.web>
<!-- NOTE(review): debug="true" is a development setting; confirm the configuration deployed to IIS turns it off. -->
<compilation debug="true" targetFramework="4.8" />
<!-- With mode="None" no built-in ASP.NET authentication module is selected, so the custom authorization attribute is presumably the only check on the bearer token; verify it is applied to every protected action. -->
<authentication mode="None" />
</system.web>
Any help would be appreciated. Thanks in advance.