Question

I have a .NET MVC application that uses Azure Active Directory for Auth.

I'm trying to add a custom JWTSecurityTokenHandler to authenticate a console app that performs some basic GET requests against the app. However every request just gets redirected to the Azure AD login page instead of being passed to the JWT handler (my breakpoints and logging statements in the handler are not being hit). Any ideas?

Web.config:

  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="https://localhost:44300/" />
      </audienceUris>
      <securityTokenHandlers>
        <add type="QS.Admin.Infrastructure.MyJwtHandler, QS.Admin" />
        <securityTokenHandlerConfiguration>
          <certificateValidation certificateValidationMode="None" />
        </securityTokenHandlerConfiguration>
      </securityTokenHandlers>
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="https://[myaccessdomain].accesscontrol.windows.net/">
          <keys>
            <add thumbprint="[thumbprint]" />
          </keys>
          <validIssuers>
            <add name="https://[myaccessdomain].accesscontrol.windows.net/" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
      <!-- certificateValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes. -->
      <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="false" />
      <wsFederation passiveRedirectEnabled="true" issuer="https://[myaccessdomain].accesscontrol.windows.net/v2/wsfederation" realm="https://localhost:44300/" requireHttps="false" />
    </federationConfiguration>
  </system.identityModel.services>

Solution 2

The settings in web.config look right.

Couple of things to check:

  1. Make sure ACS is configured to issue JWT tokens for your realm.

  2. If you plug in the JwtSecurityTokenHandler from MS - is it getting hit? This will help in isolating the issue to your custom handler versus settings in ACS or web.config.

Other tips

In addition to the above advice, the JwtSecurityTokenHandler's responsibility is to validate a JWT and serve claims upstream. I don't see session management anywhere in your config; if that is missing, each call to the host will require obtaining a new token from ACS.
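The path the two answers describe, as an added example that is not from the question or either answer: a hypothetical IHttpModule (BearerJwtModule, name assumed) that hands an "Authorization: Bearer <jwt>" header to the handler collection WIF populates from the <securityTokenHandlers> element above, so a non-browser caller is authenticated during AuthenticateRequest rather than being left anonymous for the WS-Federation module to redirect. It assumes .NET 4.5 WIF (System.IdentityModel, System.IdentityModel.Services) and a JwtSecurityTokenHandler registered in that collection, as in the posted config.

```csharp
// Added example, not the question's or answers' code. Names are hypothetical.
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Threading;
using System.Web;

namespace QS.Admin.Infrastructure // namespace taken from the posted config
{
    public class BearerJwtModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // Run before the request reaches MVC authorization, so a valid
            // bearer token yields an authenticated principal and no 401.
            app.AuthenticateRequest += OnAuthenticateRequest;
        }

        public void Dispose() { }

        private static void OnAuthenticateRequest(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;
            string header = app.Request.Headers["Authorization"];
            if (string.IsNullOrEmpty(header) ||
                !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
                return; // browser traffic: leave it to WS-Federation and the session cookie

            string rawJwt = header.Substring("Bearer ".Length).Trim();

            // Same collection Web.config builds: it carries audienceUris,
            // issuerNameRegistry and certificateValidation from <identityConfiguration>.
            SecurityTokenHandlerCollection handlers =
                FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
            if (!handlers.CanReadToken(rawJwt))
                return; // no registered handler recognises this string as a JWT

            try
            {
                SecurityToken token = handlers.ReadToken(rawJwt);
                ReadOnlyCollection<ClaimsIdentity> identities = handlers.ValidateToken(token);
                var principal = new ClaimsPrincipal(identities);
                app.Context.User = principal;
                Thread.CurrentPrincipal = principal;
            }
            catch (SecurityTokenException)
            {
                // Bad signature, issuer, audience or lifetime: stay anonymous and
                // let authorization fail; do not echo the reason to the caller.
            }
        }
    }
}
```

The module still has to be registered under <system.webServer><modules> in Web.config (entry assumed, not shown on the page), and the console client must send the ACS-issued JWT in the Authorization header on every GET unless a session cookie is also established.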

License: CC-BY-SA with attribution
Not affiliated with StackOverflow