Are the authentication tokens validated for every request by the ASP.NET Core Web API?

I have the following configuration in my ASP.NET Core Web API:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Identity.Web;

// Adds Microsoft Identity platform (AAD v2.0) support to protect this Api
services.AddMicrosoftIdentityWebApiAuthentication(configuration);

// Global authorization filter: every controller action requires an
// authenticated caller whose token carries an "email" claim.
services.AddControllers(options =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireClaim("email")
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
});

I have an Angular client application that sends the AuthToken with each request. I don’t believe that the Web API should validate the AuthToken for every single request as that would impact the performance as it might be contacting the Microsoft validate endpoint.

Are the authentication tokens validated for every request by the ASP.NET Core Web API?

Solution:

Yes, the tokens are validated for every request.
But there is no "Microsoft validate endpoint"; the validation is done completely in memory most of the time.

What actually happens at runtime:

  1. App startup
  2. App downloads metadata from "authority-uri/.well-known/openid-configuration" (for example: https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration)
  3. This JSON contains the "jwks_uri" (for example https://login.microsoftonline.com/organizations/discovery/v2.0/keys)
  4. App downloads the keys from that URL

Later a request is received:

  1. App validates signature using one of those keys it downloaded earlier (it uses the one where "kid" matches in the token header)
  2. Other validation is done

If I recall correctly the metadata is cached in memory for 24 hours by default.
It automatically refreshes it when needed.

In short, most of the time there are no requests at all to Microsoft endpoints.
Your app validates the token in-memory using only some CPU time.
Your DB queries will most likely completely eclipse the overhead of token validation.
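The startup and per-request flow described in the answer, written out directly against the Microsoft.IdentityModel classes that AddMicrosoftIdentityWebApiAuthentication wires up for you. This is an added illustration, not code from the question, the answer or Microsoft.Identity.Web; the audience value is a placeholder and `token` is assumed to be the bearer token already extracted from the Authorization header. Refresh timing is governed by the manager's AutomaticRefreshInterval property.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public sealed class ManualJwtValidator
{
    // Startup steps 2-4: on first use the manager downloads the OpenID metadata,
    // reads jwks_uri from it, downloads the keys and caches all of it in memory.
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _metadata =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            "https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever());
    private readonly JwtSecurityTokenHandler _handler = new JwtSecurityTokenHandler();
    // Placeholder: the App ID URI or client id registered for this API.
    private const string Audience = "api://<your-api-client-id>";

    public async Task<ClaimsPrincipal> ValidateAsync(string token, CancellationToken ct)
    {
        // Served from the in-memory cache until the refresh interval elapses,
        // so on the request hot path this normally makes no HTTP call at all.
        OpenIdConnectConfiguration config = await _metadata.GetConfigurationAsync(ct);
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,
            ValidAudience = Audience,
            IssuerSigningKeys = config.SigningKeys, // keys from jwks_uri, picked by "kid"
            ValidateLifetime = true,
        };
        try
        {
            // Signature check against the cached key whose kid matches the token
            // header, then issuer/audience/expiry checks: CPU work only, no network.
            return _handler.ValidateToken(token, parameters, out _);
        }
        catch (SecurityTokenSignatureKeyNotFoundException)
        {
            // Unknown kid: keys may have rotated, so force one metadata refresh and
            // retry once, which is what the JwtBearer handler also does by default.
            _metadata.RequestRefresh();
            config = await _metadata.GetConfigurationAsync(ct);
            parameters.IssuerSigningKeys = config.SigningKeys;
            return _handler.ValidateToken(token, parameters, out _);
        }
    }
}
```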
