CallAutomation.AspNetCore.Authentication.JwtBearer 1.0.2

dotnet add package CallAutomation.AspNetCore.Authentication.JwtBearer --version 1.0.2                
NuGet\Install-Package CallAutomation.AspNetCore.Authentication.JwtBearer -Version 1.0.2                
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="CallAutomation.AspNetCore.Authentication.JwtBearer" Version="1.0.2" />                
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add CallAutomation.AspNetCore.Authentication.JwtBearer --version 1.0.2                
#r "nuget: CallAutomation.AspNetCore.Authentication.JwtBearer, 1.0.2"                
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install CallAutomation.AspNetCore.Authentication.JwtBearer as a Cake Addin
#addin nuget:?package=CallAutomation.AspNetCore.Authentication.JwtBearer&version=1.0.2

// Install CallAutomation.AspNetCore.Authentication.JwtBearer as a Cake Tool
#tool nuget:?package=CallAutomation.AspNetCore.Authentication.JwtBearer&version=1.0.2                

CallAutomation.AspNetCore.Authentication.JwtBearer

.NET Nuget Nuget

This project contains several extension methods used with an ASP.NET web application to protect and validate public web endpoints.

Protecting Webhook Endpoints

The Azure Communication Services Call Automation platform uses HTTPS webhook callbacks to send events for call setup and mid-call action responses. The webhook endpoint must be publicly accessible by the Call Automation servers which leaves some people to be concerned about protecting these endpoints from unauthorized access.

A recent addition to the Call Automation platform allows you to use Json Web Token (JWT) bearer authentication and OAuth2's Open ID Connect extensions to verify the inbound communications to your web server.

The JWT bearer token is present on all callbacks and is in the Authorization header of the inbound HTTP request.

Application Configuration

You can use the built-in constants from the AcsOpenIdDefaults class to retrieve configuration information.

As an example, you can configure your secrets.json file for local development using the AcsJwtBearerOptions section name which is defined in the AcsJwtBearerOptions class as a static string value. The ValidAudience property refers to your Azure Communication Services immutable resource ID which can be found in your ACS resource. The aud claim of the JWT bearer token will need to match this resource ID value.

{
  "AcsJwtBearerOptions": {
    "ValidAudience": "abc8b7b5-6666-4e99-a66f-r90c600e6cb9",
    "ValidateLifetime": true //<-- optional (defaults to true)
  }
}

NOTE: If you want to test your configuration with an expired token, change the token validation lifetime check by setting ValidateLifetime to false in your configuration as shown in the previous example.

Example Program.cs Setup


// use the extension method to add the authentication scheme and policy and bind the configuration section name automatically.
builder.Services.AddAcsWebHookAuthentication(x => 
    builder.Configuration.Bind(AcsOpenIdDefaults.SectionName, x));


// protect an HTTP endpoint by adding the extension method as follows
app.MapGet("/{name}", (string name) => $"Hello {name}!")
    .RequireAcsWebHookAuthorization();

You have the option of using your own policy name on both the AddAcsWebHookAuthentication and RequireAcsWebHookAuthorization methods.

Token Validation

This library will perform JWT bearer token validation on endpoints matching the policy you specify or using the default policy in this library. On protected endpoints the authentication middleware in ASP.NET will trigger the retrieval of the JWKS signing keys and issuer value from the OpenIdConfigurationUrl which has already been set to the correct default value for Call Automation.

The token validation parameters will validate the following:

  • The iss claim must match the issuer from the JWKS URL
  • The aud claim must match the ValidAudience property of the AcsJwtBearerOptions class which was bound during startup.
  • The token's lifetime is validated (i.e. no more than 5 minutes past the expiration time)
  • All other default values from the ASP.NET TokenValidationParameters class also apply.

More information

Azure Communication Services Call Automation documentation: https://review.learn.microsoft.com/en-us/azure/communication-services/how-tos/call-automation/secure-webhook-endpoint?tabs=csharp

Product Compatible and additional computed target framework versions.
.NET net7.0 is compatible.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 was computed.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 was computed.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
1.0.2 265 6/9/2023

First release.