Sending of Authorization header by using Azure Active Directory Authentication

Damir Dobric Posts


I have been using OAuth-based authentication with some enterprise-proprietary providers for a long time. For this reason we commonly appended the authorization header with the method TryAddWithoutValidation, as shown below:

client.DefaultRequestHeaders.TryAddWithoutValidation("Bearer", result.AccessToken);

After I started to use Active Directory Authentication Library (ADAL) to generate the token with

  AuthenticationResult result = await m_AuthContext.AcquireTokenAsync(m_ResourceId, m_ClientId);


I tried to use the method TryAddWithoutValidation again. Unfortunately this didn't work. I figured out that if I want to send the token properly, I have to use the following method to append the token to the header:

client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.Token);

I was a bit surprised that the previous statement didn't work, but the explanation is very simple.
The AAD (Azure Active Directory) OWIN provider hosted in my web site (WebApi) declined the token sent by TryAddWithoutValidation. The reason is that AAD expects the token in the header "Authorization: Bearer". TryAddWithoutValidation sent the token in a header named "Bearer".

The following table shows exactly what is sent in both cases:

| Call | Header sent |
|---|---|
| The invalid one, sent by DefaultRequestHeaders.TryAddWithoutValidation("Bearer", "..") | Bearer: eyJ0eXAiOiJKV1QiLCJhbGciO… |
| The good one, sent by DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", ".."); | Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciO… |
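The difference comes from the first argument of TryAddWithoutValidation being the header name, not the scheme. The console program below is an added example, not code from the original post: it sends the token three ways through a hypothetical in-memory handler (BearerCheckingHandler) that stands in for the WebApi, with a placeholder URL and a constructed token, so nothing goes over the network.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical stand-in for the API: prints the headers it receives and answers 200
// only for "Authorization: Bearer <token>", which is where bearer middleware looks.
class BearerCheckingHandler : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        foreach (var h in request.Headers)
            Console.WriteLine($"  {h.Key}: {string.Join(", ", h.Value)}");
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        bool ok = auth != null
            && string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
            && !string.IsNullOrEmpty(auth.Parameter);
        return Task.FromResult(new HttpResponseMessage(
            ok ? HttpStatusCode.OK : HttpStatusCode.Unauthorized));
    }
}

static class Program
{
    static async Task Send(string label, Action<HttpRequestHeaders> addToken)
    {
        using var client = new HttpClient(new BearerCheckingHandler());
        addToken(client.DefaultRequestHeaders);
        Console.WriteLine(label);
        // Placeholder URL; the in-memory handler answers, no request leaves the process.
        var response = await client.GetAsync("https://api.example.invalid/values");
        Console.WriteLine($"  -> {(int)response.StatusCode} {response.StatusCode}");
    }

    static async Task Main()
    {
        const string token = "constructed.sample.token"; // constructed value, not a real JWT
        // Header NAME is "Bearer": no Authorization header exists, so the check fails.
        await Send("1) TryAddWithoutValidation(\"Bearer\", token)",
            h => h.TryAddWithoutValidation("Bearer", token));
        // Same method with the right name and a "scheme token" value.
        await Send("2) TryAddWithoutValidation(\"Authorization\", \"Bearer \" + token)",
            h => h.TryAddWithoutValidation("Authorization", "Bearer " + token));
        // Typed property: produces "Authorization: Bearer <token>".
        await Send("3) Authorization = new AuthenticationHeaderValue(\"Bearer\", token)",
            h => h.Authorization = new AuthenticationHeaderValue("Bearer", token));
    }
}
```

Case 1 is rejected with 401 because the token travels in a header named "Bearer"; cases 2 and 3 put the same bytes on the wire and are accepted.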

Posted Jul 29 2014, 09:03 AM by Damir Dobric