ASP.NET WebForms OAuth2 multi-tenant resource and WPF client

Most published WebAPI samples (e.g. are based on the MVC and OWin infrastructure, which is not available in WebForms applications. Following is a custom implementation of an OAuth2 access token handler presented by a WPF rich client application. The WPF is responsible for managing the OAuth code grant flow to obtain the token and present it to the WebForms application as part of an HTTP call. The code is based on the above samples but modified to support WebForms.


  1. The WebForm application is registered in an Azure AD as a multi-tenant web application. It’s application manifest is modified as per sample instructions (see for example, item 15 under the Register ToDoListServiceMT section). 
  2. To client, WPF application is registered in Azure AD as a native application. It is multi-tenant by default.
  3. The WebForms application extracts and validates the OAuth2 access token (in JWT format) in the JWTTokenValidator class. The class is also responsible for retrieving current federation metadata from the Azure AD tenant in which the ASP.NET application is defined to obtain the owning issuer id and token signing keys.
  4. Once validated, JWTTokenValidator sets the appropriate ClaimsPrincipal on the current thread.
  5. The WebForms application supports adding new tenants either through a set of web pages (RequestConsent/ProcessConsent) or via a REST API called by the rich client. In the second case, the JWTTokenValidator needs to be modified to remove the initial check for token issuer: the signup API must allow the user to be authenticated even if the user is from an as yet un-signed-up tenant. Relevant lines of code are commented appropriately.
  6. The application is currently using an in-memory array of valid issuers, which obviously does not persist between runs. For production purposes it needs to be replaced by a persistent database.

Leave a comment