Startup file for bootstrapping client certificates / signed JWTs from ADFS (or Azure AD)
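/// <summary>
/// Registers JWT bearer authentication against the ADFS OpenID Connect metadata endpoint
/// and a "Certificate" authorization policy that only succeeds when the validated token
/// carries an authentication-method claim naming a client-certificate method
/// (TLS client or X.509).
/// </summary>
/// <param name="services">The application's service collection, populated by the host.</param>
public void ConfigureServices(IServiceCollection services)
{
    // Authentication-method URIs the token is expected to carry when the caller
    // authenticated to the STS with a client certificate.
    const string TlsClientMethod = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient";
    const string X509Method = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509";

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            // Signing keys and the issuer's endpoints are discovered from the metadata document.
            options.MetadataAddress = "https://adfs.contoso.com/adfs/.well-known/openid-configuration";
            options.Validate();
            options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
            {
                // ADFS identifies itself with the http:// trust URI, not the https metadata host.
                ValidIssuer = "http://adfs.contoso.com/adfs/services/trust",
                ValidateIssuer = true,
                ValidateAudience = true,
                ValidateIssuerSigningKey = true,
                ValidateLifetime = true,
                ValidAudience = "https://contoso.com/api",
                RequireSignedTokens = true,
                ValidateActor = true,
            };
        });

    services.AddAuthorization(options =>
    {
        options.AddPolicy("Certificate", policy =>
            policy.RequireAssertion(context =>
                context.User.HasClaim(c =>
                    // Parenthesised on purpose: `&&` binds tighter than `||`, so without the
                    // parentheses a claim of *any* type whose value equals the x509 URI would
                    // satisfy the policy. The type check must apply to both accepted values.
                    c.Type == System.Security.Claims.ClaimTypes.AuthenticationMethod &&
                    (c.Value == TlsClientMethod || c.Value == X509Method))));
    });

    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}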
/// <summary>
/// Builds the request pipeline: a developer exception page in Development (HSTS
/// otherwise), HTTPS redirection, bearer authentication, and finally MVC.
/// </summary>
/// <param name="app">The application builder to add middleware to.</param>
/// <param name="env">The hosting environment, used to pick the error-handling middleware.</param>
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    var isDevelopment = env.IsDevelopment();

    if (!isDevelopment)
    {
        // Production-style hosting: instruct browsers to stay on HTTPS.
        app.UseHsts();
    }
    else
    {
        // Detailed exception pages are only appropriate on a developer machine.
        app.UseDeveloperExceptionPage();
    }

    app.UseHttpsRedirection();

    // Authentication runs before MVC so the authenticated principal is populated
    // when MVC's authorization filters evaluate the "Certificate" policy.
    app.UseAuthentication();
    app.UseMvc();
}