Working With Signed JWTs (OAuth With certificates)

The way ADFS implements this is basically having the proxy generate one token as a stamp of approval, and then letting the traffic through to the backend ADFS server, which adds another token, so you end up with a net of two tokens bundled together. As evidenced by the above code, handling the combo token is sort of messy.

From the client developer's perspective this should not be noticeable. You request a token, you get something back, and you present that to the API you are calling. You should not take a dependency on parsing access tokens. Parsing identity tokens is a different matter, but the access token is something you should perceive as an opaque base64 string. The API accepting the token might have a different perspective, which brings us to the next step.

This wasn't exactly validation of the token though; we just accepted an input and returned some text. What if we want to actually validate that the token is ok, and do an actual authorization? Let's do that by modifying Startup.cs, which contains the auth middlewares.

There are a couple of things to note here. We're using the JwtBearer middleware since this is an API and not an interactive flow, which means we're not redirecting to a web page for sign-in. Even though we pull metadata from the openid-configuration endpoint we still need to set the valid issuer in the validation parameters. This is a quirk of ADFS where the metadata contains issuer=https://adfs.contoso.com/adfs and access_token_issuer=http://adfs.contoso.com/adfs/services/trust, so for access tokens we need to explicitly accept the access_token_issuer value here.

You will also notice that we create a policy for the authentication method. The token is validated and found ok regardless of how you acquired it. However, since part of the point of our exercise is to use certificates, we use that as an authorization parameter, enabling us to reject password-based authentication attempts. (You can choose per API endpoint or controller whether to use the policy, so it doesn't mean you're blocked from also accepting other authentication mechanisms.)

To use the policy we attach it to an API controller:

Yes, this is really pretty code for parsing the token, I know. (You're not likely to actually work with the token like this in real life though.) The output is still the contents of the token, but this time you're not allowed to see the claims until you have authenticated yourself properly. (There's nothing inherently secret about tokens, but it looks better than returning "Hello World".) If you try to pass the same combo token to this API endpoint you will get an error in return: "invalid token".
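The Startup.cs validation setup and the controller that carries the policy, written out as an added example (this is not the post's own code). The ADFS hostname and the two issuer values are the ones quoted above; the API audience, and the claim type and value that ADFS emits for certificate sign-in, are assumed placeholders to be checked against a real token.

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
public class Startup
{
    // Hostname is the post's; the audience and the auth-method claim are assumed placeholders.
    private const string AdfsAuthority = "https://adfs.contoso.com/adfs";
    private const string AdfsAccessTokenIssuer = "http://adfs.contoso.com/adfs/services/trust";
    private const string ApiAudience = "api://sample-api";
    // Assumed claim ADFS emits for the sign-in method; confirm against a real token first.
    private const string AuthMethodClaim = "authmethod";
    private const string CertificateMethod = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Signing keys and endpoints come from the openid-configuration metadata.
                options.Authority = AdfsAuthority;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // ADFS quirk: the metadata advertises one issuer, but access
                    // tokens carry the services/trust issuer, so pin that explicitly.
                    ValidateIssuer = true,
                    ValidIssuer = AdfsAccessTokenIssuer,
                    ValidateAudience = true,
                    ValidAudience = ApiAudience,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                };
            });
        // A token can be fully valid yet password-acquired; the policy rejects those.
        services.AddAuthorization(options =>
            options.AddPolicy("CertificateAuthOnly", policy =>
                policy.RequireAuthenticatedUser().RequireClaim(AuthMethodClaim, CertificateMethod)));

        services.AddControllers();
    }
}
// Attach the policy to a controller: unauthenticated or password-based callers get 401/403.
[ApiController, Route("api/[controller]"), Authorize(Policy = "CertificateAuthOnly")]
public class ClaimsController : ControllerBase
{
    [HttpGet] public IActionResult Get() => Ok(User.Claims.Select(c => new { c.Type, c.Value }));
}
```

Because `ValidIssuer` is pinned to the access_token_issuer value, a token whose `iss` is the metadata issuer (or the proxy-stamped combo token) fails issuer validation before any policy runs.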
