token is created using
public class AppTokenHandler : TokenValidator, IAppTokenHandler
{
private readonly JwtSecurityTokenHandler _handler = new JwtSecurityTokenHandler();
private readonly AppTokenConfiguration _appTokenConfiguration;
private readonly RsaSecurityKey _publicKey;
private readonly ECDsa _key;
public AppTokenHandler(IOptions<AppTokenConfiguration> appTokenConfiguration, RsaSecurityKey publicKey, ECDsa key)
{
_appTokenConfiguration = appTokenConfiguration.Value;
_publicKey = publicKey;
_key = key;
}
public string Create(Dictionary<string, object> claims)
{
var name = claims["name"].ToString();
////create token security key used to sign token from app's rsa private key
//using var rsa = RSA.Create();
//var rsaKey = _appTokenConfiguration.RsaKey;
//rsa.ImportRSAPrivateKey(Convert.FromBase64String(rsaKey), out _);
//RsaSecurityKey rsaSecurityKey = new(rsa);
////create signing credentials, specifying not to cache signature provider
//SigningCredentials signingCredentials = new(rsaSecurityKey, SecurityAlgorithms.RsaSha256)
//{
// CryptoProviderFactory = new CryptoProviderFactory { CacheSignatureProviders = false }
//};
SigningCredentials signingCredentials = new(new ECDsaSecurityKey(_key), SecurityAlgorithms.EcdsaSha256);
// create token
var tokenDescriptor = new SecurityTokenDescriptor
{
Audience = _appTokenConfiguration.Audience,
Claims = claims,
Expires = DateTime.UtcNow.AddDays(2),
IssuedAt = DateTime.UtcNow,
Issuer = _appTokenConfiguration.Issuer,
SigningCredentials = signingCredentials,
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.NameIdentifier, name),
})
};
var encodedJwt = _handler.CreateEncodedJwt(tokenDescriptor);
return encodedJwt;
}
public override bool Validate(string tokenString, out JwtSecurityToken token, out SecurityTokenValidationException validationException)
{
validationException = null;
token = null;
var publicKey = ECDsa.Create(_key.ExportParameters(false));
var validationParameters = new TokenValidationParameters
{
// validate lifetime
RequireExpirationTime = true,
ValidateLifetime = true,
// validate audience
RequireAudience = true,
ValidateAudience = true,
ValidAudience = _appTokenConfiguration.Audience,
// validate issuer
ValidateIssuer = true,
ValidIssuer = _appTokenConfiguration.Issuer,
// set source of name
NameClaimType = "name",
// validate signing key
RequireSignedTokens = true,
ValidateIssuerSigningKey = true,
//IssuerSigningKey = _publicKey
IssuerSigningKey = new ECDsaSecurityKey(publicKey)
};
try
{
var validate = _handler.ValidateToken(tokenString, validationParameters, out var validatedSecurityToken);
token = _handler.ReadJwtToken(tokenString);
}
catch (SecurityTokenValidationException ex)
{
validationException = ex;
return false;
}
catch
{
throw;
}
return true;
}
public Dictionary<string, object> MapClaims(JwtSecurityToken accessToken, JwtSecurityToken idToken)
{
List<string> claimKeys = new()
{
"name",
"preferred_username",
"oid",
"tid",
"azp",
"family_name",
"given_name",
"email"
};
var claims = accessToken?
.Claims
.Where(x=>claimKeys.Contains(x.Type))
.ToDictionary(x => x.Type, x => x.Value as object)
??
new Dictionary<string, object>();
var idTokenClaims = idToken
.Claims
.Where(x => claimKeys.Contains(x.Type))
.ToDictionary(x => x.Type, x => x.Value as object);
foreach (var claim in idTokenClaims.Where(x => !claims.ContainsKey(x.Key)))
claims.Add(claim.Key, claim.Value);
claims.Add("scp", "app_authorized_user");
return claims;
}
}
token is configured using
public class AppTokenOptions
{
public static Action<JwtBearerOptions> ConfigureToken(IServiceCollection services)
{
return options =>
{
var serviceProvider = services.BuildServiceProvider();
var authConfig = serviceProvider.GetRequiredService<IOptions<AppTokenConfiguration>>();
var publicKey = serviceProvider.GetRequiredService<RsaSecurityKey>();
var privkey = serviceProvider.GetRequiredService<ECDsa>();
//var key = ECDsa.Create(privkey.ExportParameters(false));
options.IncludeErrorDetails = true;
options.TokenValidationParameters = new TokenValidationParameters
{
// validate lifetime
RequireExpirationTime = true,
ValidateLifetime = true,
// validate audience
RequireAudience = true,
ValidateAudience = true,
ValidAudience = authConfig.Value.Audience,
// validate issuer
ValidateIssuer = true,
ValidIssuer = authConfig.Value.Issuer,
// set source of name
NameClaimType = "name",
// validate signing key
RequireSignedTokens = true,
ValidateIssuerSigningKey = true,
//IssuerSigningKey = publicKey
IssuerSigningKey = new ECDsaSecurityKey(ECDsa.Create(privkey.ExportParameters(false)))
};
options.Events = new JwtBearerEvents();
options.Events.OnTokenValidated = async context =>
{
(context.Principal?.Identity as ClaimsIdentity)?.AddClaim(new Claim("cpcb", "test"));
};
};
}
}
auth is added immediately in ConfigureServices of Startup.cs using
public static class AuthServicesRegistration
{
public static IServiceCollection ConfigureApplicationAuthServices(this IServiceCollection services, IConfiguration Configuration)
{
// get relevant config sections
IConfiguration appAuth= Configuration.GetSection("Auth:app");
IConfiguration aadIdTokenAuth = Configuration.GetSection("Auth:AADIdToken");
// create keys for app token
using (RSA rsa = RSA.Create(3072))
{
string rsaKey = Convert.ToBase64String(rsa.ExportRSAPrivateKey());
string rsaPublicKey = Convert.ToBase64String(rsa.ExportRSAPublicKey());
appAuth["RsaKey"] = rsaKey;
appAuth["RsaPublicKey"] = rsaPublicKey;
}
// bind auth configs
services.Configure<AppTokenConfiguration>(appAuth);
services.Configure<AzureAdIdTokenConfiguration>(aadIdTokenAuth);
// add public key instance as singleton
// so it can be used in .net's token validation middleware
// otherwise if just declared when defined token validation parameters
// the RSA instance will be prematurely disposed and you will get misleading 401s
services.AddSingleton(provider => {
RSA rsa = RSA.Create();
rsa.ImportRSAPublicKey(Convert.FromBase64String(appAuth["RsaPublicKey"]), out _);
return new RsaSecurityKey(rsa);
});
services.AddSingleton(provider =>
{
return ECDsa.Create(ECCurve.NamedCurves.nistP256);
});
// add provider for microsoft openidconnect config
services.AddSingleton<IOpenIdConnectConfigurationProvider>(provider =>
{
var stsDiscoveryEndpoint = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration";
var configProvider = new OpenIdConnectConfigurationProvider(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());
configProvider.AutomaticRefreshInterval = TimeSpan.FromHours(1);
return configProvider;
});
// add authentication schemes
// default is app token
services.AddAuthentication("app")
.AddJwtBearer("app", AppTokenOptions.ConfigureToken(services))
.AddMicrosoftIdentityWebApi(Configuration, "Auth:AzureAd", "aad");
// configure aad token options
services.Configure("aad", AzureAdTokenOptions.ConfigureAadToken());
// add authorization
services.AddAuthorization();
// add auth related services
services.AddScoped<IAppTokenHandler, AppTokenHandler>();
services.AddScoped<ITokenValidator, MicrosoftIdTokenValidator>();
return services;
}
}
token generation endpoint and test endpoint to validate token
[ApiController]
[Route("api/auth")]
public class AuthController : ControllerBase
{
private readonly IAppTokenHandler _appTokenHandler;
private readonly ITokenValidator _idTokenValidator;
public AuthController(IAppTokenHandler tokenHandler, ITokenValidator idTokenValidator) : base()
{
_appTokenHandler = tokenHandler;
_idTokenValidator = idTokenValidator;
}
/// <summary>
/// Returns token for requested resource verifying using msal accesstoken
/// </summary>
/// <returns></returns>
[Authorize(AuthenticationSchemes = "aad")]
[RequiredScope(AcceptedScope = new[] { "app_login" })]
[Route("token")]
[HttpGet]
public async Task<IActionResult> token()
{
if (!Request.Headers.TryGetValue("identity", out var idTokenString)) return Unauthorized("No identity present to verify");
var aadToken = await HttpContext.GetTokenAsync("aad", "access_token");
JwtSecurityToken accessToken = null;
if (aadToken != null)
{
accessToken = new JwtSecurityToken(aadToken);
}
// verify idToken
if (!_idTokenValidator.Validate(idTokenString, out var idToken, out var validationException))
{
return Unauthorized($"invalid id token: {validationException.Message}");
}
// get / verify user
// get claims from tokens
var claims = _appTokenHandler.MapClaims(accessToken, idToken);
// generate token
var encodedJwt = _appTokenHandler.Create(claims);
return Ok(encodedJwt);
}
/// <summary>
/// Test authorize endpoint
/// </summary>
/// <returns></returns>
[Authorize]
[RequiredScope(AcceptedScope = new[] { "app_authorized_user" })]
[Route("validate/{token}")]
[HttpGet]
public async Task<IActionResult> validate(string token)
{
var authorization = Request.Headers.Authorization.ToString().Substring("Bearer ".Length).Trim();
try
{ // both validate calls are successful when authorize attribute is commented out
if (_appTokenHandler.Validate(token, out _, out var ex))
{
Debug.WriteLine("valid token");
}
else
{
Debug.WriteLine("invalid token", ex.Message);
}
if (_appTokenHandler.Validate(authorization, out _, out var ex2))
{
Debug.WriteLine("valid auth header");
}
else
{
Debug.WriteLine("invalid auth header", ex2.Message);
}
}
catch (Exception exc)
{
Debug.WriteLine(exc.Message);
}
return Ok(token);
}
}
if i swap out ES256 for RSA I had previously wired up, no issues. However, when I tried swapping out RSA for ES256, I got the error "The signature key was not found". If I remove the authorize attribute on the validate endpoint, get a token from the token endpoint and then verify the token using the app token handler, it's valid. There seems to be an issue with the jwt bearer middleware?? I have tried using the full ECDsa instead of just the public key, a singleton of an ECDsaSecurityKey with a key id and without a key id, a singleton of a jsonwebkey, and now a singleton of just the ecdsa. All same result. app token handler instance validates it with same token validation parameters, but jwt bearer middleware fails authorization. And again, if I swap out the signing credentials to use the RSA credentials, everything works just fine.
Am I creating the signing keys incorrectly?
Am I providing the public / private keys incorrectly to jwt bearer middleware?
Am I missing something in token creation?
How do I hook into jwt bearer middleware to get a better idea of what is going on? I see there is the ontokenvalidated event but that is not being hit obviously, is there an event I can hook into that might provide more info into what is going wrong?
Thanks!
I think the ecdsa instance used to create private key was getting displosed too early (?)
Ended up creating the ecdsa and saving the ecparams to config (similar as with rsa keys), created singleton of ecdsasecuritykey with just q and curve (so just public key), used serviceprovider to get ecdsasecuritykey to set as issuersigningkey for token validation in configure jwtbeareroptions, then used all ecparams from config (bound in apptokenconfiguration class) to create private key ecdsasecuritykey when creating the token
in configureapplicationauthservices
// create keys for app tokens
using (RSA rsa = RSA.Create(3072))
using (ECDsa ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256))
{
// rsa
string rsaKey = Convert.ToBase64String(rsa.ExportRSAPrivateKey());
string rsaPublicKey = Convert.ToBase64String(rsa.ExportRSAPublicKey());
appAuth["RsaKey"] = rsaKey;
appAuth["RsaPublicKey"] = rsaPublicKey;
appAuth["RsaKid"] = Guid.NewGuid().ToString();
// ecdsa
ECParameters ecParams = ecdsa.ExportParameters(true);
appAuth["D"] = Convert.ToBase64String(ecParams.D);
appAuth["QX"] = Convert.ToBase64String(ecParams.Q.X);
appAuth["QY"] = Convert.ToBase64String(ecParams.Q.Y);
appAuth["EcKid"] = Guid.NewGuid().ToString();
}
// bind auth configs
services.Configure<AppTokenConfiguration>(appAuth);
services.Configure<AzureAdIdTokenConfiguration>(aadIdTokenAuth);
// add rsa public key instance as singleton
// so it can be used in .net's token validation middleware
// otherwise if just declared when defined token validation parameters
// the RSA instance will be prematurely disposed and you will get misleading 401s
services.AddSingleton(provider => {
RSA rsa = RSA.Create();
rsa.ImportRSAPublicKey(Convert.FromBase64String(appAuth["RsaPublicKey"]), out _);
return new RsaSecurityKey(rsa);
});
// add ecdsa public key same way as rsa
services.AddSingleton(provider =>
{
ECParameters ecParams = new ECParameters();
ecParams.Curve = ECCurve.NamedCurves.nistP256;
ecParams.Q = new ECPoint()
{
X = Convert.FromBase64String(appAuth["QX"]),
Y = Convert.FromBase64String(appAuth["QY"])
};
ECDsa ecdsa = ECDsa.Create(ecParams);
return new ECDsaSecurityKey(ecdsa);
});
token configuration for middleware
public static Action<JwtBearerOptions> ConfigureToken(IServiceCollection services)
{
return options =>
{
var serviceProvider = services.BuildServiceProvider();
var authConfig = serviceProvider.GetRequiredService<IOptions<AppTokenConfiguration>>();
var publicKey = serviceProvider.GetRequiredService<RsaSecurityKey>();
var ecpublicKey = serviceProvider.GetRequiredService<ECDsaSecurityKey>();
options.IncludeErrorDetails = true;
options.TokenValidationParameters = new TokenValidationParameters
{
// validate lifetime
RequireExpirationTime = true,
ValidateLifetime = true,
// validate audience
RequireAudience = true,
ValidateAudience = true,
ValidAudience = authConfig.Value.Audience,
// validate issuer
ValidateIssuer = true,
ValidIssuer = authConfig.Value.Issuer,
// set source of name
NameClaimType = "name",
// validate signing key
RequireSignedTokens = true,
ValidateIssuerSigningKey = true,
IssuerSigningKey = ecpublicKey
//IssuerSigningKey = publicKey
};
options.Events = new JwtBearerEvents();
options.Events.OnTokenValidated = async context =>
{
(context.Principal?.Identity as ClaimsIdentity)?.AddClaim(new Claim("cpcb", "test"));
};
options.Validate();
};
}
token creation (and validation for manual testing)
public class AppTokenHandler : TokenValidator, IAppTokenHandler
{
//private readonly JsonWebTokenHandler _handler = new();
private readonly JwtSecurityTokenHandler _handler = new();
private readonly AppTokenConfiguration _appTokenConfiguration;
private readonly RsaSecurityKey _publicKey;
private readonly ECDsaSecurityKey _ecdsaPublicKey;
public AppTokenHandler(IOptions<AppTokenConfiguration> appTokenConfiguration, RsaSecurityKey publicKey, ECDsaSecurityKey ecdsaPublicKey)
{
_appTokenConfiguration = appTokenConfiguration.Value;
_publicKey = publicKey;
_ecdsaPublicKey = ecdsaPublicKey;
}
public string Create(Dictionary<string, object> claims)
{
var name = claims["name"].ToString();
//create token security key used to sign token from app's rsa private key
//using var rsa = RSA.Create();
//var rsaKey = _appTokenConfiguration.RsaKey;
//rsa.ImportRSAPrivateKey(Convert.FromBase64String(rsaKey), out _);
//RsaSecurityKey rsaSecurityKey = new(rsa);
////create signing credentials, specifying not to cache signature provider
//SigningCredentials signingCredentials = new(rsaSecurityKey, SecurityAlgorithms.RsaSha256)
//{
// CryptoProviderFactory = new CryptoProviderFactory { CacheSignatureProviders = false }
//};
ECParameters ecParams = new ECParameters();
ecParams.Curve = ECCurve.NamedCurves.nistP256;
ecParams.D = Convert.FromBase64String(_appTokenConfiguration.D);
ecParams.Q = new ECPoint()
{
X = Convert.FromBase64String(_appTokenConfiguration.QX),
Y = Convert.FromBase64String(_appTokenConfiguration.QY)
};
using ECDsa ecdsa = ECDsa.Create(ecParams);
ECDsaSecurityKey ecdsaSecurityKey = new(ecdsa);
SigningCredentials signingCredentials = new(ecdsaSecurityKey, SecurityAlgorithms.EcdsaSha256)
{
CryptoProviderFactory = new CryptoProviderFactory { CacheSignatureProviders = false }
};
// create token
var tokenDescriptor = new SecurityTokenDescriptor
{
Audience = _appTokenConfiguration.Audience,
Claims = claims,
Expires = DateTime.UtcNow.AddDays(2),
IssuedAt = DateTime.UtcNow,
Issuer = _appTokenConfiguration.Issuer,
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.NameIdentifier, name),
}),
SigningCredentials = signingCredentials
};
var encodedJwt = _handler.CreateEncodedJwt(tokenDescriptor);
return encodedJwt;
}
public override bool Validate(string tokenString, out JwtSecurityToken token, out SecurityTokenValidationException validationException)
{
validationException = null;
token = null;
var validationParameters = new TokenValidationParameters
{
// validate lifetime
RequireExpirationTime = true,
ValidateLifetime = true,
// validate audience
RequireAudience = true,
ValidateAudience = true,
ValidAudience = _appTokenConfiguration.Audience,
// validate issuer
ValidateIssuer = true,
ValidIssuer = _appTokenConfiguration.Issuer,
// set source of name
NameClaimType = "name",
// validate signing key
RequireSignedTokens = true,
ValidateIssuerSigningKey = true,
IssuerSigningKey = _ecdsaPublicKey
//IssuerSigningKey = _publicKey
};
try
{
var validate = _handler.ValidateToken(tokenString, validationParameters, out var validatedSecurityToken);
token = _handler.ReadJwtToken(tokenString);
}
catch (SecurityTokenValidationException ex)
{
validationException = ex;
return false;
}
catch
{
throw;
}
return true;
}
}
gonna clean this up a bit, but at least it is working correctly now :)
Related
I'm developing a multi-tenant application with asp.net core 3.1 as the backend. I used JWT to authenticate users. I'm passing the tenantId along with the http request and I would like to validate JWT against tenantIds. To do this, I must pass the tenantIds to JwtBearerOptions.ValidAudience at each client request.
I set options at startup as follows...
public void ConfigureServices(IServiceCollection services){
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(configureOptions =>
{
configureOptions.ClaimsIssuer = jwtOptions["Issuer"];
configureOptions.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidIssuer = jwtOptions["Issuer"],
ValidAudience = tenantId,
ValidateIssuerSigningKey = true,
IssuerSigningKey = accessKey,
RequireExpirationTime = true,
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero
};
});
}
Please note that I don't want to pass all tenantIds to ValidateAudiences because each tenant should receive an unique token. e.g. I don't want tenant X's token works for tenant Y.
How do I achieve this?
Thanks in advance!
I'm not sure why you want to set tenant id as Audience , but you can use custom audience validator to implement the logic in TokenValidationParameters :
AudienceValidator = (audiences, securityToken, validationParameters) =>
{
//return true/false based on your requirement
return true;
},
I ended up using below for validating tenderid and I'm quite happy with the outcome. please let me know if there are drawbacks to approch below, thanks!
ValidAudiences = tenants.Value.Select(x=>x.TenantId).ToList(),
IssuerSigningKeyResolver = (string token, SecurityToken securityToken, string kid, TokenValidationParameters validationParameters) =>
{
var tenant = tenants.Value.Where(t => t.TenantId == kid).FirstOrDefault();
List<SecurityKey> keys = new List<SecurityKey>();
if (tenant != null && kid == tenantsResolver.GetCurrentTenantId())
{
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(tenant.SecretKey));
keys.Add(signingKey);
}
return keys;
}
I am currently getting following error:
IDX10630: The 'Microsoft.IdentityModel.Tokens.RsaSecurityKey, KeyId: '...', InternalId: '5a946596-9fe6-4c91-8c52-9b140849c7a4'.' for signing cannot be smaller than '2048' bits. KeySize: '512'
I use the following method:
public string GetIdTokenString(Dictionary<string, string> inputClaims, string privateKey)
{
string result = null;
try
{
var tokenHandler = new JwtSecurityTokenHandler();
privateKey = privateKey.Replace("-----BEGIN ENCRYPTED PRIVATE KEY-----", String.Empty).Replace("-----END ENCRYPTED PRIVATE KEY-----", String.Empty);
var privateKeyBytes = Convert.FromBase64String(privateKey);
byte[] privateKeyPasswordBytes = Encoding.UTF8.GetBytes(mypassword);
List<Claim> claims = new List<Claim>();
foreach (var o in inputClaims)
{
claims.Add(new Claim(o.Key, o.Value));
}
int length = 0;
RSA rSA = RSA.Create();
rSA.ImportEncryptedPkcs8PrivateKey(privateKeyPasswordBytes, privateKeyBytes, out length);
RsaSecurityKey securitykey = new RsaSecurityKey(rSA)
{
KeyId = "......"
};
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(claims),
Expires = DateTime.UtcNow.AddSeconds(60 * 5),
Audience = ...,
Issuer = .....
};
tokenDescriptor.SigningCredentials = new SigningCredentials(securitykey, SecurityAlgorithms.RsaSha256Signature);
var token = tokenHandler.CreateToken(tokenDescriptor);
if (token != null && token is JwtSecurityToken)
{
result = (token as JwtSecurityToken).RawData;
}
}
catch (Exception ex)
{
Logger.Fatal(ex);
}
return result;
}
there is a code mentioned in post
Error Creating JWT Token using RSA Security Key with key size less than 2048
but I'm not able to run it in .net core 3.1
One more thing is about over riding value in
AsymmetricSignatureProvider.DefaultMinimumAsymmetricKeySizeInBitsForSigningMap
Any way i can change value of particular Key?
One thing i have tried which didn't work is
var mainclass = typeof(AsymmetricSignatureProvider)
.GetField(nameof(AsymmetricSignatureProvider.DefaultMinimumAsymmetricKeySizeInBitsForSigningMap), BindingFlags.Public | BindingFlags.Static );
var field = mainclass.GetValue(null) as Dictionary<string, int>;
if (field != null)
{
field["RS256"] = 512;
}
var mainclass2 = typeof(AsymmetricSignatureProvider).GetField(nameof(AsymmetricSignatureProvider.DefaultMinimumAsymmetricKeySizeInBitsForVerifyingMap), BindingFlags.Public | BindingFlags.Static);
var field2 = mainclass2.GetValue(null) as Dictionary<string, int>;
if (field2 != null)
{
field2["RS256"] = 512;
}
Following is the solution i have used
var mainclass = typeof(AsymmetricSignatureProvider)
.GetField(nameof(AsymmetricSignatureProvider.DefaultMinimumAsymmetricKeySizeInBitsForSigningMap), BindingFlags.Public | BindingFlags.Static);
var field = mainclass.GetValue(null) as Dictionary<string, int>;
if (field != null)
{
field["RS256"] = 512;
}
var mainclass2 = typeof(AsymmetricSignatureProvider).GetField(nameof(AsymmetricSignatureProvider.DefaultMinimumAsymmetricKeySizeInBitsForVerifyingMap), BindingFlags.Public | BindingFlags.Static);
var field2 = mainclass2.GetValue(null) as Dictionary<string, int>;
if (field2 != null)
{
field2["RS256"] = 512;
}
I am creating my jwt from following code. What i needed is auth_time claim which would be like something like
"nbf": 1582109929,
"exp": 1582110229,
"iat": 1582109929,
but I don't know how can I assign time value in above format or any way this claim automatically added with iat like value
public string GetIdTokenString(Dictionary<string, object> inputClaims, string secret)
{
string result = null;
try
{
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(secret);
List<Claim> claims = new List<Claim>();
foreach (var o in inputClaims)
{
string val = null;
if (o.Value != null)
{
Type t = o.Value.GetType();
bool isDict = t.IsGenericType /*&& t.GetGenericTypeDefinition() == typeof(Dictionary<,>)*/;
if (isDict)
{
val = JsonSerializer.Serialize(o.Value);
}
else
{
val = o.Value.ToString();
}
}
claims.Add(new Claim(o.Key, val));
}
claims.Add(new Claim("sub", Guid.NewGuid().ToString()));
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(claims),
Expires = DateTime.Now.AddSeconds(60 * 5),
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature),
Audience = ObjInitialRequest.JwtData.ContainsKey("client_id") ? ObjInitialRequest.JwtData["client_id"] : null,
Issuer = "...",//from well known configuration issuer
};
var token = tokenHandler.CreateToken(tokenDescriptor);
if (token != null && token is JwtSecurityToken)
{
result = (token as JwtSecurityToken).RawData;
}
}
catch (Exception ex)
{
//Logger
}
return result;
}
I were able to add it like following
new Claim("auth_time", ((int)DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds).ToString(), ClaimValueTypes.Integer)
A short code
new Claim("auth_time", DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString(),ClaimValueTypes.Integer)
With Microsoft.Owin.Security.Jwt, you could do something like this:
public static void ConfigureOAuth(IAppBuilder app)
{
OAuthConfiguration oAuthConfiguration = OAuthConfiguration.GetConfig("oauth");
List<string> audiences = new List<string>();
List<byte[]> secrets = new List<byte[]>();
foreach (var oAuthAudienceElement in /*configuration*/)
{
audiences.Add(/*configuration thingy*/);
secrets.Add(TextEncodings.Base64Url.Decode(/*configuration thingy*/));
}
// Api controllers with an [Authorize] attribute will be validated with JWT
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new List<string>(audiences),
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(oAuthConfiguration.Issuer.Domain, secrets)
}
});
}
But I am unable to find an equivalent of that in ASP.NET Core 2.X. Is that not supported or am I missing something? I mean, services.AddJwtBearer doesn't provide much:
services.AddAuthentication("oauth")
.AddOAuth("oauth", options =>
{
// something?
})
.AddJwtBearer("oauth", options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
// These don't exist as in the Microsoft.Owin.Security.Jwt example above...
// AuthenticationMode = AuthenticationMode.Active,
// AllowedAudiences = new List<string>(audiences),
// IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
// {
// new SymmetricKeyIssuerSecurityTokenProvider(oAuthConfiguration.Issuer.Domain, secrets)
// }
};
});
You should be using AddJwtBearer() and not AddOAuth().
In TokenValidationParameters, audiences, issuers and signing keys can all accept an IEnumerable as input, so you can specify multiple values (note that all property names are in plural form):
options.TokenValidationParameters = new TokenValidationParameters
{
ValidAudiences = new [] {"audience1", "audience2" },
ValidIssuers = new[] { "issuer1", "issuer2" },
IssuerSigningKeys = secrets.Select(secret => new SymmetricSecurityKey(secret))
};
Is it possible to decode a SessionSecurityToken?
I've set up a site to work with ThinkTecture IdentityServer using MachineKeySessionSecurityTokenHandler, and everything works as expected.
But now I need to pass the token to another service, but in an Authorization HTTP header instead of a cookie.
I've tried the following:
var cookie = HttpContext.Current.Request.Cookies[FederatedAuthentication.FederationConfiguration.CookieHandler.Name];
if (cookie != null)
{
var t = MachineKey.Unprotect(Convert.FromBase64String(cookie.Value), "System.IdentityModel.Services.MachineKeyTransform");
}
but this throws a System.Security.Cryptography.CryptographicException
Found the solution.
The only (easy) way of sending the data across the wire is to convert the SessionSecurityToken to a JwtSecurityToken and use the RawData property.
Sample implementation (dependent on ThinkTecture.IdentityModel):
public JwtSecurityToken ConvertSessionToJsonWebSecurityToken(SessionSecurityToken sessionToken)
{
var h = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers[typeof(JwtSecurityToken)] as JwtSecurityTokenHandler;
if (h != null)
{
var issuer = ((ValidatingIssuerNameRegistry)h.Configuration.IssuerNameRegistry).IssuingAuthorities.First().Name;
var audience = h.Configuration.AudienceRestriction.AllowedAudienceUris.First().AbsoluteUri;
var signingKey = ((ValidatingIssuerNameRegistry)h.Configuration.IssuerNameRegistry).IssuingAuthorities.First().SymmetricKeys.First();
var securityKey = ((NamedKeyIssuerTokenResolver)h.Configuration.IssuerTokenResolver).SecurityKeys.First().Value.First();
// Create token
var t = h.CreateToken(
null,
null,
(ClaimsIdentity)sessionToken.ClaimsPrincipal.Identity,
new Lifetime(sessionToken.ValidFrom, sessionToken.ValidTo),
new SigningCredentials(
securityKey,
Algorithms.HmacSha256Signature,
Algorithms.Sha256Digest));
// Serialize token for validaiton
var s = h.WriteToken(t);
// Validate token
var validationParameters = new TokenValidationParameters()
{
AllowedAudience = audience,
ValidIssuer = issuer,
SigningToken = new BinarySecretSecurityToken(Convert.FromBase64String(signingKey))
};
h.ValidateToken(s, validationParameters);
// Return token with correct type
return h.ReadToken(s) as JwtSecurityToken;
}
return null;
}
[Test]
public void GetToken_WhenValidSessionTokenExist_ShouldReturnValidJwtToken()
{
JwtSecurityToken c;
FederatedAuthentication.SessionAuthenticationModule.TryReadJwtTokenFromCookie(container.GetInstance<ISecurityTokenOperations>(), out c)
Assert.That(!string.IsNullOrEmpty(c.RawData));
}