Does Thinktecture.IdentityServer support encrypting the JWT tokens it issues, for example to protect the token from being used in a replay attack?
If yes, how can a client decrypt the encrypted token?
I have tried enabling "Require Token Encryption" in the IdentityServer General Configuration, however after doing so when I try to login I get a "No encryption key available" message at the identity server web page.
Is there a problem or am I missing a required setting?
Encryption is for confidentiality, not for preventing replay attacks.
The Microsoft jwt library does not support encryption. And we rely on that library.
Is there any free provider for .well-known/openid-configuration available so that we can do verification of JWT token?
You verify JWT tokens using configuration provided by the service which issued the JWT token. The service which issued the tokens and signed them is responsible for providing any public keys needed to verify the JWT. So that service exposes a .well-known/openid-configuration endpoint.
If you are issuing your own tokens then you should be in possession of everything needed to verify them.
I am planning a new microservice project. Single microservices are REST-APIs, the user should authenticate himself with JWT. I want to use the LexikJWTAuthenticationBundle for implementing JWT.
How can I make sure that the token is validated correctly on different servers?
Don't do distributed authentication, make one server be the auth server which the other servers send the token to for authentication. You can cache the authentication for a (short) period of time, but the data-of-record for the JWT token should be centralized so that if it is invalidated it is invalidated everywhere.
I can acquire a JWT token using the SPA JavaScript Microsoft Authentication Library using acquireTokenSilent.
Instead of getting a signed JWT token, is there a way I can get a signed XML SAML token?
I have a backend application (out of my control to change) which is set up to receive SAML and will read the tokens and check them against a certificate.
MSAL is a client side library that supports OAuth and OpenID Connect and it is not designed for handling SAML.
Also, Single Sign-On SAML protocol and Federated Authentication with a SAML Identity Provider should be good starting points to implement SAML directly.
I'm trying to understand whether my Owin-hosted Web Api needs to validate the certificate used to sign a JWT token.
I've set up an identity provider using IdentityServer. On the "relying party"-side, I have an ASP.NET WebApi hosted using Owin. On the RP-side, I'm using UseOpenIdConnectAuthentication to install the OpenIdConnectAuthenticationMiddleware in the Owin pipeline.
What's working so far:
Any unauthenticated user visiting my web app is redirected to the login page on IdentityServer
The user logs on
The user is redirected back to my web app
My web app receives the JWT containing the id token and access token
My web app calls the user info endpoint to retrieve the claims using the access token
What I'm missing is logic to validate the certificate which was used to sign the JWT containing the identity token.
Using Fiddler, I've been able to see that the OpenIdConnectAuthenticationMiddleware retrieves the keys from the identity server (by calling https://myidentityserver.example.com/core/.well-known/jwks HTTP/1.1)
Is the OpenIdConnectAuthenticationMiddleware performing some kind of validation of the certificate? Or should I be writing this code myself?
The flow you describe relies on the fact that the verification certificate is pulled from a TLS protected endpoint (JWKs URL) that presents a valid SSL server certificate. This SSL server certificate guarantees that you're talking to the right OpenID Connect provider.
Found some explanations here
For validating reference tokens we provide a simple endpoint called the access token validation endpoint. This endpoint is e.g. used by our access token validation middleware, which is clever enough to distinguish between self-contained (JWT) and reference tokens and does the validation either locally or using the endpoint. All of this is completely transparent to the API.
You simply specify the Authority (the base URL of IdentityServer) and the middleware will use that to pull the configuration (keys, issuer name etc) and construct the URL to the validation endpoint
I am authenticating all my users through a Microsoft product using SAML 2.0 with an X509 certificate. The certificate is close to expiration, and I am not sure if after the certificate expires, my Service Providers will continue accepting my tokens.
I am very VERY new to SAML and SSO in general, so my apologies for not using the right terms.
If your Service Providers are compliant to the specification they will stop processing your SAML messages (Responses) once your signing certificate expires.
Unfortunately, there is no easy way to tell ahead of time. You will probably need to contact each one to find out how they handle this situation -- homegrown solutions may be more lenient than commercial products in this regard and allow SSO transactions to continue.