
ASP.NET Core - AddJwtBearer - Authority URL, how does it work?

One question I’ve had recently about how the JWT middleware in ASP.NET Core works is related to the Authority URL you can set if you want to verify tokens using an identity provider's asymmetric keys (JWKS based presumably). All examples I’ve seen completely fail to explain what this authority URL should be. Some Auth0 examples say it’s just your Auth0 domain - but if that’s the case then how does the middleware locate the public key from this base URL? Every provider has a different convention for the endpoint where a JWKS can be found - so how does this work?

My requirement is that I need to use a home-grown identity provider where the JWKS endpoint is totally different to Auth0, Okta, identity 4 or whatever other providers are using.

Is there some standard discovery mechanism that all these providers use that I’m not aware of? Do I need to have this same discovery mechanism in place in the in-house identity web app for this middleware to work?

Thanks!

AndyMoose asked Oct 27 '22 13:10


1 Answer

Generally, an OpenID Connect provider follows the standard and provides a discovery endpoint which includes all necessary endpoints and public key location information.

OpenID Connect specification: https://openid.net/specs/openid-connect-discovery-1_0.html

Auth0 exposes OIDC discovery documents (https://YOUR_DOMAIN/.well-known/openid-configuration). These can be used to automatically configure applications. https://auth0.com/docs/protocols/oidc/openid-connect-discovery

IdentityServer 4 allows including extra endpoints in the discovery document. http://docs.identityserver.io/en/latest/topics/discovery.html

Tanver Hasan answered Nov 11 '22 16:11
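How the discovery mechanism described in the answer maps onto `AddJwtBearer` for an in-house identity provider, as an added example that is not part of the original question or answer. The host `idp.example.internal`, the custom metadata path, the audience `my-api` and the `/whoami` route are assumed placeholders.

```csharp
// Added example: Program.cs for an ASP.NET Core (minimal hosting) API.
// All host names, paths and the audience are placeholders, not values from the thread.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // With only Authority set, the handler requests
        //   {Authority}/.well-known/openid-configuration
        // and reads "issuer" and "jwks_uri" from that JSON document, e.g.
        //   { "issuer": "https://idp.example.internal",
        //     "jwks_uri": "https://idp.example.internal/keys/current.json" }
        // The JWKS itself can live at any URL; only the discovery document
        // has to be reachable.
        options.Authority = "https://idp.example.internal";

        // If the in-house provider serves the discovery document somewhere
        // other than the well-known path, point at it explicitly. When set,
        // MetadataAddress is used instead of the path derived from Authority.
        options.MetadataAddress =
            "https://idp.example.internal/custom/openid-configuration";

        // Refuse to fetch signing keys over plain HTTP.
        options.RequireHttpsMetadata = true;
        options.Audience = "my-api";

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "https://idp.example.internal",
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            // Pin the expected algorithm instead of trusting the token header.
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
        };
    });

builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/whoami", (ClaimsPrincipal user) => user.Identity?.Name ?? "(no name claim)")
   .RequireAuthorization();
app.Run();
```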