Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I validate a JWT using JwtSecurityTokenHandler and a JWKS endpoint?

Tags:

asp.net

openid-connect

oauth-2.0

jwt

identityserver4

I am prototyping the use of IdentityServer4 to secure several services, with the caveat that those services will likely not be migrated (in the forseeable future) to use the OWIN middleware idiom of ASP.NET Core. Consequently, I can not leverage the many middleware helpers that automate the validation of a JWT by simply providing the well-known JWKS endpoint of IdentityServer, among other things.

It would be nice if I could reconstruct this behavior, and I'd like to leverage Microsoft's JwtSecurityTokenHandler implementation if possible. However, I can not figure out how to utilize the JsonWebKeySet and JsonWebKey types provided via IdentityServer's discovery endpoint to extract keys and perform the validation.

JwtSecurityTokenHandler uses TokenValidationParameters to validate a JWT, and those parameters require an instance of one or more SecurityKey objects to perform the validation.

ClaimsPrincipal ValidateJwt(string token, IdentityModel.Client.DiscoveryResponse discovery)
{
    JwtSecurityToken jwt = new JwtSecurityToken(token);

    TokenValidationParameters validationParameters = new TokenValidationParameters
    {
        ValidateAudience = true,
        ValidateIssuer = true,
        RequireSignedTokens = true,
        ValidIssuer = "expected-issuer",
        ValidAudience = "expected-audience",
        IssuerSigningKeys = discovery.KeySet.Keys /* not quite */
    };

    JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
    SecurityToken validatedToken;
    return handler.ValidateToken(jwt, validationParameters, out validatedToken);
}

How do I perform the necessary translation from JsonWebKeySet to IEnumerable<SecurityKey> so that the validation can occur? Is there another method (apart from OWIN middleware) that will also work using the DiscoveryResponse data above?

(Sadly, the documentation for System.IdentityModel.Tokens.Jwt is not up to date.)

like image 646
Steve Guidi Avatar asked Nov 16 '16 02:11

Steve Guidi

1 Answers

var jwks = "{ keys: [..." // your jwks json string
var signingKeys = new JsonWebKeySet(jwks).GetSigningKeys();

Then simply assign it to the IssuerSigningKeys property of your TokenValidationParameters.

If you are reading the jwks from a web service, then you would need a http client to read it first.

like image 152
Daniel B Avatar answered Oct 05 '22 23:10

Daniel B
Sign in to Comment

Related questions

StackOverflow like URL Routing
Authorize attribute vs authorization node in web.config
how to get URL path on local host and on server?
Get report from jasperserver using REST webservice and asp.net C#
10,000 + records on html to render quickly
Access web storage from server side - possible?
How to get access token for google oauth?
Strongly typed data binding and generics?
How can I integrate spell-checking to redactor?
Uploadify swf requesting URL on page load
Grouping Data in Asp.Net Gridview
How to cache output of action method that returns image to the view in asp.net mvc?
What is difference between Parent and NamingContainer in a Gridview
HttpContext.Response.Filter
AfterPublish script doesn't run when I publish a web app
Facebook login throws "Given URL is not allowed by the Application configuration.: One or more of the given URLs is not allowed
Simple BackgroundWorker is not updating label on web page
MVC ASP.NET is using a lot of memory
How to properly use IRegisteredObject to block app domain shutdown / recycle for web app?
Using POCOs when persisting to Azure Table Storage

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!