 

How to unencrypt Web API 2 JWT tokens?

I'm trying to work with the OAuth bearer tokens Web API 2 supplies but I don't know how to unencrypt them or get the data out.

What I'd really like to do is either find or write myself an equivalent tool to this Google Tool https://developers.google.com/wallet/digital/docs/jwtdecoder for the tokens I am getting from Web API. The Google tool allows you to paste in the string of text representing a JWT token and it splits it up and unencodes the JSON within.

In Visual Studio 2013 if you choose New ASP.NET project, and then choose the Web API template with individual user accounts you get a sample project that contains a token endpoint. If you start the project, you can then POST a request "grant_type=password&username=joe&password=joe" to /token on the built in webserver and you get a token back:

{
"access_token":"x3vHm40WUXBiMZi_3EmdmCWLLuv4fsgjsg4S5Ya8kppDY_-2ejn7qF5Y_nbQ0bYVIKl6MNzL2GtXv-MAuwjippAAv5VDaxoKdxEVxeFrQ_eXsKNaQK7IvmVs1rIZ9eeRfRGK2AQ59wWQcyTtYO0dPJx9K7PGrSKz4ADAZ9SEZqQ4IesVhYbRCwToyxoyU5L9qdU8jXdHumkIrULRQhf68rIaBrEA_Be-V0rzWJ644fRLvv3z69XoHs3Az7PineILyNwbDck9uU2jkaXnwxoCTa4qlK8bR-lEI9-VXPNdbCvfgb5H9wfYsJcw2CMzNxNhV8v9YVZEt90evylwtTCEpXq4T3zRCQvrpbCvZrXqJ8uvlFeqCsvvhlIkSfPhBY8nm2ocWtBGPZm58zLe5FMi1jept0B54U38ZxkZlrGQKar47jkmnc6gpLrkpDBp7cWz",
"token_type":"bearer",
"expires_in":1209599,
"userName":"joe",
".issued":"Fri, 01 Aug 2014 16:16:02 GMT",
".expires":"Fri, 15 Aug 2014 16:16:02 GMT"
}

What I want to find out is what format the access_token is in and what information is contained.

A clue I found was: you can choose what kind of tokens Web API uses by setting the OAuthAuthorizationServerOptions.AccessTokenFormat property in Startup.Auth.cs. The documentation for OAuthAuthorizationServerOptions says:

"The data format used to protect the information contained in the access token. If not provided by the application the default data protection provider depends on the host server. The SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted servers will use DPAPI data protection. If a different access token provider or format is assigned, a compatible instance must be assigned to the OAuthBearerAuthenticationOptions.AccessTokenProvider or OAuthBearerAuthenticationOptions.AccessTokenFormat property of the resource server."

So it's probably encoded using the MachineKey. That's fine, I can set the Machine Key OK but if I know the machine key that the token was created with, how do I decrypt it?

Skippy asked Nov 05 '14 20:11
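Before reaching for a JWT decoder it is worth checking whether the token is a JWT at all. The helper below is an added example, not code from the question or from the Web API template: it splits a token on "." and base64url-decodes the header and payload, and reports the question's access_token (its first 64 characters, used here as constructed sample input) as opaque. The sample JWT is constructed too, with a placeholder signature. Nothing here verifies a signature, so decoded claims are untrusted input until a verifier has checked them.

```csharp
// Added example (not from the question or answer): a minimal JWT splitter.
// It only base64url-decodes the header and payload; it performs NO signature
// verification, so never treat its output as authenticated claims.
using System;
using System.Text;

public static class JwtInspector
{
    // RFC 7515 base64url: '-' and '_' instead of '+' and '/', padding stripped.
    public static byte[] Base64UrlDecode(string input)
    {
        string s = input.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
            case 1: throw new FormatException("Invalid base64url length");
        }
        return Convert.FromBase64String(s);
    }

    // Returns true with the decoded header/payload JSON if the string has the
    // three-part JWS compact shape; returns false for anything else, such as the
    // opaque OWIN access_token from the question (it contains no '.' separators).
    public static bool TryDecodeJwt(string token, out string headerJson, out string payloadJson)
    {
        headerJson = payloadJson = null;
        string[] parts = token.Split('.');
        if (parts.Length != 3) return false;
        try
        {
            headerJson = Encoding.UTF8.GetString(Base64UrlDecode(parts[0]));
            payloadJson = Encoding.UTF8.GetString(Base64UrlDecode(parts[1]));
        }
        catch (FormatException)
        {
            return false;
        }
        // A JWT header and payload are JSON objects; anything else is not a JWT.
        return headerJson.TrimStart().StartsWith("{") && payloadJson.TrimStart().StartsWith("{");
    }

    public static void Main()
    {
        // Constructed sample JWT: header {"alg":"HS256","typ":"JWT"}, payload {"sub":"joe"},
        // third segment is the word "signature" base64-encoded as a placeholder (not checked).
        string jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2UifQ.c2lnbmF0dXJl";
        // First 64 characters of the access_token from the question: no dots, not JSON.
        string owinToken = "x3vHm40WUXBiMZi_3EmdmCWLLuv4fsgjsg4S5Ya8kppDY_-2ejn7qF5Y_nbQ0bYV";

        foreach (string t in new[] { jwt, owinToken })
        {
            string header, payload;
            if (TryDecodeJwt(t, out header, out payload))
                Console.WriteLine("JWT header: " + header + "\nJWT payload: " + payload);
            else
                Console.WriteLine("Not a JWT (opaque token): " + t.Substring(0, 16) + "...");
        }
    }
}
```

The second input is what the question is actually dealing with: the token handed out by the Web API 2 template has no dot-separated segments and is not base64url JSON, so no JWT decoder, Google's or otherwise, can show its contents. It is a blob protected by the host's data protector, and only the server holding that key can open it.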




1 Answer

You are correct about the generation of the token. This token is an encrypted or signed string containing the de-serialized version of all the claims and ticket properties for the signed-in user. If in IIS mode (SystemWeb), the encryption and signing is done via the "decryptionKey" and "validationKey" key values in the machineKey node. If running as a self-host OWIN application, the encryption uses the DPAPI to protect it, and that actually uses the 3DES algorithm.

To decrypt it you need to invoke this code in your API controller action method (not necessary, but useful if you want to see what is inside this encrypted token):

using Microsoft.Owin.Security;

string token = "Your token goes here";
AuthenticationTicket ticket = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(token); // null if the token is tampered with or was protected with a different key

If you need to configure your AuthZ server to issue JWT-signed tokens so you can decode them using some online tool such as the Google JWT decoder, then I recommend you read my blog post here about JSON Web Tokens in ASP.NET Web API 2 using Owin.

Taiseer Joudeh answered Nov 03 '22 05:11
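As an added example (not the answer's own code, nor part of the Visual Studio template), here is a complete Web API 2 controller that performs the Unprotect call from the answer and reports what the ticket holds. It assumes the template's static Startup.OAuthBearerOptions field and that app.UseOAuthBearerAuthentication(OAuthBearerOptions) has already run in Startup.Auth.cs, which is what fills in AccessTokenFormat with the default TicketDataFormat when the application did not set one; the route api/inspect and the controller name are arbitrary choices for this example.

```csharp
// Added example (not from the answer or the Microsoft.Owin sources): unprotects an
// access token with the same ISecureDataFormat<AuthenticationTicket> that issued it.
// Assumes the template's static Startup.OAuthBearerOptions and the default data
// protector (machineKey under IIS/SystemWeb, DPAPI when self-hosted).
using System;
using System.Linq;
using System.Web.Http;
using Microsoft.Owin.Security;

public class TokenInspectController : ApiController
{
    [HttpGet]
    [Route("api/inspect")]   // attribute routing: needs config.MapHttpAttributeRoutes()
    public IHttpActionResult Inspect(string token)
    {
        AuthenticationTicket ticket = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(token);

        // Unprotect returns null when the token was tampered with or was protected
        // under a different machineKey / DPAPI key, so never dereference it blindly.
        if (ticket == null)
            return BadRequest("Token could not be unprotected (wrong key or tampered).");

        DateTimeOffset? expires = ticket.Properties.ExpiresUtc;
        bool expired = expires.HasValue && expires.Value < DateTimeOffset.UtcNow;

        return Ok(new
        {
            AuthenticationType = ticket.Identity.AuthenticationType,
            Name = ticket.Identity.Name,
            Issued = ticket.Properties.IssuedUtc,
            Expires = expires,
            Expired = expired,
            // Every claim serialized into the ticket (name, nameidentifier, roles, ...).
            Claims = ticket.Identity.Claims.Select(c => new { c.Type, c.Value }),
            // Extra ticket properties the server attached, e.g. "userName" in the template.
            Properties = ticket.Properties.Dictionary
        });
    }
}
```

Call it as GET /api/inspect?token=<access_token> with a token obtained from /token. Two cautions: the endpoint turns any token it is given into its claims, so keep it out of production builds or lock it down to administrators; and because Unprotect succeeds only with the key that produced the token, servers behind a load balancer must share the same machineKey (or a shared data protector), otherwise tokens issued by one node are rejected by the others.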