JWT web token encryption - SecurityAlgoritms.HmacSha256 vs SecurityAlgoritms.HmacSha256Signature

For token based authentication Microsoft.IdentityModel.Tokens provides a list of security algorithms that can be used to create SigningCredentials:

  using System.Text;
  using Microsoft.IdentityModel.Tokens;

  string secretKey = "MySuperSecretKey";
  byte[] keybytes = Encoding.ASCII.GetBytes(secretKey);
  SecurityKey securityKey = new SymmetricSecurityKey(keybytes);

  // Option 1: the short JWT "alg" name
  SigningCredentials signingCredentials =
                    new SigningCredentials(securityKey,
                        SecurityAlgorithms.HmacSha256);

  // Option 2: the XML-DSig URI form (second variable renamed so both compile in one scope)
  SigningCredentials signingCredentialsUri =
                    new SigningCredentials(securityKey,
                        SecurityAlgorithms.HmacSha256Signature);

What is the difference between HmacSha256 and HmacSha256Signature? When would you use the signature one instead of the non-signature one?

There are other "non signature" and "signature" algorithms as well. For example, RsaSha256 and RsaSha256Signature.

Ewald Stieger Avatar asked Jan 26 '17 09:01


1 Answer

HmacSha256 is a string constant evaluating to "HS256". HmacSha256Signature is also a string constant but evaluates to "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256".

The latest definition of System.IdentityModel.Tokens.SecurityAlgorithms does not include HmacSha256 but instead allows you to separate the signature and digest algorithms for the SigningCredentials.

You should use HmacSha256Signature for future-proofing your application as HmacSha256 looks deprecated.

From the Microsoft docs...

The members that have a Signature suffix can be used to specify the signatureAlgorithm parameter and the members that have a Digest suffix can be used to specify the digestAlgorithm parameter.

Marcus Cunningham Avatar answered Sep 23 '22 14:09

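The following is an added example, not code from the question or the answer above, showing how the two constants behave end to end in a JWT: a token is issued once with SecurityAlgorithms.HmacSha256 and once with SecurityAlgorithms.HmacSha256Signature, the "alg" header of each is read back, and both are validated with the algorithm pinned to HS256. It assumes the System.IdentityModel.Tokens.Jwt package (which brings in Microsoft.IdentityModel.Tokens); the issuer, audience, claim and the 32-byte key string are constructed sample values, and the variable names are mine. JwtSecurityTokenHandler translates the XML-DSig URI to the short JWT name through its OutboundAlgorithmMap, so the header reads HS256 in both cases.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// NuGet: System.IdentityModel.Tokens.Jwt (depends on Microsoft.IdentityModel.Tokens)
class HmacAlgorithmDemo
{
    // Constructed sample values; in a real service the key comes from a secret store.
    const string Issuer = "example-issuer";
    const string Audience = "example-audience";
    // Exactly 32 bytes: current Microsoft.IdentityModel versions reject HS256 keys shorter than 256 bits.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("example-32-byte-secret-key-value"));

    // Issue a short-lived JWT signed with whichever constant the caller passes.
    static string Issue(string algorithm)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "alice") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(Key, algorithm),
        };
        SecurityToken token = handler.CreateToken(descriptor);
        return handler.WriteToken(token);
    }

    // Read the "alg" header without validating, to see what actually went on the wire.
    static string HeaderAlg(string jwt) =>
        new JwtSecurityTokenHandler().ReadJwtToken(jwt).Header.Alg;

    // Validate issuer, audience, lifetime and signature, and pin the accepted
    // algorithm so a token with a different "alg" header is rejected outright.
    static ClaimsPrincipal Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
            ClockSkew = TimeSpan.FromSeconds(30),
        };
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }

    static void Main()
    {
        string shortName = Issue(SecurityAlgorithms.HmacSha256);
        string uriName = Issue(SecurityAlgorithms.HmacSha256Signature);

        // Both print "HS256": the URI form is mapped to the JWT name on output.
        Console.WriteLine($"HmacSha256          -> alg={HeaderAlg(shortName)}");
        Console.WriteLine($"HmacSha256Signature -> alg={HeaderAlg(uriName)}");

        // Both validate under the same pinned algorithm.
        Console.WriteLine($"sub={Validate(shortName).FindFirst("sub")?.Value}");
        Console.WriteLine($"sub={Validate(uriName).FindFirst("sub")?.Value}");
    }
}
```

Pinning ValidAlgorithms on the validation side is the part worth copying: the constant you choose when signing only affects the name the library maps to, while the validator's algorithm allow-list is what keeps a token carrying an unexpected "alg" from being accepted.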