For token-based authentication, Microsoft.IdentityModel.Tokens provides a list of security algorithms that can be used to create SigningCredentials:

```csharp
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Build a symmetric key from a shared secret
string secretKey = "MySuperSecretKey";
byte[] keybytes = Encoding.ASCII.GetBytes(secretKey);
SecurityKey securityKey = new SymmetricSecurityKey(keybytes);
SigningCredentials signingCredentials =
    new SigningCredentials(securityKey,
        SecurityAlgorithms.HmacSha256);
```

```csharp
// Same key, using the constant with the Signature suffix
SigningCredentials signingCredentials =
    new SigningCredentials(securityKey,
        SecurityAlgorithms.HmacSha256Signature);
```
What is the difference between HmacSha256 and HmacSha256Signature? When would you use the signature one instead of the non-signature one?

There are other "non signature" and "signature" algorithms as well. For example, RsaSha256 and RsaSha256Signature.

HmacSha256 is a string constant evaluating to "HS256". HmacSha256Signature is also a string constant but evaluates to "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256".

The latest definition of System.IdentityModel.Tokens.SecurityAlgorithms does not include HmacSha256 but instead allows you to separate the signature and digest algorithms for the SigningCredentials.

You should use HmacSha256Signature for future-proofing your application as HmacSha256 looks deprecated.

From the Microsoft docs...
The members that have a Signature suffix can be used to specify the signatureAlgorithm parameter and the members that have a Digest suffix can be used to specify the digestAlgorithm parameter.
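
To compare the two constants when a JWT is actually issued, this added example (not part of the original question or answer) signs one token per constant with JwtSecurityTokenHandler and prints the `alg` header written into each. It assumes the System.IdentityModel.Tokens.Jwt NuGet package is referenced; the class name, issuer and audience are made up, and a random 32-byte key stands in for the passphrase.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

class AlgConstantDemo   // hypothetical name, for illustration only
{
    // Issues a JWT signed with the given algorithm identifier and returns
    // the "alg" value found in the header of the serialized token.
    static string IssuedAlg(SecurityKey key, string algorithm)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = "https://issuer.example",   // constructed sample value
            Audience = "https://api.example",    // constructed sample value
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(key, algorithm)
        };
        string compact = handler.WriteToken(handler.CreateToken(descriptor));
        return handler.ReadJwtToken(compact).Header.Alg;
    }

    static void Main()
    {
        // Random 256-bit key rather than a short ASCII passphrase
        var keyBytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(keyBytes);
        }
        var key = new SymmetricSecurityKey(keyBytes);

        var constants = new[]
        {
            SecurityAlgorithms.HmacSha256,
            SecurityAlgorithms.HmacSha256Signature
        };
        foreach (string alg in constants)
        {
            Console.WriteLine($"constant value : {alg}");
            Console.WriteLine($"JWT header alg : {IssuedAlg(key, alg)}");
        }
    }
}
```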