JwtSecurityToken understanding and exception

I'm fairly new to JwtSecurityTokens, and I try to understand the different aspects of it and furthermore the whole ClaimsIdentity and ClaimsPrincipal, but that's another story.

I try to generate a token in C# by using the following code:

    using System;
    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Claims;
    using System.Text;
    using Microsoft.IdentityModel.Tokens;

    // Wrapper class added so the snippet compiles as posted; the key value is the one from the question.
    public static class TokenGenerator
    {
        private const string SECRET_KEY = "abcdef";
        private static readonly SymmetricSecurityKey SIGNING_KEY = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SECRET_KEY));

        public static string GenerateToken(string someName)
        {
            var token = new JwtSecurityToken(
                claims: new Claim[]
                {
                    new Claim(ClaimTypes.Name, someName),
                },
                // nbf / exp claims; the handler converts these to epoch seconds
                notBefore: new DateTimeOffset(DateTime.Now).DateTime,
                expires: new DateTimeOffset(DateTime.Now.AddMinutes(60)).DateTime,
                // HS256 = HMAC-SHA256 over the header and payload with SIGNING_KEY
                signingCredentials: new SigningCredentials(SIGNING_KEY, SecurityAlgorithms.HmacSha256)
            );

            // Compact serialization: base64url(header).base64url(payload).base64url(signature)
            return new JwtSecurityTokenHandler().WriteToken(token);
        }
    }

I followed a tutorial on YouTube, but I'm not sure I understand the different parts in the JwtSecurityToken. In addition, when I execute the code through a controller just to try to return a token, it returns an error, saying: "IDX10603: Decryption failed. Keys tried: '[PII is hidden]'".

Any help is appreciated.

Frederik asked Oct 01 '18 09:10

2 Answers

The algorithm HS256 requires the SecurityKey.KeySize to be greater than 128 bits and your key has just 48. Extend it by adding at least 10 more symbols. As for the "PII is hidden" part, it was done as a part of the GDPR compliance effort to hide any stack or variable info in logs. You should enable additional details with:

    using Microsoft.IdentityModel.Logging;

    // Puts key and claim details back into exception messages, so enable it only while debugging.
    IdentityModelEventSource.ShowPII = true;

Alex Riabov answered Sep 24 '22 19:09


You should add enough characters to your secret key. Where you set your secret key here,

//your SECRET_KEY = "abcdef"
new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SECRET_KEY));

change it to

new SymmetricSecurityKey(Encoding.UTF8.GetBytes("somethingyouwantwhichissecurewillworkk"));

This should work.

Chanaka Anuradh Caldera answered Sep 26 '22 19:09
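Added example, not code from the question or either answer: the same generator with a 256-bit key, an explicit key-size check that fails with a readable message before the library's IDX error, and the receiving-side validation that pins the algorithm. It assumes .NET 6 or later and the System.IdentityModel.Tokens.Jwt package; the issuer and audience strings are constructed values.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtDemo
{
    // Demo key generated per process (assumption: a real service loads it from a secret store).
    private static readonly SymmetricSecurityKey SigningKey =
        new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32)); // 256 bits
    public static string GenerateToken(string someName, SymmetricSecurityKey key)
    {
        // HS256 needs at least 128 bits; fail early with a clear message instead of the library's IDX error.
        if (key.KeySize < 128)
            throw new ArgumentException($"HS256 key is {key.KeySize} bits, need at least 128.");
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: "demo-issuer",      // constructed value
            audience: "demo-audience",  // constructed value
            claims: new[] { new Claim(ClaimTypes.Name, someName) },
            notBefore: now,
            expires: now.AddMinutes(60),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
    // Receiving side: checks signature, lifetime, issuer and audience, and pins the algorithm.
    public static ClaimsPrincipal ValidateToken(string jwt, SymmetricSecurityKey key)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "demo-issuer",
            ValidAudience = "demo-audience",
            IssuerSigningKey = key,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
            ClockSkew = TimeSpan.FromMinutes(1),
        };
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }
    public static void Main()
    {
        // "abcdef" is 6 bytes = 48 bits, the key from the question.
        var shortKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("abcdef"));
        try { GenerateToken("alice", shortKey); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
        string jwt = GenerateToken("alice", SigningKey);
        Console.WriteLine(ValidateToken(jwt, SigningKey).Identity.Name);
    }
}
```

The first call prints the rejection for the 48-bit key; the second round-trips a token and prints the name claim that ValidateToken recovered from it.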