I'm fairly new to JwtSecurityTokens, and I'm trying to understand the different aspects of it and furthermore the whole ClaimsIdentity and ClaimsPrincipal, but that's another story.
I try to generate a token in C# by using the following code:
// Posted code, with the usings it needs and comments on each part of the token.
// The secret is kept as posted ("abcdef") because it is the cause of the error below:
// UTF-8 "abcdef" is 6 bytes = 48 bits, which is too short for HS256.
using System;
using System.IdentityModel.Tokens.Jwt;   // JwtSecurityToken, JwtSecurityTokenHandler
using System.Security.Claims;            // Claim, ClaimTypes
using System.Text;
using Microsoft.IdentityModel.Tokens;    // SymmetricSecurityKey, SigningCredentials, SecurityAlgorithms

public static class TokenService
{
    private const string SECRET_KEY = "abcdef";
    // HS256 is an HMAC: the key is the raw bytes of the string, so 6 characters = 48 bits.
    private static readonly SymmetricSecurityKey SIGNING_KEY = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SECRET_KEY));

    public static string GenerateToken(string someName)
    {
        var token = new JwtSecurityToken(
            claims: new Claim[]                  // payload entries; readable by anyone holding the token
            {
                new Claim(ClaimTypes.Name, someName),
            },
            notBefore: new DateTimeOffset(DateTime.Now).DateTime,               // "nbf" claim (converted to UTC epoch seconds)
            expires: new DateTimeOffset(DateTime.Now.AddMinutes(60)).DateTime,   // "exp" claim
            signingCredentials: new SigningCredentials(SIGNING_KEY, SecurityAlgorithms.HmacSha256) // key + "alg": "HS256"
        );
        // WriteToken serializes header.payload.signature in compact form; the signature is computed here,
        // which is where a too-short key is rejected.
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}
I followed a tutorial on Youtube, but I'm not sure I understand the different parts in the JwtSecurityToken. In addition, when I execute the code through a controller just to try to return a token, it returns an error, saying: "IDX10603: Decryption failed. Keys tried: '[PII is hidden]'".
Any help is appreciated.
JWT is JSON Web Token: a token that carries a payload of claims (for example a user ID or e-mail) together with a signature. Anyone who can read the token can read the payload, since a signed JWT is not encrypted; the signature is what lets your server check, on every request the client sends, that the token was produced with your key and has not been altered since.
Information exchange: JWTs are a useful way of transmitting information between parties because they can be signed, so the receiver can verify who issued the token and that its content has not been tampered with. That guarantee only holds if the receiver actually validates the signature, the algorithm and the expiry rather than just decoding the payload.
Another technique used to steal session tokens is session sidejacking, where the attacker takes advantage of an unencrypted communication channel between a victim and application to steal session tokens. The attacker simply sniffs the unencrypted traffic on a network looking for session tokens.
The algorithm HS256 requires the SecurityKey.KeySize to be greater than 128 bits and your key has just 48. Extend it by adding at least 10 more symbols.
As for the "PII is hidden" part, it was done as part of a GDPR compliance effort to hide any stack or variable info in logs. You can enable additional details with:
IdentityModelEventSource.ShowPII = true;
You should add enough characters to your secret key. Where you set your secret key here,
//your SECRET_KEY = "abcdef"
new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SECRET_KEY));
change it to
new SymmetricSecurityKey(Encoding.UTF8.GetBytes("somethingyouwantwhichissecurewillworkk"));
This should work.
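Both answers above come down to the same point: HS256 is an HMAC, so the key is a byte string and the library enforces a minimum size. The following is an added example, not code from the question or the answers, showing the fix done properly (a random 256-bit key instead of a longer password) and going one step beyond the page by validating the token as well, since that is where the signature actually protects anything. It assumes the System.IdentityModel.Tokens.Jwt NuGet package is referenced; the issuer and audience strings, the class names and the user name "alice" are placeholders chosen for the example.

```csharp
// Added example: issue and validate an HS256 JWT with System.IdentityModel.Tokens.Jwt.
// Not from the original post. Issuer/audience values and names are placeholders.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

public static class JwtDemo
{
    // Placeholder issuer and audience values chosen for this example.
    private const string Issuer = "https://issuer.example";
    private const string Audience = "api.example";

    // HS256 is an HMAC, so the key is a byte string, not a password. The .NET library
    // rejects keys under 128 bits; RFC 7518 requires at least 256 bits for HS256, so use
    // 32 random bytes and keep them in a secret store, not in source code.
    public static SymmetricSecurityKey NewHmacKey()
    {
        var keyBytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(keyBytes);
        }
        return new SymmetricSecurityKey(keyBytes);
    }

    // Same shape as the posted GenerateToken, plus issuer, audience and a jti claim.
    public static string GenerateToken(SymmetricSecurityKey key, string someName)
    {
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: Issuer,                      // "iss" claim
            audience: Audience,                  // "aud" claim
            claims: new[]
            {
                new Claim(ClaimTypes.Name, someName),                              // written as "unique_name"
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), // unique token id
            },
            notBefore: now,                      // "nbf" claim
            expires: now.AddMinutes(60),         // "exp" claim
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256)); // "alg": "HS256"
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Issuing a token proves nothing by itself; validation is where the signature matters.
    // Pin the algorithm, the key, the issuer, the audience and the lifetime.
    public static ClaimsPrincipal ValidateToken(SymmetricSecurityKey key, string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = key,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // refuses "none", RS256, etc.
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }

    public static void Main()
    {
        // Development only: ShowPII puts key and token details into exception messages and logs.
        IdentityModelEventSource.ShowPII = true;

        // 1. The key from the question: UTF-8 "abcdef" is 6 bytes = 48 bits, so the
        //    signature provider throws before any token is written.
        var shortKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("abcdef"));
        try
        {
            GenerateToken(shortKey, "alice");
        }
        catch (ArgumentOutOfRangeException ex)
        {
            Console.WriteLine("Short key rejected: " + ex.Message);
        }

        // 2. A 256-bit key: issue the token, then validate it with the same key.
        var key = NewHmacKey();
        string jwt = GenerateToken(key, "alice");
        Console.WriteLine(jwt);
        ClaimsPrincipal principal = ValidateToken(key, jwt);
        Console.WriteLine("Validated, name = " + principal.Identity?.Name);

        // 3. The same token checked against a different key fails signature validation.
        try
        {
            ValidateToken(NewHmacKey(), jwt);
        }
        catch (SecurityTokenException ex)
        {
            Console.WriteLine("Wrong key rejected: " + ex.GetType().Name);
        }
    }
}
```

Two design choices worth noting: the key is generated with a cryptographic RNG rather than typed as a longer string, because a human-chosen phrase of 16 or more characters clears the library's size check while still being guessable; and ValidAlgorithms is set explicitly so that a token presented with a different "alg" header is rejected even if its signature would otherwise verify.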