Namespaces for .NET JWT token validation: System vs. Microsoft

Question

I am trying to use JWT to authenticate a Node application to an ASP.NET Web API.

In ASP.NET, I am using .NET 4.5.1 and nuget package System.IdentityModel.Tokens.Jwt 5.0.0

What I don't understand is, why the namespaces are mixed between Microsoft and System.

For example:

var tokenReader = new JwtSecurityTokenHandler();  tokenReader.ValidateToken(token,                  new TokenValidationParameters()             {                 ValidateAudience = false             },                 out validatedToken);     

The main JwtSecurityTokenHandler is in the System.IdentityModel.Tokens.Jwt namespace, but the TokenValidationParameters class and its dependencies are in the Microsoft.IdentityModel.Tokens namespace, and possibly collide with similar classes in the System.IdentityModel.Tokens namespace.

Is this by design or is this a possible sign of a version mismatch somewhere else?

Answer 1

If you take a look at the dependency for

nuget System.IdentityModel.Tokens.Jwt 4.0.2

vs

nuget System.IdentityModel.Tokens.Jwt 5.0

you'll see that 5.0 has a dependency on

Dependencies

.NETFramework 4.5.1

Microsoft.IdentityModel.Tokens (>=5.0.0)

that 4.0 didn't have. In fact, no previous version did.

Microsoft is re-architect-ing their frameworks to be more light weight. In a framework the size of ASP.NET, you will have many functional redundancies.

To make WIF lighter, while remaining backwards compatible, the decision was made to remove the redundant functionality from libraries like System.IdentityModel.Tokens.Jwt no longer depend on System.IdentityModel.Tokens, but instead on Microsoft.IdentityModel.Tokens. One of the unfortunate results is that both layers expose the same methods.