Menu
The security concerns: According to https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ a lot of JWT libraries use the token itself in order to determine the algorithm for the signature.
This is our use case: We want to create a login mechanism that validates a user with the hard credentials (username/password) and then return a JWT token with e.g. 3 Days lifetime. The token should contain the username and a signature should guarantee that the token cannot be "faked".
What library can we use in Web API / MVC 6? It is important that the signature algorithm can be specified on decoding to avoid the vulnerability.
If possible we would like to avoid integrating complex OAuth components.
637
I am using the System.IdentityModel.Tokens.Jwt library, and I just checked for this issue. I Generated a token and validated it in one of my tests, then I removed the signingCredentials which changes the alg to none. The JWT generated with the "alg":"none" failed validation.
Here is how I am generating the token:
public string GenerateToken(SSOContext context, SignatureSettings settings)
{
var token = new JwtSecurityToken(
issuer: "MyIssuer",
audience: "MyAudience",
claims: GetClaims(context),
//comment the below line to generate a 'none' alg
signingCredentials: new X509SigningCredentials(settings.Certificate),
notBefore: DateTime.UtcNow,
expires: DateTime.UtcNow.AddHours(1)
);
return new JwtSecurityTokenHandler().WriteToken(token);
}
When I validate the token I get an exception as expected with the message
IDX10504: Unable to validate signature, token does not have a signature:
199
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
