2

I'm considering using authenticated encrypted JWT tokens to authenticate / authorize access to an ASP.NET Web API application.

Based on what I've read so far, it seems to me like it is an option to generate JWT tokens from a token service and pass them to Web API via the http authorization header.

I have found some good code examples on implementing the JWT creation and consumption (Pro ASP.NET Web API Security by Badrinarayanan Lakshmiraghavan).

I'm trying to understand if I need a full OAuth implementation to support this, or if I can simply pass the tokens along in the auth header.

Assuming the tokens are properly encrypted and signed, is there any inherent security flaw in keeping things simple without having to use OAuth?

Trying to keep things as simple as possible for my needs without compromising security.

Luke Puplett
bingles
  • Check my answer is here: http://stackoverflow.com/questions/40281050/jwt-authentication-for-asp-net-web-api/40284152#40284152 – cuongle Mar 10 '17 at 16:30

2 Answers

6

It is not that you must always use OAuth when you use tokens. But given the fact that your application is a JavaScript app, you would be better off implementing a 3-legged authentication. Thinktecture identity server does support implicit grant. But if the client application getting access to the user credential is not a problem for you, your JavaScript app can get the user ID and password from the user and make a token request from a token issuer, ensuring the user ID and password are not stored anywhere in the JavaScript app (including the DOM). This request for a token can be a simple HTTP POST as well, and it does not need to be anything related to OAuth. If your end user will not enter the credentials in the client application, OAuth implicit grant is the way. BTW, you don't need to encrypt the JWT. TIS issues a signed JWT and that will ensure token integrity. But if you are worried about confidentiality, you can use HTTPS both to obtain the token and to present the token.

  • Thank you. That is the information I needed. Your book is excellent btw. Has been a key resource for understanding security options / concerns for Web API. – bingles Jun 05 '13 at 19:33
  • Thanks. In addition to the book, do refer to Dominick's blog http://leastprivilege.com/. It has lots of information on the topic of security, specifically ASP.NET Web API. – Badrinarayanan Lakshmiraghavan Jun 06 '13 at 04:10
  • Can you please guide how to properly encrypt the JWT tokens in ASP.Net MVC 5? Please also clarify does the encrypted JWT refers to encrypted payload in JWT? – Naveed Ahmed Sep 08 '16 at 22:28
0

It looks like you don't really need auth delegation as the one provided by OAuth. Isn't HMAC authentication enough for your scenario? With HMAC, you will not have to deal with JWT at all. This is an implementation I made for HMAC authentication for .NET:

https://github.com/pcibraro/hawknet

Pablo.

Pablo Cibraro
  • I don't know enough about HMAC authentication to answer. Is this suitable for a Javascript client app? – bingles Jun 04 '13 at 17:37
  • Well no, JWT might be a better choice for you, but you will not be able to generate it in JavaScript either. You need a server to generate the token for you. – Pablo Cibraro Jun 04 '13 at 18:16
  • I guess my question is whether I can create a simple JWT token server that my javascript app can request a token from and then just pass this token in the Authorization header to my web api without having to be concerned with other OAuth details. – bingles Jun 04 '13 at 18:34
  • Simple is relative. The JS app (or rather the user) needs to authenticate obviously to request a token. Then the token needs to be generated. Right now there is no .NET implementation of JWT that does encryption. And I wonder if you need it - signing should be OK. Have a look at https://github.com/thinktecture/Thinktecture.IdentityServer.v2/wiki – leastprivilege Jun 04 '13 at 20:05