6

I'm trying to work with the OAuth bearer tokens Web API 2 supplies but I don't know how to unencrypt them or get the data out.

What I'd really like to do is either find or write myself an equivalent tool to this Google Tool https://developers.google.com/wallet/digital/docs/jwtdecoder for the tokens I am getting from Web API. The Google tool allows you to paste in the string of text representing a JWT token and it splits it up and unencodes the JSON within.

In Visual Studio 2013 if you choose New ASP.NET project, and then choose the Web API template with individual user accounts you get a sample project that contains a token endpoint. If you start the project, you can then POST a request "grant_type=password&username=joe&password=joe" to /token on the built in webserver and you get a token back:

{
"access_token":"x3vHm40WUXBiMZi_3EmdmCWLLuv4fsgjsg4S5Ya8kppDY_-2ejn7qF5Y_nbQ0bYVIKl6MNzL2GtXv-MAuwjippAAv5VDaxoKdxEVxeFrQ_eXsKNaQK7IvmVs1rIZ9eeRfRGK2AQ59wWQcyTtYO0dPJx9K7PGrSKz4ADAZ9SEZqQ4IesVhYbRCwToyxoyU5L9qdU8jXdHumkIrULRQhf68rIaBrEA_Be-V0rzWJ644fRLvv3z69XoHs3Az7PineILyNwbDck9uU2jkaXnwxoCTa4qlK8bR-lEI9-VXPNdbCvfgb5H9wfYsJcw2CMzNxNhV8v9YVZEt90evylwtTCEpXq4T3zRCQvrpbCvZrXqJ8uvlFeqCsvvhlIkSfPhBY8nm2ocWtBGPZm58zLe5FMi1jept0B54U38ZxkZlrGQKar47jkmnc6gpLrkpDBp7cWz",
"token_type":"bearer",
"expires_in":1209599,
"userName":"joe",
".issued":"Fri, 01 Aug 2014 16:16:02 GMT",
".expires":"Fri, 15 Aug 2014 16:16:02 GMT"
}

What I want to find out is what format the access_token is in and what information is contained.

A clue I found was: you can choose what kind of tokens Web API uses by setting the OAuthAuthorizationServerOptions.AccessTokenFormat property in Startup.Auth.cs. The documentation for OAuthAuthorizationServerOptions says:

"The data format used to protect the information contained in the access token. If not provided by the application the default data protection provider depends on the host server. The SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted servers will use DPAPI data protection. If a different access token provider or format is assigned, a compatible instance must be assigned to the OAuthBearerAuthenticationOptions.AccessTokenProvider or OAuthBearerAuthenticationOptions.AccessTokenFormat property of the resource server."

So it's probably encoded using the MachineKey. That's fine, I can set the Machine Key OK but if I know the machine key that the token was created with, how do I decrypt it?

Dave Alperovich
  • 32,320
  • 8
  • 79
  • 101
Skippy
  • 61
  • 1
  • 3

1 Answers1

8

You are correct about the generation of the token. This token is an encrypted or signed string contains the de-serialized version of all the claims and ticket properties for the signed in user. If in IIS mode (SystemWeb), the encryption and signing is done via the "decryptionKey" and "validationKey" key values in machineKey node. If running as a self-host OWIN application, the encryption uses the DPAPI to protect it and that actually uses the 3DES algorithm.

To decrypt it you need to invoke this code in your API controller action method (not necessary but if you want to see what inside this encrypted token) :

string token = "Your token goes here";
Microsoft.Owin.Security.AuthenticationTicket ticket= Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(token);

If you need to configure your AuthZ server to issue JWT signed tokens so you can deconde them using someone line tool such as Google JWT decoder; then I recommend you to read my blog post here about JSON Web Token in ASP.NET Web API 2 using Owin

Taiseer Joudeh
  • 8,953
  • 1
  • 41
  • 45
  • This is almost what I want, and it's helped me solve what I was working on. What I really wanted is a way of decrypting the token without having to be in a ASP website (so Startup.OAuthBearerOptions isn't available). Thanks for your blog, I've read quite a few articles and they've been very helpful. – Skippy Nov 07 '14 at 11:06
  • `OAuthAuthorizationServerOptions.AccessTokenFormat` does seem to use the `Protect` method to encode and or encrypt your tokens, but the Framework doesn't seem to use the `Unprotect` method when attempting to "unwrap" the token. Is there some undocumented hook in AuthenticationServer to implement or flag for this? @HaoKung, do you have any insight into this? – Dave Alperovich Jun 30 '16 at 13:58
  • Taiseer, you have excellent posts on this topic. But you only show how to sign JWT to protect it from tampering, can you please also guide how to encrypted JWT following the JSON Web Encryption (JWE) specifications in ASP.Net MVC 5? – Naveed Ahmed Sep 08 '16 at 22:34
  • I have asked 1 question based on your tutorial.Can you please check it out and provide some insights on it please:https://stackoverflow.com/questions/47151680/how-access-token-is-validated-for-accessing-protected-resources-in-token-based-m – I Love Stackoverflow Nov 07 '17 at 12:44