
Given the Thinktecture AuthenticationConfiguration below:

var authConfig = new AuthenticationConfiguration
{
    EnableSessionToken = true,
    SendWwwAuthenticateResponseHeaders = true,
    RequireSsl = false,
    ClaimsAuthenticationManager = new ClaimsTransformation(),
    SessionToken = new SessionTokenConfiguration
    {
        EndpointAddress = "/api/token",
        SigningKey = CryptoRandom.CreateRandomKey(32),
        DefaultTokenLifetime = new TimeSpan(1, 0, 0)
    }
};

It would return an example JWT of eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzZXNzaW9uIGlzc3VlciIsImF1ZCI6Imh0dHA6Ly9zZXNzaW9uLnR0IiwibmJmIjoxNDIwMzk2ODgyLCJleHAiOjE0MjA0MDA0ODIsInVuaXF1ZV9uYW1lIjoicGFzcyIsImF1dGhtZXRob2QiOiJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvYXV0aGVudGljYXRpb25tZXRob2QvcGFzc3dvcmQiLCJhdXRoX3RpbWUiOiIyMDE1LTAxLTA0VDE4OjQxOjA0LjAxOVoiLCJyb2xlIjoiVmVyaWZpZWQifQ.h7curaLrqkMT4Btg-AAoEpNYqUIYNQA_y-eUdEwQBqs

Which is:

{
    "alg": "HS256",
    "typ": "JWT"
}

{
    "unique_name": "pass",
    "aud": "http://session.tt",
    "iss": "session issuer",
    "authmethod": "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password",
    "role": "Verified",
    "exp": 1420400482,
    "auth_time": "2015-01-04T18:41:04.019Z",
    "nbf": 1420396882
}

How would I verify that the JWT was issued from a trusted machine? Can we use a symmetric key for the private signing key and the same key on the remote machine to verify against?

How could I wire up the WebAPI so that it automatically does this for us (assuming the AuthenticationConfiguration is on a different machine dedicated to the account security API)?

morleyc

1 Answer

You can use a shared symmetric key or a private key to sign the JWT and then use that same symmetric key or, respectively, the associated public key to verify it.

The algorithm in use for this JWT (HS256) suggests that a shared symmetric key was used so you need to know that symmetric key at the receiving end in order to verify the JWT.

Hans Z.
  • Thanks Hans, I updated my question. I am using `SigningKey = CryptoRandom.CreateRandomKey(32)`; everything else is default with the Thinktecture AuthenticationConfiguration library. I know the private key but I can't seem to find where the shared key is. – morleyc Jan 04 '15 at 19:07
  • You're generating a random shared symmetric key. You should save that value and send it (probably base64-encoded) to the receiver, out of band so he can verify the JWT. There is **no** private key involved in the signing of *this* JWT. – Hans Z. Jan 04 '15 at 19:10
  • @HansZ. - do you have any experience using keys with the newest rc1 release of mvc6 ? If you have a minute please see my question http://stackoverflow.com/questions/34348704/jwtbearer-bearer-token-with-rc-1-update-to-asp-net-5 – Scott Selby Dec 19 '15 at 03:59
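The mechanics behind the answer and the comments, as an added example that is not code from the question, the answer or the Thinktecture library (written in Python to show the HS256 exchange independently of the WebAPI plumbing): the issuer signs with its 32-byte SigningKey, the receiving machine recomputes the HMAC with the same bytes it received out of band, then checks iss, aud, nbf and exp. The key bytes and the "now" timestamp are constructed; the token from the question is only decoded, not verified, because its key is not on the page.

```python
import base64
import hashlib
import hmac
import json

# Token from the question, embedded as sample input (its signing key is unknown,
# so it can only be decoded here, never verified).
QUESTION_JWT = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzZXNzaW9uIGlzc3VlciIsImF1ZCI6Imh0dHA6Ly9zZXNzaW9uLnR0IiwibmJmIjoxNDIwMzk2ODgyLCJleHAiOjE0MjA0MDA0ODIsInVuaXF1ZV9uYW1lIjoicGFzcyIsImF1dGhtZXRob2QiOiJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvYXV0aGVudGljYXRpb25tZXRob2QvcGFzc3dvcmQiLCJhdXRoX3RpbWUiOiIyMDE1LTAxLTA0VDE4OjQxOjA0LjAxOVoiLCJyb2xlIjoiVmVyaWZpZWQifQ.h7curaLrqkMT4Btg-AAoEpNYqUIYNQA_y-eUdEwQBqs"


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_unverified(token):
    """Inspect header and claims WITHOUT checking the signature. Never authorise on this."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def sign_hs256(claims, key):
    """Issuer side: what the /api/token endpoint does with its SigningKey bytes."""
    header = {"typ": "JWT", "alg": "HS256"}
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token, key, issuer, audience, now):
    """Receiver side: recompute the HMAC with the SAME shared key, then check the claims.
    Returns the claims on success and None on any failure."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token pick it
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None  # wrong key, or header/payload tampered with
        claims = json.loads(b64url_decode(p))
    except (ValueError, AttributeError):
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return None
    return claims


if __name__ == "__main__":
    shared_key = bytes(range(32))  # constructed stand-in for CryptoRandom.CreateRandomKey(32)
    _, claims = decode_unverified(QUESTION_JWT)
    token = sign_hs256(claims, shared_key)  # issuer machine
    print(verify_hs256(token, shared_key, "session issuer", "http://session.tt", 1420398000))  # receiver
```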