6

What I want is a method of JWT Generation and JWT Consumption in ASP.NET Core.

No OAuth2 flow. I do have IdentityServer v3 working with OAuth2, but it is just overkill for a single app accessing an API when I own both sides.

The main source of difficulty I am having is finding out the equivalent of Microsoft.Owin.Security.Jwt in ASP.NET Core. Nothing in this list https://www.myget.org/gallery/aspnetvnext seems to relate. Or is that package actually going to stay relevant with ASP.NET Core?

Set
Adam
  • https://gist.github.com/siacomuzzi/1832edeb905a9582a7dd ? – adaam Jun 02 '15 at 22:22
  • Thanks. I have already come across this and was using it in the meantime, but it is only for JWT consumption, not generation, and uses the Microsoft.Owin packages that seem to have been deprecated in ASP.NET 5. They are usable; it's just that they don't use the Microsoft.AspNet.Authentication ones, which is where everything seems to be moving to. – Adam Jun 03 '15 at 03:53

2 Answers

5

If you're looking for a (simple) way to generate your own JWT tokens, you should directly use the JwtSecurityTokenHandler. You can find it in the System.IdentityModel.Tokens package on the MyGet repository you mentioned (but the version is a bit old now) or directly on the Azure AD repository, in the System.IdentityModel.Tokens.Jwt package: https://www.myget.org/gallery/azureadwebstacknightly

Of course, using a standard protocol to issue and retrieve your JWT tokens is more than recommended and OAuth2 and OpenID Connect are probably the best candidates for that.

Note that IdentityServer is not the only server that works on ASP.NET 5. I'm personally working on an advanced fork of the OAuth2 authorization server middleware that comes with Katana 3 and that offers a different approach: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server

```csharp
app.UseOAuthBearerAuthentication(new JwtBearerOptions
{
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    Audience = "http://localhost:54540/",
    Authority = "http://localhost:54540/"
});

app.UseOpenIdConnectServer(options =>
{
    options.Provider = new AuthorizationProvider();
});
```

To learn more about this project, I'd recommend reading http://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-introduction/.

Feel free to ping me on https://jabbr.net/#/rooms/AspNetCore if you need more information.

Kévin Chalet
  • `JwtSecurityTokenHandler`'s last parameter is `SigningCredentials`. But how do I create an instance of that? – Sean Nov 04 '15 at 20:00
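
How `SigningCredentials` is built for `JwtSecurityTokenHandler`, and how the same key then validates the token, as an added example (not code from either answer or from the libraries' own samples). It assumes the current `System.IdentityModel.Tokens.Jwt` and `Microsoft.IdentityModel.Tokens` NuGet packages rather than the 2015 pre-release builds discussed here; the `JwtExample` class, the random key and the `user-123` subject are constructed for illustration, and the issuer/audience reuse the localhost URL from the answer.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class JwtExample // hypothetical class name
{
    const string Issuer = "http://localhost:54540/";
    const string Audience = "http://localhost:54540/";

    public static string Issue(SecurityKey key, string subject)
    {
        // SigningCredentials = key + algorithm; HS256 fits when one party owns both sides.
        var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: Issuer, audience: Audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, subject) },
            notBefore: DateTime.UtcNow, expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: credentials);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    public static ClaimsPrincipal Validate(SecurityKey key, string jwt)
    {
        // Signature, issuer, audience and lifetime checks are on by default.
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer, ValidAudience = Audience, IssuerSigningKey = key,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // pin the algorithm
            ClockSkew = TimeSpan.FromSeconds(30) // library default is 5 minutes
        };
        // Throws a SecurityTokenException subtype when any check fails.
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }

    public static void Main()
    {
        var secret = new byte[32]; // constructed sample key; load from a secret store in practice
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(secret);
        var key = new SymmetricSecurityKey(secret);

        string jwt = Issue(key, "user-123");
        // The handler maps "sub" to ClaimTypes.NameIdentifier by default.
        Console.WriteLine(Validate(key, jwt).FindFirst(ClaimTypes.NameIdentifier)?.Value);

        // A token checked against a different key must be rejected.
        try { Validate(new SymmetricSecurityKey(new byte[32]), jwt); }
        catch (SecurityTokenException e) { Console.WriteLine("rejected: " + e.GetType().Name); }
    }
}
```
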
2

I've started using OpenIddict and I think it is exactly what you need.

This is essentially all the configuration I needed:

ConfigureServices:

```csharp
services.AddIdentity<ApplicationUser, ApplicationRole>()
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders()
    .AddOpenIddictCore<Application>(config => config.UseEntityFramework());
```

Configure:

```csharp
app.UseOpenIddictCore(builder =>
{
    // tell openiddict you're wanting to use jwt tokens
    builder.Options.UseJwtTokens();
    // NOTE: for dev consumption only! for live, this is not encouraged!
    builder.Options.AllowInsecureHttp = true;
    builder.Options.ApplicationCanDisplayErrors = true;
});

// use jwt bearer authentication
app.UseJwtBearerAuthentication(options =>
{
    options.AutomaticAuthenticate = true;
    options.AutomaticChallenge = true;
    options.RequireHttpsMetadata = false;
    options.Audience = "http://localhost:58292/";
    options.Authority = "http://localhost:58292/";
});
```

There are one or two other minor things, such as your DbContext needs to derive from OpenIddictContext<ApplicationUser, Application, ApplicationRole, string>.

You can see a full length explanation (including links to the github repo) on this blog post of mine: http://capesean.co.za/blog/asp-net-5-jwt-tokens/

Sean