
I am working on an ASP.NET 5 app and I would like to use JWTs to secure certain endpoints in the application. For the time being we have decided that we (as opposed to a third party) will issue the JWTs, as all of our clients are 'owned' by the application, i.e. we have no 'external' clients. In the example, I have an endpoint which creates and returns a JWT using the jwt-dotnet library as follows (I appreciate that this is a basic example, with no expiration time and a single subject claim etc.):

...
// include a single subject claim (user id)
var claims = new Dictionary<string, object>() { { "sub", "1234" } };
var key = "EXAMPLE_SECRET_KEY_TO_SIGN_JWT";
var token = JWT.JsonWebToken.Encode(claims, key, JWT.JwtHashAlgorithm.HS256);
...
// return JWT

I can encode, and decode this JWT using the same key as one would expect. In my Startup.cs file, I am using Microsoft.AspNet.Authentication.OAuthBearer middleware to Authorize the relevant routes in my controllers which have the [Authorize] attribute specified. However, after looking at a number of posts including here and here I cannot seem to find an example of how to supply this signing key to the OAuth middleware in the same fashion. The code in my Startup.cs file looks as follows:

public class Startup
{
    public void Configure(IApplicationBuilder app, ILoggerFactory loggerFactory)
    {
        app.UseErrorPage();
        app.UseOAuthBearerAuthentication();
        app.UseMvc();
    }

    ...

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<OAuthBearerAuthenticationOptions>(bearer =>
        {
            bearer.AutomaticAuthentication = true;
            bearer.TokenValidationParameters.ValidAudience = "Example audience";
            bearer.TokenValidationParameters.ValidIssuer = "Example issuer";
            bearer.TokenValidationParameters.ValidateAudience = true;
            bearer.TokenValidationParameters.ValidateIssuer = true;
            bearer.TokenValidationParameters... // how do I set the signing key as a string literal?
        });
        services.AddMvc();
    }
}

My assumption has been that I should be able to simply supply the same string literal key to the middleware so it can validate the token signature. However, this does not seem to be the case, as the examples discuss using RSA keys or certificates as opposed to providing a single key/string literal.

I appreciate that I may be missing something here, or indeed that this may be the wrong approach and I shouldn't be able to do this!


EDIT: symmetric keys are now natively supported in the RC2 nightly builds:

var key = Convert.FromBase64String("base64-encoded symmetric key");

app.UseJwtBearerAuthentication(options => {
    options.AutomaticAuthenticate = true;
    options.AutomaticChallenge = true;

    options.Authority = Configuration["jwt:authority"];
    options.Audience = Configuration["jwt:audience"];

    options.TokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(key);
});

You can't, at least not without a bit of plumbing: the OAuth2 bearer middleware relies on IdentityModel 5, which doesn't support symmetric keys like the one you're using in your first snippet.

Of course, symmetric keys will eventually be supported (https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/250), but in the meantime, using an asymmetric key (like an RSA key) is recommended.

You can also implement symmetric key support yourself (see https://gist.github.com/sandorfr/4039d540b6b552154522), but using an RSA key is definitely a better option.

  • Thank you for your answer. It is a bit frustrating that symmetric keys are not currently supported, however I will look at generating an RSA key and going from there. Cheers. – corkington Oct 01 '15 at 21:01
  • @corkington I updated my answer to mention that symmetric keys are now supported OTB (you need the RC2 nightly builds). – Kévin Chalet Dec 20 '15 at 02:06
  • Thanks for taking the time to edit the answer and leave the comment, will take a look. – corkington Dec 20 '15 at 20:20
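Added example, not code from the question, the answer or either library they mention: a full issue-and-validate round trip with one symmetric key on both sides, written against the released System.IdentityModel.Tokens.Jwt / Microsoft.IdentityModel.Tokens API that the RC2 nightlies in the answer later became (assumed, not shown on this page). The secret, issuer and audience are constructed values; the key is longer than the question's 30-character literal because recent versions of the library require at least 256 bits of key material for HS256.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class SymmetricJwtDemo
{
    // Constructed secret shared by issuer and validator. HS256 needs >= 256 bits in recent
    // library versions (this one is 328 bits); load it from configuration, never a literal.
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("EXAMPLE_SECRET_KEY_TO_SIGN_JWT_0123456789"));
    private const string Issuer = "Example issuer";
    private const string Audience = "Example audience";

    // Issue a token carrying a single subject claim, signed with HMAC-SHA256 under Key.
    public static string Issue(string userId)
    {
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, userId) },
            expires: DateTime.UtcNow.AddMinutes(30),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
    // The object the bearer middleware consumes: assign it to options.TokenValidationParameters.
    public static TokenValidationParameters ValidationParameters() => new TokenValidationParameters
    {
        IssuerSigningKey = Key,          // the line missing from the question's Startup.cs
        ValidateIssuerSigningKey = true,
        ValidIssuer = Issuer,
        ValidateIssuer = true,
        ValidAudience = Audience,
        ValidateAudience = true,
        ValidateLifetime = true,         // also reject expired tokens
        ClockSkew = TimeSpan.FromMinutes(1),
    };
    // Validate as the middleware does; throws SecurityTokenException on any failure
    // (bad signature, wrong issuer or audience, expired), which a handler maps to 401.
    public static ClaimsPrincipal Validate(string jwt) =>
        new JwtSecurityTokenHandler().ValidateToken(jwt, ValidationParameters(), out _);

    public static void Main()
    {
        ClaimsPrincipal principal = Validate(Issue("1234"));
        // The handler's default inbound claim map renames "sub" to ClaimTypes.NameIdentifier.
        Console.WriteLine("subject: " + principal.FindFirst(ClaimTypes.NameIdentifier)?.Value);
    }
}
```

The returned TokenValidationParameters is exactly what goes into the bearer options in Startup, so the controller side needs no further key handling.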