0

I have a webapi which is authenticated using JWT tokens.

I validate using a custom JWT protection. This is as follows;

private const string AudiencePropertyKey = "as:client_id";

private readonly string _issuer = string.Empty;

public CustomJwtFormat(string issuer)
{
    _issuer = issuer;
}

public string Protect(AuthenticationTicket data)
{
    if (data == null)
    {
        throw new ArgumentNullException("data");
    }

    Client client = null;

    string audienceId = data.Properties.Dictionary.ContainsKey(AudiencePropertyKey) ? data.Properties.Dictionary[AudiencePropertyKey] : null;

    if (string.IsNullOrWhiteSpace(audienceId)) throw new InvalidOperationException("AuthenticationTicket.Properties does not include the client_id");

    using (AuthRepository _repo = new AuthRepository())
    {
        client = _repo.FindClient(audienceId);
    }

    if (client == null) throw new InvalidOperationException("ClientId does not exist.");

    string symmetricKeyAsBase64 = client.Secret;

    var keyByteArray = TextEncodings.Base64Url.Decode(symmetricKeyAsBase64);

    var signingKey = new HmacSigningCredentials(keyByteArray);

    var issued = data.Properties.IssuedUtc;
    var expires = data.Properties.ExpiresUtc;

    var token = new JwtSecurityToken(_issuer, audienceId, data.Identity.Claims, issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingKey);

    var handler = new JwtSecurityTokenHandler();

    var jwt = handler.WriteToken(token);

    return jwt;
}

Access is controlled through a database table, so the user sends across their clientid as a part of the auth service. they are rejected if the clientid doesn't exist in the database, and the ticket is encoded using the secret associated with this db entry and returned to them.

Now I am struggling with the decoding of the JWT on data requests? Now the JWT decodes just fine on jwt.io so I assume there must be someway of decoding using the JwtProtect without requiring a store on the currently dished out JWT tokens? As far as I can see the JwtProtect wants to have the Allowed audiences passed across? (I could so this by returning all from the db but is it really necessary?).

Cœur
  • 37,241
  • 25
  • 195
  • 267
Matthew Flynn
  • 3,661
  • 7
  • 40
  • 98

1 Answers1

1

JWT token is just a base64 string, you can freely decode it in multiple ways.

If you want to "unprotect" and validate the ticket you can use System.IdentityModel.Tokens.SecurityTokenHandler.

Check this answer for an example.

BTW, just a personal consideration: the first rule in security is "do not make your own security, but stick with the mass". You will find that following a clear and used path will offer you more support and you will be sure not to mess or to forget something important.

Luca Ghersi
  • 3,261
  • 18
  • 32
  • 1
    Luca, thanks for this. I'm combining Taiseer Joudahs (bitoftech.net) tutorial using roles with that of a JWT. In the case of the JWT tutorial its simply used a common secret. I'd like to retain the ability to control access by having a unique secret per client (so can be restricted easily, etc) Do you see this as drastically moving away from the mass? – Matthew Flynn Mar 29 '16 at 15:48