
So I implemented some bearer token authentication using this guide. It uses the OWIN-based OAuth library provided by Microsoft to generate the tokens. I can't figure out what token this generates. I am asking because I am trying to migrate this to ASP.NET Core, but all the articles out there are about JWT tokens (yes, I do know that a JWT token can be used as a bearer token with OAuth2) and this clearly is not a JWT token. The response looks like this:

```json
{
    "access_token": "NXNps5iEafO6v2QMGOpXCGXBNVQw1DQTr9nV9JgG1XIRxEG9_3eliy4MQ3a050GKDQEBuQ_Y1vW-vEkPKx5MWlwEvpdxmWMnlxn-P2nq0gvl7oD2seiY69Yyab3uL3ZlppyI_A-PbQG-BSNJQKcbvoVBzejtXsrs3ADuvNi0EjYf3T12hpdiDzyPoAE1XDF44AL6hxFmUdJJ56pshUkPVlJUM851gfFIVvL5mf1yebWDo5gkdt9YhT1H32vD7KvgXHMMtYkxvT4lW6vXwyusKlH_MzZzHL1KlystJayc9QL-PDsLBGSfqPTQmOSw_vRaezHjMj4dSkCqrT4_RLoeeUsuSk5Q5mHGGYuJwPEPWJ5qXBjZT4U9RtjTB-EEyqINZGC_IxpM40qJPbBi2zvUsbafUroGx-tG2BNLtnvKnrqfZScLDsi7bd85Oc1S5kPuPf5LFtKr3f_ePRE0sGddvxCHcYUR_cn0zJSg1EDARXGM61ApgERTAQyy1oPeu-PgPSqqoGUvZ1-X26bQ2QarSQ3UMdAcO2eIuICM-XiVjb5lNo5FB21ZeTdYIi25WasqNJxQfIfEHqfTcdD5y7YsZA",
    "token_type": "bearer",
    "expires_in": 31535999,
    "userName": "emailuserasusername@outlook.com",
    ".issued": "Wed, 14 Mar 2018 22:26:59 GMT",
    ".expires": "Thu, 14 Mar 2019 22:26:59 GMT"
}
```
Stilgar
  • That's not a valid JWT, that's for sure. I'd say that's a completely custom token – Camilo Terevinto Mar 14 '18 at 22:36
  • Why do you think it's not JWT? – Hussein Salman Mar 14 '18 at 22:36
  • @Coding `userName`, `.issued` and `.expires` are not valid JWT fields. See [here](https://jwt.io/) for basic information – Camilo Terevinto Mar 14 '18 at 22:37
  • @Coding JWT has 3 parts separated by `.` and can't have characters like `_` because it is base64 encoding. It may, however, be an encrypted JWT token, as the code seems to use something called a DataProtector that probably encrypts the ticket. – Stilgar Mar 14 '18 at 22:40
  • @CamiloTerevinto that can very well be the case. If this is a non-standard token I guess I will just replace it with a JWT token. However I want to learn the pros and cons if it is possible and why MS went with a non-standard token. – Stilgar Mar 14 '18 at 22:44
  • Not sure if I should post this as an answer: the RFC7519 (the JWT standard) is from May 2015, the post is from June 2014 so the package is at least from that date, so that's why it doesn't use the standard. Notice that there are newer ways to generate JWTs in Web API 2 from other Microsoft packages – Camilo Terevinto Mar 14 '18 at 22:48
  • One thing that worries me a bit is that the old token seems to be encrypted while JWT is not. I am not going to put anything sensitive in the token, but I'd like to be on the safe side in case some other dev comes along later and adds a claim that should not be known to anyone but the server – Stilgar Mar 14 '18 at 22:51
  • Not really, see [this post](https://stackoverflow.com/questions/34235875/should-jwt-web-token-be-encrypted) – Camilo Terevinto Mar 14 '18 at 22:53
  • Thanks, I will try to use this encrypted version. I still want to know about the current token though so I'll leave the question :) – Stilgar Mar 14 '18 at 22:56
  • Have a look at [this post](https://stackoverflow.com/questions/26766530/how-to-unencrypt-web-api-2-jwt-tokens) for more info on the token format. – iandayman Mar 14 '18 at 23:20
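As an added example (not code from the question, from OWIN or from any Microsoft package), here is a shape check that tells a JWS-format JWT apart from an opaque ticket like the one above. Note that base64url does permit `-` and `_`; what marks the token in the question as non-JWT is the absence of three dot-separated segments with a JSON header. The demo secret, claims and the short opaque sample are constructed.

```python
import base64
import hashlib
import hmac
import json

B64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def _b64url_decode(segment: str) -> bytes:
    # base64url (RFC 4648 section 5): unpadded, '-' and '_' instead of '+' and '/'.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def classify_bearer_token(token: str) -> dict:
    """Return {'kind': 'jwt', 'header': ..., 'claims': ...} for a JWS-shaped token,
    or {'kind': 'opaque'} for anything else (e.g. an OWIN DataProtector ticket).
    This recognises the wire shape only; it does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3 or not all(p and set(p) <= B64URL_ALPHABET for p in parts):
        return {"kind": "opaque"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return {"kind": "opaque"}
    if not isinstance(header, dict) or "alg" not in header:
        return {"kind": "opaque"}
    return {"kind": "jwt", "header": header, "claims": claims}


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Constructed HS256 JWT for the demo; a real issuer would use a JWT library."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(x, separators=(",", ":")).encode())
        for x in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


# Constructed samples: an opaque ticket in the shape of the question's token, and a JWT.
OPAQUE_TOKEN = "NXNps5iEafO6v2QMGOpXCGXBNVQw1DQTr9nV9JgG1XIRxEG9_3eliy4MQ3a050GKDQEBuQ"
JWT_TOKEN = make_hs256_jwt({"sub": "user@example.com", "exp": 1552602419}, b"demo-secret")
```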
