
Well, I'm trying to use ASP.NET Core 2.1 with OAuth2 to authenticate against an IdP (Identity Provider), so I have the following:

services.AddAuthentication()
    .AddJwtBearer(options =>
    {
        // The API resource scope issued in authorization server
        options.Audience = "resource.server.api";
        // URL of my authorization server
        options.Authority = "https://myidp.com.br";
    });

// Making JWT authentication scheme the default
services.AddAuthorization(options =>
{
    options.DefaultPolicy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser()
        .Build();
});

When I try to call my API through Postman, I get the following:

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://myidp.com.br/.well-known/openid-configuration'.

Well, I don't have a well-known URL in my IdP and I can't add it at this point of the project. Is there another way to configure the URLs manually without well-known?

Another important thing: we have a URL https://myidp.com.br/oauth/tokeninfo that checks whether a JWT token is valid or not.

Ronaldo Lanhellas

1 Answer

I assume you are using asymmetric keys. Usually, the public key information is automatically retrieved from the discovery document. If you need to specify it manually, you'll need to get the key parameters and create a SecurityKey object. You can refer to the links below for code samples:

https://github.com/IdentityServer/IdentityServer4/blob/master/samples/Clients/src/MvcManual/Controllers/HomeController.cs#L148

Verifying JWT signed with the RS256 algorithm using public key in C#

You can also write a custom JwtSecurityTokenHandler in the System.IdentityModel.Tokens.Jwt package, and override the ValidateToken event to implement the custom validation logic.

You can also avoid using the AddJwtBearer middleware; the code sample is the same as above: create your keys and apply them to the validation.

Normally, the process of validating a token is:

  • Decode token
  • Validate claims(issuer,audience,expire time...)
  • Validate signature
  • Creating user principal and sign in user

Updated:

You can also add your own signature validation to the TokenValidationParameters:

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// Reused for every validation call; creating a new HttpClient per token exhausts sockets.
var tokenInfoClient = new HttpClient();

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.RequireHttpsMetadata = false;
    options.SaveToken = true;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = false,
        ValidateAudience = false,
        // Replaces the built-in signature check: the IdP decides whether the token is valid.
        SignatureValidator = delegate (string token, TokenValidationParameters parameters)
        {
            var jwt = new JwtSecurityToken(token);

            var requestData = new HttpRequestMessage
            {
                Method = HttpMethod.Get,
                RequestUri = new Uri("xxxxxx"), // your token-check endpoint
            };
            // Pass the token to your endpoint and check the result.
            requestData.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

            // SignatureValidator is synchronous, so the call has to block.
            using (var response = tokenInfoClient.SendAsync(requestData).GetAwaiter().GetResult())
            {
                if (!response.IsSuccessStatusCode)
                {
                    throw new SecurityTokenInvalidSignatureException("Token signature validation failed.");
                }
            }

            return jwt;
        }
    };
});
Nan Yu
  • But I don't want to validate the token in offline mode. I would like to call my IdP to validate it for me. – Ronaldo Lanhellas Oct 14 '19 at 11:17
  • That's up to you how to get the keys, you can get keys from idp in above options, they all support customize logic – Nan Yu Oct 14 '19 at 11:25
  • In my IdP I have a URL /tokeninfo and I can use it to validate the token (return 200 if ok). – Ronaldo Lanhellas Oct 14 '19 at 11:27
  • @RonaldoLanhellas Then write your custom code to make an http client request to get the result, for example, in SignatureValidator. See updated reply – Nan Yu Oct 14 '19 at 11:50
  • It works, but I think it is very strange .NET Core 2.1 doesn't have any easy way (like Spring Security) to insert a URL Tokeninfo in properties without any code. – Ronaldo Lanhellas Oct 14 '19 at 18:15
  • The default logic is to consume metadata to retrieve keys for validating. You need to customize the logic. In addition, please mark as answer which may help others who meet the same problem – Nan Yu Oct 15 '19 at 01:14
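The following is an added example, not code from the question, the answer or the comments above. It puts together the two things the thread discusses: the answer's advice to build a SecurityKey from the key parameters instead of relying on the discovery document, and the questioner's wish to have the IdP's /oauth/tokeninfo endpoint confirm the token. Assumptions: the IdP's RSA public key is obtained out of band as base64url modulus/exponent (the caller passes them; no key material is embedded), tokens carry iss "https://myidp.com.br" and aud "resource.server.api" as in the question, and https://myidp.com.br/oauth/tokeninfo accepts the token in a Bearer header and answers 200 only for a token it still considers valid (the header format is an assumption; the question only says it returns 200 if ok). The class name ManualJwtSetup and the "idp" client name are made up for this example.

```csharp
// Added example: not code from the question or the answer above.
// Assumptions: RSA public key supplied out of band as base64url modulus/exponent,
// iss/aud as in the question, and /oauth/tokeninfo accepting a Bearer header.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class ManualJwtSetup
{
    // Builds the SecurityKey the answer refers to from the key parameters,
    // so nothing has to be fetched from /.well-known/openid-configuration.
    public static RsaSecurityKey KeyFromParameters(string modulusB64Url, string exponentB64Url, string keyId)
    {
        var parameters = new RSAParameters
        {
            Modulus = Base64UrlEncoder.DecodeBytes(modulusB64Url),
            Exponent = Base64UrlEncoder.DecodeBytes(exponentB64Url),
        };
        return new RsaSecurityKey(parameters) { KeyId = keyId };
    }

    // Call from Startup.ConfigureServices; app.UseAuthentication() stays in Configure.
    public static void Configure(IServiceCollection services, RsaSecurityKey idpKey)
    {
        // One pooled client for the IdP instead of a new HttpClient per request.
        services.AddHttpClient("idp", client => client.BaseAddress = new Uri("https://myidp.com.br/"));

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            // No Authority / MetadataAddress: the handler never looks for the discovery document,
            // so RequireHttpsMetadata is irrelevant here.
            options.TokenValidationParameters = new TokenValidationParameters
            {
                // Signature is checked locally against the pinned key ...
                IssuerSigningKey = idpKey,
                ValidateIssuerSigningKey = true,
                // ... and the standard claims are still enforced, unlike a
                // ValidateIssuer = false / ValidateAudience = false setup.
                ValidateIssuer = true,
                ValidIssuer = "https://myidp.com.br",
                ValidateAudience = true,
                ValidAudience = "resource.server.api",
                ValidateLifetime = true,
                ClockSkew = TimeSpan.FromMinutes(1),
            };

            options.Events = new JwtBearerEvents
            {
                // Runs only after the local checks passed. The IdP is then asked whether
                // the token is still valid, which catches revocation that a pure
                // signature check cannot see.
                OnTokenValidated = async context =>
                {
                    var jwt = (JwtSecurityToken)context.SecurityToken;

                    // Refuse anything but the algorithm the key was provisioned for.
                    if (jwt.Header.Alg != SecurityAlgorithms.RsaSha256)
                    {
                        context.Fail("Unexpected JWT alg: " + jwt.Header.Alg);
                        return;
                    }

                    var factory = context.HttpContext.RequestServices.GetRequiredService<IHttpClientFactory>();
                    var client = factory.CreateClient("idp");

                    using (var request = new HttpRequestMessage(HttpMethod.Get, "oauth/tokeninfo"))
                    {
                        // Assumption: tokeninfo reads the token from the Authorization header.
                        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", jwt.RawData);
                        using (var response = await client.SendAsync(request, context.HttpContext.RequestAborted))
                        {
                            if (!response.IsSuccessStatusCode)
                            {
                                context.Fail("tokeninfo rejected the token with HTTP " + (int)response.StatusCode);
                            }
                        }
                    }
                }
            };
        });
    }
}
```

From ConfigureServices, call ManualJwtSetup.Configure(services, ManualJwtSetup.KeyFromParameters(modulus, exponent, keyId)) with the values your IdP publishes. The order matters: the pinned-key, issuer, audience and lifetime checks run first and cost nothing, and only a token that survives them causes a round trip to tokeninfo. If the IdP rotates keys, KeyFromParameters has to be fed the new parameters, which is exactly the work the discovery document normally does for you.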