2

I have an ASP.NET Core 2 Web Application and I am using the [Authorize] attribute on the controllers that require authentication. As authentication mechanism, I am using JWT which I could configure in the Startup class using

.AddJwtBearer(options => {
    options.Audience = "....";
    options.Authority = "....";
});

This would work great. My problem is that I don't have the information for audience and authority at startup and I need to configure this at runtime.

Is there any way to do this?

Kirill Kobelev
  • 10,252
  • 6
  • 30
  • 51
NuhRuqa
  • 21
  • 2
  • I don't know whether is there a way or not to do what you are asking but... once the *Startup* class has executed *ConfigureServices* and *Configure* methods your Web Application will be Up&Running and ready to receive requests. So, when would you know this information about *audience and authority*? – Sebastian Inones Dec 17 '19 at 21:28
  • Basically the first user accessing the web application will do a setup. The information about audience and authority will be known at some point at runtime when this user calls a public route, which is also when I want to try and reconfigure the authentication. – NuhRuqa Dec 17 '19 at 21:40
  • @NuhRuqa give a look to this example https://github.com/aspnet/AuthSamples/tree/master/samples/DynamicSchemes – Enrico Massone Dec 17 '19 at 22:08

2 Answers2

1

You can try :

  1. Register multi jwt authentication schema and dynamically choose the needed schema based on parameter/reqeust header value in request . Click here for code sample .

  2. Config and replace your ISecurityTokenValidator. Use DI to inject IHttpContextAccessor to read data from request .Click here and here for code sample .

  3. Manually validating a JWT token with JwtSecurityTokenHandler . Click here for code sample .

Nan Yu
  • 26,101
  • 9
  • 68
  • 148
0

It is worth understanding the extensibility points also, since Microsoft provide a customizable framework. Some people (including myself) prefer a library based approach to dealing with JWTs.

This is possible via a CustomAuthenticationHandler, and its implementation can use a JWT library. My code example uses jose-jwt via this handler class.

This enables you to validate JWTs however you like and take closer control over behaviour. Hopefully it provides an idea or two for your own solution. Further details in this blog post.

Gary Archer
  • 22,534
  • 2
  • 12
  • 24