
I have a simple module that creates JWT tokens using RsaSha256 (RS256) asymmetric encryption.

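    open System
    open System.Security.Cryptography
    open System.IdentityModel.Tokens.Jwt
    open Microsoft.IdentityModel.Tokens

    // Wrap the RSA key in SigningCredentials for the given algorithm.
    let getSigningCredentials (rsa: RSA) (algo: string) =
        try
            let key = RsaSecurityKey(rsa)
            let signingCredentials = SigningCredentials(key, algo)
            // Disable caching of signature providers for this key.
            signingCredentials.CryptoProviderFactory <- CryptoProviderFactory(CacheSignatureProviders = false)
            Ok signingCredentials
        with ex ->
            Error ex

    let getSigningCredentialsSha256 (rsa: RSA) =
        getSigningCredentials rsa SecurityAlgorithms.RsaSha256

    // jwtSecurityTokenRecord is a record (definition not shown) with the fields
    // Issuer, SigningCredentials, Claims, NotBefore and Expires.
    let createJwtSecurityToken jwtSecurityTokenRecord =
        try
            Ok
                (JwtSecurityToken(
                    issuer = jwtSecurityTokenRecord.Issuer,
                    signingCredentials = jwtSecurityTokenRecord.SigningCredentials,
                    claims = jwtSecurityTokenRecord.Claims,
                    notBefore = Nullable jwtSecurityTokenRecord.NotBefore,
                    expires = Nullable jwtSecurityTokenRecord.Expires))
        with ex ->
            Error ex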

This works well; I can create tokens. I can load them into jwt.io (I know, not a production token) and verify with the public part of the keypair. I use OpenSSL to generate the keypair, so I need to convert the private key to Pkcs8PrivateKey before importing it into the RSA object.

So everything works just fine. Now, I would like to verify the JWT token with the public key using F# (C# code is fine too).

Here is where it gets hairy.

I could not find any documentation on how to do so.

The only validation method I was able to find uses the signing key (private key) for the verification.


    let validateJwtToken (rsa: RSA) (tokenString: string) =
        try
            let tokenValidationParameters =
                TokenValidationParameters(
                    ValidateIssuerSigningKey = true,
                    // Key used to check the token's signature.
                    IssuerSigningKey = RsaSecurityKey rsa,
                    ValidateIssuer = false,
                    ValidateAudience = false,
                    ClockSkew = TimeSpan.Zero
                )
            Ok (JwtSecurityTokenHandler().ValidateToken(tokenString, tokenValidationParameters, ref null))
        with ex ->
            Error ex

Is there a way / method to verify a JWT token with the public key?

I am using System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens.

Istvan
  • Many examples here for C#, e.g.: https://stackoverflow.com/questions/34403823/verifying-jwt-signed-with-the-rs256-algorithm-using-public-key-in-c-sharp Should be easy to translate to F#. – jps Oct 29 '20 at 19:48
  • Thanks, I have totally missed that. I am going to port it. – Istvan Oct 29 '20 at 21:00
  • I have reviewed this code, but it does not cut it for me. I need a simpler approach without splitting the token etc. I am pretty sure the library supports that in some form. – Istvan Oct 29 '20 at 21:07
  • I had posted an answer but I deleted it because it was the same thing you had. I believe the only way to validate a token is using the public key. The private key is used to generate the token. So, I think your code already does that. Of course I may be wrong. – AMieres Oct 29 '20 at 23:00
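
Added example (not part of the original question or its comments): `ValidateToken` needs only the public half of the key pair, which this script shows by loading just the SubjectPublicKeyInfo bytes into a fresh `RSA` object and validating a token with it. The key pair, the `demo-issuer` and `sub` values and the helper names `publicOnlyKey`, `validateWithPublicKey` and `describe` are constructed for this illustration; it assumes `dotnet fsi` on .NET 5 or later and a package version that has `ValidAlgorithms`.

```fsharp
#r "nuget: System.IdentityModel.Tokens.Jwt"
open System
open System.Security.Claims
open System.Security.Cryptography
open System.IdentityModel.Tokens.Jwt
open Microsoft.IdentityModel.Tokens

// Constructed demo key pair; publicSpki is only its public half (DER SubjectPublicKeyInfo).
let signerRsa = RSA.Create(2048)
let publicSpki : byte[] = signerRsa.ExportSubjectPublicKeyInfo()

// Issuer side: sign with the private key, as in the question.
let token =
    let creds = SigningCredentials(RsaSecurityKey signerRsa, SecurityAlgorithms.RsaSha256)
    let jwt =
        JwtSecurityToken(
            issuer = "demo-issuer", claims = [ Claim("sub", "alice") ],
            notBefore = Nullable(DateTime.UtcNow),
            expires = Nullable(DateTime.UtcNow.AddMinutes 5.0),
            signingCredentials = creds)
    JwtSecurityTokenHandler().WriteToken(jwt)

// Verifier side: an RSA object that has only ever been given the public key.
let publicOnlyKey (spki: byte[]) =
    let rsa = RSA.Create()
    let mutable bytesRead = 0
    rsa.ImportSubjectPublicKeyInfo(ReadOnlySpan<byte>(spki), &bytesRead)
    RsaSecurityKey rsa

let validateWithPublicKey (key: RsaSecurityKey) (tokenString: string) =
    let parameters =
        TokenValidationParameters(
            IssuerSigningKey = key,
            ValidAlgorithms = ([ SecurityAlgorithms.RsaSha256 ] :> seq<string>), // accept RS256 only
            ValidIssuer = "demo-issuer",
            ValidateAudience = false, ClockSkew = TimeSpan.Zero)
    try
        let mutable validated : SecurityToken = null
        Ok(JwtSecurityTokenHandler().ValidateToken(tokenString, parameters, &validated))
    with ex -> Error ex

let describe (result: Result<ClaimsPrincipal, exn>) =
    match result with
    | Ok _ -> "signature valid"
    | Error ex -> "rejected: " + ex.GetType().Name

printfn "matching public key:  %s" (describe (validateWithPublicKey (publicOnlyKey publicSpki) token))
let unrelated = publicOnlyKey (RSA.Create(2048).ExportSubjectPublicKeyInfo())
printfn "unrelated public key: %s" (describe (validateWithPublicKey unrelated token))
```

A PEM public key produced by OpenSSL can be loaded into the verifier's `RSA` object with `ImportFromPem` on .NET 5 or later instead of the DER bytes used here.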

0 Answers