I am new to JWT in .NET Core Web API. In our application, we are getting the access_token from the Microsoft site: https://login.microsoftonline.com/

We would like to validate the token (RS256 algorithm) in the .NET Core API, but we don't have the PUBLIC KEY.

Note: I already have a token. How can we validate the JWT with our public key or anything else? I only have an access token.

Ali

1 Answer

With JWT you basically have two scenarios:

  • you created the JWT yourself and you know the keys used for it. Then you can write the validation yourself, or pass the parameters to the .NET Core pipeline.
  • you got the JWT from an external authority. In this case the authority (in your particular case, Microsoft) knows how to validate the JWT.

The authority will implement the JWT protocol and expose it via a URL. Normally you need to know two things: the authority and the audience (the recipient of the token).

Now the good news is that .NET Core handles the protocol details for you; all you need to do is set up the authentication pipeline. This is what it boils down to:

```csharp
using System.Text;
using Microsoft.IdentityModel.Tokens;

services.AddAuthentication()
    .AddJwtBearer("schemeName", options =>
    {
        options.Audience = "your audience";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "your domain",
            ValidateAudience = true,
            ValidAudience = "your audience",
            ValidateIssuerSigningKey = true,
            // Set either IssuerSigningKeys (e.g. the Keys of a JsonWebKeySet) or
            // IssuerSigningKey (below), just one of them
            IssuerSigningKeys = jwks,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)), // your encoding etc. may differ
            RequireSignedTokens = true,
            RequireExpirationTime = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero,
            ValidAlgorithms = new[] { SecurityAlgorithms.EcdsaSha256 }, // your algorithm may differ; RS256 is SecurityAlgorithms.RsaSha256
        };
    });
```

For details, do some reading on JWT authentication in .NET Core, e.g. "JWT Validation and Authorization in ASP.NET Core". There are a lot of articles on the topic.

Maxim Zabolotskikh
  • I'm the issuer, and when I try to access an `Action` with `Authorize` in my client app I get the error `System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII of type 'System.String' is hidden. ` --> because `options.Authority = "https://localhost:7206/"` (which is my token generator Web API) seems to be incorrect. Audience and Authority are set the same in the token generator Web API and in the client app – sTx Feb 08 '23 at 20:36
  • Now that I activated ShowPII, my error is this: `System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://localhost:7206/.well-known/openid-configuration'` and I understand that the real issue is the lack of 'https://localhost:7206/.well-known/openid-configuration', which doesn't exist --> can I implement a mechanism to return what it expects to receive from OpenID Connect Discovery? – sTx Feb 08 '23 at 21:01
  • @sTx Try not to set "Authority" in options. If this works, please comment, I'll revise my answer. Authority basically sets all those OpenID things rolling, which for custom validation you actually do not need, because you validate the Issuer yourself (as the Issuer is often the Authority) – Maxim Zabolotskikh Feb 09 '23 at 13:02
  • You say to implement it with TokenValidationParameters? You can check my post here and how I managed to solve it for the moment: https://stackoverflow.com/questions/75303148/jwt-token-authentication-fetch-public-key-from-api-and-use-it-in-tokenvalidati – sTx Feb 09 '23 at 19:03
  • If I only remove the `Authority` I get this error: `Bearer error="invalid_token", error_description="The signature key was not found"`, which is expected because it doesn't know where to get the public key – sTx Feb 09 '23 at 19:08
  • @sTx You have to provide your key in options, see updated answer – Maxim Zabolotskikh Feb 10 '23 at 08:53
  • Where do you get `IssuerSigningKey` or `IssuerSigningKeys`? Because if you use `TokenValidationParameters` you need to have the secret key or public key somewhere: hardcoded, in `appsettings.json`, or in an external file on the same server – sTx Feb 10 '23 at 11:55
  • I get them from an Azure KeyVault. Hardcoded or in appsettings.json is not a good idea. There is secrets.json also (https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-7.0&tabs=windows), but for a production environment you will need something more. – Maxim Zabolotskikh Feb 10 '23 at 13:01
  • yeah... I'm in a closed environment and cannot use any external deposit server – sTx Feb 10 '23 at 13:34
  • This may be interesting for you: https://stackoverflow.com/questions/12461484/is-it-secure-to-store-passwords-as-environment-variables-rather-than-as-plain-t – Maxim Zabolotskikh Feb 13 '23 at 08:13
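As an added example (not the answer's or the questioner's code), the following .NET 6 console program shows both halves the answer and the comment thread describe: an issuer signing an RS256 token, and an API validating it with nothing but the public key loaded into a JsonWebKeySet via TokenValidationParameters, so no Authority or .well-known/openid-configuration endpoint is involved. The issuer and audience strings, the kid and the claims are constructed values, and the program assumes the System.IdentityModel.Tokens.Jwt NuGet package.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Stand-in for the external authority (constructed for this example): the private
// key never leaves the issuer; the API only ever sees the public half.
using var rsa = RSA.Create(2048);
var privateKey = new RsaSecurityKey(rsa) { KeyId = "constructed-kid-1" };
var handler = new JwtSecurityTokenHandler();
handler.InboundClaimTypeMap.Clear(); // keep raw claim names such as "sub"
string jwt = handler.WriteToken(handler.CreateJwtSecurityToken(
    issuer: "https://issuer.example",      // hypothetical issuer
    audience: "api://my-api",              // hypothetical audience
    subject: new ClaimsIdentity(new[] { new Claim("sub", "user-42") }),
    notBefore: DateTime.UtcNow,
    expires: DateTime.UtcNow.AddMinutes(5),
    issuedAt: DateTime.UtcNow,
    signingCredentials: new SigningCredentials(privateKey, SecurityAlgorithms.RsaSha256)));

// What the API holds: the public key only, in the JWKS shape an authority's jwks_uri
// serves (converted in-process here; a deployment would do new JsonWebKeySet(json)).
var publicKey = new RsaSecurityKey(rsa.ExportParameters(false)) { KeyId = privateKey.KeyId };
var jwks = new JsonWebKeySet();
jwks.Keys.Add(JsonWebKeyConverter.ConvertFromRSASecurityKey(publicKey));

var parameters = new TokenValidationParameters
{
    ValidateIssuer = true,
    ValidIssuer = "https://issuer.example",
    ValidateAudience = true,
    ValidAudience = "api://my-api",
    ValidateIssuerSigningKey = true,
    IssuerSigningKeys = jwks.Keys,         // matched to the token header "kid"
    RequireSignedTokens = true,
    RequireExpirationTime = true,
    ValidateLifetime = true,
    ClockSkew = TimeSpan.Zero,
    ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // pin RS256, as the question requires
};

ClaimsPrincipal principal = handler.ValidateToken(jwt, parameters, out SecurityToken validated);
Console.WriteLine($"valid: sub={principal.FindFirst("sub")?.Value}, kid={((JwtSecurityToken)validated).Header.Kid}");

// The same token presented to an API that expects a different audience is rejected.
parameters.ValidAudience = "api://other";
try { handler.ValidateToken(jwt, parameters, out _); }
catch (SecurityTokenInvalidAudienceException ex) { Console.WriteLine($"rejected: {ex.GetType().Name}"); }
```

For a real authority, the JWKS JSON is fetched from the jwks_uri listed in its discovery document and passed to `new JsonWebKeySet(json)`; the rest of the validation is identical.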