
It seems that my problem is exactly as described here: Verifying JWT signed with the RS256 algorithm using public key in C#. But I fail to understand the reply. Hoping somebody can help.

My C# code gets a token and a key (in a JSON file) from an external server. After extracting them, I can read the token but must verify that the key is valid. How can I verify the key?

In the example above, Dmitry writes that he has a token and a key, but in the solution I don't see the key being used...

That is my code:

using System;
using System.IdentityModel.Tokens.Jwt;
using Newtonsoft.Json.Linq;

private string key;

public JwtSecurityToken getUnsignedProperies(string signedUserProperties)
    {
        JObject jsonNode = JObject.Parse(signedUserProperties);
        if (jsonNode["error"] != null)
        {
            throw new Exception(jsonNode["error"].ToString());
        }
        key = jsonNode["publicKey"].ToString();

        string signature = jsonNode["token"].ToString();

        // This constructor only decodes the token; it does not check the signature.
        JwtSecurityToken token = new JwtSecurityToken(signature);
        return token;
    }

and I have to verify the key before returning it...

Thanks!

  • AFAIK the public key must be retrieved through a different channel (aka request) from the owner. If the key came with the message itself, a man-in-the-middle attack would be possible. For example, to validate a JWT from Microsoft take a look at https://github.com/MicrosoftDocs/azure-docs/issues/89481 – Oliver Mar 21 '23 at 14:55
  • Thanks @Oliver, regarding your comment - that's how it's implemented now; I get it from another application and currently can't change it. But anyway, even if I get the token and key separately, I still need a way to verify the key. It seems that link asks how to get the key, not how to verify it. Am I wrong? – R_B Mar 21 '23 at 16:28
  • How about [this answer](https://stackoverflow.com/a/36175562/1838048)? – Oliver Mar 22 '23 at 06:14
  • Thanks @Oliver, I found the answer, updating in new post. Thanks – R_B Mar 22 '23 at 06:18

1 Answer


I would like to share the solution for beginners (like me) that can find it not clear enough.

The point is that I had to extract the "e" part and the "n" part from my key string and use them in:

    RSAParameters parameters = new RSAParameters {
        Modulus = FromBase64Url("w7Zdfmece8iaB0kiTY8pCtiBtzbptJmP28nSWwtdjRu0f2GFpajvWE4VhfJAjEsOcwYzay7XGN0b-X84BfC8hmCTOj2b2eHT7NsZegFPKRUQzJ9wW8ipn_aDJWMGDuB1XyqT1E7DYqjUCEOD1b4FLpy_xPn6oV_TYOfQ9fZdbE5HGxJUzekuGcOKqOQ8M7wfYHhHHLxGpQVgL0apWuP2gDDOdTtpuld4D2LK1MZK99s9gaSjRHE8JDb1Z4IGhEcEyzkxswVdPndUWzfvWBBWXWxtSUvQGBRkuy1BHOa4sP6FKjWEeeF7gm7UMs2Nm2QUgNZw6xvEDGaLk4KASdIxRQ"),
        Exponent = FromBase64Url("AQAB")
    };
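A complete worked version of what the answer describes, added here as an example that is not code from the original question or answer: it base64url-decodes the JWK's "n" and "e" members, builds an RSA public key from them, and hands that key to TokenValidationParameters so the JWT handler actually checks the signature (plus algorithm, issuer, audience and lifetime) instead of merely decoding the token the way `new JwtSecurityToken(string)` does. The class and method names, the issuer and audience strings, and the sample claim are assumptions made for the demo. One caveat that Oliver's comment raises and that no library call removes: this code can only prove the token was signed by whoever holds the private half of the supplied key; it cannot prove the key itself is the right one. If the key arrives in the same JSON as the token, whoever controls that channel can supply both, so the JWK should be fetched from the issuer's own published keys over a channel the attacker does not control.

```csharp
// Added example, not code from the original question or answer: verify an RS256 JWT
// in C# against an RSA public key delivered as a JWK ({"kty":"RSA","n":"...","e":"AQAB"}).
// Assumes the System.IdentityModel.Tokens.Jwt NuGet package (which pulls in
// Microsoft.IdentityModel.Tokens) and System.Text.Json; issuer, audience and the
// claim below are made up for the demo.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text.Json;
using Microsoft.IdentityModel.Tokens;

public static class JwtRs256Verifier
{
    // base64url (RFC 7515 section 2) -> bytes: restore the standard alphabet and
    // the '=' padding that JWK and JWT encoding strip.
    public static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
            case 1: throw new FormatException("invalid base64url length");
        }
        return Convert.FromBase64String(b64);
    }

    // Build the verification key from the "n" (modulus) and "e" (exponent) members.
    public static RsaSecurityKey KeyFromJwk(string jwkJson)
    {
        using JsonDocument doc = JsonDocument.Parse(jwkJson);
        JsonElement jwk = doc.RootElement;
        if (jwk.GetProperty("kty").GetString() != "RSA")
            throw new SecurityTokenException("expected an RSA JWK");

        RSA rsa = RSA.Create();
        rsa.ImportParameters(new RSAParameters
        {
            Modulus = FromBase64Url(jwk.GetProperty("n").GetString()),
            Exponent = FromBase64Url(jwk.GetProperty("e").GetString())
        });
        return new RsaSecurityKey(rsa);
    }

    // Check signature, algorithm, issuer, audience and lifetime in one call;
    // throws a SecurityTokenException subclass when any of them fails.
    public static ClaimsPrincipal Verify(string token, string jwkJson,
                                         string issuer, string audience)
    {
        var rules = new TokenValidationParameters
        {
            IssuerSigningKey = KeyFromJwk(jwkJson),
            // Pin the algorithm so a header claiming "none" or "HS256" is rejected.
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
            ValidIssuer = issuer,
            ValidAudience = audience,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1)
        };
        return new JwtSecurityTokenHandler().ValidateToken(token, rules, out SecurityToken _);
    }

    // Demo: mint a token with a throwaway key pair, publish only the public half as a
    // JWK, then accept the genuine token and reject one signed with a different key.
    public static void Main()
    {
        const string issuer = "https://issuer.example";   // made up
        const string audience = "my-api";                  // made up
        var handler = new JwtSecurityTokenHandler();

        using RSA signer = RSA.Create(2048);
        RSAParameters pub = signer.ExportParameters(false);   // public half only
        string jwk = JsonSerializer.Serialize(new
        {
            kty = "RSA",
            n = Base64UrlEncoder.Encode(pub.Modulus),
            e = Base64UrlEncoder.Encode(pub.Exponent)
        });

        string Mint(RSA key) => handler.WriteToken(new JwtSecurityToken(
            issuer, audience, new[] { new Claim("sub", "alice") },
            DateTime.UtcNow.AddMinutes(-1), DateTime.UtcNow.AddMinutes(5),
            new SigningCredentials(new RsaSecurityKey(key), SecurityAlgorithms.RsaSha256)));

        ClaimsPrincipal principal = Verify(Mint(signer), jwk, issuer, audience);
        // The handler maps the "sub" claim to ClaimTypes.NameIdentifier by default.
        Console.WriteLine("genuine token accepted, sub = "
                          + principal.FindFirst(ClaimTypes.NameIdentifier)?.Value);

        using RSA impostor = RSA.Create(2048);
        try
        {
            Verify(Mint(impostor), jwk, issuer, audience);
            Console.WriteLine("BUG: token signed with the wrong key was accepted");
        }
        catch (SecurityTokenException ex)
        {
            Console.WriteLine("wrong-key token rejected: " + ex.GetType().Name);
        }
    }
}
```

In the question's scenario the JWK string would replace the self-generated one (the value read from `jsonNode["publicKey"]`) and the token the value read from `jsonNode["token"]`; everything else stays the same. The `ValidAlgorithms` pin matters because a handler that accepts whatever `alg` the header declares will also happily accept a token whose header says `none`.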