Web API Security: JSON Web Token/OAuth2 with Thinktecture.IdentityModel AuthenticationHandler

(OK – I only included OAuth2 in the title to get your attention – this applies to whatever framework or technology you use to work with JSON web tokens aka JWTs)

Following the pattern from my two previous posts, you can also validate JWTs with a simple extension method over the basic AddMapping functionality.

For validating a JWT you need to specify three items:

  • The name of the issuer that you expect the JWT to come from (an identity provider or authorization server)
  • The expected audience (a symbolic name of the service consuming the JWT)
  • The key material to validate the signature (either a symmetric key or a X.509 certificate)

The following method adds a mapping for an incoming Authorization header with a scheme of Bearer – the response will also contain the Bearer scheme. The key used is a symmetric key:

authentication.AddJsonWebToken(

    issuer: Constants.IdSrv.IssuerUri,

    audience: Constants.Audience,

    signingKey: Constants.IdSrv.SigningKey);

 

The current extension methods of IdentityModel uses my own JWT implementation – but in the sample (as well as in the latest IdentityServer version) I have already switched to Microsoft’s JWT handler. The signature of the extension methods stay the same.

Given the flexibility of the AuthenticationHandler, you can also fetch the JWT from other places like an alternative header or a query string. Another emerging pattern is to return the audience of the service and the URL of the token endpoint in the 401 response – again – easy to accomplish:

authentication.AddJsonWebToken(
    issuer: Constants.IdSrv.IssuerUri,
    audience: Constants.Audience,
    signingKey: Constants.IdSrv.SigningKey,
    options: AuthenticationOptions.ForAuthorizationHeader("Bearer"),
    scheme: AuthenticationScheme.SchemeAndChallenge(
        "urn:myapi", "url=https://idsrv.local/issue/token"));

 

HTH

This entry was posted in .NET Security, IdentityModel, IdentityServer, OAuth, WebAPI. Bookmark the permalink.

5 Responses to Web API Security: JSON Web Token/OAuth2 with Thinktecture.IdentityModel AuthenticationHandler

  1. Pingback: ASP.NET Web API Authentication: Using multiple (simultaneous) Authentication Methods with Thinktecture AuthenticationHandler | www.leastprivilege.com

  2. bingles says:

    This is great. Thanks for the post. Am I correct in understaning this just covers consuming a token? Where can I find resources on how to generate JWT tokens from identity server from a custom implementation of IUserRepository?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s