Authorize via JWT Token

Frontend · Unresolved · 2 answers · 1102 views
走了就别回头了 2020-12-18 07:41

ASP.NET Core 5 with ASP.NET Identity 3.0, I'm using both web pages and APIs. I am using OpenIddict to issue a JWT token and to authenticate. My code looks as such:

2 answers

情歌与酒 2020-12-18 08:00

    If I disable UseJsonWebTokens(), I can generate a token and authorise successfully. However, I am not sure that my certificate is validating the returned tokens.

    In ASOS (the OpenID Connect server framework behind OpenIddict), there are 2 different built-in serialization mechanisms to create and protect tokens:

    • One that uses IdentityModel (a library developed by Microsoft) and produces standard tokens verifiable by third parties:

    Identity tokens (JWT by definition) are always created using this process and you can call UseJsonWebTokens() to force OpenIddict to issue access tokens that use the same serialization process.

    The certificate you specify when calling AddSigningCertificate() is always used to sign these tokens.

    • One that uses the ASP.NET Core Data Protection stack (also developed by Microsoft):

    This stack exclusively produces "proprietary" tokens that are not meant to be read or verified by a third-party, as the token format is not standard and necessarily relies on symmetric signing and encryption.

    It's the mechanism we use for authorization codes and refresh tokens, that are only meant to be consumed by OpenIddict itself. It's also used for access tokens when you use the default token format.

    In this case, the certificate you specify when calling AddSigningCertificate() is not used.

    Instead, these tokens are always encrypted by the Data Protection stack using an Authenticated Encryption algorithm (by default, AES-256-CBC with HMACSHA256), that provides authenticity, integrity and confidentiality. For that, 2 keys (one for encryption, one for validation) are derived by the Data Protection stack from one of the master keys stored in the key ring.

    How can I enforce the request to be validated with my certificate to make sure the JWT token is not tampered with? What are the correct settings that will allow validation and authorisation of my JWT token, given that if I am not using JWT, I am getting authorised successfully?

    To answer these questions, it would help if you enabled logging and shared your traces.
