So I am getting a JWT from a web call that comes from Service A to secure Service B with the same token. Unfortunately it uses a third party library so I don't know the exact key it issues, but I can see its payload just fine. Is there a way I can make my service know the token is okay somehow? I tried this in Startup.ConfigureServices

services.AddAuthentication()
    .AddJwtBearer(options =>
    {
        options.Events = new JwtBearerEvents
        {
            // Pull the raw token out of "Authorization: Bearer <token>" by hand
            OnMessageReceived = context =>
            {
                var accessToken = context.Request.Headers["Authorization"].FirstOrDefault()?.Split(" ")?.Last() ?? string.Empty;
                if (!string.IsNullOrEmpty(accessToken))
                    context.Token = accessToken;

                return Task.CompletedTask;
            }
        };
    });

Now this gets the JWT I expect and in a test case let's say this: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0LmNvbSJ9.XzkQ9hQ0JyhQDpFZ00Ukc_5ickUmjxVUBvlMrcEeycw

There is nothing wrong here and the 'context.Token' is getting set, but when I do this:

[Authorize(AuthenticationSchemes = "Bearer")]
[Route("[controller]/[action]")]
public class JobsUpdateController : ControllerBase

I get a 401 no matter what when using the '[Authorize(AuthenticationSchemes="Bearer")]'. Is there any way I can do a custom authorize? Otherwise I was thinking of doing some long form of setting my own authentication method and maybe making a custom attribute. But I was hoping I could just get the startup working for this if I know the 'issuer' and several other keys in the payload of what I expect.

  • Why doesn't it have an exp (expiration time) claim? You might have to disable lifetime validation (or other parameters) in options.TokenValidationParameters. It would not be as secure, if at all, given you don't have a public key to validate the signature. Commented Sep 10, 2021 at 13:01
  • @abdusco Oh it does, ultimately I just want to start small and get one thing working at a time with the smallest example possible. Ultimately I do want to validate the exp, audience, and key as well, but I just want to build it one at a time to ensure it's working on the overall [Authorize(AuthenticationSchemes = "Bearer")] on the Controller. Commented Sep 10, 2021 at 16:53
  • Why do you need to hook into the OnMessageReceived event? ASP.NET Core extracts the token itself. github.com/dotnet/aspnetcore/blob/… Commented Sep 10, 2021 at 17:09
  • Don't know, I saw it on a tutorial. Thus far nothing is working. Commented Sep 10, 2021 at 17:11
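The question asks how Service B can know the token is genuine when all it can see is the payload. It cannot: the payload is just base64url-encoded JSON that anyone can write, and the only thing that makes a JWT trustworthy is its signature. The token shown has `"alg":"HS256"` in its header, so Service B needs the same shared secret Service A signs with, handed over out of band. The Startup below is an added example, not code from the question or the answer, showing the bearer configuration once that secret is available. The configuration key name `Jwt:SigningKey`, the audience value `service-b` and the 30-second clock skew are assumptions for illustration; the issuer value is taken from the `iss` claim of the token in the question.

```csharp
using System;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // Secret shared with Service A, obtained out of band. "Jwt:SigningKey" is an
        // assumed configuration name; load it from a secret store or environment-
        // specific configuration, never from source. Use at least 32 bytes (256 bits)
        // for HS256.
        var secret = _configuration["Jwt:SigningKey"]
            ?? throw new InvalidOperationException("Jwt:SigningKey is not configured");
        var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));

        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The handler already reads "Authorization: Bearer <token>" itself;
                // no OnMessageReceived hook is required.
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Signature: the only thing that makes the payload trustworthy.
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = signingKey,
                    // Refuse any header "alg" other than HS256 ("none", RS256, ...).
                    ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },

                    // `iss` must equal the token's value exactly; the token in the
                    // question carries "http://localhost.com".
                    ValidateIssuer = true,
                    ValidIssuer = "http://localhost.com",

                    // `aud`: Service A should name Service B; "service-b" is assumed.
                    ValidateAudience = true,
                    ValidAudience = "service-b",

                    // `exp` / `nbf`, with a tighter tolerance than the default
                    // five minutes of clock skew.
                    ValidateLifetime = true,
                    RequireExpirationTime = true,
                    ClockSkew = TimeSpan.FromSeconds(30),
                };
            });

        services.AddAuthorization();
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // must run before UseAuthorization, or every request is a 401
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

With this in place the `[Authorize(AuthenticationSchemes = "Bearer")]` attribute from the question works as posted. The `"The signature key was not found"` error in the comments below is exactly what the handler reports when no `IssuerSigningKey` (or key resolver) is configured, so supplying the shared secret, not relaxing validation, is the fix. If Service A ever moves to an asymmetric algorithm such as RS256, `IssuerSigningKey` becomes its public key and `ValidAlgorithms` changes accordingly.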

1 Answer

You can configure JWT validation in options.TokenValidationParameters.

This is NOT secure, and you're basically allowing pretty much any token. But regardless, here it is:

using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(
        options => {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true, // `iss` claim; must match the token's value exactly (the token in the question carries "http://localhost.com")
                ValidIssuers = new []{"https://localhost:1234"},
                ValidateAudience = false, // `aud` claim
                ValidateLifetime = false, // `exp`, `nbf` claims
                ValidateIssuerSigningKey = false, // signature
                // Replaces signature checking with a plain parse, so anyone who can
                // build a JWT with the right `iss` gets through
                SignatureValidator = (token, parameters) => new JwtSecurityToken(token), // don't validate signature
            };
        });
6 Comments

  • It looks like it should work but I still get a 401. Maybe I am doing something wrong on the controller attribute? imgur.com/a/pD4P8OO
  • The return header says: 'Bearer error="invalid_token", error_description="The signature key was not found"'
  • Try adding a dummy SignatureValidator. See my answer
  • Yeah, still not working whenever I put it at the top of the controller: [Authorize(AuthenticationSchemes = "Bearer")]. Do I need some other scheme?
  • @djangojazz Just tried, my code works with the token you posted when I add SignatureValidator. I can read claims just fine. i.sstatic.net/CXWV6.png. This is the configuration: i.sstatic.net/1F6Ze.png
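To show concretely what the answer's no-op `SignatureValidator` gives up, here is an added console program, not part of the original answer, that mints a token the way a minimal Service A would, then forges one with a different `sub` signed under a key the attacker picked, and runs both through the answer's parameters and through parameters that verify the shared key. The answer's configuration accepts the forgery; the strict one throws on it. The secret, issuer and audience strings are constructed for the demo, and the issuer is set to the `iss` value of the token in the question rather than the answer's placeholder.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtForgeryDemo
{
    // Demo values, not real configuration.
    private const string Issuer = "http://localhost.com";
    private const string Audience = "service-b";
    private const string SharedSecret = "demo-secret-shared-by-service-a-and-b!!"; // 39 bytes, >= 256 bits

    // Signs claims the way a minimal Service A would.
    private static string Mint(string subject, string secret)
    {
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, subject) },
            notBefore: DateTime.UtcNow.AddMinutes(-1),
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // The answer's configuration: issuer checked, signature replaced by a parse.
    private static readonly TokenValidationParameters Permissive = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = Issuer,
        ValidateAudience = false,
        ValidateLifetime = false,
        ValidateIssuerSigningKey = false,
        SignatureValidator = (token, parameters) => new JwtSecurityToken(token),
    };

    // What Service B should use: the shared key plus the standard claim checks.
    private static readonly TokenValidationParameters Strict = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SharedSecret)),
        ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
        ValidateIssuer = true,
        ValidIssuer = Issuer,
        ValidateAudience = true,
        ValidAudience = Audience,
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromSeconds(30),
    };

    // Returns the subject the validator accepted, or null when it throws.
    private static string Validate(string jwt, TokenValidationParameters parameters)
    {
        try
        {
            var principal = new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            // JwtSecurityTokenHandler maps "sub" to NameIdentifier by default; fall back to the raw name.
            return principal.FindFirst(ClaimTypes.NameIdentifier)?.Value
                ?? principal.FindFirst(JwtRegisteredClaimNames.Sub)?.Value;
        }
        catch (SecurityTokenException ex)
        {
            Console.WriteLine($"  rejected: {ex.GetType().Name}");
            return null;
        }
    }

    public static void Main()
    {
        var genuine = Mint("user-1234", SharedSecret);
        // Attacker: same claim layout, a subject of their choosing, signed with a key Service B never agreed on.
        var forged = Mint("admin", "attacker-chosen-secret-that-b-never-agreed-on");

        Console.WriteLine("Permissive (answer's configuration):");
        Console.WriteLine($"  genuine -> {Validate(genuine, Permissive)}");
        Console.WriteLine($"  forged  -> {Validate(forged, Permissive)}");

        Console.WriteLine("Strict (shared key verified):");
        Console.WriteLine($"  genuine -> {Validate(genuine, Strict)}");
        Console.WriteLine($"  forged  -> {Validate(forged, Strict)}");
    }
}
```

The permissive path never looks at the signature bytes at all, so the `iss` check it keeps is no obstacle: the attacker simply writes the expected issuer into their own payload. The strict path fails the forged token on its signature before any claim is trusted, which is the behaviour the `ValidateIssuerSigningKey` / `IssuerSigningKey` pair exists to give.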