10
votes

I'm currently trying to create a proof of concept for claims based authentication for a new app using a combination of the following technologies: Web API 2, OWIN middleware and JWT.

To keep things simple I started with the Web API 2 project template and changed the authentication to 'Individual User Accounts'. The sample client I created was then able to get a token by calling /Token and was able to call a sample endpoint with the OAuth bearer token. So far so good. I then added the following code to Startup.Auth.cs to try and enable JwtBearerAuthentication:

    // audiences (string[]), issuer (string) and signingKey (byte[]) are defined earlier in Startup.Auth.cs
    var jwtOptions = new JwtBearerAuthenticationOptions
    {
        AllowedAudiences = audiences,
        IssuerSecurityTokenProviders = new[] { 
            new SymmetricKeyIssuerSecurityTokenProvider(issuer, signingKey) }
    };

    // Registers the bearer middleware that validates incoming JWTs
    app.UseJwtBearerAuthentication(jwtOptions);

I expected that Web API 2 would start returning JWTs from the call to /Token, but it doesn't appear to have done anything. I've been banging my head against this for a few days with no success and the Microsoft documents aren't very forthcoming.

I also tried adding the following to my OAuthAuthorizationServerOptions

AuthorizationCodeFormat = new JwtFormat(audience, new SymmetricKeyIssuerSecurityTokenProvider(issuer, signingKey))

I could also be trying to do the completely wrong thing.

Any ideas would be greatly appreciated.

4
I'm currently in the process of creating my own ISecureDataFormat<AuthenticationTicket> and assigning it to AccessTokenFormat – James O'Sullivan

Did you work out a way to change to issuing JWT using your own custom ISecureDataFormat implementation? – Lukie

Did you ever solve this? I'm starting to look at doing the same thing now. – ChrisC

@ChrisC yes. Ended up creating a custom AccessTokenFormat based on ISecureDataFormat<AuthenticationTicket>. The unprotect method was similar to the following: katanaproject.codeplex.com/SourceControl/latest#src/… and we implemented an appropriate protect method. – James O'Sullivan
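An added example of the custom AccessTokenFormat route described in the comments above (this is not code from the question, the comments, or any of the answers): an ISecureDataFormat<AuthenticationTicket> whose Protect mints an HMAC-signed JWT with the JSON Web Token Handler (System.IdentityModel.Tokens.Jwt) and whose Unprotect delegates validation to Katana's own JwtFormat, plus the Startup wiring that plugs it into OAuthAuthorizationServerOptions.AccessTokenFormat and validates the result with UseJwtBearerAuthentication. The issuer, audience and key values, the class name JwtAccessTokenFormat, and the ApplicationOAuthProvider class from the Web API template are assumptions.

```csharp
using System;
using System.IdentityModel.Tokens;   // JwtSecurityTokenHandler, SigningCredentials (System.IdentityModel.Tokens.Jwt package)
using System.Text;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Added example, not the page's or Katana's code: serialises the authorization server's
// AuthenticationTicket as a signed JWT, and validates it again via Katana's JwtFormat.
public class JwtAccessTokenFormat : ISecureDataFormat<AuthenticationTicket>
{
    private readonly string _issuer;
    private readonly string _audience;
    private readonly byte[] _key;
    private readonly JwtFormat _validator;

    public JwtAccessTokenFormat(string issuer, string audience, byte[] key)
    {
        _issuer = issuer;
        _audience = audience;
        _key = key;
        // Katana's JwtFormat checks signature, issuer, audience and lifetime in Unprotect.
        _validator = new JwtFormat(audience, new SymmetricKeyIssuerSecurityTokenProvider(issuer, key));
    }

    // Called by the OAuth authorization server when it builds the /Token response.
    public string Protect(AuthenticationTicket data)
    {
        if (data == null) throw new ArgumentNullException("data");

        // Honour the lifetime the server put on the ticket; fall back to a short default.
        DateTimeOffset issued = data.Properties.IssuedUtc ?? DateTimeOffset.UtcNow;
        DateTimeOffset expires = data.Properties.ExpiresUtc ?? issued.AddMinutes(20);

        var credentials = new SigningCredentials(
            new InMemorySymmetricSecurityKey(_key),
            SecurityAlgorithms.HmacSha256Signature,   // HS256
            SecurityAlgorithms.Sha256Digest);

        var token = new JwtSecurityToken(
            _issuer, _audience, data.Identity.Claims,
            issued.UtcDateTime, expires.UtcDateTime, credentials);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Used by OAuthBearer middleware (if registered) and the refresh-token path; returns null
    // on any validation failure, which the middleware treats as "no identity".
    public AuthenticationTicket Unprotect(string protectedText)
    {
        return _validator.Unprotect(protectedText);
    }
}

public static class JwtStartupExample
{
    public static void ConfigureAuth(IAppBuilder app)
    {
        const string issuer = "https://issuer.example";   // assumed issuer name
        const string audience = "my-api";                  // assumed audience
        // Constructed key for the example only; a real key comes from protected configuration
        // and must be at least 128 bits for HS256.
        byte[] key = Encoding.UTF8.GetBytes("example-signing-key-that-is-thirty-two-bytes");

        var tokenFormat = new JwtAccessTokenFormat(issuer, audience, key);

        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider("self"),   // assumed: the template's provider class
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            AllowInsecureHttp = false,            // bearer tokens only travel over TLS
            AccessTokenFormat = tokenFormat       // this is what makes /Token return a JWT
        });

        // Resource side: validate the JWTs this server issues, using the same issuer/audience/key.
        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
        {
            AllowedAudiences = new[] { audience },
            IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
            {
                new SymmetricKeyIssuerSecurityTokenProvider(issuer, key)
            }
        });
    }
}
```

Because the authorization server and the bearer middleware share one issuer, audience and key, a token obtained from /Token is accepted by an [Authorize]-protected endpoint in the same app. If the key is rotated, rotate it in both places; a token signed with the old key will then fail validation in Unprotect and the caller gets a 401 rather than a stale identity.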

4 Answers

6
votes

Well, now there is a setting on OAuthAuthorizationServerOptions where you can specify the format of your access token, not the authorization code, as you're doing in your example.

So, instead of:

AuthorizationCodeFormat = new JwtFormat(audience, new SymmetricKeyIssuerSecurityTokenProvider(issuer, signingKey))

You should have:

AccessTokenFormat = new JwtFormat(audience, new SymmetricKeyIssuerSecurityTokenProvider(issuer, signingKey))

5
votes

The Windows Identity Foundation uses a proprietary token format, not JWT. The JWT code you see above is for consuming tokens, not generating them. There is a helpful discussion on the ASP.NET forums.

However, in the second half of 2014 Microsoft officially released support for JWT in Windows Identity Foundation, with the JSON Web Token Handler. You should be able to install and use that package to solve the problem you have described.

0
votes

I don't think there's any current way to override how the token is output in the response. I took a look at the OAuthAuthorizationServerHandler in the Katana source code repository.

You'll see that in the InvokeTokenEndpointAsync method, there is a section that creates a JsonTextWriter which generates the response. It is not done in such a way that any kind of extension would affect it.

I find this frustrating too. Microsoft's library should have some way to easily override the response serialization. You can't even add your own custom parameters to the response.

-2
votes

You can use this sample https://github.com/thinktecture/Thinktecture.IdentityModel/tree/master/samples/OAuth2/EmbeddedResourceOwnerFlow

for writing authentication logic in your project. After that you must add the [Authorize] attribute to each controller or action which requires authorization (OWIN Katana contains the logic of validating the token, authorization and some other useful things).