
Consider this code in my Web API 2 using Owin middleware:

/// <summary>
/// OWIN startup: wires JWT bearer authentication, CORS and Web API into the pipeline.
/// </summary>
public class Startup
{
    /// <summary>
    /// Builds the OWIN pipeline. Authentication is registered before Web API so the
    /// bearer middleware has already run by the time a controller is reached.
    /// </summary>
    /// <param name="app">The OWIN application builder.</param>
    public void Configuration(IAppBuilder app)
    {
        var httpConfig = new HttpConfiguration();

        ConfigureAuthentication(app);

        // NOTE(review): AllowAll answers any origin, header and method (and, as far as
        // I recall, allows credentials). Fine for a sample; restrict to known origins
        // before this API is reachable from the public internet.
        app.UseCors(CorsOptions.AllowAll);

        WebApiConfig.Register(httpConfig);
        app.UseWebApi(httpConfig);

        // Applied to the same HttpConfiguration instance handed to UseWebApi. This
        // ordering presumably relies on Web API reading formatters lazily — confirm,
        // or move the line above UseWebApi to avoid the question entirely.
        var jsonSettings = httpConfig.Formatters.JsonFormatter.SerializerSettings;
        jsonSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore;
    }

    /// <summary>
    /// Registers JWT bearer authentication: tokens must carry the configured audience
    /// and be signed by the key in the configured issuer's certificate.
    /// </summary>
    /// <param name="app">The OWIN application builder.</param>
    private static void ConfigureAuthentication(IAppBuilder app)
    {
        const string issuer = "<<MyIssuer>>";
        const string audience = "<<MyAudience>>";
        const string publicKeyBase64 = "<<MyPublicKeyBase64>>";

        // Only the public half of the IdP's signing key is embedded, so this is not a
        // secret — but it must be replaced whenever the IdP rotates its signing key.
        var signingCertificate = LoadSigningCertificate(publicKeyBase64);

        var tokenProviders = new IIssuerSecurityTokenProvider[]
        {
            new X509CertificateSecurityTokenProvider(issuer, signingCertificate),
        };

        var options = new JwtBearerAuthenticationOptions
        {
            // Active mode: the middleware authenticates every request on its own,
            // rather than waiting for a challenge.
            AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
            AllowedAudiences = new[] { audience },
            IssuerSecurityTokenProviders = tokenProviders,
        };

        app.UseJwtBearerAuthentication(options);
    }

    /// <summary>
    /// Decodes a base64-encoded DER certificate into an <see cref="X509Certificate2"/>.
    /// </summary>
    /// <param name="base64">Base64 text of the certificate bytes.</param>
    /// <returns>The parsed certificate (public key only).</returns>
    private static X509Certificate2 LoadSigningCertificate(string base64)
    {
        var rawBytes = Convert.FromBase64String(base64);
        return new X509Certificate2(rawBytes);
    }
}

I can get a Bearer token from my IDP and test it in jwt.io with the following result:

jwt.io reports the signature as verified (against the public key I paste in — note that jwt.io only checks the signature, not issuer, audience or expiry).

Issuer matches from code to verified token.

ClientId matches from code to verified token (sub).

Audience matches from code to verified token.

For some reason the token is nevertheless rejected (401 Unauthorized) on every request, and I can't work out why. My request includes the Authorization header with the same bearer token I can verify on jwt.io (`Bearer ey...`). If it makes any difference, I use Auth0. I have also tried downloading the public certificate and loading it from the file instead of the embedded base64 string, with the same result.

Your credentials aren't entirely obfuscated in your image; it's possible to read the key, were someone so inclined. I'd suggest revoking those tokens if they're still in circulation, if you haven't already. — Rob
This was actually just a sample project and the keys expired a long time ago, but still, thank you for the concern ;) — Marcus



Setting the `TokenValidationParameters` property on the `JwtBearerAuthenticationOptions` instance resolved the issue — the issuer, audience and signing key are then validated against the values given there:

/// <summary>
/// Registers JWT bearer authentication with explicit
/// <see cref="TokenValidationParameters"/>, so issuer, audience and signing key are
/// all validated against the values configured in this method.
/// </summary>
/// <param name="app">The OWIN application builder.</param>
private static void ConfigureAuthentication(IAppBuilder app)
{
    const string issuer = "<<MyIssuer>>";
    const string audience = "<<MyAudience>>";
    const string publicKeyBase64 = "<<MyPublicKeyBase64>>";

    // Only the public half of the IdP's signing key is embedded, so this is not a
    // secret — but it must be replaced whenever the IdP rotates its signing key.
    var rawCertificate = Convert.FromBase64String(publicKeyBase64);
    var signingCertificate = new X509Certificate2(rawCertificate);

    var validationParameters = new TokenValidationParameters
    {
        // The resolver ignores the key identifier it is handed and always returns this
        // one certificate, so every token is checked against it regardless of the
        // token's 'kid' header. A key rotation at the IdP will likely surface as 401s.
        IssuerSigningKeyResolver = (token, securityToken, keyIdentifier, parameters) =>
            new X509SecurityKey(signingCertificate),
        ValidAudience = audience,
        ValidIssuer = issuer,
        // NOTE(review): lifetime (exp/nbf) validation is left at the library default
        // here — confirm it is enabled rather than relying on the default.
    };

    var options = new JwtBearerAuthenticationOptions
    {
        // Active mode: the middleware authenticates every request on its own,
        // rather than waiting for a challenge.
        AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
        AllowedAudiences = new[] { audience },
        IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
        {
            new X509CertificateSecurityTokenProvider(issuer, signingCertificate),
        },
        TokenValidationParameters = validationParameters,
    };

    app.UseJwtBearerAuthentication(options);
}