1
votes

ASP.NET Core 2.x has a really nice way to add Bearer Authentication using JWT tokens. The following code is the minimum requirement to make things work.

{
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = "https://issuer.com",
        ValidateLifetime = true,
    }
});

I understand the anatomy of a JWT (header.payload.signature), but in case we are using an asymmetric algorithm, we need to validate the signature, and for that we need to get the public keys from this URL: issuer + .well-known/jwks.json.

So, is the middleware "magically" fetching the public keys and validating the signature? Also, is the middleware caching the public keys to avoid fetching the public keys in every validation?

1
Have you looked at the TokenValidationParameters IssuerSigningKey property? - Jonathon Chase
Well, I know that property and also the IssuerSigningKeyResolver; my question is about the public keys caching. - Marco Talento

1 Answer

2
votes

The ConfigurationManager object is responsible for retrieving, refreshing and caching the configuration metadata required to validate JWTs, such as the issuer and signing keys. The middleware will retrieve the metadata and cache it the first time authentication begins; see the source code here.
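
An added example, not part of the answer above or of the ASP.NET Core source: it wires an explicit `ConfigurationManager<OpenIdConnectConfiguration>` into the JWT bearer handler so the key-cache lifetime and refresh throttling are visible and tunable. The audience value, the class and method names, and the chosen intervals are assumptions; the metadata address assumes the issuer publishes an OpenID Connect discovery document whose `jwks_uri` points at the key set.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class JwtBearerSetup // hypothetical helper class
{
    private const string Issuer = "https://issuer.com"; // issuer from the question
    private const string Audience = "my-api";           // assumed audience value

    public static void AddCachedJwtBearer(this IServiceCollection services)
    {
        // Downloads the discovery document, follows jwks_uri, and caches
        // the resulting issuer and signing keys in memory.
        var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            Issuer + "/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever { RequireHttps = true })
        {
            // How long the cached metadata is served before it is fetched again.
            AutomaticRefreshInterval = TimeSpan.FromHours(12),
            // Minimum wait between refreshes forced through RequestRefresh(),
            // so tokens with unknown key ids cannot cause a fetch per request.
            RefreshInterval = TimeSpan.FromMinutes(5)
        };

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The handler takes signing keys from this manager on each validation.
                options.ConfigurationManager = configManager;
                // On a signature-key-not-found failure, request a refresh so a
                // rotated key is picked up (still throttled by RefreshInterval).
                options.RefreshOnIssuerKeyNotFound = true;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = Issuer,
                    ValidateAudience = true,
                    ValidAudience = Audience,
                    ValidateLifetime = true
                };
            });
    }
}
```

When only `Authority` (or `MetadataAddress`) is set and no manager is supplied, the handler builds an equivalent `ConfigurationManager` itself with the library's default intervals.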