
jwtauthforwebapi's People

Contributors: bwortman, jamiekurtz, racingcow


jwtauthforwebapi's Issues

creating the token to pass to the client

Hi,

I think I'm missing something from the docs, and that is how to generate the token that will be sent to the client on a successful login.

I have written an SPA that the user will need to log in to via a RESTful API call. From what I've read about JWT, this authorisation controller should validate the supplied user/pass and generate a token. Is this something outside the scope of your library?

Thanks

Vulnerable to XSRF if cookie use enabled

Hey, helpful library but thought I should point out the following (apologies if I've missed some mitigation you've added).

By allowing a cookie to be used as the authentication mechanism, you are opening up implementations to XSRF attacks.

https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/#token-storage

As discussed in the above post, storing a JWT in a cookie is fine as long as it can't be used for authentication. Whilst there may be an unusual use case for this, it is more likely that without an additional XSRF token, this particular feature is just opening up a security hole.

Hope this helps.
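To make the point in the report above concrete, here is an added Python example; it is not code from JwtAuthForWebAPI, and the request model, the cookie and header names (`jwt`, `XSRF-TOKEN`, `X-XSRF-TOKEN`) and the token strings are constructed for the example. The browser attaches cookies to every request it sends to the API's origin, including a form submitted from an attacker's page, but a cross-site page cannot add an Authorization header or any custom header. So a token read from a cookie must be paired with a second check that only a same-origin caller can satisfy (the double-submit pattern below), or cookie transport must be left disabled.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the example)."""
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


COOKIE_NAME = "jwt"            # assumed name of the cookie carrying the JWT
XSRF_COOKIE = "XSRF-TOKEN"     # readable (non-HttpOnly) cookie the SPA mirrors into a header
XSRF_HEADER = "X-XSRF-TOKEN"


def extract_token(req: Request, allow_cookie: bool):
    """Return (token, source). The bearer header wins; the cookie is used only if enabled."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):], "header"
    if allow_cookie and COOKIE_NAME in req.cookies:
        return req.cookies[COOKIE_NAME], "cookie"
    return None, None


def xsrf_ok(req: Request) -> bool:
    """Double-submit check: the header must echo the XSRF cookie value.
    A cross-site form post carries the cookie but cannot set the header."""
    expected = req.cookies.get(XSRF_COOKIE)
    supplied = req.headers.get(XSRF_HEADER)
    return bool(expected) and bool(supplied) and hmac.compare_digest(expected, supplied)


def authenticate(req: Request, allow_cookie: bool, require_xsrf: bool = True) -> str:
    """Return 'allowed', 'denied' or 'xsrf'. Cookie-sourced tokens need the XSRF check."""
    token, source = extract_token(req, allow_cookie)
    if token is None:
        return "denied"
    if source == "cookie" and require_xsrf and not xsrf_ok(req):
        return "xsrf"
    return "allowed"


# --- constructed requests ---
JWT = "eyJhbGciOiJIUzI1NiJ9.e30.sig"   # placeholder token string; its signature is not checked here
XSRF = secrets.token_urlsafe(16)

# 1. The SPA sends the token in the Authorization header: nothing for a cross-site page to ride on.
spa_header = Request(headers={"Authorization": f"Bearer {JWT}"})

# 2. An attacker page submits a form to the API: the browser attaches cookies, but no custom headers.
cross_site_form = Request(cookies={COOKIE_NAME: JWT, XSRF_COOKIE: XSRF})

# 3. The SPA using cookie transport, mirroring the XSRF cookie into the header as a same-origin page can.
spa_cookie_with_xsrf = Request(
    headers={XSRF_HEADER: XSRF},
    cookies={COOKIE_NAME: JWT, XSRF_COOKIE: XSRF},
)


def demo() -> dict:
    return {
        "header_only": authenticate(spa_header, allow_cookie=False),
        "cookie_unchecked": authenticate(cross_site_form, allow_cookie=True, require_xsrf=False),
        "cookie_checked": authenticate(cross_site_form, allow_cookie=True),
        "cookie_disabled": authenticate(cross_site_form, allow_cookie=False),
        "spa_cookie_with_xsrf": authenticate(spa_cookie_with_xsrf, allow_cookie=True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} {outcome}")
```

The "cookie_unchecked" case is the hole the report describes: the forged request is accepted as the victim. The double-submit check assumes an attacker cannot plant cookies for the API's domain (for instance from a sibling subdomain); binding the XSRF value to the token itself, or keeping cookie transport disabled so only the Authorization header is honoured, is the stronger choice. A SameSite attribute on the cookie adds a browser-enforced layer, but the server-side check is the one the API can verify for every client.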

JwtAuthenticationMessageHandler Produces Null Log4Net Entries

I am using Swashbuckle to render Swagger documentation for our web service and keep getting a bunch of null message entries generated at startup from the JwtAuthenticationMessageHandler. I also see at least one generated on every request. I know Swagger makes many callbacks to get other information and I suspect it has something to do with this, since there would be no token/session at that time.

Is there a way to stop these entries from showing up? Maybe an example of a log4net filter for the appender to filter null entries from the appender?

DEBUG 2015-07-28 15:10:19,673 [8]  2726ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:19,781 [6]  2834ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:19,880 [6]  2933ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:19,886 [8]  2939ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:19,886 [7]  2939ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:19,893 [9]  2946ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:19,942 [6]  2995ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:19,994 [8]  3047ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,047 [10]  3100ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,047 [7]  3100ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,097 [9]  3150ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,143 [8]  3196ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,191 [10]  3244ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,239 [7]  3292ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,287 [8]  3340ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,383 [9]  3436ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,404 [10]  3457ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,697 [10]  3750ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,759 [9]  3812ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,968 [9]  4021ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,968 [6]  4021ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,971 [7]  4024ms JwtAuthForWebAPI - (null)
DEBUG 2015-07-28 15:10:20,981 [10]  4034ms JwtAuthForWebAPI - (null)

Expiration check during validation doesn't seem to work.

JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYW1laWQiOiIxIiwidW5pcXVlX25hbWUiOiJyb0Byb25uLmlvIiwiZW1haWwiOiJyb0Byb25uLmlvIiwicm9sZSI6IkFkbWluIiwiYXBwLnBlcm0iOlsiTWFuYWdlVXNlcnMiLCJFZGl0T3RoZXJVc2Vyc1RpbWUiXSwiaXNzIjoic2VsZiIsImF1ZCI6Imh0dHA6Ly93d3cuZXhhbXBsZS5jb20iLCJleHAiOjE0NjYwMTIyNzksIm5iZiI6MTQ2NjAxMjI2OX0.ccTeFosbKPglJelekTS47RXCPMDIltN8Q8EXTgYn4r8

Decoded payload:

{
  "nameid": "1",
  "unique_name": "[email protected]",
  "email": "[email protected]",
  "role": "Admin",
  "app.perm": [
    "ManageUsers",
    "EditOtherUsersTime"
  ],
  "iss": "self",
  "aud": "http://www.example.com",
  "exp": 1466012279,
  "nbf": 1466012269
}

NBF, EXP converted to UTC times, respectively:
6/15/2016 5:37:49 PM
6/15/2016 5:37:59 PM

Epoch seconds to UTC conversion via:

new DateTime(1970,1,1,0,0,0,0,DateTimeKind.Utc).AddSeconds(numberOfSeconds)
// not sure if this complies with what I saw in RFC about ignoring leap seconds
// somehow I think the CLR AddSeconds method does account for leap seconds

I created my JWT via

private string CreateJwt(DbUser user)
{
    // Symmetric signing key built from the same secret the validating handler is configured with.
    var securityKey = new SecurityTokenBuilder()
        .CreateFromKey(new AppSettings().JwtSecret) // byte[]
        .SecurityKeys.Single();

    var tokenHandler = new JwtSecurityTokenHandler();
    var now = DateTime.UtcNow;

    var claims = /* omitted */;

    var tokenDescriptor = new SecurityTokenDescriptor
    {
        Subject = new ClaimsIdentity(claims),
        TokenIssuerName = "self",                    // written as the "iss" claim
        AppliesToAddress = "http://www.example.com", // written as the "aud" claim
        Lifetime = new Lifetime(now, now.AddSeconds(10)), // small expiration for testing; written as "nbf"/"exp"
        SigningCredentials = new SigningCredentials(
            securityKey,
            SecurityAlgorithms.HmacSha256Signature,
            SecurityAlgorithms.Sha256Digest),
    };

    var token = tokenHandler.CreateToken(tokenDescriptor);

    var tokenString = tokenHandler.WriteToken(token);
    return tokenString;
}

Anyway, when testing, the token seems to last much longer than 10 seconds when validating using your library.

Any thoughts?

Do you see anything wrong with what I'm doing?
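An added Python example, not the library's code, that decodes the token posted in this issue, converts its nbf and exp values exactly as RFC 7519 defines NumericDate (seconds since 1970-01-01T00:00:00Z, leap seconds ignored; Python's datetime, like .NET's DateTime.AddSeconds, performs no leap-second arithmetic, so the conversion shown above is the correct one), and then runs the lifetime check with and without a clock-skew allowance. JWT validators normally tolerate some skew so that issuer and validator clocks need not agree exactly; the Microsoft JwtSecurityTokenHandler's TokenValidationParameters.ClockSkew defaults to five minutes, and a validator using that default accepts a ten-second token for minutes past its exp. The evaluation instants are chosen for the example; the signature is not checked because the secret is not on the page.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Token exactly as posted in the issue (HS256; the secret is unknown, so the signature is not verified here).
TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJuYW1laWQiOiIxIiwidW5pcXVlX25hbWUiOiJyb0Byb25uLmlvIiwiZW1haWwiOiJyb0Byb25uLmlvIiwicm9sZSI6IkFkbWluIiwiYXBwLnBlcm0iOlsiTWFuYWdlVXNlcnMiLCJFZGl0T3RoZXJVc2Vyc1RpbWUiXSwiaXNzIjoic2VsZiIsImF1ZCI6Imh0dHA6Ly93d3cuZXhhbXBsZS5jb20iLCJleHAiOjE0NjYwMTIyNzksIm5iZiI6MTQ2NjAxMjI2OX0."
    "ccTeFosbKPglJelekTS47RXCPMDIltN8Q8EXTgYn4r8"
)

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def b64url_decode(part: str) -> bytes:
    """JWT segments are base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_payload(token: str) -> dict:
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def numeric_date(seconds: int) -> datetime:
    """RFC 7519 NumericDate -> UTC datetime. No leap seconds, which is what the RFC specifies."""
    return EPOCH + timedelta(seconds=seconds)


def check_lifetime(claims: dict, now: datetime, skew: timedelta) -> str:
    """Typical validator logic: both nbf and exp are relaxed by the skew allowance."""
    if "nbf" in claims and now < numeric_date(claims["nbf"]) - skew:
        return "not yet valid"
    if "exp" in claims and now >= numeric_date(claims["exp"]) + skew:
        return "expired"
    return "valid"


def demo() -> dict:
    claims = decode_payload(TOKEN)
    nbf, exp = numeric_date(claims["nbf"]), numeric_date(claims["exp"])
    # Evaluation instants chosen for the example: inside the 10 s window, 1 minute late, 6 minutes late.
    inside = nbf + timedelta(seconds=5)
    one_min_late = exp + timedelta(minutes=1)
    six_min_late = exp + timedelta(minutes=6)
    strict = timedelta(0)
    default_skew = timedelta(minutes=5)   # the Microsoft handler's default ClockSkew
    return {
        "nbf": nbf.isoformat(),
        "exp": exp.isoformat(),
        "inside_strict": check_lifetime(claims, inside, strict),
        "late1_strict": check_lifetime(claims, one_min_late, strict),
        "late1_skew": check_lifetime(claims, one_min_late, default_skew),
        "late6_skew": check_lifetime(claims, six_min_late, default_skew),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14s} {value}")
```

The decoded nbf and exp match the UTC values listed in the issue. With zero skew the token is rejected one minute after exp; with a five-minute skew it is still accepted then and is only rejected once the skew window has also passed, so a validator's ClockSkew setting is the first thing to compare against an unexpectedly long-lived token.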

Token is invalid if machine gets restarted

@jamiekurtz - This is related to Authentication Failure (https://github.com//issues/9).

I've re-written everything and the token is working fine. Unfortunately, I ran into another issue: I created a token for 30 days. It's strange, but once the client restarts his/her machine, the same token (which validated earlier) becomes invalid. Interestingly, I am able to validate the token using http://jwt.io.

Do tokens depend upon client machines rather than the server?

A complete example

Hi
At first glance it seems easy to use this package, but when it comes to development it becomes hard. Would you please add a simple, basic ASP.NET Web API 2 example?

Unable to Authenticate with Token using tokens from System.IdentityModel.Tokens.Jwt

I am using your library, and I successfully generate a JWT token using the official System.IdentityModel.Tokens.Jwt library:

var tokenHandler = new JwtSecurityTokenHandler();
var symmetricKey = secretKey.GetBytes();   // secretKey: application-specific, not shown in the issue
var now = DateTime.UtcNow;

var tokenDescriptor = new SecurityTokenDescriptor
{
    // The audience is supplied here as an ordinary claim; no AppliesToAddress is set on the descriptor.
    // SessionManager, userLoginRequest and GetRoles are application code not shown in the issue.
    Subject = new ClaimsIdentity(
        new[]{
            new Claim(JwtClaimKeys.Audience, SessionManager.Current.AppName),
            new Claim(JwtClaimKeys.Subject, userLoginRequest.UserName),
            new Claim(JwtClaimKeys.Roles, GetRoles(userLoginRequest))
        }),
    TokenIssuerName = "My Company",   // written as the "iss" claim
    Lifetime = new Lifetime(now, now.AddMinutes(tokenLifetimeInMinutes)), // written as "nbf"/"exp"
    SigningCredentials = new SigningCredentials(
        new InMemorySymmetricSecurityKey(symmetricKey),
        "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",   // SecurityAlgorithms.HmacSha256Signature
        "http://www.w3.org/2001/04/xmlenc#sha256")              // SecurityAlgorithms.Sha256Digest
};

var token = tokenHandler.CreateToken(tokenDescriptor);
return tokenHandler.WriteToken(token);

But it says "Authorization has been denied for this request.". I configured the following in my WebAPI startup:

var keyBuilder = new SecurityTokenBuilder();

var jwtHandler = new JwtAuthenticationMessageHandler
{
    Issuer = "My Company",                                                          // expected issuer
    AllowedAudience = ConfigurationManager.AppSettings[AppSettingKeys.ApplicationId], // expected audience
    SigningToken = keyBuilder.CreateFromKey(JsonWebTokenSecretKey),                 // key used to verify the signature
    PrincipalTransformer = new MyUserPrincipleTransformer()
};

config.MessageHandlers.Add(jwtHandler);
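As an added Python example, not the library's code, here is a minimal HS256 issuer and validator pair: `issue_hs256` is the minting step the first issue on this page asks about, and `validate` reports every check that fails instead of a bare "denied". The secret, issuer, audience and times are constructed for the example. It shows that a token whose audience differs from the audience the validator expects is rejected even though its signature verifies, and the same for an issuer that differs in case or a key that differs by a byte; comparing a denied token's decoded claims against the validator's configured issuer, audience and key is the first diagnostic to run.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def issue_hs256(secret: bytes, claims: dict) -> str:
    """Build a compact JWS signed with HS256 (the algorithm both descriptors above select)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate(token: str, secret: bytes, issuer: str, audience: str, now: int = None) -> list:
    """Return the list of failed checks; an empty list means the token is accepted."""
    failures = []
    try:
        h, p, s = token.split(".")
    except ValueError:
        return ["malformed"]
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":            # never let the token choose the algorithm
        return ["alg"]
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        failures.append("signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:             # exact, case-sensitive comparison
        failures.append("issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        failures.append("audience")
    now = int(time.time()) if now is None else now
    if "nbf" in claims and now < claims["nbf"]:
        failures.append("nbf")
    if "exp" in claims and now >= claims["exp"]:
        failures.append("exp")
    return failures


# --- constructed values ---
SECRET = b"example-shared-secret-not-the-real-one"
ISSUER = "My Company"
EXPECTED_AUD = "app-id-from-config"   # stands in for the validator's AllowedAudience setting
NOW = 1_466_012_000                   # fixed evaluation instant so the example is reproducible


def demo() -> dict:
    base = {"iss": ISSUER, "sub": "alice", "nbf": NOW - 10, "exp": NOW + 600}
    good = issue_hs256(SECRET, dict(base, aud=EXPECTED_AUD))
    wrong_aud = issue_hs256(SECRET, dict(base, aud="MyAppName"))          # aud written from a different source
    wrong_key = issue_hs256(b"some-other-secret", dict(base, aud=EXPECTED_AUD))
    wrong_iss = issue_hs256(SECRET, dict(base, iss="my company", aud=EXPECTED_AUD))
    return {
        "good": validate(good, SECRET, ISSUER, EXPECTED_AUD, NOW),
        "wrong_aud": validate(wrong_aud, SECRET, ISSUER, EXPECTED_AUD, NOW),
        "wrong_key": validate(wrong_key, SECRET, ISSUER, EXPECTED_AUD, NOW),
        "wrong_iss": validate(wrong_iss, SECRET, ISSUER, EXPECTED_AUD, NOW),
    }


if __name__ == "__main__":
    for name, failed in demo().items():
        print(f"{name:10s} {'accepted' if not failed else 'denied: ' + ', '.join(failed)}")
```

The validator refuses any algorithm other than the one it was configured for before touching the signature, which is the defence against tokens that declare "alg": "none" or switch to a different algorithm family.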
