- Notifications
You must be signed in to change notification settings - Fork5
aloji/JwtSecurity
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
The object is to allow using a token generated in an OWIN OAuth 2.0 Server in AspNet.Core projects.
We have the authorization server implemented withOWIN OAuth 2.0, but the new developments are with AspNetCore
The first idea was to use the machine keys
If the authorization server and the resource server are not on the same computer, the OAuth middleware will use the different machine keys to encrypt and decrypt bearer access token. In order to share the same private key between both projects, we add the same machinekey setting in both web.config files.
The problem is that machinekey does not exist in AspNetCore, but MS gives us acompatibility solution to replace the machinekey settings in AspNetWebApi2 and using akey storge provider like redis we can be shared the keys.
After several hours trying to implement this solution, I realized that it was easier, cleaner and cheaper to change the token generator to use JWT and dont use any external provider.
How to setup the JwtSecurity in OWIN OAuth 2.0 Server (full sample code)
publicclassStartup{publicvoidConfiguration(IAppBuilderappBuilder){appBuilder.UseOAuthAuthorizationServer(newOAuthAuthorizationServerOptions{AccessTokenFormat=newJwtSecureDataFormat(newJwtSecurityOptions{Issuer="yourIssuerCode",IssuerSigningKey="yourIssuerSigningKeyCode"})});}}
How to setup the JwtSecurity in Resource Server .NetFramework (full sample code)
publicclassStartup{publicvoidConfiguration(IAppBuilderappBuilder){appBuilder.UseOAuthBearerAuthentication(newOAuthBearerAuthenticationOptions{AccessTokenFormat=newJwtSecureDataFormat(newJwtSecurityOptions{Issuer="yourIssuerCode",IssuerSigningKey="yourIssuerSigningKeyCode"})});}}
How to setup the JwtSecurity in Resource Server .NetFramework with Owin Auth Compatibility
publicclassStartup{publicvoidConfiguration(IAppBuilderappBuilder){appBuilder.UseOAuthBearerAuthentication(newOAuthBearerAuthenticationOptions{AccessTokenFormat=newMachineKeyCompatibilityDataFormat(newJwtSecurityOptions{Issuer="yourIssuerCode",IssuerSigningKey="yourIssuerSigningKeyCode"})});}}
How to setup the JwtSecurity in Resource Server .NetCore (full sample code)
publicclassStartup{publicvoidConfigureServices(IServiceCollectionservices){services.AddJwtBearerAuthentication(options=>{options.Issuer="yourIssuerCode";options.IssuerSigningKey="yourIssuerSigningKeyCode";});}publicvoidConfigure(IApplicationBuilderapp,IHostingEnvironmentenv){app.UseAuthentication();}}
I developed a middleware to create a JwtServer with AspNetCore very similar to OwinOAuth2 settings
How to setup the JwtServer in AspNetCore (full sample code)
publicclassStartup{publicvoidConfigureServices(IServiceCollectionservices){services.AddJwtServer();}publicvoidConfigure(IApplicationBuilderapp,IHostingEnvironmentenv){app.UseJwtServer(options=>{options.TokenEndpointPath="/token";options.AccessTokenExpireTimeSpan=newTimeSpan(1,0,0);options.Issuer="yourIssuerCode";options.IssuerSigningKey="yourIssuerSigningKeyCode";options.AuthorizationServerProvider=newAuthorizationServerProvider{OnGrantResourceOwnerCredentialsAsync=async(context)=>{if(context.UserName!=context.Password){context.SetError("Invalid user authentication");return;}varclaims=newList<Claim>{newClaim(ClaimTypes.Surname,context.UserName)};context.Validated(claims);awaitTask.FromResult(0);}};});}}