C# - Not able to validate JSON Web Token with .NET - key too short


I have used the jsonwebtoken npm module to generate a JWT:

    var jwt = require('jsonwebtoken');

    var payload = {
        "iss": "https://secure.example.com/",
        "exp": 1410819380,
        "http://example.com/orgnum": "987987987",
        "http://example.com/user": "me@example.com"
    };

    var token = jwt.sign(payload, 'secret');

    console.log(token);

This gives me the following output:

eyj0exaioijkv1qilcjhbgcioijiuzi1nij9.eyjpc3mioijodhrwczovl3nly3vyzs5legftcgxllmnvbs8ilcjlehaioje0mta4mtkzodasimh0dha6ly9legftcgxllmnvbs9vcmdudw0ioii5odc5odc5odcilcjodhrwoi8vzxhhbxbszs5jb20vdxnlcii6im1lqgv4yw1wbguuy29tiiwiawf0ijoxnda4mzk0mjk2fq.5x5ltg4wxdf2p49xtsrcg4s9yk4qsfw1tmeu0aqubhc

Since I'm not specifying the algorithm I want, it uses SHA256.

Now, I try to verify it in C#. It didn't turn out to be easy...

I get an exception about the key size:

    IDX10603: 'System.IdentityModel.Tokens.InMemorySymmetricSecurityKey' cannot have less than: '128' bits. Parameternavn: key.KeySize Actual size 48.

I try to extend the key, and get a new error when creating the symmetric key:

    Invalid length for a Base-64 char array or string

I reckon this has to do with the way I'm telling the .NET code about the key. Since the SymmetricKeyIssuerSecurityTokenProvider constructor has a parameter named base64Key, I have tried to base64url-encode the key:

    var secret = Base64UrlEncoder.Encode("secret");
    TokenValidationParameters validationParameters = new TokenValidationParameters
    {
        ValidateIssuer = false,
        ValidateAudience = false,
        IssuerSigningTokens = new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret).SecurityTokens
    };

So, what am I missing here?
Why can jsonwebtoken generate and validate JWTs with short keys while .NET cannot?
And why can't .NET accept the keys I give it?

Here's the complete .NET code with a JWT signed with a long key:

    var jwtToken =
        "eyj0exaioijkv1qilcjhbgcioijiuzi1nij9.eyjpc3mioijodhrwczovl3nly3vyzs5legftcgxllmnvbs8ilcjlehaioje0mta4mtkzodasimh0dha6ly9legftcgxllmnvbs9vcmdudw0ioii5odc5odc5odcilcjodhrwoi8vzxhhbxbszs5jb20vdxnlcii6im1lqgv4yw1wbguuy29tiiwiawf0ijoxnda4mzk1njy4fq.zceiieo_mn5_gzp5d_r68vtt33fbocn1bttznd6u3cs";
    var secret = Base64UrlEncoder.Encode("super duper secret more on top");

    TokenValidationParameters validationParameters = new TokenValidationParameters
    {
        ValidateIssuer = false,
        ValidateAudience = false,
        IssuerSigningTokens = new SymmetricKeyIssuerSecurityTokenProvider("issuer", secret).SecurityTokens
    };

    JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler()
    {
        Configuration = new SecurityTokenHandlerConfiguration()
        {
            CertificateValidationMode = X509CertificateValidationMode.None
        }
    };

    SecurityToken validatedToken;
    var claimsPrincipal = tokenHandler.ValidateToken(jwtToken, validationParameters, out validatedToken);
    return claimsPrincipal.Claims;

Updated:

I'm using Microsoft stuff in the code. I'm using the OWIN packages Microsoft.Owin.Security.Jwt version 2.1.0 and System.IdentityModel.Tokens.Jwt version 4.0.0-rc2.

There are multiple blog posts out there stating that you'll need to manually update the System.IdentityModel.Tokens.Jwt package.

I'm not sure which API you are using, since the official Microsoft one does not contain the properties you are using. My guess would be that you are using an outdated version.

I took the API from the NuGet package. And this is the code that worked for me:

    using System;
    using System.Collections.Generic;
    using System.IdentityModel.Selectors;
    using System.IdentityModel.Tokens;
    using System.Security.Claims;
    using System.ServiceModel.Security.Tokens;
    using System.Text;

    namespace so25372035
    {
        class Program
        {
            static void Main()
            {
                const string tokenString = @"eyj0exaioijkv1qilcjhbgcioijiuzi1nij9.eyjpc3mioijodhrwczovl3nly3vyzs5legftcgxllmnvbs8ilcjlehaioje0mta4mtkzodasimh0dha6ly9legftcgxllmnvbs9vcmdudw0ioii5odc5odc5odcilcjodhrwoi8vzxhhbxbszs5jb20vdxnlcii6im1lqgv4yw1wbguuy29tiiwiawf0ijoxnda4nde5ntqwfq.jw9kchutcgxmdp5cntixovtqzsn4x-m-v6_4rzu8zk8";
                JwtSecurityToken tokenReceived = new JwtSecurityToken(tokenString);

                byte[] keyBytes = Encoding.UTF8.GetBytes("secret");
                // Zero-pad the key to 64 bytes so it passes the length check.
                // HMAC zero-pads keys shorter than its block size (64 bytes for
                // SHA-256), so the padded key produces the same signature.
                if (keyBytes.Length < 64 && tokenReceived.SignatureAlgorithm == "HS256")
                {
                    Array.Resize(ref keyBytes, 64);
                }
                TokenValidationParameters validationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = false,
                    AudienceUriMode = AudienceUriMode.Never,
                    SigningToken = new BinarySecretSecurityToken(keyBytes),
                };

                JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();

                ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(tokenReceived, validationParameters);
                IEnumerable<Claim> a = claimsPrincipal.Claims;
                foreach (var claim in a)
                {
                    Console.WriteLine(claim);
                }
            }
        }
    }

Note, I had to resize the array containing the key so that the key length passes validation. It appears that the key length for HMAC is equal to the block size, and for SHA256 it's 512 bits. There is a MinimumSymmetricKeySizeInBits static property that defines the minimum length of a symmetric key, but it appears that it can't be set to less than 128.
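The following is an added example, not code from the question or the answer: it uses only Node's built-in `crypto` module to show why a token signed with the 48-bit key `secret` still verifies after the key is zero-padded to 64 bytes (HMAC pads short keys with zero bytes up to the hash block size), and adds the RFC 7518 section 3.2 minimum key size check for HS256. The function names `signHS256`, `verifyHS256`, `padToBlock` and `keyMeetsRfc7518` and the sample payload are made up for illustration.

```javascript
// Added example: HS256 signing and verification with Node's built-in crypto only.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Build header.payload and sign it with HMAC-SHA256 (HS256 in JWT terms).
function signHS256(payload, key) {
  const header = { typ: 'JWT', alg: 'HS256' };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const sig = crypto.createHmac('sha256', key).update(signingInput).digest();
  return `${signingInput}.${b64url(sig)}`;
}

// Verify: pin the algorithm, recompute the MAC, compare in constant time.
function verifyHS256(token, key) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const [h, p, s] = parts;
  let header;
  try { header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8')); } catch { return false; }
  if (header.alg !== 'HS256') return false;
  const expected = crypto.createHmac('sha256', key).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Zero-pad a key of at most 64 bytes to the SHA-256 block size,
// the same effect as Array.Resize(ref keyBytes, 64) in the C# answer.
function padToBlock(key) {
  const out = Buffer.alloc(64); // filled with zero bytes
  Buffer.from(key).copy(out);
  return out;
}

// RFC 7518 section 3.2: an HS256 key must be at least 256 bits long.
function keyMeetsRfc7518(key) {
  return Buffer.byteLength(key) * 8 >= 256;
}

// Constructed sample payload, signed with the short key from the question.
const payload = { iss: 'https://secure.example.com/', exp: 1410819380 };
const token = signHS256(payload, 'secret');

console.log('verifies with original key:', verifyHS256(token, 'secret'));
console.log('verifies with zero-padded key:', verifyHS256(token, padToBlock('secret')));
console.log('key meets RFC 7518 minimum:', keyMeetsRfc7518('secret'));
```

Padding only satisfies the length check; the key still carries 48 bits of material, so a key of at least 32 random bytes (for example from `crypto.randomBytes(32)`) is what the size requirement is meant to enforce.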

