How to verify and change a JWT Alg
I'm using the ASP.Net OpenID Connect Server project (ASOS) to create and consume JWTs for my WebAPI.
I'm now trying to perform various validations on the token.
I'd like to know how to check the "alg" type. I'm aware of an issue where "none" can be passed in, which means that someone can forge the tokens (I'm not sure if it's just specific libraries that have the issue, or if it's just generally good practice to check, but I'd feel safer if I was performing that check).
Also, how can I verify the integrity of the JWT?
Currently my token issuer and WebAPI are in the same project so I'm guessing that it's checked for me automatically? Or is it not checked at all?
My understanding is that some kind of signing credential is added for you on disk if you don't specify any (Not sure where I read that).
Would providing some kind of signing credential automatically update the "alg" property?
What if my token issuer is on 1 server and my WebAPI was somewhere completely different. How would I go about validating that the token came from my token issuer and hadn't been interfered with.
Presumably I'd have to add a certificate manually, then share the public key somehow? If that's the case, could someone point me to where I should add the public key to check the JWT integrity? Presumably this part is more about asp.net Core than OpenIDConnect Server (ASOS)?
Thanks.
I'd like to know how to check the "alg" type.
You can use a tool like jwt.io to read the header of a JWT, which contains the alg value you're looking for.
I'm aware of an issue where "none" can be passed in, which means that someone can forge the tokens (I'm not sure if it's just specific libraries that have the issue, or if it's just generally good practice to check, but I'd feel safer if I was performing that check).
ASOS relies on IdentityModel - a framework developed by Microsoft - to generate the JWT tokens (you can take a look at this other answer for more information). AFAIK, it was not impacted by the security bug you're mentioning.
To try it yourself, you can use jwt.io to alter the alg header value and send the resulting encoded JWT to your API.
Also, how can I verify the integrity of the JWT?
Currently my token issuer and WebAPI are in the same project so I'm guessing that it's checked for me automatically? Or is it not checked at all?
What if my token issuer is on 1 server and my WebAPI was somewhere completely different. How would I go about validating that the token came from my token issuer and hadn't been interfered with.
Presumably I'd have to add a certificate manually, then share the public key somehow? If that's the case, could someone point me to where I should add the public key to check the JWT integrity? Presumably this part is more about asp.net Core than OpenIDConnect Server (ASOS)?
If you use the JWT bearer middleware, then it's automatically done for you. For that, it directly downloads the public signing keys exposed by ASOS' JWK set endpoint (by default, at /.well-known/jwks).
Here's an example:
My understanding is that some kind of signing credential is added for you on disk if you don't specify any (Not sure where I read that).
This is true with the latest official version (beta6) but this feature will be removed in the next version. You'll be encouraged to register a X.509 certificate or use an ephemeral signing key (during development). An exception will be thrown if you don't.
Would providing some kind of signing credential automatically update the "alg" property?
Yes. ASOS natively supports both symmetric keys and RSA keys. For instance, if you use a SymmetricSecurityKey when calling options.SigningCredentials.AddKey(...), HS256 (HMAC-SHA256) will be returned instead of RS256 (RSA-SHA256). You can provide additional algorithms using the Add overload accepting a SigningCredentials instance.
- Dynamically replace downstream Host in Ocelot gateway
- 405 method not allowed Web API
- How to specify ContentType for Web API controller method
- How to map config in IConfigurationSection to a simple class
- AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot, NotValidTime
- When and how to use [ResponseType(typeof(...))] correctly?
- Specifying a custom DateTime format when serializing with Json.Net
- Make sure that the controller has a parameterless public constructor error
- Pass an array of integers to ASP.NET Web API?
- Difference between ApiController and Controller in ASP.NET MVC
- How to configure options to display StackTrace with AddProblemDetails() based on environment in ASP.NET Core?
- There was an error while performing this operation" error when publishing an old ASP.NET web project on IIS
- How to use Ninject with ASP.NET Web API?
- API setup missing something?
- Supporting GET *and* POST in WebApi
- Multipart form post only works if you look at it first
- Using a DelegatingHandler in HttpClient class from windows forms - Inner handler has not been set
- Unauthorised webapi call returning login page rather than 401
- Conflicting method/name for an OData Endpoint
- How to achieve strictly file size limit in Abp
- Create annotation via CRM Web API
- How can I schedule a recurring task to run at specific intervals in C#?
- Web API add a Header parameter for all Endpoints in Swagger using NSwag+Owin
- I am getting error on Post method of MVC controller using AngularJS
- How do I upload an image in ASP.NET Core WEB API with other form data?
- How to replace Swagger UI header logo in Swashbuckle
- Web API token authentication with a custom user database
- 500 Internal Server Error: Unintentional Code First Exception
- PostMan showing 500 Internal Server Error Instead of 401 Unauthorized?
- POST request working on Postman but not using jQuery POST