Web API 2 authentication with JWT
Problem
Please review my code for bearer token (JWT) authentication of Web API 2 (Self Hosted using OWIN)
Are there any security issues in the implementation?
Quick overview:
- Token creation and validation using JWT Handler
- Symmetric key encryption
- CORS support not yet checked for the authorization header
- Web traffic will be on SSL.
- The key cannot be auto-generated as it will break during a load balanced scenario. Can I save the key in config? Or switch to X509 certificates?
This is the main class to create and validate tokens:
```
using System;
using System.Collections.Generic;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;

public class TokenManager
{
    public static string CreateJwtToken(string userName, string role)
    {
        var claimList = new List<Claim>()
        {
            new Claim(ClaimTypes.Name, userName),
            new Claim(ClaimTypes.Role, role) //Not sure what this is for
        };
        var tokenHandler = new JwtSecurityTokenHandler() { RequireExpirationTime = true };
        // Shared HMAC-SHA256 key: the same bytes sign and verify every token.
        var sSKey = new InMemorySymmetricSecurityKey(SecurityConstants.KeyForHmacSha256);
        var jwtToken = tokenHandler.CreateToken(
            makeSecurityTokenDescriptor(sSKey, claimList));
        return tokenHandler.WriteToken(jwtToken);
    }

    public static ClaimsPrincipal ValidateJwtToken(string jwtToken)
    {
        var tokenHandler = new JwtSecurityTokenHandler() { RequireExpirationTime = true };
        // Parse JWT from the Base64UrlEncoded wire form
        //(..)
        JwtSecurityToken parsedJwt = tokenHandler.ReadToken(jwtToken) as JwtSecurityToken;
        TokenValidationParameters validationParams =
            new TokenValidationParameters()
            {
                AllowedAudience = SecurityConstants.TokenAudience,
                ValidIssuer = SecurityConstants.TokenIssuer,
                ValidateIssuer = true,
                SigningToken = new BinarySecretSecurityToken(SecurityConstants.KeyForHmacSha256),
            };
        // Checks signature, issuer, audience and (RequireExpirationTime) the exp claim.
        return tokenHandler.ValidateToken(parsedJwt, validationParams);
    }

    // Not shown in the original post; reconstructed from how CreateJwtToken calls it.
    // Issuer, audience and lifetime are what the validation side later checks.
    private static SecurityTokenDescriptor makeSecurityTokenDescriptor(
        SecurityKey signingKey, IEnumerable<Claim> claims)
    {
        var now = DateTime.UtcNow;
        return new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(claims),
            TokenIssuerName = SecurityConstants.TokenIssuer,
            AppliesToAddress = SecurityConstants.TokenAudience,
            Lifetime = new Lifetime(now, now.AddMinutes(20)),
            SigningCredentials = new SigningCredentials(signingKey,
                SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest)
        };
    }
}
```
Solution
Instead of keeping KEY in config, I would keep it with user records. A unique key for each user.

I admit, I don't get why creating keys dynamically would break the load balancing scenario. We can have a key created at the back-end where we have a single service serving all the load-balanced servers (such as a database).
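To make concrete what the C# handler is checking in the question (algorithm, signature, issuer, audience, expiry) and what the answer's per-user key proposal changes (key selection by user, revocation by rotating one record), here is an added example in Python using only the standard library. It is not the original code or the JWT handler; the issuer and audience strings, the key store and the key bytes are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed stand-ins for SecurityConstants.TokenIssuer / TokenAudience.
ISSUER = "https://api.example.test"
AUDIENCE = "webapi-clients"

# Constructed key store: one 32-byte HMAC key per user record, as the answer
# proposes, instead of a single key in config shared by every token.
USER_KEYS = {
    "alice": hashlib.sha256(b"constructed key for alice").digest(),
    "bob": hashlib.sha256(b"constructed key for bob").digest(),
}

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode_json(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def create_jwt(user_name, role, key, now=None, lifetime_seconds=20 * 60):
    """Mint an HS256 JWT carrying name/role claims plus iss, aud, iat and exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_name, "role": role, "iss": ISSUER, "aud": AUDIENCE,
              "iat": now, "exp": now + lifetime_seconds}
    signing_input = _encode_json(header) + "." + _encode_json(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

class TokenError(Exception):
    pass

def validate_jwt(token, key_lookup, now=None):
    """Return the verified claims or raise TokenError. key_lookup(sub) returns that
    user's key or None; sub is read from the still-unverified payload and only
    selects the key, the HMAC check below is what binds the claims to it."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:
        raise TokenError("undecodable token")
    # Pin the algorithm: a verifier that trusts the header's alg accepts "none".
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    key = key_lookup(claims.get("sub"))
    if key is None:
        raise TokenError("unknown subject")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Counterparts of ValidIssuer, AllowedAudience and RequireExpirationTime.
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise TokenError("wrong issuer or audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("exp missing or expired")
    return claims

def outcome(token, store, now):
    """'ok' if the token validates against the store, else the rejection reason."""
    try:
        validate_jwt(token, store.get, now)
        return "ok"
    except TokenError as err:
        return str(err)

def demo():
    store = dict(USER_KEYS)
    t0 = 1_700_000_000
    good = create_jwt("alice", "Admin", store["alice"], now=t0)
    # Signed with bob's key but claiming to be alice: alice's key is looked up, HMAC fails.
    forged = create_jwt("alice", "Admin", store["bob"], now=t0)
    # Same payload with alg switched to "none" and the signature dropped.
    none_alg = _encode_json({"alg": "none", "typ": "JWT"}) + "." + good.split(".")[1] + "."
    results = {
        "good": outcome(good, store, t0 + 60),
        "forged": outcome(forged, store, t0 + 60),
        "none_alg": outcome(none_alg, store, t0 + 60),
        "expired": outcome(good, store, t0 + 20 * 60),
        "unknown_user": outcome(create_jwt("mallory", "Admin", store["bob"], now=t0), store, t0 + 60),
    }
    # Rotating one user's key revokes every token minted under the old one.
    store["alice"] = hashlib.sha256(b"rotated key for alice").digest()
    results["after_rotation"] = outcome(good, store, t0 + 60)
    return results
```

Whichever handler version is used, the points carried over from this sketch are the same: the verifier decides the algorithm rather than the token header, the signature is compared in constant time, exp is mandatory, and with one key per user the store (a database reachable from every load-balanced node) becomes the revocation point.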
Context
StackExchange Code Review Q#45974, answer score: 2