
Authentication with JWT


Problem

Please review my code for 'JWT' authentication.

  • Are there any security issues?
  • Where should I store the secret's key, DB or InMemory?
  • What's a good 'JWT' Lifetime?
  • Should I send the 'JWT' in Header for every request?
  • What should be done when a 'JWT' Expires?

Token Manager

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Newtonsoft.Json;
using Procoor_V4_Model.SecurityModel; // defines JwtHeader (Typ, Alg) and JwtPayload; not shown in the post

namespace Procoor_V4_Security
{
    public class TokenManager
    {
        public static string EncodeToken(JwtPayload jwtPayload, string secret)
        {
            const string algorithm = "HS256";

            var header = new JwtHeader
            {
                Typ = "JWT",
                Alg = algorithm
            };

            // header.payload, each segment plain base64 (RFC 7519 specifies base64url, without padding)
            var jwt = Base64Encode(JsonConvert.SerializeObject(header)) + "." + Base64Encode(JsonConvert.SerializeObject(jwtPayload));

            jwt += "." + Sign(jwt, secret);

            return jwt;
        }

        public static JwtPayload DecodeToken(string token, string secret)
        {
            var segments = token.Split('.');

            if (segments.Length != 3)
                throw new Exception("Token structure is incorrect!");

            // Generic overloads: the non-generic DeserializeObject(string, Type) returns object and does not compile here.
            // The header is decoded but its Alg is never compared with the algorithm used to sign.
            JwtHeader header = JsonConvert.DeserializeObject<JwtHeader>(Encoding.UTF8.GetString(Base64Decode(segments[0])));
            JwtPayload jwtPayload = JsonConvert.DeserializeObject<JwtPayload>(Encoding.UTF8.GetString(Base64Decode(segments[1])));

            var rawSignature = segments[0] + '.' + segments[1];

            if (!Verify(rawSignature, secret, segments[2]))
                throw new Exception("Verification Failed");

            return jwtPayload;
        }

        private static bool Verify(string rawSignature, string secret, string signature)
        {
            // Recomputes the signature and compares it with the one supplied; string == is not a constant-time comparison
            return signature == Sign(rawSignature, secret);
        }

        private static string Sign(string str, string key)
        {
            var encoding = new ASCIIEncoding();

            // The post is cut off at this point; the rest of the method is reconstructed as
            // HMAC-SHA256, which is what the "HS256" header announces
            using (var hmac = new HMACSHA256(encoding.GetBytes(key)))
            {
                return Base64Encode(hmac.ComputeHash(encoding.GetBytes(str)));
            }
        }

        // Helpers referenced above but not included in the post
        private static string Base64Encode(string text)
        {
            return Convert.ToBase64String(Encoding.UTF8.GetBytes(text));
        }

        private static string Base64Encode(byte[] bytes)
        {
            return Convert.ToBase64String(bytes);
        }

        private static byte[] Base64Decode(string base64)
        {
            return Convert.FromBase64String(base64);
        }
    }
}
```

Solution

Are there any security issues? Where should I store the secret's key, DB or InMemory? What's a good 'JWT' Lifetime? Should I send the 'JWT' in Header for every request? What should be done when a 'JWT' Expires?

  • The contents are merely base64 encoded and thus are simple to decode, so don't encode your valued customers' personal data. Cut and paste your token in here as evidence: https://developers.google.com/wallet/digital/docs/jwtdecoder

  • The secret key is not a session one, so in memory makes no sense. Buy an Oracle license and then stick it in there. Or there's nothing wrong with something nice and simple like this:

        const string algorithm = "HS256";

  • If you're logging a user onto a site, 1 hour? It's possible to copy/paste the token and gain access to data, so it depends on the nature of the data.

  • Yes. It's an awesome method to send to a REST server instead of some internal user id that never expires.

  • Kick them out of your site. Make them re-log in and get a new token (with another hour-long token).
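As an added example (not part of the question or the answer above, and not the Procoor project's code), here is a small self-contained HS256 issuer and verifier in the same shape as TokenManager. It demonstrates the answer's first point, that the payload is readable by anyone holding the token without knowing the secret, and adds the checks the posted code does not make: base64url encoding as RFC 7519 requires, a constant-time comparison of the signature, a check that the header's alg is the one the server expects, and rejection of expired tokens via the exp claim, which is the point at which the client is sent back to log in. It assumes .NET Core 3.0 or later (System.Text.Json and CryptographicOperations.FixedTimeEquals); the secret and the claims are constructed for the demo.

```csharp
// Added example, not from the original question or answer.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class JwtChecks
{
    // RFC 7515 base64url: no padding, '-' and '_' instead of '+' and '/'
    static string B64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] B64UrlDecode(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        switch (t.Length % 4) { case 2: t += "=="; break; case 3: t += "="; break; }
        return Convert.FromBase64String(t);
    }

    static byte[] Hmac(string signingInput, string secret)
    {
        using var h = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        return h.ComputeHash(Encoding.ASCII.GetBytes(signingInput));
    }

    public static string Issue(string payloadJson, string secret)
    {
        string header = B64Url(Encoding.UTF8.GetBytes("{\"typ\":\"JWT\",\"alg\":\"HS256\"}"));
        string body = B64Url(Encoding.UTF8.GetBytes(payloadJson));
        string input = header + "." + body;
        return input + "." + B64Url(Hmac(input, secret));
    }

    // The claims are only encoded, not encrypted: no secret is needed to read them
    public static string ReadPayloadWithoutSecret(string token) =>
        Encoding.UTF8.GetString(B64UrlDecode(token.Split('.')[1]));

    public static string Verify(string token, string secret, DateTimeOffset now)
    {
        var parts = token.Split('.');
        if (parts.Length != 3) throw new FormatException("token must have 3 segments");

        // The server decides the algorithm; the header must match it, not the other way round
        using var hdr = JsonDocument.Parse(B64UrlDecode(parts[0]));
        if (hdr.RootElement.GetProperty("alg").GetString() != "HS256")
            throw new CryptographicException("unexpected alg");

        byte[] expected = Hmac(parts[0] + "." + parts[1], secret);
        byte[] actual = B64UrlDecode(parts[2]);
        // Constant-time comparison; string == stops at the first differing character
        if (!CryptographicOperations.FixedTimeEquals(expected, actual))
            throw new CryptographicException("bad signature");

        string payload = Encoding.UTF8.GetString(B64UrlDecode(parts[1]));
        using var doc = JsonDocument.Parse(payload);
        // exp is seconds since the Unix epoch (RFC 7519 NumericDate); an expired token is rejected
        if (doc.RootElement.TryGetProperty("exp", out var exp) &&
            now.ToUnixTimeSeconds() >= exp.GetInt64())
            throw new CryptographicException("token expired; client must log in again");
        return payload;
    }

    public static void Main()
    {
        const string secret = "example-only-secret"; // constructed for the demo
        long exp = DateTimeOffset.UtcNow.AddHours(1).ToUnixTimeSeconds(); // one-hour lifetime
        string token = Issue($"{{\"sub\":\"42\",\"exp\":{exp}}}", secret);

        Console.WriteLine(ReadPayloadWithoutSecret(token)); // claims are visible without the secret
        Console.WriteLine(Verify(token, secret, DateTimeOffset.UtcNow));

        // Same token, clock moved two hours ahead: verification fails on exp
        try { Verify(token, secret, DateTimeOffset.UtcNow.AddHours(2)); }
        catch (CryptographicException e) { Console.WriteLine(e.Message); }
    }
}
```

Run it as a console application: the first line printed is the decoded claims, the second is the verified payload, and the third call fails because exp has passed, which is where the application returns the user to the login page for a fresh token.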

Context

StackExchange Code Review Q#70005, answer score: 4
