Decoding and verifying JWT token using System IdentityModel Tokens Jwt

Question

I ve been using the JWT library to decode a Json Web Token  and would like to switch to Microsoft s official JWT implementation  System IdentityModel Tokens Jwt   The documentation is very sparse  so I m having a hard time figuring how to accomplish what I ve been doing with the JWT library   With the JWT library  there is a Decode method that takes the base64 encoded JWT and turns it into JSON which can then be deserialized  I d like to do something similar using System IdentityModel Tokens Jwt  but after a fair amount of digging  cannot figure out how     For what it s worth  I m reading the JWT token from a cookie  for use with Google s identity framework   Any help would be appreciated

User · Accepted Answer

Within the package there is a class called JwtSecurityTokenHandler which derives from System.IdentityModel.Tokens.SecurityTokenHandler. In WIF this is the core class for deserialising and serialising security tokens.

The class has a ReadToken(String) method that will take your base64 encoded JWT string and returns a SecurityToken which represents the JWT.

The SecurityTokenHandler also has a ValidateToken(SecurityToken) method which takes your SecurityToken and creates a ReadOnlyCollection<ClaimsIdentity>. Usually for JWT, this will contain a single ClaimsIdentity object that has a set of claims representing the properties of the original JWT.

JwtSecurityTokenHandler defines some additional overloads for ValidateToken, in particular, it has a ClaimsPrincipal ValidateToken(JwtSecurityToken, TokenValidationParameters) overload. The TokenValidationParameters argument allows you to specify the token signing certificate (as a list of X509SecurityTokens). It also has an overload that takes the JWT as a string rather than a SecurityToken.

The code to do this is rather complicated, but can be found in the Global.asax.cx code (TokenValidationHandler class) in the developer sample called "ADAL - Native App to REST service - Authentication with ACS via Browser Dialog", located at

http://code.msdn.microsoft.com/AAL-Native-App-to-REST-de57f2cc

Alternatively, the JwtSecurityToken class has additional methods that are not on the base SecurityToken class, such as a Claims property that gets the contained claims without going via the ClaimsIdentity collection. It also has a Payload property that returns a JwtPayload object that lets you get at the raw JSON of the token. It depends on your scenario which approach it most appropriate.

The general (i.e. non JWT specific) documentation for the SecurityTokenHandler class is at

http://msdn.microsoft.com/en-us/library/system.identitymodel.tokens.securitytokenhandler.aspx

Depending on your application, you can configure the JWT handler into the WIF pipeline exactly like any other handler.

There are 3 samples of it in use in different types of application at

http://code.msdn.microsoft.com/site/search?f%5B0%5D.Type=SearchText&f%5B0%5D.Value=aal&f%5B1%5D.Type=User&f%5B1%5D.Value=Azure%20AD%20Developer%20Experience%20Team&f%5B1%5D.Text=Azure%20AD%20Developer%20Experience%20Team

Probably, one will suite your needs or at least be adaptable to them.

User · Answer

I am just wondering why to use some libraries for JWT token decoding and verification at all   Encoded JWT token can be created using following pseudocode  var headers   base64URLencode myHeaders   var claims   base64URLencode myClaims   var payload   header         claims   var signature   base64URLencode HMACSHA256 payload  secret     var encodedJWT   payload         signature    It is very easy to do without any specific library  Using following code   using System  using System Text  using System Security Cryptography   public class Program             More info  https   stormpath com blog jwt-the-right-way      public static void Main                            var header       typ     JWT     alg     HS256              var claims       sub     1047986     email     jon doe eexample com     given name     John     family name     Doe     primarysid     b521a2af99bfdc65e04010ac1d046ff5     iss     http   example com     aud     myapp     exp   1460555281   nbf   1457963281             var b64header   Convert ToBase64String Encoding UTF8 GetBytes header                Replace       -                Replace                        Replace                   var b64claims   Convert ToBase64String Encoding UTF8 GetBytes claims                Replace       -                Replace                        Replace                    var payload   b64header         b64claims          Console WriteLine  JWT without sig         payload            byte   key   Convert FromBase64String  mPorwQB8kMDNQeeYO35KOrMMFn6rFVmbIohBphJPnp4             byte   message   Encoding UTF8 GetBytes payload            string sig   Convert ToBase64String HashHMAC key  message                Replace       -                Replace                        Replace                    Console WriteLine  JWT with signature      payload         sig                      private static byte   HashHMAC byte   key  byte   message                var hash   new HMACSHA256 key           return hash ComputeHash message             The token decoding is reversed version of the code above To verify the signature you will need to the same and compare signature part with calculated signature   UPDATE  For those how are struggling how to do base64 urlsafe encoding decoding please see another SO question  and also wiki and RFCs

[.net] Decoding and verifying JWT token using System.IdentityModel.Tokens.Jwt

Examples related to .net

Examples related to wif

Examples related to jwt