Is there any JSON Web Token JWT example in C

Question

I feel like I m taking crazy pills here  Usually there s always a million library and samples floating around the web for any given task  I m trying to implement authentication with a Google  Service Account  by use of JSON Web Tokens  JWT  as described here   However there is only client libraries in PHP  Python  and Java  Even searching for JWT examples outside of Google s authentication  there is only crickets and drafts on the JWT concept  Is this really so new and possibly a Google proprietary system    The java sample which is the closest I could manage to interpret looks pretty intensive and intimidating  There s got to be something out there in C  that I could at least start with  Any help with this would be great

User · Answer

It would be better to use standard and famous libraries instead of writing the code from scratch.

JWT for encoding and decoding JWT tokens
Bouncy Castle supports encryption and decryption, especially RS256 get it here

Using these libraries you can generate a JWT token and sign it using RS256 as below.

    public string GenerateJWTToken(string rsaPrivateKey)
    {
        var rsaParams = GetRsaParameters(rsaPrivateKey);
        var encoder = GetRS256JWTEncoder(rsaParams);

        // create the payload according to the Google's doc
        var payload = new Dictionary<string, object>
        {
            { "iss", ""},
            { "sub", "" },
            // and other key-values according to the doc
        };

        // add headers. 'alg' and 'typ' key-values are added automatically.
        var header = new Dictionary<string, object>
        {
            { "kid", "{your_private_key_id}" },
        };

        var token = encoder.Encode(header,payload, new byte[0]);

        return token;
    }

    private static IJwtEncoder GetRS256JWTEncoder(RSAParameters rsaParams)
    {
        var csp = new RSACryptoServiceProvider();
        csp.ImportParameters(rsaParams);

        var algorithm = new RS256Algorithm(csp, csp);
        var serializer = new JsonNetSerializer();
        var urlEncoder = new JwtBase64UrlEncoder();
        var encoder = new JwtEncoder(algorithm, serializer, urlEncoder);

        return encoder;
    }

    private static RSAParameters GetRsaParameters(string rsaPrivateKey)
    {
        var byteArray = Encoding.ASCII.GetBytes(rsaPrivateKey);
        using (var ms = new MemoryStream(byteArray))
        {
            using (var sr = new StreamReader(ms))
            {
                // use Bouncy Castle to convert the private key to RSA parameters
                var pemReader = new PemReader(sr);
                var keyPair = pemReader.ReadObject() as AsymmetricCipherKeyPair;
                return DotNetUtilities.ToRSAParameters(keyPair.Private as RsaPrivateCrtKeyParameters);
            }
        }
    }

ps: the RSA private key should have the following format:

-----BEGIN RSA PRIVATE KEY----- {base64 formatted value} -----END RSA PRIVATE KEY-----

User · Answer

Here is a working example   http   zavitax wordpress com 2012 12 17 logging-in-with-google-service-account-in-c-jwt   It took quite some time to collect the pieces scattered over the web  the docs are rather incomplete

User · Answer

Here is the list of classes and functions   open System open System Collections Generic open System Linq open System Threading Tasks open Microsoft AspNetCore Mvc open Microsoft Extensions Logging open Microsoft AspNetCore Authorization open Microsoft AspNetCore Authentication open Microsoft AspNetCore Authentication JwtBearer open Microsoft IdentityModel Tokens open System IdentityModel Tokens open System IdentityModel Tokens Jwt open Microsoft IdentityModel JsonWebTokens open System Text open Newtonsoft Json open System Security Claims     let theKey    VerySecretKeyVerySecretKeyVerySecretKey      let securityKey   SymmetricSecurityKey Encoding UTF8 GetBytes theKey       let credentials   SigningCredentials securityKey  SecurityAlgorithms RsaSsaPssSha256      let expires   DateTime UtcNow AddMinutes 123 0    gt  Nullable     let token   JwtSecurityToken                       lahoda-pro-issuer                         lahoda-pro-audience                       claims   null                      expires    expires                      signingCredentials   credentials                let tokenString   JwtSecurityTokenHandler   WriteToken token

User · Answer

This is my implementation of  Google  JWT Validation in  NET  It is based on other implementations on Stack Overflow and GitHub gists   using Microsoft IdentityModel Tokens  using System  using System Collections Generic  using System IdentityModel Tokens Jwt  using System Linq  using System Net Http  using System Security Claims  using System Security Cryptography X509Certificates  using System Text  using System Threading Tasks   namespace QuapiNet Service       public class JwtTokenValidation               public async Task lt Dictionary lt string  X509Certificate2 gt  gt  FetchGoogleCertificates                         using  var http   new HttpClient                                  var response   await http GetAsync  https   www googleapis com oauth2 v1 certs                     var dictionary   await response Content ReadAsAsync lt Dictionary lt string  string gt  gt                     return dictionary ToDictionary x   gt  x Key  x   gt  new X509Certificate2 Encoding UTF8 GetBytes x Value                                      private string CLIENT ID    xxx apps googleusercontent com            public async Task lt ClaimsPrincipal gt  ValidateToken string idToken                        var certificates   await this FetchGoogleCertificates                 TokenValidationParameters tvp   new TokenValidationParameters                                 ValidateActor   false     check the profile ID                  ValidateAudience   true     check the client ID                 ValidAudience   CLIENT ID                   ValidateIssuer   true     check token came from Google                 ValidIssuers   new List lt string gt     accounts google com    https   accounts google com                      ValidateIssuerSigningKey   true                  RequireSignedTokens   true                  IssuerSigningKeys   certificates Values Select x   gt  new X509SecurityKey x                    IssuerSigningKeyResolver    token  securityToken  kid  validationParameters    gt                                        return certificates                      Where x   gt  x Key ToUpper      kid ToUpper                         Select x   gt  new X509SecurityKey x Value                                       ValidateLifetime   true                  RequireExpirationTime   true                  ClockSkew   TimeSpan FromHours 13                              JwtSecurityTokenHandler jsth   new JwtSecurityTokenHandler                SecurityToken validatedToken              ClaimsPrincipal cp   jsth ValidateToken idToken  tvp  out validatedToken                return cp                      Note that  in order to use it  you need to add a reference to the NuGet package System Net Http Formatting Extension  Without this  the compiler will not recognize the ReadAsAsync lt  gt  method

User · Answer

After all these months have passed after the original question  it s now worth pointing out that Microsoft has devised a solution of their own  See http   blogs msdn com b vbertocci archive 2012 11 20 introducing-the-developer-preview-of-the-json-web-token-handler-for-the-microsoft-net-framework-4-5 aspx for details

User · Answer

I ve never used it but there is a JWT implementation on NuGet   Package  https   nuget org packages JWT  Source  https   github com johnsheehan jwt   NET 4 0 compatible  https   www nuget org packages jose-jwt   You can also go here  https   jwt io  and click  libraries

User · Answer

Here is another REST-only working example for Google Service Accounts accessing G Suite Users and Groups  authenticating through JWT  This was only possible through reflection of Google libraries  since Google documentation of these APIs are beyond terrible  Anyone used to code in MS technologies will have a hard time figuring out how everything goes together in Google services    iss     lt name gt   lt serviceaccount gt  iam gserviceaccount com     The email address of the service account   sub    impersonate user mydomain com     The user to impersonate  required    scope    https   www googleapis com auth admin directory user readonly https   www googleapis com auth admin directory group readonly    certPath    D  temp mycertificate p12    grantType    urn ietf params oauth grant-type jwt-bearer      Auxiliary functions function UrlSafeEncode  String   Data        return  Data Replace       String   Empty  Replace       -   Replace               function UrlSafeBase64Encode   String   Data        return  UrlSafeEncode -Data   Convert   ToBase64String  System Text Encoding   UTF8 GetBytes  Data         function KeyFromCertificate  System Security Cryptography X509Certificates X509Certificate2   Certificate         privateKeyBlob    Certificate PrivateKey ExportCspBlob  true        key   New-Object System Security Cryptography RSACryptoServiceProvider       key ImportCspBlob  privateKeyBlob       return  key     function CreateSignature   Byte     Data   System Security Cryptography X509Certificates X509Certificate2   Certificate         sha256    System Security Cryptography SHA256   Create         key    KeyFromCertificate  Certificate        assertionHash    sha256 ComputeHash  Data        sig    Convert   ToBase64String  key SignHash  assertionHash   2 16 840 1 101 3 4 2 1          sha256 Dispose        return  sig     function CreateAssertionFromPayload   String   Payload   System Security Cryptography X509Certificates X509Certificate2   Certificate         header        alg   RS256   typ   JWT            assertion   New-Object System Text StringBuilder        assertion Append  UrlSafeBase64Encode  header   Append      Append  UrlSafeBase64Encode  Payload     Out-Null       signature    CreateSignature -Data   System Text Encoding   ASCII GetBytes  assertion ToString     -Certificate  Certificate        assertion Append      Append  UrlSafeEncode  signature     Out-Null      return  assertion ToString        baseDateTime   New-Object DateTime 1970  1  1  0  0  0   DateTimeKind   Utc    timeInSeconds    Math   Truncate  DateTime   UtcNow Subtract  baseDateTime  TotalSeconds     jwtClaimSet        scope    scope   email verified  false  iss    iss   sub    sub   aud   https   oauth2 googleapis com token   exp     timeInSeconds   3600   iat   timeInSeconds         cert   New-Object System Security Cryptography X509Certificates X509Certificate2  certPath   notasecret    System Security Cryptography X509Certificates X509KeyStorageFlags   Exportable    jwt   CreateAssertionFromPayload -Payload  jwtClaimSet -Certificate  cert      Retrieve the authorization token   authRes   Invoke-WebRequest -Uri  https   oauth2 googleapis com token  -Method Post -ContentType  application x-www-form-urlencoded  -UseBasicParsing -Body    assertion  jwt amp grant type    Uri   EscapeDataString  grantType        authInfo   ConvertFrom-Json -InputObject  authRes Content    resUsers   Invoke-WebRequest -Uri  https   www googleapis com admin directory v1 users domain  lt required domain name dont trust google documentation on this gt   -Method Get -Headers         Authorization        authInfo token type     authInfo access token       users   ConvertFrom-Json -InputObject  resUsers Content    users users   ft primaryEmail  isAdmin  suspended

User · Answer

Take a look at Google Client Library for  NET

User · Answer

Thanks everyone  I found a base implementation of a Json Web Token and expanded on it with the Google flavor  I still haven t gotten it completely worked out but it s 97  there  This project lost it s steam  so hopefully this will help someone else get a good head-start   Note  Changes I made to the base implementation  Can t remember where I found it   are         Changed HS256 -  RS256    Swapped the JWT and  alg order in the header  Not sure who got it wrong  Google or the spec  but google takes it the way It is below according to their docs       public enum JwtHashAlgorithm       RS256      HS384      HS512    public class JsonWebToken       private static Dictionary lt JwtHashAlgorithm  Func lt byte    byte    byte   gt  gt  HashAlgorithms       static JsonWebToken                 HashAlgorithms   new Dictionary lt JwtHashAlgorithm  Func lt byte    byte    byte   gt  gt                                  JwtHashAlgorithm RS256   key  value    gt    using  var sha   new HMACSHA256 key     return sha ComputeHash value                            JwtHashAlgorithm HS384   key  value    gt    using  var sha   new HMACSHA384 key     return sha ComputeHash value                            JwtHashAlgorithm HS512   key  value    gt    using  var sha   new HMACSHA512 key     return sha ComputeHash value                                   public static string Encode object payload  string key  JwtHashAlgorithm algorithm                return Encode payload  Encoding UTF8 GetBytes key   algorithm              public static string Encode object payload  byte   keyBytes  JwtHashAlgorithm algorithm                var segments   new List lt string gt             var header   new   alg   algorithm ToString    typ    JWT              byte   headerBytes   Encoding UTF8 GetBytes JsonConvert SerializeObject header  Formatting None            byte   payloadBytes   Encoding UTF8 GetBytes JsonConvert SerializeObject payload  Formatting None              byte   payloadBytes   Encoding UTF8 GetBytes     iss   761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5 developer gserviceaccount com   scope   https   www googleapis com auth prediction   aud   https   accounts google com o oauth2 token   exp  1328554385  iat  1328550785              segments Add Base64UrlEncode headerBytes            segments Add Base64UrlEncode payloadBytes             var stringToSign   string Join      segments ToArray              var bytesToSign   Encoding UTF8 GetBytes stringToSign            byte   signature   HashAlgorithms algorithm  keyBytes  bytesToSign           segments Add Base64UrlEncode signature             return string Join      segments ToArray                public static string Decode string token  string key                return Decode token  key  true              public static string Decode string token  string key  bool verify                var parts   token Split               var header   parts 0           var payload   parts 1           byte   crypto   Base64UrlDecode parts 2             var headerJson   Encoding UTF8 GetString Base64UrlDecode header            var headerData   JObject Parse headerJson           var payloadJson   Encoding UTF8 GetString Base64UrlDecode payload            var payloadData   JObject Parse payloadJson            if  verify                        var bytesToSign   Encoding UTF8 GetBytes string Concat header       payload                var keyBytes   Encoding UTF8 GetBytes key               var algorithm    string headerData  alg                 var signature   HashAlgorithms GetHashAlgorithm algorithm   keyBytes  bytesToSign               var decodedCrypto   Convert ToBase64String crypto               var decodedSignature   Convert ToBase64String signature                if  decodedCrypto    decodedSignature                                throw new ApplicationException string Format  Invalid signature  Expected  0  got  1    decodedCrypto  decodedSignature                                     return payloadData ToString               private static JwtHashAlgorithm GetHashAlgorithm string algorithm                switch  algorithm                        case  RS256   return JwtHashAlgorithm RS256              case  HS384   return JwtHashAlgorithm HS384              case  HS512   return JwtHashAlgorithm HS512              default  throw new InvalidOperationException  Algorithm not supported                             from JWT spec     private static string Base64UrlEncode byte   input                var output   Convert ToBase64String input           output   output Split      0      Remove any trailing    s         output   output Replace       -       62nd char of encoding         output   output Replace               63rd char of encoding         return output                from JWT spec     private static byte   Base64UrlDecode string input                var output   input          output   output Replace  -            62nd char of encoding         output   output Replace               63rd char of encoding         switch  output Length   4     Pad with trailing    s                       case 0  break     No pad chars in this case             case 2  output          break     Two pad chars             case 3  output         break     One pad char             default  throw new System Exception  Illegal base64url string                       var converted   Convert FromBase64String output      Standard base64 decoder         return converted            And then my google specific JWT class   public class GoogleJsonWebToken       public static string Encode string email  string certificateFilePath                var utc0   new DateTime 1970 1 1 0 0 0 0  DateTimeKind Utc           var issueTime   DateTime Now           var iat    int issueTime Subtract utc0  TotalSeconds          var exp    int issueTime AddMinutes 55  Subtract utc0  TotalSeconds     Expiration time is up to 1 hour  but lets play on safe side          var payload   new                       iss   email              scope    https   www googleapis com auth gan readonly               aud    https   accounts google com o oauth2 token               exp   exp              iat   iat                     var certificate   new X509Certificate2 certificateFilePath   notasecret             var privateKey   certificate Export X509ContentType Cert            return JsonWebToken Encode payload  privateKey  JwtHashAlgorithm RS256

[c#] Is there any JSON Web Token (JWT) example in C#?

Examples related to c#

Examples related to oauth

Examples related to oauth-2.0

Examples related to jwt