I have a problem with JWT authentication with API Version.
In a .Net 6 Web Api project secured with JWT token we have added the versioning.
Whe use the api-version parameter in header of the call.
We have added a version 2.0 of one api.
If I work with api 1.0 all work fine.
If I ask for version 2.0 a receive 401.1 access denied.
If I had [AllowAnonymous] on version 2.0 api the routing work and call the right controller but the user is not identified.
Thanks for any suggestion
LSo
Related
I have two projects, one is the API, the other one is the Client to consume the API. Both are .net core 3.1. The API project has been developed inspired by this post:
https://jasonwatmore.com/post/2021/06/15/net-5-api-jwt-authentication-with-refresh-tokens#users-controller-cs
and it has JWT Authentication with refresh token and some methods with Authorize attribute.
My problems starts in the Client project. The API projects emits access token and the client should use it accessing the protected API.
I can authenticated in the API, but when the client receives token (access token and refresh token), it store it in authentication cookie and in the refresh token cookie.
My doubts are:
Is this approach correct?
how can i manage that the access token expires and use the refresh token to get a new one? Do cookies need to be regenerated?
In future development i will add Facebook auth and client auth.
If is needed more details or some implementation let me know.
Thanks in advance.
We are in the process of porting an existing classic .net webapi project to .net core. One of the obsolete libraries being used is Microsoft.Owin.Security.OAuth. Currently the best option as a replacement is openiddict-core.
One of the things I would like to implement is issuing a new access_token/refresh_token based on a refresh token that was issued by the previous version of the api. That way clients can gracefully swap out their refresh token once a new version of the api is deployed.
However, when I ask openiddict for a refresh_token with a value that was created by the previous version of the API, I get the following error:
{
"error": "invalid_grant",
"error_description": "The specified refresh token is invalid."
}
By reading the code, I can see that the request is invalidated by the ValidateReferenceTokenIdentifier here because it checks that the provided refresh_token actually exists in the database.
What would be the recommended way to approach this?
OpenIddict 3.0 includes native support for tokens produced by ASOS and OpenIddict 1.x/2.x, that use ASP.NET Core Data Protection. The Katana OAuth 2.0 authorization server middleware, when hosted on IIS/System.Web, uses ASP.NET Machine Keys, which is a completely different stack and is not supported on .NET Core/.NET 5.0.
Consider adopting the new format: users will have to re-authenticate to get a new refresh token, but it's generally not a blocking issue. Otherwise, use the events model to implement custom token validation. See https://github.com/openiddict/openiddict-core/tree/dev/src/OpenIddict.Server.DataProtection for some inspiration.
I am using JSON Web Token (Bearer) as my default Authentication. I'm then using (Cookies) as my Authentication for Google.
I am using the default Google Authentication in Asp.Net Core API to get the AccessToken. I then pass that AccessToken to my Angular application in the Url, using a redirect. This is similar to how the ASP.Net MVC 5 Web API works. From there, I'm making a call back to my Asp.Net Core API to try and get the remaining claims. I'm making the call using the AccessToken.
Does anyone know how to access the external claims using the Google AccessToken? I know how to do this in the Asp.Net MVC 5 Web API, but Asp.Net Core is much different.
I can see external claims here. This happens during the OAuth process after the User Authenticates with Google. This is in my ExternalLoginCallback method.
var result = await HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
Here is some information that seems to be useful, but it doesn't specifically address third party Auth.
https://learn.microsoft.com/en-us/aspnet/core/migration/claimsprincipal-current?view=aspnetcore-2.2
If I call the API using the AccecssToken, in the header, and use HttpContext.AuthenticateAsync like so....
var result = await HttpContext.AuthenticateAsync(JwtBearerDefaults.AuthenticationScheme);
I get this.
{System.Exception: No SecurityTokenValidator available for token: ya29.Glt5B_thgPhe8-FcR
Thanks in advance! Any help is much appreciated.
Here is what I ended up doing. Since I'm able to get the claims from the Cookie in my ExternalLoginCallback method, I went ahead and created a new JSON Web Token (JWT), added the extracted claims to it and then passed that over to my Angular application. Now, when I make the call back to my API, I'm able to read that Token and extract the claims using this line of code in my GetUserInfo method.
HttpContext.AuthenticateAsync(JwtBearerDefaults.AuthenticationScheme);
Bottom line, since I could not read the Google AccessToken like I could in my ASP.Net MVC 5 Web API, I just went ahead and created a new JWT Token, added in the claims and used that.
By the way, I'm having to do all of this because I can not call my ExternalLogin method directly from Angular because of a known Cors policy issue.
I want to create an angular application with an asp.net core 2.0 api as the backend.
I can see some articles saying you must use OpenIddict/Identity Server 4 to handle the JWT auth and others showing how to do it with the built in JWT middleware from Microsoft.
What is the distinction between the two? Under what circumstances would I use the built in middleware and what circumstances the JWT middleware from Microsoft?
What is the distinction between the two?
The difference is actually quite simple: OpenID Connect servers like OpenIddict or IdentityServer issue access tokens and the JWT bearer middleware validates them for your API controllers.
Does anyone have a complete example of using JWT bearer tokens with ASP.Net Core RC2 Identity? Preferably showing how to create the token also.
Thanks,
Paul
You may use OpenIdDict - a simple implementation of AspNet.Security.OpenIdConnect.Server.
Here and here is an example and article of using OpenIdDict.
Here is a discussion in Identity repo about JWT token authentication in ASP.Core
The official packages developed by Microsoft for ASP.NET Core only
support OAuth2 bearer token validation.
I'm personnaly using IdentityServer4 in ASP.NET core RC2 as an authentication app using JWT Bearer token. (very good Samples available) https://github.com/IdentityServer/IdentityServer4
For example : I have 3 projects (apps) in my solution
Login (IdentityServer4) that authenticate users and give them a JWT token when authenticated
API that is registered in IdentityServer4 as a consumer (Scope) for JWT tokens. Token attributes (Claims/Roles) are validated when accessing controller methods.
Web front end (Only HTML/AngularJS) that store the token and send it when sending a request (in the HTTP header) to the API. The front end is registered as "Client" in the Login
The big advantage to have an isolated Login app is that you can create as many API/front-end you want as long as you register them so they can communicate each other securely with the JWT token.
The samples available there https://github.com/IdentityServer/IdentityServer4.Samples are very straigtforward. If you have any question related to this project, feel free to ask.
I've ASP.NET Core 1.1 as backend and angular as front end solution with JWT bearer tokens. tokens can be easily created by lib.
https://github.com/Longfld/ASPNETcoreAngularJWT
I have a full example for ASP.NET Core with JWT auth: https://github.com/wilsonwu/netcoreauth
By the way, the database is SQL Server.