Closed paulinhps closed 1 year ago
@paulinhps I had the same issue on my end. But I have made some tests and found out that you need to add `services.AddJwksManager().UseJwtValidation();` to make the JWT work fine. Also, I had another issue with the token validation, but I found a solution: https://stackoverflow.com/questions/70579279/unauthorized-invalid-token-when-authenticating-with-jwt-bearer-token-after-upd
@KirillKaverin thx
@paulinhps Under the hood we are storing and managing the key in the exact same way ASP.NET MVC does to protect its cookies. This strategy enables us to change from symmetric keys with HMAC-SHA256 to asymmetric keys with RSA by default, which is way more secure than the common implementations out there.
To generate a secure HMAC-SHA256 key, you need to use the cryptographic components from .NET. So adding a JWT key from AppSettings isn't the best approach, and it's deprecated in this component. (In fact, it should be deprecated from all internet blogs, videos, etc.)
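The asymmetric model described in the comment above, as an added example that is not part of the thread and is not the component's own code: a .NET 6+ console program using only the base class library, in which the identity provider signs with an RSA private key and the consuming API verifies with nothing but the published public JWK. The key id, issuer and claims are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Identity provider side: the private key comes from the platform CSPRNG, not appsettings.json.
using RSA signingKey = RSA.Create(2048);
const string kid = "demo-key-1"; // constructed key id
string header = B64Url(JsonSerializer.SerializeToUtf8Bytes(new { alg = "RS256", typ = "JWT", kid }));
string payload = B64Url(JsonSerializer.SerializeToUtf8Bytes(new { sub = "user-1", iss = "https://idp.example" }));
byte[] sig = signingKey.SignData(Encoding.ASCII.GetBytes($"{header}.{payload}"),
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
string jwt = $"{header}.{payload}.{B64Url(sig)}";

// Public half only, in JWK form: what a JWKS endpoint would publish.
RSAParameters pub = signingKey.ExportParameters(includePrivateParameters: false);
string jwk = JsonSerializer.Serialize(
    new { kty = "RSA", use = "sig", kid, n = B64Url(pub.Modulus!), e = B64Url(pub.Exponent!) });

// Web API side: it holds the JWK and no SecretKey, so it can verify tokens but cannot mint them.
Console.WriteLine($"valid token accepted:    {Verify(jwt, jwk)}");
string forged = B64Url(JsonSerializer.SerializeToUtf8Bytes(new { sub = "admin", iss = "https://idp.example" }));
Console.WriteLine($"tampered token accepted: {Verify($"{header}.{forged}.{B64Url(sig)}", jwk)}");

static bool Verify(string token, string jwkJson)
{
    try
    {
        string[] parts = token.Split('.');
        if (parts.Length != 3) return false;
        using JsonDocument hdr = JsonDocument.Parse(Encoding.UTF8.GetString(FromB64Url(parts[0])));
        // Pin the algorithm on the verifier; never let the token header choose it.
        if (!hdr.RootElement.TryGetProperty("alg", out JsonElement alg) ||
            alg.ValueKind != JsonValueKind.String || alg.GetString() != "RS256") return false;
        using JsonDocument key = JsonDocument.Parse(jwkJson);
        using RSA rsa = RSA.Create();
        rsa.ImportParameters(new RSAParameters {
            Modulus = FromB64Url(key.RootElement.GetProperty("n").GetString()!),
            Exponent = FromB64Url(key.RootElement.GetProperty("e").GetString()!) });
        return rsa.VerifyData(Encoding.ASCII.GetBytes($"{parts[0]}.{parts[1]}"),
            FromB64Url(parts[2]), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }
    catch (Exception ex) when (ex is FormatException or JsonException or CryptographicException) { return false; }
}
static string B64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
static byte[] FromB64Url(string s)
{
    s = s.Replace('-', '+').Replace('_', '/');
    return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
}
```

A production verifier would also check `exp`, `iss` and `aud`, and select the key by `kid` from the full key set.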
I tried to create an authentication api without the secret key using the standard documentation on github.
My appsettings.json in Identity Provider API
My Startup.cs in Identity Provider API
In the other api that is authenticated by the identity provider I made the following settings:
My appsettings.json in Web API
My Program.cs in Web API
And for every request the answer is the same:
But if I include the SecretKey parameter, it works fine!