NetDevPack / Security.Identity

.NET DevPack Identity is a set of common implementations to help you implement Identity, JWT, claims validation and other facilities
MIT License

How does a library work without SecretKey? #22

Closed paulinhps closed 1 year ago

paulinhps commented 2 years ago

I tried to create an authentication API without the secret key, following the standard documentation on GitHub.

My appsettings.json in Identity Provider Api

"AppJwtSettings": {
    "Issuer": "MyInssuerValue",
    "Audience": "MyAudience"
    // SecretKey is missing
}

My Startup.cs in Identity Provider Api

public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers();

    services.AddMemoryCache(); // Add this line

    services.AddIdentityEntityFrameworkContextConfiguration(options =>
        options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"),
            b => b.MigrationsAssembly(GetType().Namespace)));

    services.AddIdentityConfiguration();

    services.AddJwtConfiguration(Configuration)
            .AddNetDevPackIdentity<IdentityUser>();

    services.AddSwaggerConfiguration();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        app.UseSwaggerConfiguration();
    }

    app.UseHttpsRedirection();

    app.UseRouting();

    app.UseAuthConfiguration();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}
// [...]

In the other API, which is authenticated by the identity provider, I made the following settings:

My appsettings.json in Web Api

"AppJwtSettings": {
    "Issuer": "MyInssuerValue",
    "Audience": "MyAudience"
    // SecretKey is missing
}

My Program.cs in Web Api

var builder = WebApplication.CreateBuilder(args);

builder.Services?.AddJwtConfiguration(builder.Configuration);
// more code

var app = builder.Build();

// middlewares
app.UseAuthConfiguration();
//more middlewares

app.Run();

And for every request the response is the same:

 content-length: 0 
 date: Thu,28 Jul 2022 18:22:22 GMT 
 server: Kestrel 
 www-authenticate: Bearer error="invalid_token",error_description="The signature key was not found" 

But if I include the SecretKey parameter, it works fine!

KirillKaverin commented 2 years ago

@paulinhps I had the same issue on my end. But I made some tests and found out that you need to add services.AddJwksManager().UseJwtValidation(); to make the JWT work fine. I also had another issue with the token validation, but I found a solution: https://stackoverflow.com/questions/70579279/unauthorized-invalid-token-when-authenticating-with-jwt-bearer-token-after-upd

brunobritodev commented 1 year ago

@KirillKaverin thx

@paulinhps Under the hood we are storing and managing the key in exactly the same way ASP.NET MVC does to protect its cookies. This strategy enables us to change from symmetric keys with HMAC-SHA256 to asymmetric keys with RSA by default, which is way more secure than the common implementations out there.

To generate a secure HMAC-SHA256 key, you need to use the cryptographic components from .NET. So adding a JWT key from AppSettings isn't the best approach, and it's deprecated in this component (in fact it should be deprecated from all internet blogs, videos, etc.).
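The following console program is an added example, written for this thread; it is not code from NetDevPack.Security.Identity or from anyone posting above. It shows, with the plain Microsoft JWT libraries, the three situations the thread touches on: an HMAC-SHA256 key generated by the OS CSPRNG instead of a string in appsettings.json, an RSA key where the consuming Web API holds only the public half (the shape a JWKS endpoint publishes), and the fail-closed behaviour you get when no verification key is configured at all, which is what the "signature key was not found" challenge in the first post reflects. It assumes the NuGet packages System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens on .NET 6 or later; the Issuer and Audience values are copied from the appsettings.json above, and the class, method and claim names are the example's own.

```csharp
// Added example, not part of NetDevPack.Security.Identity.
// Assumed dependencies: NuGet packages System.IdentityModel.Tokens.Jwt and
// Microsoft.IdentityModel.Tokens, .NET 6 or later.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class JwtKeyDemo
{
    // Issuer and audience values copied from the appsettings.json in the issue.
    const string Issuer = "MyInssuerValue";
    const string Audience = "MyAudience";

    // Symmetric HMAC-SHA256: 256 bits straight from the OS CSPRNG. A string typed
    // into appsettings.json has far less entropy and tends to end up in source control.
    public static SymmetricSecurityKey NewHmacKey() =>
        new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32));

    // Asymmetric RS256: the identity provider keeps this private key. The kid lets
    // consumers pick the right public key after a rotation.
    public static RsaSecurityKey NewRsaKey() =>
        new RsaSecurityKey(RSA.Create(2048)) { KeyId = Guid.NewGuid().ToString("N") };

    // Public-only copy of an RSA key: this is all a consuming Web API ever needs,
    // and it is what a JWKS endpoint would serve.
    public static RsaSecurityKey PublicHalf(RsaSecurityKey privateKey) =>
        new RsaSecurityKey(privateKey.Rsa.ExportParameters(false)) { KeyId = privateKey.KeyId };

    // Identity provider side: mint a short-lived token with the given key and algorithm.
    public static string Issue(SecurityKey signingKey, string algorithm)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, "user-1") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(signingKey, algorithm),
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Web API side: the checks the bearer middleware runs. Passing null as the key is
    // the situation from the issue (no SecretKey, no JWKS): validation must fail closed.
    public static bool TryValidate(string token, SecurityKey? verificationKey, out string error)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = verificationKey,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
            error = "";
            return true;
        }
        catch (SecurityTokenException ex) // e.g. SecurityTokenSignatureKeyNotFoundException
        {
            error = ex.Message;
            return false;
        }
    }

    public static void Main()
    {
        // 1. Shared secret: both services must hold the same 32 random bytes.
        var hmacKey = NewHmacKey();
        var hsToken = Issue(hmacKey, SecurityAlgorithms.HmacSha256);
        Console.WriteLine($"HS256, shared key present: {TryValidate(hsToken, hmacKey, out _)}");
        Console.WriteLine($"HS256, no key configured:  {TryValidate(hsToken, null, out var err)} -> {err}");

        // 2. RSA: the Web API validates with the public half only; the private key stays in the IdP.
        var rsaKey = NewRsaKey();
        var rsToken = Issue(rsaKey, SecurityAlgorithms.RsaSha256);
        Console.WriteLine($"RS256, public key only:    {TryValidate(rsToken, PublicHalf(rsaKey), out _)}");

        // 3. A well-formed token signed by some other key is rejected by the same check.
        var otherToken = Issue(NewRsaKey(), SecurityAlgorithms.RsaSha256);
        Console.WriteLine($"RS256, wrong key:          {TryValidate(otherToken, PublicHalf(rsaKey), out err)} -> {err}");
    }
}
```

The first and third cases are the ones worth keeping in mind when reading the thread: with no key on the consuming side there is nothing the handler can verify a signature against, so every bearer request is rejected, and with RSA the only material the Web API needs to hold is the public key, which is why the library can drop the shared SecretKey from appsettings and publish keys through a JWKS endpoint instead.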