NetDevPack / Security.Jwt

Jwt Manager. Set of components to deal with Jwt Stuff. Automate your key rotating, add support for jwks_uri. Store your cryptography keys in a secure place.
MIT License

Question: Adding support for EncryptingCredentials #4

Closed rebeccapowell closed 3 years ago

rebeccapowell commented 3 years ago

When defining the SecurityTokenDescriptor, you can not only set the SigningCredentials, but the EncryptingCredentials as well.

Is there a way to use the same key to set the EncryptingCredentials as well? I've been trying the following, but I've been getting an exception, and I'm not sure how to solve it:

private string EncodeToken(ClaimsIdentity identityClaims)
{
    var tokenHandler = new JwtSecurityTokenHandler();
    var currentIssuer = $"{ControllerContext.HttpContext.Request.Scheme}://{ControllerContext.HttpContext.Request.Host}";
    var key = _jwksService.GetCurrent();

    var encryptingCredentials = new EncryptingCredentials(key.Key, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes128CbcHmacSha256);
    var token = tokenHandler.CreateToken(new SecurityTokenDescriptor
    {
        Issuer = currentIssuer,
        Subject = identityClaims,
        Expires = DateTime.UtcNow.AddHours(1),
        SigningCredentials = key,
        EncryptingCredentials = encryptingCredentials
    });

    return tokenHandler.WriteToken(token);
}

Exception is:

Microsoft.IdentityModel.Tokens.SecurityTokenEncryptionFailedException: IDX10615: Encryption failed. No support for: Algorithm: '', SecurityKey: 'Microsoft.IdentityModel.Tokens.JsonWebKey, Use: 'sig',  Kid: '0EfgPGGNZBsnn69wrnwLzg', Kty: 'EC', InternalId: '2cIn0xM5H76UBp4u-Bx2MRU-S2YAS0XsHqe67NE4Cbk'.'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateEncryptedToken(JwtSecurityToken innerJwt, EncryptingCredentials encryptingCredentials)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateJwtSecurityTokenPrivate(String issuer, String audience, ClaimsIdentity subject, Nullable`1 notBefore, Nullable`1 expires, Nullable`1 issuedAt, SigningCredentials signingCredentials, EncryptingCredentials encryptingCredentials)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateToken(SecurityTokenDescriptor tokenDescriptor)

EduardoPires commented 3 years ago

@brunohbrito Can you check this?

brunobritodev commented 3 years ago

Hi @rebeccapowell

By default this component uses ECDsa to generate the keys, and from your example we can see you are trying to use RSA:

new EncryptingCredentials(key.Key, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes128CbcHmacSha256);

If you go to your startup.cs and change it to:

services.AddJwksManager(options => options.Algorithm = Algorithm.RS256)

Then it should work.

This component was designed to work with JWS. The algorithms it supports are those listed in RFC 7518 - JWS section. There may be some differences between JWE algs.

I'll work on a version to support JWE algs.
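The mismatch behind the IDX10615 exception above is that RSA-OAEP key wrapping needs an RSA key, while the key manager was handing out an EC (ES256) key. The following is an added example, not code from the issue or from NetDevPack.Security.Jwt: it checks up front whether a key can perform the requested JWE key-management algorithm, then creates and validates a signed-and-encrypted token with a locally generated RSA key, which stands in for what `_jwksService.GetCurrent()` returns once the manager is configured for RS256. The issuer, audience and claim values are constructed sample data, and the package versions (System.IdentityModel.Tokens.Jwt / Microsoft.IdentityModel.Tokens) are assumed to be ones that support JWE.

```csharp
// Added example (not part of the issue or of NetDevPack.Security.Jwt).
// Shows why an EC key cannot back RSA-OAEP key wrapping, and the RSA path
// the maintainer suggests (Algorithm.RS256) for a signed + encrypted JWT.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class JweDemo
{
    // True when the key's crypto provider can run the requested JWE "alg".
    // Checking this before building EncryptingCredentials turns the runtime
    // SecurityTokenEncryptionFailedException into an explicit configuration error.
    public static bool SupportsKeyWrap(SecurityKey key, string keyWrapAlgorithm) =>
        key.CryptoProviderFactory.IsSupportedAlgorithm(keyWrapAlgorithm, key);

    public static string CreateSignedAndEncryptedToken(RsaSecurityKey key, string issuer, string audience)
    {
        if (!SupportsKeyWrap(key, SecurityAlgorithms.RsaOAEP))
            throw new InvalidOperationException($"Key '{key.KeyId}' cannot perform {SecurityAlgorithms.RsaOAEP}");

        var handler = new JwtSecurityTokenHandler();
        var token = handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = issuer,
            Audience = audience,
            // "tenant" is a constructed claim name that the handler does not remap on validation.
            Subject = new ClaimsIdentity(new[] { new Claim("tenant", "acme") }),
            Expires = DateTime.UtcNow.AddHours(1),
            // RS256 signs the inner JWS with the RSA private key ...
            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.RsaSha256),
            // ... and RSA-OAEP wraps the content-encryption key of the outer JWE.
            EncryptingCredentials = new EncryptingCredentials(
                key, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes128CbcHmacSha256)
        });
        return handler.WriteToken(token);
    }

    public static ClaimsPrincipal Validate(string jwe, RsaSecurityKey key, string issuer, string audience)
    {
        var handler = new JwtSecurityTokenHandler();
        return handler.ValidateToken(jwe, new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = audience,
            IssuerSigningKey = key,    // verifies the inner JWS signature
            TokenDecryptionKey = key,  // unwraps the CEK and decrypts the JWE payload
        }, out _);
    }

    public static void Main()
    {
        const string issuer = "https://issuer.example";  // constructed sample values
        const string audience = "demo-api";

        // The situation from the issue: the key manager handed out an EC (ES256) key.
        using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var ecKey = new ECDsaSecurityKey(ecdsa) { KeyId = "ec-key" };
        Console.WriteLine($"EC key supports RSA-OAEP:  {SupportsKeyWrap(ecKey, SecurityAlgorithms.RsaOAEP)}");

        // The maintainer's fix: an RSA key serves both the JWS signature and the JWE key wrap.
        using var rsa = RSA.Create(2048);
        var rsaKey = new RsaSecurityKey(rsa) { KeyId = "rsa-key" };
        Console.WriteLine($"RSA key supports RSA-OAEP: {SupportsKeyWrap(rsaKey, SecurityAlgorithms.RsaOAEP)}");

        var jwe = CreateSignedAndEncryptedToken(rsaKey, issuer, audience);
        // A JWE in compact serialization has five segments; a plain JWS has three.
        Console.WriteLine($"Token segments: {jwe.Split('.').Length}");

        var principal = Validate(jwe, rsaKey, issuer, audience);
        Console.WriteLine($"Decrypted tenant claim: {principal.FindFirst("tenant")?.Value}");
    }
}
```

In a real deployment the signing and decryption keys are the ones served by the key manager rather than a key generated in `Main`, and the `SupportsKeyWrap` check is what you would run at startup so that a key-type change during rotation fails fast instead of at the first token issuance.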

brunobritodev commented 3 years ago

@rebeccapowell Hi!

There is support for JWE now. Search for NetDevPack.Security.Jwt. And it's fully integrated with ASP.NET Core DataProtection to store keys.