kevinchalet
commented
8 years ago Hey,
You could achieve what you want by using the OnSerializeAccessToken event and setting context.SigningCredentials with the signing credentials corresponding to the specific client application making the authorization/token request. ASOS would then use these credentials instead of the global ones defined in the main options.
That said, doing that is extremely unusual for at least 3 reasons:
- Access tokens are meant to be used by resource servers (client apps must consider them as opaque) so there's absolutely no reason to sign them using client app signing credentials.
- Signing these tokens with signing keys known by client apps would allow them to send virtually any token with any claim, since they'd just have to sign the JWT token with their signing key. This is obviously a major security concern.
- You don't always know which client app is requesting an access token: it's specially true with the resource owner password credentials grant when you don't require client authentication and when the client app doesn't send a
client_id.
RobinDavisNotts
Hello, Currently writing an Api which will use a jwt bearer token as an api key.
However we need to be able to sign each token with a different key, so that we can decrypt the incoming bearer token.
Is there a way of doing that in this library? I feel like possibly using the OnReceivingToken would allow for also retrieving the client id, so that we can retrieve their key.
Thanks for your help!