search

daviddesmet / paseto-dotnet

🔑 Paseto.NET, a Paseto (Platform-Agnostic Security Tokens) implementation for .NET
MIT License
99 stars 8 forks source link

Improve documentation #75

Open daviddesmet opened 2 years ago

daviddesmet commented 2 years ago

Improve the documentation, especially around the use of the keys.

See here for an example.

Excerpt:

...

I'm using Paseto.Core Nuget from https://github.com/daviddesmet/paseto-dotnet, and I'm trying to create v4 public PASETO token with this. My code:

public async Task<TokenResponse> GenerateAsync(Client client, TokenRequest tokenRequest, string issuer, string audience)
    {
        var privateEd25519Key = await File.ReadAllBytesAsync("private.pem");

        var pasetoToken = new PasetoBuilder()
            .Use(ProtocolVersion.V4, Purpose.Public)
            .WithKey(privateEd25519Key, Encryption.AsymmetricSecretKey)
            .Issuer(issuer)
            .Subject(tokenRequest.ClientId)
            .Audience(audience)
            .NotBefore(DateTime.UtcNow)
            .IssuedAt(DateTime.UtcNow)
            .Expiration(DateTime.UtcNow.AddSeconds(client.AccessTokenLifetime))
            .TokenIdentifier(Guid.NewGuid().ToString())
            .AddClaim("client_id", tokenRequest.ClientId)
            .AddClaim("scopes", tokenRequest.Scopes)
            .Encode();

        return new TokenResponse
        {
            AccessToken = pasetoToken,
            Lifetime = client.AccessTokenLifetime,
            Scope = tokenRequest.Scopes
        };
    }
}

Besides, due to the rather unclear documentation, I don't know if I'm really creating a token signed with a private key or encrypted.

...

Here is my solution:

public async Task<TokenResponse> GenerateAsync(Client client, TokenRequest tokenRequest, string issuer, string audience)
    {
        var ed25519pkcs8 = await File.ReadAllTextAsync("private.pem");

        var privatePemReader = new PemReader(new StringReader(ed25519pkcs8));
        var ed25519pkcs8Parameters = (Ed25519PrivateKeyParameters)privatePemReader.ReadObject();
        ISigner signer = new Ed25519Signer();
        signer.Init(true, ed25519pkcs8Parameters);

        var pasetoToken = new PasetoBuilder()
            .Use(ProtocolVersion.V4, Purpose.Public)
            .WithKey(signer.GenerateSignature(), Encryption.AsymmetricSecretKey)
            .Issuer(issuer)
            .Subject(tokenRequest.ClientId)
            .Audience(audience)
            .NotBefore(DateTime.UtcNow)
            .IssuedAt(DateTime.UtcNow)
            .Expiration(DateTime.UtcNow.AddSeconds(client.AccessTokenLifetime))
            .TokenIdentifier(Guid.NewGuid().ToString())
            .AddClaim("client_id", tokenRequest.ClientId)
            .AddClaim("scopes", tokenRequest.Scopes)
            .Encode();

        return new TokenResponse
        {
            AccessToken = pasetoToken,
            Lifetime = client.AccessTokenLifetime,
            Scope = tokenRequest.Scopes
        };
    }

It turned out that WithKey doesn't support PEM files, so you had to get the private key out of PKCS#8.