dvsekhvalnov / jose-jwt

Ultimate Javascript Object Signing and Encryption (JOSE), JSON Web Token (JWT) and Json Web Keys (JWK) Implementation for .NET and .NET Core
MIT License

How to validate and decode a Jwt token from microsoft identity server 4? #134

Open fabriziodb opened 4 years ago

fabriziodb commented 4 years ago

Please, can anyone help me understand how to validate and decode a JWT access token released from m$ IS4?

This is a token from the server, thanks.

eyJhbGciOiJSUzI1NiIsImtpZCI6InVVaENEMWZtLUp4OGdIeDRZX2djM1EiLCJ0eXAiOiJhdCtqd3QifQ.eyJuYmYiOjE1OTMwODk3OTMsImV4cCI6MTU5MzA5MzM5MywiaXNzIjoiaHR0cDovL2lkZW50aXR5c2VydmVyLmRldi4yNG9yZXByby5pbi5pbHNvbGUyNG9yZS5pdCIsImF1ZCI6InN3Z19lbnRpdGxlbWVudHMiLCJjbGllbnRfaWQiOiJtdmMiLCJzdWIiOiJmZGIxIiwiYXV0aF90aW1lIjoxNTkzMDg5NzkyLCJpZHAiOiJsb2NhbCIsInJvbGUiOlsiZGF0YUV2ZW50UmVjb3Jkcy5hZG1pbiIsImRhdGFFdmVudFJlY29yZHMudXNlciJdLCJ1c2VybmFtZSI6ImZkYjEiLCJ1c2VySWRlbnRpdHkiOiJQWjVmbThzTStYZS9hbWE0cmlnMXBPOEE3TnI3RVRxSU5DWTNyZzJQc1I0PSIsInNjb3BlIjpbInByb2ZpbGUiLCJvcGVuaWQiLCJzd2dfZW50aXRsZW1lbnRzIiwib2ZmbGluZV9hY2Nlc3MiXSwiYW1yIjpbInB3ZCJdfQ.ml-Jy8wwwC4MtncH_PisVj2H7Ro6kiU8hOs2HfeoPNJ6ExNhHjRxGgXua2GoYPmqBNYBJLSzmiZGHHXVB4pToJ2ETL8nqWhU46hvtpPV1IS6aVjPm2yHcTj2ooDwTDt35xT8sLmvar96_dYPmjkiIWQt9QvI15XqYJ9XF3znudG7dMU7RmWfLo_v_S0U1tz4-90xNMEqxEyoGFkEeB9xes74hfu_Ptd_0k7jOxdYebd1tz2IX3XDDXbBjQyZzxn77Jr2Xs5MCgdCFspDUYCAjnBMpo0hj4I5TAADMGOI7zZFkxmmLArzzmxadcul-475QkmOpw-nmrnKRMs0vriTMg

dvsekhvalnov commented 4 years ago

Hi @fabriziodb ,

This is an RS256-signed token; you can decode / verify the signature via: https://github.com/dvsekhvalnov/jose-jwt#verifying-and-decoding-tokens

string token = "your-token-here";
var privateKey = ... ; // your private key

string json = Jose.JWT.Decode(token, privateKey);

Then apply whatever checks you need, like token not expired, intended audience, etc.
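
An added example (not part of the original thread and not jose-jwt project code) of the post-decode checks mentioned above: expiry, not-before, issuer and audience, run only after the RS256 signature verifies. RS256 verification itself needs only the public half of the signing key. The `AccessTokenCheck` class, its method names, the issuer and audience values and the throwaway key pair are assumptions made for illustration; it assumes .NET Core 3.0 or later with the jose-jwt NuGet package.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.Json;
using Jose; // jose-jwt NuGet package
static class AccessTokenCheck // hypothetical helper, not part of jose-jwt
{
    // Verify the signature with the issuer's public key, then check time window, issuer and audience.
    public static JsonElement Validate(string token, RSA issuerPublicKey,
        string issuer, string audience, DateTimeOffset now)
    {
        // Pinning RS256 rejects a token whose header asks for any other algorithm; Decode throws on a bad signature.
        string json = JWT.Decode(token, issuerPublicKey, JwsAlgorithm.RS256);
        using var doc = JsonDocument.Parse(json);
        JsonElement c = doc.RootElement.Clone();
        long t = now.ToUnixTimeSeconds();
        if (!c.TryGetProperty("exp", out var exp) || t >= exp.GetInt64())
            throw new InvalidOperationException("token expired or exp missing");
        if (c.TryGetProperty("nbf", out var nbf) && t < nbf.GetInt64())
            throw new InvalidOperationException("token not yet valid");
        if (!c.TryGetProperty("iss", out var iss) || iss.GetString() != issuer)
            throw new InvalidOperationException("unexpected issuer");
        if (!c.TryGetProperty("aud", out var aud) || !AudienceMatches(aud, audience))
            throw new InvalidOperationException("token not intended for this audience");
        return c;
    }
    // "aud" may be a single string or an array of strings.
    static bool AudienceMatches(JsonElement aud, string expected)
    {
        if (aud.ValueKind == JsonValueKind.String) return aud.GetString() == expected;
        if (aud.ValueKind != JsonValueKind.Array) return false;
        foreach (var a in aud.EnumerateArray())
            if (a.ValueKind == JsonValueKind.String && a.GetString() == expected) return true;
        return false;
    }
    static void Main()
    {
        // Constructed sample: a throwaway key pair stands in for the identity server's signing key.
        using RSA signer = RSA.Create(2048);
        using RSA publicOnly = RSA.Create();
        publicOnly.ImportParameters(signer.ExportParameters(false)); // public parameters only
        var now = DateTimeOffset.UtcNow;
        var payload = new Dictionary<string, object> { ["iss"] = "https://idp.example", ["aud"] = "api1",
            ["nbf"] = now.ToUnixTimeSeconds(), ["exp"] = now.AddMinutes(5).ToUnixTimeSeconds() };
        string token = JWT.Encode(payload, signer, JwsAlgorithm.RS256);
        Console.WriteLine(Validate(token, publicOnly, "https://idp.example", "api1", now).GetProperty("aud"));
    }
}
```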

fabriziodb commented 4 years ago

Hi, is this the right way to pass the private key? I always get the same error. Thanks.

string token = "eyJhbGciOiJSUzI1NiIsImtpZCI6InVVaENEMWZtLUp4OGdIeDRZX2djM1EiLCJ0eXAiOiJhdCtqd3QifQ.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.ml-Jy8wwwC4MtncH_PisVj2H7Ro6kiU8hOs2HfeoPNJ6ExNhHjRxGgXua2GoYPmqBNYBJLSzmiZGHHXVB4pToJ2ETL8nqWhU46hvtpPV1IS6aVjPm2yHcTj2ooDwTDt35xT8sLmvar96_dYPmjkiIWQt9QvI15XqYJ9XF3znudG7dMU7RmWfLo_v_S0U1tz4-90xNMEqxEyoGFkEeB9xes74hfu_Ptd_0k7jOxdYebd1tz2IX3XDDXbBjQyZzxn77Jr2Xs5MCgdCFspDUYCAjnBMpo0hj4I5TAADMGOI7zZFkxmmLArzzmxadcul-475QkmOpw-nmrnKRMs0vriTMg"; Jose.JWT.Decode(token,"secret");



dvsekhvalnov commented 4 years ago

No. For RS256 you normally read your private key from a .p12 file or the Windows truststore, like

var privateKey=new X509Certificate2("key.p12", "password", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet).PrivateKey as RSACryptoServiceProvider;

https://github.com/dvsekhvalnov/jose-jwt#verifying-and-decoding-tokens - covers all cases

fabriziodb commented 4 years ago

Thanks, do I have to create a file named key.p12 containing the secret inside?



dvsekhvalnov commented 4 years ago

No, you actually should have the private key, because you registered the public part of it in Microsoft identity server.