jwt-dotnet / jwt

Jwt.Net, a JWT (JSON Web Token) implementation for .NET

Middleware companion packages #219

Closed dazinator closed 4 years ago

dazinator commented 5 years ago

Those wishing to use JWT are likely writing .net web applications in one of three paradigms:

  1. Asp.net
  2. Owin
  3. Asp.net core

It would be useful to have a support package for each of those paradigms to do JWT authentication. I'd propose not worrying about legacy Asp.net or Owin for now, but an asp.net core authentication middleware could be good. Microsoft provides a Jwt authentication package using their own JWT stuff but it sucks imho.

abatishchev commented 5 years ago

I'd love to have this addition! Would be great if you could start and submit a draft and I'll be happy to code review, refactor, etc. - that's my specialty :)

Weboholics commented 5 years ago

Background: We develop .net core 3.0 web applications without EF and identity (using a micro ORM for database). We are using Claims and Policy and Cookies. We are migrating to using JWT for ajax/api/rest, but it seems we need to keep cookies for page navigation?

Questions

  1. Is it the best solution to use a hybrid cookie/JWT solution for non-singlepage solutions?
  2. I have used your library to create a JWT token and am using web storage in the web browser. How should I work with middleware, [authorize] and policies in webapi controllers? What are your recommended best practices?

I think these questions are related to dazinator's question.

abatishchev commented 5 years ago

Hi, I'm not sure I can give sound advice on #1, I'm mostly a backend/service/infrastructure engineer. But regarding #2 the library will work just fine. Inject the necessary interface(s) into the attribute/middleware/filter's ctor and use it as usual.

abatishchev commented 5 years ago

Please come back to this great idea and start a PR, in this repo or perhaps in another one in this organization.

abatishchev commented 4 years ago

I still love this idea and it would be great if you (or someone else) could start a PR.

abatishchev commented 4 years ago

@dazinator if you'd like your idea to go live, please take a look at #231 and share what your scenario/usage looks like so I could incorporate them into the middleware(s).

dazinator commented 4 years ago

@abatishchev nice work. I think you've covered the main scenario of restoring the logged-in user's authentication context when a valid JWT token is presented in the authorization header, which is great. The second scenario where I use JWT is in order to produce a JWT token once a user successfully logs in. Upon validating a user's login credentials, I can construct a ClaimsPrincipal for the user. This can contain any claims I like. From there, I need to produce a JWT token that contains the claims that I want to include directly in the JWT (to avoid lookup from the database) as well as having the standard JWT claim values included like jti etc etc. Once I have the JWT token, I actually return that to my front end so it can cache it until expiry and append it to future requests.

So perhaps an example of performing a login (owin, asp.net core) which returns a JWT to reflect the newly logged in user would be a nice addition?

P.S. sorry I never got time to work on this myself
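A sketch of the second scenario described above (issuing a token from a ClaimsPrincipal after a successful login, then verifying it on the next request), added here as an example; it is not code from the project, from #231, or from anyone in this thread. It assumes Jwt.Net's fluent JwtBuilder API (JWT.Builder and JWT.Algorithms namespaces); the LoginTokenIssuer class name and the "roles"/"tenant" claim types are made up for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using JWT.Algorithms;
using JWT.Builder;

// Hypothetical helper (not part of Jwt.Net): builds a JWT for an already-authenticated principal.
public static class LoginTokenIssuer
{
    public static string Issue(ClaimsPrincipal user, string secret, string issuer, string audience, TimeSpan lifetime)
    {
        var subject = user.Identity?.Name ?? throw new ArgumentException("principal has no name");
        var now = DateTimeOffset.UtcNow;

        // Application claims copied into the token so later requests need no database lookup.
        // Only copy what the API needs: the payload is base64url-encoded, not encrypted.
        var roles = user.Claims.Where(c => c.Type == "role").Select(c => c.Value).ToArray();
        var tenant = user.Claims.FirstOrDefault(c => c.Type == "tenant")?.Value;

        var builder = JwtBuilder.Create()
            .WithAlgorithm(new HMACSHA256Algorithm()) // HS256: the secret must be high-entropy and never leave the server
            .WithSecret(secret)
            // Registered claims (RFC 7519): who issued it, for whom, and how long it is valid.
            .AddClaim("iss", issuer)
            .AddClaim("aud", audience)
            .AddClaim("sub", subject)
            .AddClaim("jti", Guid.NewGuid().ToString("N")) // unique token id, useful for audit logs and revocation lists
            .AddClaim("iat", now.ToUnixTimeSeconds())
            .AddClaim("exp", now.Add(lifetime).ToUnixTimeSeconds())
            .AddClaim("roles", roles);

        if (tenant != null)
            builder = builder.AddClaim("tenant", tenant);

        return builder.Encode();
    }

    // Verifying side: signature and expiry are checked before any claim is trusted.
    public static IDictionary<string, object> Verify(string token, string secret)
    {
        return JwtBuilder.Create()
            .WithAlgorithm(new HMACSHA256Algorithm())
            .WithSecret(secret)
            .MustVerifySignature() // throws on a bad signature and on an expired "exp" claim
            .Decode<IDictionary<string, object>>(token);
    }
}
```

The caller is expected to check "iss" and "aud" from the returned dictionary against its own configuration, since the builder above only enforces the signature and expiry.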

abatishchev commented 4 years ago

Let's do this in chunks. I updated the readme for the authentication handler registration sample. I will complete the PR and publish NuGet packages. Would you be able to give it a try?

abatishchev commented 4 years ago

JWT.Extensions.AspNetCore version 6.0.0-alpha1 has been published. Please check it out and let me know what you think.

PureKrome commented 4 years ago

@abatishchev - heya! quick question. How is this middleware different to this:

using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));

var tokenValidationParameters = new TokenValidationParameters
{
    // Signing key must match.
    ValidateIssuerSigningKey = true,
    RequireSignedTokens = true,
    IssuerSigningKey = signingKey,

    // Iss claim.
    ValidateIssuer = true,
    ValidIssuer = issuer,

    // Aud claim.
    ValidateAudience = true,
    ValidAudience = audience,

    NameClaimType = "name" // Why? User.Identity.Name wasn't getting set.
};

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options => options.TokenValidationParameters = tokenValidationParameters);

see how I've just said:

which does some validation there...

abatishchev commented 4 years ago

@PureKrome the one you're using is most likely coming from Microsoft's own package, which might be a better choice for most of the users, unless one is using this library already and/or wants to have an ability to contribute to OSS and/or control what's going on inside.

PureKrome commented 4 years ago

I'm already using JWT nuget in a number of projects and it's working great.

so the middleware package is just another option - versus - it does something specific which the MS package does...

abatishchev commented 4 years ago

The new middleware doesn't do anything specific, rather it tries to repeat what the one by Microsoft already does but uses our library underneath. Hope this helps/explains.

Thanks for being a loyal customer! ;)

PureKrome commented 4 years ago

Ah, gotcha. Yep, thanks!