jwt-dotnet / jwt

Jwt.Net, a JWT (JSON Web Token) implementation for .NET

JwtBuilder Cannot Decode with RSA256 #237

Closed groogiam closed 4 years ago

groogiam commented 4 years ago

The JwtBuilder does not seem to support RS256Algorithm. The following code gives this error message.

For algorithm RS256 please create custom factory by implementing IAlgorithmFactory

If the .WithSecret is removed it throws a null reference exception. It seems that you should not have to pass a secret as the public key is passed to the algorithm.

new JwtBuilder()
    .WithAlgorithm(new RS256Algorithm(config.Security.JwtRsaPublicKey.Rsa))
    .WithSecret(config.Security.JwtRsaPublicKey.Rsa.ExportRSAPublicKey()) //does not work if this is removed as well
    .MustVerifySignature()
    .Decode<AuthToken>(jwtCtx.SecurityToken);

abatishchev commented 4 years ago

Hi! Can you please post the stack trace when you don't specify WithSecret()?

abatishchev commented 4 years ago

In general, yes, secret is for hashing algorithms. For asymmetric algorithms it's ignored, at least on encoding.

Oh, wait. You're actually decoding. And that's where it's still needed. You're doing it right and the check that throws the said exception should be simply removed.

It's totally a bug. Can you please submit a PR that removes that line? I'll approve and release and update.

abatishchev commented 4 years ago

Ping. Please help make this library better.

abatishchev commented 4 years ago

I checked more closely and apparently JwtBuilder uses the ctor of JwtDecoder without supplying IAlgorithmFactory, which creates an HMACSHA factory, which doesn't support RS. I removed that ctor in #246.

abatishchev commented 4 years ago

Please try 6.0.0-beta4.
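
An added example, not part of the thread and not Jwt.Net's own code: RS256 verification written directly against .NET's System.Security.Cryptography, showing that checking the signature needs only the RSA public key (no shared secret) and that the verifier pins the algorithm rather than taking it from the token header. The class name, helper names, key pair and token are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

static class Rs256Demo
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromB64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // Verifies an RS256 token with the public key alone; no secret is involved.
    static bool VerifyRs256(string token, RSA publicKey)
    {
        var parts = token.Split('.');
        if (parts.Length != 3) return false;
        try
        {
            using var header = JsonDocument.Parse(Encoding.UTF8.GetString(FromB64Url(parts[0])));
            // Pin the algorithm: a header asking for HMAC or "none" is rejected outright.
            if (!header.RootElement.TryGetProperty("alg", out var alg) ||
                alg.ValueKind != JsonValueKind.String || alg.GetString() != "RS256") return false;
            var signingInput = Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]);
            return publicKey.VerifyData(signingInput, FromB64Url(parts[2]),
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
        catch (Exception e) when (e is FormatException || e is JsonException ||
                                  e is InvalidOperationException) { return false; }
    }

    static void Main()
    {
        using var signer = RSA.Create(2048); // constructed key pair, demo only
        var head = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"RS256\",\"typ\":\"JWT\"}"));
        var body = B64Url(Encoding.UTF8.GetBytes("{\"sub\":\"demo-user\"}"));
        var sig = B64Url(signer.SignData(Encoding.ASCII.GetBytes(head + "." + body),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

        using var verifier = RSA.Create();
        verifier.ImportRSAPublicKey(signer.ExportRSAPublicKey(), out _); // public half only

        Console.WriteLine("valid RS256 token:   " + VerifyRs256(head + "." + body + "." + sig, verifier));
        var hsHead = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        Console.WriteLine("header says HS256:   " + VerifyRs256(hsHead + "." + body + "." + sig, verifier));
    }
}
```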