Web API从自定义身份验证提供程序验证JWT承载令牌

Question

I've been looking for an example or tutorial for a few hours and thought I should post something at this point.

I'm trying to validate a bearer token from a custom Auth provider inside my .Net 4.7.2 Web Api 2 project. I have a SPA app that gets a bearer token from this auth provider, and sends the bearer token to my WebApi endpoints. I need to turn around and validate the token in each request. I thought there would be a way to point the classes in the Microsoft.Owin.Security.Jwt namespace to validate the token based on the auth providers well known discovery information url .

Has anyone done this before or point me towards a good library/documentation/tutorial?

I know I can write my own auth request filter and go out and pull down the public certificate from the auth server and parse the token and validate the signature, but it seems like a horrible idea for me to write that myself vs using the appropriate libraries.

Answer 1

Ok turns out I found a good example here

The following code sets up our webapi to validate tokens with our custom auth provider while discovering the public key through the OIDC discovery url.

   var issuer = "https://my-auth-provider-here/";

    IConfigurationManager<OpenIdConnectConfiguration> configurationManager = 
        new ConfigurationManager<OpenIdConnectConfiguration>($"{issuer}.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());

    OpenIdConnectConfiguration openIdConfig = configurationManager.GetConfigurationAsync(CancellationToken.None).Result;

    appBuilder.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions()
    {
        AuthenticationMode = AuthenticationMode.Active,
        TokenValidationParameters = new TokenValidationParameters()
        {
            AuthenticationType = "Bearer",
            ValidIssuer = issuer,
            ValidateAudience = false,
            IssuerSigningKeys = openIdConfig.SigningKeys
        }
    });