Validating an access token in my ASP.NET Web API

Question

I have a mobile client (app) letting the user authenticate with google. So, the client receives an access token and some info (name, email etc) from google. Works fine!

I also created an ASP.NET Web API that the mobile app should comunicate with. On the client side I am adding the token to the HttpClient with: client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "pretty_long_access_token_separated_by_two_dots");

Question 1: I'm trying to "decode" the access token on this site (to make sure it's all right): https://jwt.io/ The header and the payload is all right, but it seems like it's an "invalid signature" (says in the bottom). Should I worry about this?

---

On the server side, I added this to the Configuration method in the Startup class:

app.UseJwtBearerAuthentication( new JwtBearerAuthenticationOptions
{
    AuthenticationMode = AuthenticationMode.Active,
    AllowedAudiences = new List<string> {"my_client_id"},
    IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
    {
        new SymmetricKeyIssuerSecurityTokenProvider(@"https://accounts.google.com/", "my_client_secret")
    },
});

The only thing I want to do with the token, on my server side, is making sure that only validated users from my app should be able to access my API-controller.

Question 2: Is UseJwtBearerAuthentication the right thing for me, or am I going in the wrong direction?

My problem is, I constantly get 401, unauthorized, when trying to access my WEB API controller.

If I am on the right track, I can try to explain more about the server side setup...

Any helt would be very appreciated!

Answer 1

If you are using a JWT token then you will need JWT instead of Bearer

client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("JWT", "pretty_long_access_token_separated_by_two_dots");

The signature is used to validate the token as authentic and is therefore only required by the authentication server. If Google is your authentication server, then there should be an API endpoint you can call from your server to verify that the token is valid.

If your server is issuing the JWT token, then you will need to check that the token is valid by decoding the signature using the secret that was used to create it in the first place

If Google is issuing the JWT and you want your server to be able to self validate it, then you need to use another encryption type such as RS256 which will allow you to validate the signature using a public key issued by Google (I have no idea if they provide this method or not)

The reason https://jwt.io/ cannot validate your signature is because it was signed using a secret code. If you have this secret code then you are able to paste it into the textbox in the bottom right. If the secret is correct, and the token hasn't expired, it will show as being a valid JWT token.