Create custom .well-known\openid-configuration in .net core
Question
I'm new in JWT authentification, so maybe what i want to do is wrong.
I'm using asymmetric RSA key pair to sign and validate JWT.
In my startup.cs I've:
public void ConfigureServices(IServiceCollection services) {
services.AddControllers();
services.AddSingleton<RsaSecurityKey>(provider => {
RSA rsa = RSA.Create();
rsa.ImportRSAPublicKey(
source: Convert.FromBase64String(configuration["Jwt:PublicKey"]),
bytesRead: out int _
);
return new RsaSecurityKey(rsa);
});
services.AddAuthentication()
.AddJwtBearer("Asymmetric", options => {
SecurityKey rsa = services.BuildServiceProvider().GetRequiredService<RsaSecurityKey>();
options.TokenValidationParameters = new TokenValidationParameters {
IssuerSigningKey = rsa,
ValidAudience = "audience-test",
ValidIssuer = "test-issuer",
RequireSignedTokens = true,
RequireExpirationTime = true,
ValidateLifetime = true,
ValidateAudience = true,
ValidateIssuer = true,
};
});
}
To generate my token I've in my controller:
[HttpPost]
[Route("Asymmetric")]
public IActionResult GenerateTokenAsymmetric()
{
using RSA rsa = RSA.Create();
rsa.ImportRSAPrivateKey(
source: Convert.FromBase64String(_configuration["Jwt:PrivateKey"]),
bytesRead: out int _);
var signingCredentials = new SigningCredentials(
key: new RsaSecurityKey(rsa),
algorithm: SecurityAlgorithms.RsaSha256
);
DateTime jwtDate = DateTime.Now;
var jwt = new JwtSecurityToken(
audience: "test-audience",
issuer: "test-issuer",
claims: new Claim[] { new Claim(ClaimTypes.NameIdentifier, "John") },
notBefore: jwtDate,
expires: jwtDate.AddMinutes(1),
signingCredentials: signingCredentials
);
string token = new JwtSecurityTokenHandler().WriteToken(jwt);
return Ok(new
{
jwt = token
});
}
As you see it, my public key is stored in my appsettings. I would like to use options.MetadataAddress so that my client can download metadata about my api and retrieve public key to validate token.
My question is:
It is possible to create a custom.well-known/openid-configuration in .net core? Or I must to use IdentityServer for example?
Thanks for help
1 answers
solution1
0 2021-12-09 19:18:58
I don't think it is is that hard to create your own static "fake". well-known/openid-configuration page. But at at the same time, having a dedicates token service like IdentityServer will give you advantages when your system grows. Don't forget you also need to create the JWKS endpoint as well. As the AddJwBearer handler makes requests to both.
Also you doing it all by your self also opens up potential security issues that is already fixed/solved in the existing solutions.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.