Saturday, 15 May 2010

.NET - How to configure Microsoft JWT with a symmetric key?

I'm trying to configure an ASP.NET app to accept a JSON Web Token (JWT) signed with a symmetric key. The STS isn't capable of using certificates for this, so we're using the symmetric key support.

On my end, I'm using Microsoft's JWT developer preview. Unfortunately, I've not seen any examples of how to utilize a symmetric key. After digging around with various tools, I found NamedKeyIssuerTokenResolver and discovered that I can configure it to utilize a symmetric key. For example:

    <securityTokenHandlers>
      <add type="Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler, Microsoft.IdentityModel.Tokens.JWT" />
      <securityTokenHandlerConfiguration>
        <certificateValidation certificateValidationMode="PeerTrust" />
        <issuerTokenResolver type="Microsoft.IdentityModel.Tokens.JWT.NamedKeyIssuerTokenResolver, Microsoft.IdentityModel.Tokens.JWT">
          <securityKey symmetricKey="+zqf97fd/xyzzyplugh42ploverfeefiefoefooxqje=" name="https://localhost/testrelyingparty" />
        </issuerTokenResolver>
      </securityTokenHandlerConfiguration>
    </securityTokenHandlers>

I'm not entirely sure what I'm supposed to put in the name there. Should it be the audience URI, or perhaps the issuer URI? In any case, I know that if I don't include the name, I get an exception when the program starts, because the securityKey element requires the attribute.

Whatever the case, this still doesn't resolve the issue. After I authenticate against the STS, I get the following exception:

    [SecurityTokenValidationException: Jwt10310: Unable to validate signature. validationParameters.SigningTokenResolver type: 'Microsoft.IdentityModel.Tokens.JWT.NamedKeyIssuerTokenResolver', was unable to resolve key to a token. SecurityKeyIdentifier is: 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 1, Clause[0] = Microsoft.IdentityModel.Tokens.JWT.NamedKeyIdentifierClause ) '. validationParameters.SigningToken was null.]
       Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler.ValidateSignature(JWTSecurityToken jwt, TokenValidationParameters validationParameters) +2111
       Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler.ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters) +138
       Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler.ValidateToken(SecurityToken token) +599
       System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +135
       System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +117
       System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +698
       System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +123924
       System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

Am I missing some other configuration step? Am I putting the wrong thing in the name attribute? Or is this a known bug in the JWT developer preview?

Update 2014/02/13:

As @leastprivilege points out below, this is a whole lot easier with the RTM version of JWT. I suggest ignoring this and going with the example provided at http://leastprivilege.com/2013/07/16/identityserver-using-ws-federation-with-jwt-tokens-and-symmetric-signatures/.

Note that the original reply below is for the beta version, Microsoft.IdentityModel.Tokens.JWT. Upgrading to the release version, System.IdentityModel.Tokens.Jwt, required a little more work. See below.

The primary problem turns out to be that the method JWTSecurityTokenHandler.ValidateToken(token) does not populate the TokenValidationParameters that it passes to JWTSecurityTokenHandler.ValidateToken(token, validationParameters). In particular, it doesn't populate the SigningToken member or ValidIssuers (or ValidIssuer).

Interestingly, the configuration I showed in the original question is loaded into the token resolver and is available at runtime, as you can see in the code below.

I don't know how to specify the valid issuer string in the configuration file, though. I suspect there's a place to set that information, but I haven't yet figured out where it belongs.

The solution to the problem is to create a custom security token handler that derives from JWTSecurityTokenHandler. Overriding ValidateToken(token, validationParameters) gives me a chance to set the parameters I need, and then call the base class's ValidateToken method.

    using System.Collections.Generic;
    using System.IdentityModel.Tokens;
    using System.Linq;
    using System.Security.Claims;
    using Microsoft.IdentityModel.Tokens.JWT;

    public class CustomJWTSecurityTokenHandler : JWTSecurityTokenHandler
    {
        // Override ValidateToken so that the SigningToken is taken from the
        // configured resolver when it doesn't exist in the validationParameters object.
        private const string KeyName = "https://localhost/testrelyingparty";
        private const string ValidIssuerString = "https://mystsname/trust";

        public override ClaimsPrincipal ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters)
        {
            // Set the valid issuers if none were supplied.
            if ((validationParameters.ValidIssuer == null) &&
                (validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any()))
            {
                validationParameters.ValidIssuers = new List<string> { ValidIssuerString };
            }

            // ...and the signing token, looked up by name in the configured resolver.
            if (validationParameters.SigningToken == null)
            {
                var resolver = (NamedKeyIssuerTokenResolver)this.Configuration.IssuerTokenResolver;
                if (resolver.SecurityKeys != null)
                {
                    List<SecurityKey> sKeys;
                    if (resolver.SecurityKeys.TryGetValue(KeyName, out sKeys))
                    {
                        var tok = new NamedKeySecurityToken(KeyName, sKeys);
                        validationParameters.SigningToken = tok;
                    }
                }
            }

            return base.ValidateToken(jwt, validationParameters);
        }
    }

In web.config, I had to change the security token handler:

    <securityTokenHandlers>
      <!--<add type="Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler, Microsoft.IdentityModel.Tokens.JWT" />-->
      <!-- Replaces the default JWTSecurityTokenHandler -->
      <add type="TestRelyingParty.CustomJWTSecurityTokenHandler, TestRelyingParty" />

Nothing like spending 3 or 4 days researching a problem that's solved with a couple dozen lines of code . . .

Addition for the new version

In June of 2013, Microsoft officially released JWT. They changed the namespace to System.IdentityModel.Tokens.Jwt. After upgrading to that, the solution above stopped working. To get it working, I had to add the following to CustomJWTSecurityTokenHandler. That's in addition to the existing code.

    // The single-argument overload now has to build the TokenValidationParameters
    // itself; the allowed audiences come from the handler's configuration.
    public override ClaimsPrincipal ValidateToken(JwtSecurityToken jwt)
    {
        var vParms = new TokenValidationParameters
        {
            AllowedAudiences = Configuration.AudienceRestriction.AllowedAudienceUris.Select(s => s.ToString())
        };
        return ValidateToken(jwt, vParms);
    }
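To make concrete what the configured NamedKeyIssuerTokenResolver and TokenValidationParameters are supposed to do for a symmetrically signed token, here is an added stand-alone example (not code from the question above and not Microsoft's library): an HS256 verifier that resolves the key by name, checks the signature in constant time, and only then checks issuer, audience and expiry. The key name and issuer strings are reused from the post for illustration; the key bytes are generated per run, the `kid`-based lookup, the `https://example.invalid/...` placeholders and the use of System.Text.Json (.NET 6 or later) are assumptions. The second check in `Main` reproduces the "unable to resolve key" failure from the question's stack trace.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Example code: a minimal HS256 verifier with key lookup by name.
public static class NamedKeyJwtVerifier
{
    // Keys by name, like <securityKey symmetricKey="..." name="..."/> in the config.
    // The key bytes are a constructed sample, generated fresh on every run.
    public static readonly Dictionary<string, byte[]> NamedKeys = new()
    {
        ["https://localhost/testrelyingparty"] = RandomNumberGenerator.GetBytes(32)
    };

    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] B64UrlDecode(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        t = t.PadRight(t.Length + (4 - t.Length % 4) % 4, '=');
        return Convert.FromBase64String(t);
    }

    static byte[] Hmac(byte[] key, string signingInput)
    {
        using var h = new HMACSHA256(key);
        return h.ComputeHash(Encoding.ASCII.GetBytes(signingInput));
    }

    // Issues a token. Only here so the example runs without an STS; the key is
    // passed explicitly so a token can carry a kid that the verifier cannot resolve.
    public static string CreateToken(byte[] key, string kid, string issuer, string audience, long expUnix)
    {
        string header = B64Url(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(new { alg = "HS256", typ = "JWT", kid })));
        string payload = B64Url(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(new { iss = issuer, aud = audience, exp = expUnix })));
        string signingInput = header + "." + payload;
        return signingInput + "." + B64Url(Hmac(key, signingInput));
    }

    // Returns the claims on success; throws with a message naming the failed check.
    public static Dictionary<string, JsonElement> Validate(string token, string validIssuer, string allowedAudience, long nowUnix)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 3) throw new InvalidOperationException("malformed compact JWT");

        using JsonDocument header = JsonDocument.Parse(B64UrlDecode(parts[0]));
        // Pin the algorithm: the token header must not be allowed to choose it.
        if (header.RootElement.GetProperty("alg").GetString() != "HS256")
            throw new InvalidOperationException("unexpected alg");

        // Key resolution by name: the step that fails when no SigningToken is supplied.
        string keyName = header.RootElement.TryGetProperty("kid", out var kid) ? kid.GetString() ?? "" : "";
        if (!NamedKeys.TryGetValue(keyName, out byte[]? key))
            throw new InvalidOperationException("unable to resolve key for name '" + keyName + "'");

        // Signature first, in constant time, before trusting anything in the payload.
        byte[] expected = Hmac(key, parts[0] + "." + parts[1]);
        if (!CryptographicOperations.FixedTimeEquals(expected, B64UrlDecode(parts[2])))
            throw new InvalidOperationException("invalid signature");

        using JsonDocument payload = JsonDocument.Parse(B64UrlDecode(parts[1]));
        var claims = new Dictionary<string, JsonElement>();
        foreach (JsonProperty p in payload.RootElement.EnumerateObject())
            claims[p.Name] = p.Value.Clone();

        if (!claims.TryGetValue("iss", out var iss) || iss.GetString() != validIssuer)
            throw new InvalidOperationException("invalid issuer");
        if (!claims.TryGetValue("aud", out var aud) || !AudienceMatches(aud, allowedAudience))
            throw new InvalidOperationException("invalid audience");
        if (!claims.TryGetValue("exp", out var exp) || exp.GetInt64() <= nowUnix)
            throw new InvalidOperationException("token expired");
        return claims;
    }

    // aud may be a single string or an array of strings.
    static bool AudienceMatches(JsonElement aud, string allowed)
    {
        if (aud.ValueKind == JsonValueKind.String) return aud.GetString() == allowed;
        if (aud.ValueKind == JsonValueKind.Array)
            foreach (var a in aud.EnumerateArray()) if (a.GetString() == allowed) return true;
        return false;
    }

    static void Report(Action check)
    {
        try { check(); Console.WriteLine("unexpectedly valid"); }
        catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
    }

    public static void Main()
    {
        const string keyName = "https://localhost/testrelyingparty";
        const string issuer = "https://mystsname/trust";
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();

        string good = CreateToken(NamedKeys[keyName], keyName, issuer, keyName, now + 300);
        Console.WriteLine("valid, iss=" + Validate(good, issuer, keyName, now)["iss"].GetString());

        // Unknown key name: the same failure mode as the stack trace in the question.
        Report(() => Validate(CreateToken(NamedKeys[keyName], "https://example.invalid/unknown-key", issuer, keyName, now + 300), issuer, keyName, now));
        // Signature is fine but the issuer is not the one we trust.
        Report(() => Validate(good, "https://example.invalid/other-sts", keyName, now));
        // Same token evaluated after its exp.
        Report(() => Validate(good, issuer, keyName, now + 600));
    }
}
```

The ordering matters: the key is resolved and the signature verified before any claim is read, the algorithm is fixed by the verifier rather than taken from the header, and the audience check is what the `name` attribute in the question's config ultimately has to line up with on the relying-party side.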

.net wif jwt
