24

I used to have a reference to Microsoft.IdentityModel.Tokens.JWT and everything was working fine.

I updated to use the new System.IdentityModel.Tokens.Jwt but nothing seems to work now. It cannot find the ValidateToken method of the JwtSecurityTokenHandler and the TokenValidationParameters have no AllowedAudience, SigningToken or ValidateExpiration properties.

What am I missing here? Can anyone provide a working sample of JWT validation with this?

My "old" code:

private static void ValidateJwt(string jwt)
{
    var handler = new JWTSecurityTokenHandler();
    var validationParameters = new Microsoft.IdentityModel.Tokens.JWT.TokenValidationParameters()
    {
        AllowedAudience = "https://my-rp.com",
        //SigningToken = new BinarySecretSecurityToken(Convert.FromBase64String(myBase64Key)),
        SigningToken = new X509SecurityToken(
           X509
           .LocalMachine
           .My
           .Thumbprint
           .Find("UYTUYTVV99999999999YTYYTYTY88888888", false)
           .First()),
        ValidIssuer = "https://my-issuer.com/trust/issuer",
        ValidateExpiration = true
    };

    try
    {
        var principal = handler.ValidateToken(jwt, validationParameters);
    }
    catch (Exception e)
    {

        Console.WriteLine("{0}\n {1}", e.Message, e.StackTrace);
    }

    Console.WriteLine();
}
Dr Rob Lang
Patrice Cote

1 Answer

45

After a lot of research and tests, I finally found that some property names for TokenValidationParameters had changed, and the JwtSecurityTokenHandler.ValidateToken() method signature too.

So here's the modified working version of the above code.

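using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;   // X509CertificateValidator
using System.IdentityModel.Tokens;      // JwtSecurityTokenHandler, TokenValidationParameters
using System.Linq;

private static void ValidateJwt(string jwt)
{
    var handler = new JwtSecurityTokenHandler();
    var validationParameters = new TokenValidationParameters()
    {
        // Renamed from AllowedAudience
        ValidAudience = "https://my-rp.com",
        // Replaces SigningToken; X509 is a certificate-store helper not defined in this post
        IssuerSigningTokens = new List<X509SecurityToken>() { new X509SecurityToken(
           X509
           .LocalMachine
           .My
           .Thumbprint
           .Find("UYTUYTVV99999999999YTYYTYTY88888888", false)
           .First()) },
        ValidIssuer = "https://my-issuer.com/trust/issuer",
        // X509CertificateValidator.None performs no validation of the certificate
        CertificateValidator = X509CertificateValidator.None,
        RequireExpirationTime = true
    };

    try
    {
        // The new signature returns the validated token through an out parameter
        SecurityToken validatedToken;
        var principal = handler.ValidateToken(jwt, validationParameters, out validatedToken);
    }
    catch (Exception e)
    {
        Console.WriteLine("{0}\n {1}", e.Message, e.StackTrace);
    }

    Console.WriteLine();
}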

And for reference, the JwtSecurityTokenHandler lives in the System.IdentityModel.Tokens namespace. Don't forget to add the package "JSON Web Token Handler For the Microsoft .Net Framework 4.5" (version 4.0.0 at the time I write these lines).

Hope it can save a few hours of search for some of you guys!

Dr Rob Lang
Patrice Cote
  • 5
    Thanks for this! Ugh, so frustrating :\ Coding in ASP.NET has been an absolute nightmare compared to other frameworks out there – ossys Jul 26 '16 at 15:50
  • @ossys Perhaps it's just the Azure part? Been using ASP.NET for a while and love it. Gotta do the Azure AD stuff now and it's a pain in the rear. – Shelby115 Aug 18 '16 at 19:01
  • @Shelby115 glad you are having better luck with ASP.NET! :) I think for RESTful development Node.js supports JSON formats natively, so it is tough trying to manage C# objects and mappings... but for this JWT problem it was a change to the API that had no documentation I could find on it :( – ossys Aug 19 '16 at 13:44
  • The `RequireExpirationTime` is set to `true` in the default constructor for `TokenValidationParameters`. – bugged87 Dec 02 '18 at 22:47
  • 4
    @ossys .NET documentation has gone downhill. I am finding it difficult to find any information on these classes. Too much trial and error. – Mark Dornian Jun 27 '20 at 01:14
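
An added example (not code from the question or the answer): the same 4.0.0 `ValidateToken` call, reworked so the caller receives the validated `ClaimsPrincipal` and gets `null` when the token is rejected, with the signing certificate read through the framework's `X509Store` rather than the `X509` helper used above. The names `JwtValidation`, `LoadSigningCertificate` and `TryValidateJwt` are assumptions made for illustration; the audience and issuer values are the ones from the post.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;

public static class JwtValidation   // hypothetical class name
{
    // Hypothetical helper: reads the issuer's signing certificate from LocalMachine\My.
    private static X509Certificate2 LoadSigningCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: true makes the store return only certificates it considers valid.
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);
            if (matches.Count != 1)
                throw new InvalidOperationException("Expected exactly one valid signing certificate.");
            return matches[0];
        }
        finally { store.Close(); }
    }

    // Returns the validated principal, or null when the token is rejected.
    // A missing signing certificate is a deployment error and is allowed to propagate.
    public static ClaimsPrincipal TryValidateJwt(string jwt, string signingCertThumbprint)
    {
        var signingToken = new X509SecurityToken(LoadSigningCertificate(signingCertThumbprint));
        var validationParameters = new TokenValidationParameters
        {
            ValidAudience = "https://my-rp.com",
            ValidIssuer = "https://my-issuer.com/trust/issuer",
            IssuerSigningTokens = new List<SecurityToken> { signingToken },
            RequireExpirationTime = true
        };
        try
        {
            SecurityToken validatedToken;
            return new JwtSecurityTokenHandler().ValidateToken(jwt, validationParameters, out validatedToken);
        }
        // Validation failures (signature, issuer, audience, lifetime) derive from SecurityTokenException.
        catch (SecurityTokenException e) { Console.Error.WriteLine("JWT rejected: {0}", e.Message); }
        // Null, empty or otherwise unreadable token strings surface as ArgumentException.
        catch (ArgumentException e) { Console.Error.WriteLine("JWT unreadable: {0}", e.Message); }
        return null;
    }
}
```

Callers should treat a `null` result as an unauthenticated request rather than falling back to any claims read from the unvalidated token.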