I'm using the JwtBearerAuthentication Katana middleware in a .NET WebAPI project to secure my web API via JWT.

So, in my Startup class I'm just doing something simple like:

    app.UseJwtBearerAuthentication(
        new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            AllowedAudiences = new[] { audience },
            IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
            {
                new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
            }
        });

Everything works great, with one exception.

When a client passes in an invalid or missing Bearer token the WWW-Authenticate response header is just "Bearer".

I'd like to customize that header to include the address of my authorization server and the supported grant types.

Something more like: WWW-Authenticate: MyAuth href=url,grant_type="supported-grants" or whatever...

What is the best way to do this? I'm surprised the JwtBearerAuthenticationOptions class does not include a Challenge property. I can work around this, but wanted to know if there is a best practice here with the Jwt middleware or not.

Peter M

1 Answer

We ended up inserting the WWW-Authenticate header with the values we wanted using OnApplyChallenge within the OAuthBearerAuthenticationProvider.

Something along the lines of:

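    app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions {
        // ... remaining options ...
        Provider = new OAuthBearerAuthenticationProvider {
            // The delegate must return a Task (System.Threading.Tasks); AppendValues is the IHeaderDictionary method.
            OnApplyChallenge = context => { context.OwinContext.Response.Headers.AppendValues(WWWAuthenticateHeader, values); return Task.FromResult(0); }
        } });
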
Peter M
  • Better than an authentication filter: you always set the same challenge, so you don't need the complexity of implementing a filter. The challenge is set in the OAuth middleware, not in the Web API middleware. – Bombinosh Mar 02 '15 at 21:23
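
The approach in the answer above, written out as an added example (not code from the question or the answer's author). It keeps the `Bearer` scheme, which RFC 6750 allows to carry extra auth-params, and builds the header value once at startup with quoted-string escaping so a configuration value cannot break or split the header. The class name `BearerChallenge` and the parameter names `authorization_uri` and `grant_types` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

public static class BearerChallenge
{
    // Builds: Bearer name1="value1", name2="value2" (RFC 7235 auth-param syntax).
    public static string Build(IEnumerable<KeyValuePair<string, string>> parameters)
    {
        var parts = parameters.Select(p =>
        {
            // Parameter names are restricted to a conservative ASCII token subset.
            if (p.Key.Length == 0 ||
                !p.Key.All(c => c < 128 && (char.IsLetterOrDigit(c) || c == '_' || c == '-')))
                throw new ArgumentException("Invalid parameter name: " + p.Key);
            // Reject CR, LF, other control characters and non-ASCII in values.
            if (p.Value.Any(c => c < 0x20 || c > 0x7E))
                throw new ArgumentException("Invalid character in value of " + p.Key);
            // quoted-string: escape backslash first, then double quote.
            var escaped = p.Value.Replace("\\", "\\\\").Replace("\"", "\\\"");
            return p.Key + "=\"" + escaped + "\"";
        });
        return "Bearer " + string.Join(", ", parts);
    }

    // Returns a provider to assign to JwtBearerAuthenticationOptions.Provider.
    public static OAuthBearerAuthenticationProvider CreateProvider(
        string authorizationUri, string grantTypes)
    {
        // Built once here so a bad configuration value fails at startup, not per request.
        var challenge = Build(new[]
        {
            new KeyValuePair<string, string>("authorization_uri", authorizationUri), // hypothetical name
            new KeyValuePair<string, string>("grant_types", grantTypes)              // hypothetical name
        });
        return new OAuthBearerAuthenticationProvider
        {
            // Assigning OnApplyChallenge replaces the default handler that emits the bare "Bearer" challenge.
            OnApplyChallenge = context =>
            {
                context.OwinContext.Response.Headers.AppendValues("WWW-Authenticate", challenge);
                return Task.FromResult(0);
            }
        };
    }
}
```

In `Startup`, set `Provider = BearerChallenge.CreateProvider(...)` alongside the other options passed to `UseJwtBearerAuthentication`.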