I've been following a number of sources to try and implement JWT authentication into my WebApi2 project and have also started using swagger.io and Swashbuckle to both document and test my API. I've been inspired by how exceptionless supports an /auth/login method to generate an api_key which is then used to call other methods requiring authorisation.

I should also say my development has been based on the ASP.NET Web API 2 book which introduces Token-Based security using JwtAuthForWebAPI package and so I have my JWT Delegating Handler implemented for me as follows:

// Add Jwt Authentication Web Handler
var builder = new SecurityTokenBuilder();
var reader = new ConfigurationReader();
GlobalConfiguration.Configuration.MessageHandlers.Add(
    new JwtAuthenticationMessageHandler
    {
        AllowedAudience = reader.AllowedAudience,
        Issuer = reader.Issuer,
        SigningToken = builder.CreateFromKey(reader.SymmetricKey),
        //SigningToken = builder.CreateFromKey(reader.SubjectCertificateName),
        CookieNameToCheckForToken = reader.CookieNameToCheckForToken
    });

(I've set up web.config credentials and the code steps through fine)

The problem is:

  1. Unlike exceptionless, when I call a method after entering my api_key, swagger is putting the key onto the querystring instead of in a "Bearer" authorisation header
  2. I don't know if the above code checks the query string for the JWT (and even if it did, it doesn't sound that sensible for lots of reasons (security, long URL))
  3. Because the above code builds the Delegating Handler for me, I can't debug it to see what it is actually doing (can I link log4net into it?)
  4. And as a result, my controller method doesn't get hit because [Authorize] fails.

I suppose my question at this point is to resolve item 1 above, which will make 2 a non-issue and (hopefully) make 4 work! Thanks.

Chris Walsh
  • My GET request mentioned in item 1 looks like this: `http://localhost:57618/api/UserProfile?api_key=eyJ0eXAiOi...` and unsurprisingly returns a 401 status code. – Chris Walsh Oct 07 '15 at 23:41
  • OK, so I've found and implemented a solution (http://stevemichelotti.com/customize-authentication-header-in-swaggerui-using-swashbuckle/) for item 1 by Steve Michelotti (thanks Steve!) but as there is nowhere in the above code where you state the header "name" that contains the value, I still don't understand how the Delegated Handler can find my key. (e.g. "apiKey" or "key" etc). Is it because I should actually be setting "Authorization: Bearer ..." instead? – Chris Walsh Oct 08 '15 at 00:35
  • You can do it the way provided here - http://stackoverflow.com/questions/39729188/im-not-getting-a-scope-checkbox-when-the-authorize-tag-doesnt-contain-roles-a/39750143#39750143 – Silly John Oct 05 '16 at 11:36
  • I work on the exceptionless project and implemented the oauth flow. I'm glad you got it working and was inspired by our project :). I really like how we are setup and I think it's dead simple. – Blake Niemyjski Jul 07 '17 at 02:15
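For anyone hitting the same three problems, the following is an added example (not the asker's code and not part of JwtAuthForWebAPI) of what a Web API 2 message handler that only honours `Authorization: Bearer <jwt>` looks like, so you can see where the token is read, why a query-string `api_key` is ignored, and how to log the failure reason. It assumes System.IdentityModel.Tokens.Jwt 4.x and log4net are referenced, and is registered with `GlobalConfiguration.Configuration.MessageHandlers.Add(...)` in place of the packaged handler; Swagger UI must send the header (as in the Michelotti link above) for requests to authenticate.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using log4net;

// Added example (not JwtAuthForWebAPI code): accepts the JWT only from "Authorization: Bearer <jwt>".
public class BearerJwtHandler : DelegatingHandler
{
    private static readonly ILog Log = LogManager.GetLogger(typeof(BearerJwtHandler));
    private readonly TokenValidationParameters _parameters;

    public BearerJwtHandler(string issuer, string audience, byte[] symmetricKey)
    {
        // Issuer, audience, expiry and signature are all checked by ValidateToken below.
        _parameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = audience,
            IssuerSigningKey = new InMemorySymmetricSecurityKey(symmetricKey)
        };
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var auth = request.Headers.Authorization;
        if (auth == null || !"Bearer".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase))
        {
            // ?api_key=... (what Swagger UI sent) is ignored on purpose: the request stays anonymous,
            // so [Authorize] produces the 401 described in the question and the log says why.
            bool keyInQuery = request.RequestUri.Query.Contains("api_key=");
            Log.WarnFormat("{0}: no Bearer header (api_key in query string: {1})", request.RequestUri.AbsolutePath, keyInQuery);
            return await base.SendAsync(request, ct);
        }
        try
        {
            SecurityToken validated;
            var principal = new JwtSecurityTokenHandler().ValidateToken(auth.Parameter, _parameters, out validated);
            request.GetRequestContext().Principal = principal; // what Web API 2's [Authorize] inspects
        }
        catch (SecurityTokenException ex)
        {
            // Signature, issuer, audience or expiry failed: the reason goes to the log, not to the client.
            Log.WarnFormat("{0}: token rejected: {1}", request.RequestUri.AbsolutePath, ex.Message);
            var response = request.CreateResponse(HttpStatusCode.Unauthorized);
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer", "error=\"invalid_token\""));
            return response;
        }
        return await base.SendAsync(request, ct);
    }
}
```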

0 Answers