I'm implementing my own OAuth authentication system and want to use JWT tokens. The MS implementation is a little confusing. I see the following hashing algorithm all over the net:

    public string Protect(AuthenticationTicket data)
    {
        if (data == null)
        {
            throw new ArgumentNullException("data");
        }

        string audienceId = ConfigurationManager.AppSettings["as:AudienceId"];

        string symmetricKeyAsBase64 = ConfigurationManager.AppSettings["as:AudienceSecret"];

        var keyByteArray = TextEncodings.Base64Url.Decode(symmetricKeyAsBase64);

        var signingKey = new HmacSigningCredentials(keyByteArray);

        var issued = data.Properties.IssuedUtc;

        var expires = data.Properties.ExpiresUtc;

        var token = new JwtSecurityToken(_issuer, audienceId, data.Identity.Claims, issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingKey);

        var handler = new JwtSecurityTokenHandler();

        var jwt = handler.WriteToken(token);

        return jwt;
    }

but can't seem to find out how I can then extract the user info out of the token

Ageis

1 Answer

What you are showing is a JWT protect implementation that does not come out of the box. This is for serializing & encrypting tokens, not the opposite. If you have already managed that part (that's the difficult one) then reading the user claims out of a JWT token should be easy. This is usually done by the Microsoft.Owin.Security.Jwt middleware:

    var issuer = "http://myidentityserverurl.com";
    var audience = ConfigurationManager.AppSettings["as:AudienceId"];
    var symmetricKey = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["as:AudienceSecret"]);

    // Api controllers with an [Authorize] attribute will be validated with JWT
    app.UseJwtBearerAuthentication(
        new JwtBearerAuthenticationOptions {
            AuthenticationMode = AuthenticationMode.Active,
            AuthenticationType = "JWT",
            AllowedAudiences = new string[] { audience },
            IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
            {
                new SymmetricKeyIssuerSecurityTokenProvider(issuer, symmetricKey)
            }
        });

Check out this GitHub repo and the accompanying article here for a complete example end to end.

cleftheris
  • For what purpose are `as:AudienceId` and `as:AudienceSecret` used? – Rahul Jan 23 '16 at 08:28
  • 1
    @Rahul AudienceId is equivalent to a relying party name or in other words the consumer of the JWT token. In the protect code above we are creating a token for a specific audienceId using a signing key. Those 2 must be known when you try to consume the tokens. – cleftheris Jan 23 '16 at 09:28
  • Thanks. Could you please give example code for consuming the JWT token from a C# client? Also, if you can, provide example code to consume it from a RestSharp client. Should I pass the 'AudienceId' and the 'AudienceSecret' to the server from the client during the authentication process? How can I access the Claims in the client? – Rahul Jan 23 '16 at 09:53
  • @Rahul I think what you need is to ask a new question on SO. (I would use the [IdentityModel](https://github.com/IdentityModel/IdentityModel) lib to help me do that) – cleftheris Jan 23 '16 at 20:28
  • FYI. I have added a new question. http://stackoverflow.com/questions/34968854/how-to-consume-jwt-access-token-and-user-claims-using-restsharp – Rahul Jan 23 '16 at 21:07
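
The question asks how to get the user info back out of the token. As an added example (not code from the question, the answer, or the linked repo), this validates a token by hand and lists its claims, assuming the System.IdentityModel.Tokens.Jwt NuGet package version 5 or later, where `SymmetricSecurityKey` takes the place of the `HmacSigningCredentials` helper shown above. The class and method names, issuer, audience and key are constructed for illustration.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

public static class JwtClaimsDemo   // hypothetical name, for illustration only
{
    // Verifies signature, issuer, audience and lifetime; throws if any check fails.
    public static ClaimsPrincipal ReadValidated(string jwt, string issuer, string audience, byte[] key)
    {
        var parameters = new TokenValidationParameters
        {
            // ValidateIssuer, ValidateAudience and ValidateLifetime default to true.
            ValidIssuer = issuer,                             // issuer used when protecting
            ValidAudience = audience,                         // the as:AudienceId value
            IssuerSigningKey = new SymmetricSecurityKey(key), // decoded as:AudienceSecret
            ValidateIssuerSigningKey = true,
            RequireSignedTokens = true,
            RequireExpirationTime = true,
            ClockSkew = TimeSpan.FromMinutes(1)
        };
        var principal = new JwtSecurityTokenHandler()
            .ValidateToken(jwt, parameters, out SecurityToken validated);
        // Pin the algorithm so a token signed any other way is refused.
        if (((JwtSecurityToken)validated).Header.Alg != SecurityAlgorithms.HmacSha256)
            throw new SecurityTokenValidationException("unexpected signing algorithm");
        return principal;
    }

    public static void Main()
    {
        // Constructed sample values, not taken from the page.
        const string issuer = "https://issuer.example", audience = "sample-audience-id";
        byte[] key = Enumerable.Range(1, 32).Select(i => (byte)i).ToArray();
        var token = new JwtSecurityToken(issuer, audience,
            new[] { new Claim("sub", "alice"), new Claim("role", "admin") },
            DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5),
            new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256));
        string jwt = new JwtSecurityTokenHandler().WriteToken(token);

        // Claim types may be shown as ClaimTypes URIs by the handler's inbound claim map.
        foreach (Claim c in ReadValidated(jwt, issuer, audience, key).Claims)
            Console.WriteLine($"{c.Type} = {c.Value}");

        try { ReadValidated(jwt, issuer, "some-other-audience", key); }
        catch (SecurityTokenException e) { Console.WriteLine("rejected: " + e.GetType().Name); }
    }
}
```

Anyone holding the symmetric key can also mint tokens, so this validation belongs on the API that consumes the token rather than in a client application.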