
I've used this and that link to secure my WebApi2 with tokens. When I authenticate it responds with something like this:

{
    ".expires": "Wed, 30 Jan 2019 14:14:44 GMT",
    ".issued": "Wed, 30 Jan 2019 13:44:44 GMT",
    "access_token": "ZYQm9txvb_fVqYo8Be-NQzC1o3DQM3HYwIdi_2aDNazXW3x9BlYwXqGLBf_Ptqv3azR6uSzhp3_CIjPGGDuolmC0Z1PaHOZJKHn7DJHVnJlMN4FYlE_oCAA1HgM1sWYY97-a21gUNsGLdVCA1UNVo_u2E52ef-sl9-2aOTMJcrJli--waNBBKVok5aP_H4ufdAdxkGTGYrvdTU9Tm2zduadsGeeifI522QY8EwwDNQ2T-6A9_yBuI0yRT-B-TzayUevKvITkZZBKbMAMJNDNQC_dvqiZeaVlKiaxLZsnZ6V1t49nEDQ58pXmDqfdWIF88sbcQXFR_zt5Rly7znL8bWCY1OEuLcF_wH-NHnuyd7PCTT0cxUNu75Vz0wlM5SidxqoJ1KBi2I64IqPvXEObf5NXJb9QP3ZKOGWKtHqaanj9dOS2URGfY8VxfQDpkaMc",
    "as:client_id": "5F6617AD-3364-41EB-B0F1-F538C950FA09",
    "expires_in": 1799,
    "refresh_token": "4d7e77c8c0cf4cc2bc417a6166c07d4d",
    "token_type": "bearer"
}

When I invoke authorized API methods I need to attach access_token as a Bearer token to my requests - so it works as expected. Now I want to use this token to also authorize access to Hangfire's dashboard. After acquiring the token from the server I save it in a cookie as token_cookie. Then on the server side I try to read it like this:

using System.IdentityModel.Tokens.Jwt;
using System.Web;
using Hangfire.Dashboard;

public class CustomAuthorizationFilter : IDashboardAuthorizationFilter
{
    public bool Authorize(DashboardContext context)
    {
        // The dashboard is opened by browser navigation, so the token is expected in a cookie
        // rather than in an Authorization header.
        var cookies = HttpContext.Current.Request.Cookies;

        if (cookies["token_cookie"] != null)
        {
            var jwtCookie = cookies["token_cookie"];
            var jwtToken = jwtCookie.Value;
            var handler = new JwtSecurityTokenHandler();
            // Attempt to parse the bearer token as a JWT; this is the call that throws IDX12741.
            var token = handler.ReadToken(jwtToken);
            // check if user is in admin role etc.
        }
        return false;
    }
}

The access token has the same value as on the client. Yet the ReadToken method throws an error:

IDX12741: JWT: '[PII is hidden]' must have three segments (JWS) or five segments (JWE).

How can I read this token to access user claims? Since the Authorize attribute works on my controllers it would seem that the JWT middleware can somehow read it. Am I missing something?

My auth configuration looks like this:

using System;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

private static void AddJwtAuthentication(IAppBuilder app)
{
    var OAuthServerOptions = new OAuthAuthorizationServerOptions
    {
        AllowInsecureHttp = false,
        TokenEndpointPath = new PathString("/token"),
        AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
        Provider = new SimpleAuthorizationServerProvider(),
        RefreshTokenProvider = new SimpleRefreshTokenProvider(),
    };

    // Token Generation
    app.UseOAuthAuthorizationServer(OAuthServerOptions);
    // Token validation for requests carrying "Authorization: Bearer <token>"
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
}
Krzysztof
  • An OAuth bearer token is not the same as a JWT and is also not designed to be decoded by yourself. – jps Jan 30 '19 at 14:38
  • So what are you saying - I can't secure the HF dashboard with OAuth bearer tokens? – Krzysztof Jan 30 '19 at 14:49
  • I'm not familiar with Hangfire. I just see that you create an OAuth bearer token, which you have shown above, and then try to interpret it as a JWT (which - not surprisingly - fails). You either need to create a JWT for your WebApi2 (the same author has some nice tutorials about JWT too) or implement OAuth bearer tokens for Hangfire, if possible. – jps Jan 30 '19 at 14:54
  • I've used the JWT implementation - now it works. Thank you. – Krzysztof Jan 30 '19 at 16:35
  • you're welcome :) – jps Jan 30 '19 at 19:40

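The comments identify the cause: the token issued by the OWIN OAuth server is an opaque, machine-key-protected AuthenticationTicket, not a JWT, so it can only be read by the bearer middleware that shares its data protector. An added example, not from the question or its comments, of keeping the bearer token and letting that middleware do the work: the bearer provider's OnRequestToken hook supplies the token from the cookie for dashboard requests only, and the dashboard filter then reads the claims the middleware has already validated. The cookie name is the question's; the "/hangfire" path, the "admin" role and the class names DashboardTokenAuth and AdminOnlyFilter are assumptions.

```csharp
using System.Threading.Tasks;
using Hangfire;
using Hangfire.Dashboard;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public static class DashboardTokenAuth
{
    // Cookie name from the question; dashboard path and role name are assumptions.
    private const string TokenCookie = "token_cookie";
    private static readonly PathString DashboardPath = new PathString("/hangfire");

    public static void Configure(IAppBuilder app)
    {
        // app.UseOAuthAuthorizationServer(...) with the question's options goes here, unchanged.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new OAuthBearerAuthenticationProvider
            {
                // Browser navigation to the dashboard carries no Authorization header, so for
                // those requests only, hand the middleware the token from the cookie. It then
                // unprotects the ticket with its own data protector and rejects expired ones.
                OnRequestToken = ctx =>
                {
                    if (string.IsNullOrEmpty(ctx.Token) && ctx.Request.Path.StartsWithSegments(DashboardPath))
                    {
                        ctx.Token = ctx.Request.Cookies[TokenCookie];
                    }
                    return Task.FromResult(0);
                }
            }
        });

        // Register the dashboard after the bearer middleware so the request principal is already set.
        app.UseHangfireDashboard("/hangfire", new DashboardOptions
        {
            Authorization = new IDashboardAuthorizationFilter[] { new AdminOnlyFilter() }
        });
    }
}

public class AdminOnlyFilter : IDashboardAuthorizationFilter
{
    public bool Authorize(DashboardContext context)
    {
        // The claims come from the ticket the middleware unprotected; no JWT parsing is involved.
        var user = new OwinContext(context.GetOwinEnvironment()).Authentication.User;
        return user != null && user.Identity.IsAuthenticated && user.IsInRole("admin");
    }
}
```

Issue the cookie with the HttpOnly and Secure flags on the client side; the path check keeps the cookie fallback from applying to ordinary API requests, which continue to use the Authorization header.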