
I have a .NET 4.52 WebAPI v5.2.6 and OWIN (OAuth & JWT) 4.0.1, which I need to authorize based on a valid JWT. The JWT is generated from an external auth server. I am using the current configuration in my `Startup.cs` in order to achieve this goal. I am definitely using the correct `audienceSecret`.

    using System.Configuration;
    using System.Text;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.Owin.Security.DataHandler.Encoder;
    using Microsoft.Owin.Security.Jwt;
    using Owin;

    public partial class Startup
    {
        public void Configuration(IAppBuilder uwApp)
        {
            string issuer = ConfigurationManager.AppSettings["Issuer"];
            // audienceId is read here but not passed to the middleware below
            string audienceId = ConfigurationManager.AppSettings["AudienceId"];
            // Base64 of the UTF-8 secret; the key provider decodes it back to the raw bytes
            string audienceSecret = TextEncodings.Base64.Encode(
                Encoding.UTF8.GetBytes(
                    ConfigurationManager.AppSettings["AudienceSecret"]
                ));

            uwApp.UseJwtBearerAuthentication(
                new JwtBearerAuthenticationOptions()
                {
                    // Every validation check is switched off; only the key provider remains
                    TokenValidationParameters = new TokenValidationParameters()
                    {
                        RequireSignedTokens = false,
                        RequireExpirationTime = false,
                        ValidateAudience = false,
                        ValidateLifetime = false,
                        ValidateIssuer = false
                    },
                    IssuerSecurityKeyProviders = new IIssuerSecurityKeyProvider[]
                    {
                        new SymmetricKeyIssuerSecurityKeyProvider(issuer, audienceSecret)
                    }
                }
            );
        }
    }

I added this to my WebApiConfig: `config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));`. However, I was unable to add `config.SuppressDefaultHostAuthentication();` as the method doesn't exist in my version, so I tried with and without the addition of `config.SuppressHostPrincipal();`, without success.

It's my belief that I am having the same end issue as in this thread, that claims are not passed on to `Thread.CurrentPrincipal`, which the `[Authorize]` attribute is reading from:

Cannot validate token in UseJwtBearerAuthentication. Authorization has been denied

Additionally, this is working fine when using cookie authentication to maintain the session, but it's just not intercepting or validating from within the middleware, and I don't know exactly how to debug this. I even switched to https locally to see if that would allow the API to read the bearer, but this also did not work :*(

To summarize, I have an externally generated JWT and a key to validate its integrity. What I need is to take that token sent from the request in bearer format, pass it through the API so that the middleware allows me to use the validated role and other claims in conjunction with WebAPI authorization attributes.

I have verified that the signing certs are the same by passing the token through the body instead of in the header `Bearer {token}` format and then checking it with `ValidateToken(token)`, and it is valid; however, I cannot use this with the API's authorization attributes using the same validation settings.


Here is the complete request/response log from the transaction

    POST /api/Auth/LoggedIn HTTP/1.1
    Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIyMTIsImVtYWlsIjoiYWRtaW5AaW5maW5pdHktc29mdHdhcmUuY29tIiwidXNlcm5hbWUiOiJLZW4gQ29sc29uIiwiaXNFbXBsb3llZSI6dHJ1ZSwiYWdlbmN5SWQiOjQyMDI4MSwiYWdlbmN5TmFtZSI6IkFDSUMtYWdlbmN5LTI2MyIsInJvbGUiOjMsImV4cCI6IjEyLzEyLzIwMjUifQ.FdW2XRzPFQUSfPieICmjuQ6lyqZSXx1iolCM9OxFppg
    User-Agent: PostmanRuntime/7.20.1
    Accept: */*
    Cache-Control: no-cache
    Postman-Token: ea68c533-4d76-4c79-b7d5-cc7dfae28bcb
    Host: localhost:44300
    Accept-Encoding: gzip, deflate
    Content-Length: 0
    Connection: keep-alive

    HTTP/1.1 401 Unauthorized
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: application/json; charset=utf-8
    Expires: -1
    Server: Microsoft-IIS/10.0
    X-AspNet-Version: 4.0.30319
    WWW-Authenticate: Bearer
    X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcbmljaG9sYXNhXF9fc291cmNlX2NvZGVcdXdtYW51YWxcQUNJQy5VVy5hcGlcYXBpXEF1dGhcTG9nZ2VkSW4=?=
    X-Powered-By: ASP.NET
    Date: Sat, 30 Nov 2019 20:34:58 GMT
    Content-Length: 68

    {
    "message": "Authorization has been denied for this request."
    }

The WebAPI configuration:

    using System.Web.Http;
    using System.Web.Http.Cors;

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            // Web API configuration and services
            config.EnableCors();

            // Web API routes
            config.MapHttpAttributeRoutes();

            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );
        }
    }

Any help on this would be greatly appreciated, thank you!

AlphaG33k

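An added stand-alone check, not code from the question or from the OWIN project: it performs the validations the `Startup.cs` above switches off (algorithm, HS256 signature, issuer, audience, lifetime) using the same key bytes the `SymmetricKeyIssuerSecurityKeyProvider` ends up with, so a 401 can be pinned either to the token itself or to the principal not reaching `[Authorize]`. The issuer, audience, secret and the `mint` helper are constructed for the example.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def owin_key_bytes(audience_secret: str) -> bytes:
    # The question's Startup.cs base64-encodes the UTF-8 secret and the key
    # provider decodes it again, so the HMAC key is the raw UTF-8 bytes.
    return base64.b64decode(base64.b64encode(audience_secret.encode("utf-8")))

def validate(token: str, secret: str, issuer: str, audience: str, now=None) -> dict:
    # Runs the checks the question's TokenValidationParameters turn off.
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "error": "malformed"}
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none'
        return {"ok": False, "error": "alg"}
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    mac = hmac.new(owin_key_bytes(secret), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(parts[2])):
        return {"ok": False, "error": "signature"}
    if payload.get("iss") != issuer:
        return {"ok": False, "error": "issuer"}
    if payload.get("aud") != audience:  # single-string aud only, for brevity
        return {"ok": False, "error": "audience"}
    exp = payload.get("exp")
    # RFC 7519 requires exp to be a NumericDate; a string such as "12/12/2025"
    # (what the logged token carries) cannot be checked against the clock.
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return {"ok": False, "error": "exp-not-numeric"}
    if exp < now:
        return {"ok": False, "error": "expired"}
    return {"ok": True, "claims": payload}

def mint(claims: dict, secret: str) -> str:
    # Constructed stand-in for the external auth server, test use only.
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(owin_key_bytes(secret), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(mac)}"
```

If a token from the real auth server passes `validate` but the API still answers 401, the problem is in the pipeline (filter order, principal propagation) rather than in the token or the key.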