
In this POC for laboratory purposes, I have set up the "security" the following way.

const string scheme = "Bearer";
services.AddAuthentication(scheme)
  .AddJwtBearer(scheme, opts => { opts.Authority = "https://shazoo.moo"; ... });

I create a token (almost) manually, making sure that the iss claim is set precisely as in the Authority field. According to MSDN, there's a check of that compliance.

The JWT bearer authentication middleware uses this URI to get the public key that can be used to validate the token's signature. The middleware also confirms that the iss parameter in the token matches this URI.

The thing is that the sneaky middleware actually makes the invocation trying to get the public key and, since I don't actually run an OIDC-compliant server in this case, the request gets back with the sad news telling me the obvious.

System.InvalidOperationException: IDX20803: Unable to obtain configuration from:
'https://shazoo.moo/.well-known/openid-configuration'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from:
'https://shazoo.moo/.well-known/openid-configuration'.
---> System.Threading.Tasks.TaskCanceledException:
The request was canceled due to the configured HttpClient.Timeout of 60 seconds elapsing.
---> System.TimeoutException: A task was canceled.

I tried to use the localhost I'm running at (including the port number) like shown here, with the same unsuccessful outcome. When using a token obtained at a real provider (IdS4 powered), it works as it's supposed to.

Is there a way to make it ignore that verification for now? If not, is there a way to implement a dummy route ending with /.well-known/openid-config and serve a happy smile from there? (I mean, without actually implementing the security server functionality.)

At a later stage, I'll run Duende and obtain/validate my tokens there. However, for this particular case, I'd like to demonstrate only the token production and how its contents affect the validation in the project.

I've set up two dummy endpoints. One for the openid-configuration returning the following.

{ "jwks": "https://localhost:7025/.well-known/openid-configuration/jwks" }

The other one is for the openid-configuration/jwks that the former points to. It produces a single-item array of JsonWebKey as suggested here.

using System.Security.Cryptography;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

public async Task<IActionResult> WellKnownJwks()
{
  JsonWebKey[] jwks = await Service.ProduceJwks();
  // JWKS document shape: { "keys": [ ... ] }
  var output = new { keys = jwks };
  return Ok(output);
}

public async Task<JsonWebKey[]> ProduceJwks()
{
  // A fresh 2048-bit RSA key pair is generated on every call;
  // only the public parameters are exported into the JWK.
  RSA rsa = RSA.Create(2048);
  RsaSecurityKey pubKey = new(rsa.ExportParameters(false)) { KeyId = "keyId1" };
  JsonWebKey jwk = JsonWebKeyConverter.ConvertFromRSASecurityKey(pubKey);
  JsonWebKey[] output = { jwk };
  return output;
}

Still, when I try to access a secured endpoint with the localhost set as authority (all validations turned off!), I get status code 401 and, according to the Postman console, there's a header like so.

WWW-Authenticate:
Bearer error="invalid_token", error_description="The signature key was not found"

When I navigate to that endpoint, I see contents resembling the looks of other authorities. What can I be missing?

Konrad Viltersten

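One way to run such a lab without any discovery or JWKS round trip, as an added example that is not the asker's code: hold a single signing key in-process, hand it to TokenValidationParameters, and set no Authority or MetadataAddress, so the handler never requests /.well-known/openid-configuration. It assumes a .NET 6+ minimal API with ImplicitUsings, the Microsoft.AspNetCore.Authentication.JwtBearer and System.IdentityModel.Tokens.Jwt packages, and constructed issuer/audience values.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

const string Issuer = "https://shazoo.moo";   // constructed; must equal the token's iss claim
const string Audience = "lab-api";            // constructed; must equal the token's aud claim

// One key pair for the whole process lifetime. Calling RSA.Create() per request
// yields keys the tokens were never signed with, hence "signature key was not found".
RSA rsa = RSA.Create(2048);
var signingKey = new RsaSecurityKey(rsa) { KeyId = "keyId1" };

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(opts =>
    {
        // No Authority/MetadataAddress: no metadata fetch, so no IDX20803 timeout.
        opts.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = signingKey,        // kid "keyId1" matches the token header
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Lab-only token mint: the same key signs here and validates above.
app.MapGet("/token", () =>
{
    var jwt = new JwtSecurityToken(
        issuer: Issuer, audience: Audience,
        claims: new[] { new Claim(ClaimTypes.Name, "lab-user") },
        expires: DateTime.UtcNow.AddMinutes(10),
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256));
    return new JwtSecurityTokenHandler().WriteToken(jwt);
});

app.MapGet("/secure", (ClaimsPrincipal user) => $"hello {user.Identity?.Name}")
   .RequireAuthorization();

app.Run();
```

Changing the iss or aud in a minted token, or signing with a second RSA.Create() key, produces the 401 with a matching error_description, which is the validation behaviour the POC sets out to demonstrate.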