3

I'm using authentication as follows.

TokenValidationParameters parameters = new TokenValidationParameters
 {
 ValidateIssuerSigningKey = false,
 ValidateLifetime = true,
 ValidateActor = false,
 ValidateAudience = false,
 ValidateIssuer = false,
 ValidateTokenReplay = false,
 IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(...)),
 ClockSkew = TimeSpan.Zero
 };
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 .AddJwtBearer(options =>
 {
 options.TokenValidationParameters = parameters;
 options.SecurityTokenValidators.Add(new SecurityTokenValidator());
 });

I've implemented ISecurityTokenValidator (Microsoft.IdentityModel.Tokens) and overriden ValidateToken method like this.

public ClaimsPrincipal ValidateToken(string securityToken,
 TokenValidationParameters parameters,
 out SecurityToken token)
{
 IIdentity identity = new ClaimsIdentity(new[] { new Claim("name", "donkey") });
 ClaimsPrincipal principal = new ClaimsPrincipal(identity);
 token = new JwtSecurityToken();
 return principal;
}

The code was authorizing correctly previously but now, that I specified a custom validator, I only get 401 Unauthorized. It's pretty obvious that I'm doing something wrong here and the main suspect is the token that's sparsely documented.

When I debug, I can see the contents of the token passed in but since the parameter is out I have to assign it and the compiler refuses to cooperate.

  1. Is the failure to validate due to the outed token being a dummy?
  2. Where is the method that returns a bool causing the 401 to appear?
  3. What is the point of returning a set of claims combined with validated token?

I've been googling but fail to find specific info in this regard. It all drowns in the noise from a gazillion blogs copying examples from each other (and I might be ignorant of the proper search criteria).

There's a few examples like this and this but due to complexity, I'm not certain it's the right set up to follow. Others seem to be just reusing an instance of a JwtSecurityTokenHandler, which doesn't seem like the custom validator I want.

asked Jul 24, 2019 at 20:03
8
  • What version of ASP.NET Core are you using? Core 1 and Core 2 have very different auth designs. Also, are you getting a compiler error or a runtime issue? The parameter is name token but your code-sample is assigning validatedToken. Commented Jul 24, 2019 at 20:09
  • @Dai Added the tag for Core 2.2 and corrected the typo (it got wrong when I formatted for nicer display). Commented Jul 24, 2019 at 20:11
  • can you also please post your AddAuthentication part from your Startup class? Commented Jul 24, 2019 at 20:16
  • Also, which ISecurityTokenValidator are you using? It's in multiple namespaces, like System.IdentityModel, Microsoft.IdentityModel, and others. Commented Jul 24, 2019 at 20:18
  • @Dai Well, I'll be damned - that was highly unexpected. Otherwise I'd mention that in the question. It's Microsoft.IdentityModel.Tokens;. I take they differ somehow? Commented Jul 24, 2019 at 20:21

1 Answer 1

1

You're really talking about 2 different pieces, authentication (proving who you are) and authorization (what you can do).

For the authentication,

The 401 is probably caused by the ValidFrom and ValidTo properties not being set. They get set in the constructor. You may also be able to set the ValidateLifetime property on your TokenValidationParameters to false to get around it.

Here's an example of the using the constructor: https://github.com/aspnet/AspNetCore/blob/c76cb9248de8966b25bc08b098b88d6734b96d09/src/Mvc/test/WebSites/SecurityWebSite/BearerAuth.cs#L38

I believe the 401 redirect is done in the HandleChallengeAsync method on the AuthenticationHandler Here's that method: https://github.com/aspnet/AspNetCore/blob/c76cb9248de8966b25bc08b098b88d6734b96d09/src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs#L195

This is a grey area of authentication/authorization. The 401 in my mind would be authentication, where a 403 would be authorization. The decision as to whether or not to return the 401 challenge response and 403 forbidden response I'm pretty sure is done in the AuthorizeAsync method in the PolicyEvaluator.

https://github.com/aspnet/AspNetCore/blob/6526022f6c72eb98e9afb7dd77672c4340f00312/src/Security/Authorization/Policy/src/PolicyEvaluator.cs#L77

I hope it helps.

The set of claims is used by the policy evaluators for authorization.

https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.2

answered Jul 25, 2019 at 16:51
Sign up to request clarification or add additional context in comments.

1 Comment

I'm not sure if I get the point of the first link. The token returned there - what is it good for? I get that the token is out'ed in the ValidateToken but I simply fail to understand why. The token (string form) is already available in the framework. Is the point to get in the (stringed) token, add som claims to it and return a new, updated version of it?

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.