public static IServiceCollection JwtAuthenticationForAPI( this IServiceCollection services, TokenOptions tokenOptions) { if (tokenOptions == null) { throw new ArgumentNullException($"{nameof(tokenOptions)} is a required parameter. " + $"Please make sure you've provided a valid instance with the appropriate values configured."); } services.AddScoped <IJwtTokenGenerator, JwtTokenGenerator>( serviveProvider => new JwtTokenGenerator(tokenOptions)); services.AddAuthentication(options => { options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; options.DefaultSignInScheme = JwtBearerDefaults.AuthenticationScheme; options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }). AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options => { options.SaveToken = true; options.TokenValidationParameters = tokenOptions.ToTokenValidationParams(); }); return(services); }
public static IServiceCollection AddJwtAuthenticationForApi( this IServiceCollection services, IConfiguration configuration) { var tokenOptions = new TokenOptions( configuration["Token:Audience"], configuration["Token:Issuer"], configuration["Token:SigningKey"], configuration["Token:ExpiryInMinutes"]); services.AddScoped <IJwtTokenGenerator, JwtTokenGenerator>(serviceProvider => new JwtTokenGenerator(tokenOptions)); services.AddAuthentication(options => { options.DefaultAuthenticateScheme = "JwtBearer"; options.DefaultChallengeScheme = "JwtBearer"; }) .AddJwtBearer("JwtBearer", options => { options.TokenValidationParameters = tokenOptions.ToTokenValidationParams(); }); return(services); }
public TokenWithClaimsPrincipal GetAccessTokenWithClaimsPrincipal(AuthenticatedUser user) { var accessToken = user.AccessToken; var validationParams = _tokenOptions.ToTokenValidationParams(); var claimsPrincipal = ValidateToken(accessToken, validationParams); return(new TokenWithClaimsPrincipal() { AccessToken = accessToken, ClaimsPrincipal = claimsPrincipal, AuthenticationProperties = CreateAuthenticationProperties(accessToken) }); }
public static IServiceCollection AddJwtAuthenticationWithProtectedCookie( this IServiceCollection services, TokenOptions tokenOptions, string applicationDiscriminator = null, AuthUrlOptions authUrlOptions = null) { if (tokenOptions == null) { throw new ArgumentNullException( $"{nameof(tokenOptions)} is a required parameter. " + $"Please make sure you've provided a valid instance with the appropriate values configured."); } var hostingEnvironment = services.BuildServiceProvider() .GetService <IHostingEnvironment>(); // The JwtAuthTicketFormat representing the cookie needs an IDataProtector and // IDataSerialiser to correctly encrypt/decrypt and serialise/deserialise the payload // respectively. This requirement is enforced by ISecureDataFormat interface in ASP.NET // Core. Read more about ASP.NET Core Data Protection API here: // https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/ // NB: This is only required if you're using JWT with Cookie based authentication, for // cookieless auth (such as with a Web API) the data protection and serialisation // dependencies won't be needed. You simply need to set the validation params and add // the token generator dependencies and use the right authentication extension below. services.AddDataProtection(options => options.ApplicationDiscriminator = $"{applicationDiscriminator ?? hostingEnvironment.ApplicationName}") .SetApplicationName( $"{applicationDiscriminator ?? hostingEnvironment.ApplicationName}"); services.AddScoped <IDataSerializer <AuthenticationTicket>, TicketSerializer>(); services.AddScoped <IJwtTokenGenerator, JwtTokenGenerator>( serviceProvider => new JwtTokenGenerator( tokenOptions)); services.AddAuthentication(options => { options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme; }) .AddCookie(options => { // cookie expiration should be set the same as the token expiry (the default is 5 // mins). The token generator doesn't provide auto-refresh of an expired token so the // user will be logged out the next time they try to access a secured endpoint. They // will simply have to re-login and acquire a new token and by extension a new cookie. // Perhaps in the future I can add some kind of hooks in the token generator that can // let the referencing application know that the token has expired and the developer // can then request a new token without the user having to re-login. options.Cookie.Expiration = TimeSpan.FromMinutes(1); // Specify the TicketDataFormat to use to validate/create the ASP.NET authentication // ticket. Its important that the same validation parameters are passed to this class // so that the token validation works correctly. The framework will call the // appropriate methods in JwtAuthTicketFormat based on whether the cookie is being // sent out or coming in from a previously authenticated user. Please bear in mind // that if the incoming token is invalid (may be it was tampered or spoofed) the // Unprotect() method in JwtAuthTicketFormat will simply return null and the // authentication will fail. options.TicketDataFormat = new JwtAuthTicketFormat( tokenOptions.ToTokenValidationParams(), services.BuildServiceProvider() .GetService <IDataSerializer <AuthenticationTicket> >(), services.BuildServiceProvider() .GetDataProtector(new[] { $"{applicationDiscriminator ?? hostingEnvironment.ApplicationName}-Auth1" })); options.LoginPath = authUrlOptions != null ? new PathString(authUrlOptions.LoginPath) : new PathString("/Account/Login"); options.LogoutPath = authUrlOptions != null ? new PathString(authUrlOptions.LogoutPath) : new PathString("/Account/Logout"); options.AccessDeniedPath = options.LoginPath; options.ReturnUrlParameter = authUrlOptions?.ReturnUrlParameter ?? "returnUrl"; }); return(services); }
public static IServiceCollection AddJwtAuthenticationWithProtectedCookie( this IServiceCollection services, TokenOptions tokenOptions, string applicationDiscriminator = null, AuthUrlOptions authUrlOptions = null) { if (tokenOptions == null) { throw new ArgumentNullException( $"{nameof(tokenOptions)} is a required parameter. " + $"Please make sure you've provided a valid instance with the appropriate values configured."); } var hostingEnvironment = services.BuildServiceProvider() .GetService <IHostingEnvironment>(); services.AddDataProtection(options => options.ApplicationDiscriminator = $"{applicationDiscriminator ?? hostingEnvironment.ApplicationName}") .SetApplicationName( $"{applicationDiscriminator ?? hostingEnvironment.ApplicationName}"); services.AddScoped <IDataSerializer <AuthenticationTicket>, TicketSerializer>(); services.AddScoped <IJwtTokenGenerator, JwtTokenGenerator>( serviceProvider => new JwtTokenGenerator( tokenOptions)); services.AddAuthentication(options => { options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme; }) .AddCookie(options => { options.Cookie.Expiration = TimeSpan.FromDays(1); options.TicketDataFormat = new JwtAuthTicketFormat( tokenOptions.ToTokenValidationParams(), services.BuildServiceProvider() .GetService <IDataSerializer <AuthenticationTicket> >(), services.BuildServiceProvider() .GetDataProtector(new[] { $"{applicationDiscriminator ?? hostingEnvironment.ApplicationName}-Auth1" })); options.LoginPath = authUrlOptions != null ? new PathString(authUrlOptions.LoginPath) : new PathString("/Account/Login"); options.LogoutPath = authUrlOptions != null ? new PathString(authUrlOptions.LogoutPath) : new PathString("/Account/Logout"); options.AccessDeniedPath = options.LoginPath; options.ReturnUrlParameter = authUrlOptions?.ReturnUrlParameter ?? "returnUrl"; }); return(services); }