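/// <summary>
/// Registers JWT bearer authentication, bound from the <c>JwtSettings</c> configuration section.
/// </summary>
/// <param name="services">Service collection that receives the authentication registrations.</param>
/// <param name="configuration">Application configuration; its <c>JwtSettings</c> section is bound to a <see cref="JwtSettings"/> instance.</param>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="services"/> or <paramref name="configuration"/> is null.</exception>
/// <exception cref="InvalidOperationException">
/// Thrown when <c>JwtSettings:Key</c> is missing or blank, so a misconfigured deployment fails at startup
/// instead of deriving a signing key from an empty secret.
/// </exception>
public static void ConfigureAUTH(this IServiceCollection services, IConfiguration configuration)
{
    if (services is null) throw new ArgumentNullException(nameof(services));
    if (configuration is null) throw new ArgumentNullException(nameof(configuration));

    var jwtSettings = new JwtSettings();
    configuration.GetSection("JwtSettings").Bind(jwtSettings);

    // Fail fast: a blank key must never reach the key-derivation helper.
    if (string.IsNullOrWhiteSpace(jwtSettings.Key))
    {
        throw new InvalidOperationException("JwtSettings:Key is not configured.");
    }

    services
        .AddAuthentication(options =>
        {
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        // Lambda parameter renamed so it no longer shadows the outer `configuration` parameter.
        .AddJwtBearer(bearer =>
        {
            // NOTE(review): kept from the original. With a local symmetric key no metadata endpoint is
            // contacted, but re-check this setting if an Authority is ever configured.
            bearer.RequireHttpsMetadata = false;
            bearer.SaveToken = true;
            bearer.TokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer = jwtSettings.Issuer,     // site that issues the token
                ValidateIssuer = true,                // reject tokens minted by another issuer
                ValidAudience = jwtSettings.Audience, // site that consumes the token
                ValidateAudience = true,              // reject tokens intended for another audience
                IssuerSigningKey = new SymmetricSecurityKey(TokenStoreSecurityService.GetSha256Hash(jwtSettings.Key)),
                ValidateIssuerSigningKey = true,      // verify the signature to detect tampering
                ValidateLifetime = true,              // enforce the nbf/exp claims
                ClockSkew = TimeSpan.Zero             // no tolerance on the expiration instant
            };
            bearer.Events = new JwtBearerEvents
            {
                OnAuthenticationFailed = context =>
                {
                    // The exception goes in the exception slot; the original passed it as a format
                    // argument to a message with no placeholder, so it was never recorded.
                    CreateLogger(context.HttpContext.RequestServices)
                        .LogError(context.Exception, "Authentication failed.");
                    return Task.CompletedTask;
                },
                OnTokenValidated = context =>
                {
                    var tokenValidatorService = context.HttpContext.RequestServices
                        .GetRequiredService<ITokenValidatorService>();
                    return tokenValidatorService.ValidateAsync(context);
                },
                OnChallenge = context =>
                {
                    // Message template now has placeholders for the two values that were previously
                    // passed as unused arguments.
                    CreateLogger(context.HttpContext.RequestServices)
                        .LogError("OnChallenge error {Error}: {ErrorDescription}", context.Error, context.ErrorDescription);
                    return Task.CompletedTask;
                }
            };
        });

    // Resolves a logger from the request's service provider, since none is available at registration time.
    static ILogger CreateLogger(IServiceProvider requestServices) =>
        requestServices.GetRequiredService<ILoggerFactory>().CreateLogger(nameof(JwtBearerEvents));
}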
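/// <summary>
/// Builds the validation parameters used to verify access tokens issued with <c>_jwtOptions</c>:
/// issuer, audience, signing key and lifetime are all enforced.
/// </summary>
/// <returns>A new <c>TokenValidationParameters</c> instance.</returns>
/// <exception cref="InvalidOperationException">Thrown when the configured signing key is missing or blank.</exception>
public TokenValidationParameters TokenValidationParameters()
{
    // Fail fast rather than deriving a signing key from an empty secret.
    if (string.IsNullOrWhiteSpace(_jwtOptions.Key))
    {
        throw new InvalidOperationException("The JWT signing key is not configured.");
    }

    var signingKey = new SymmetricSecurityKey(TokenStoreSecurityService.GetSha256Hash(_jwtOptions.Key));

    return new TokenValidationParameters
    {
        ValidIssuer = _jwtOptions.Issuer,     // site that issues the token
        ValidateIssuer = true,                // reject tokens minted by another issuer
        ValidAudience = _jwtOptions.Audience, // site that consumes the token
        ValidateAudience = true,              // reject tokens intended for another audience
        IssuerSigningKey = signingKey,
        ValidateIssuerSigningKey = true,      // verify the signature to detect tampering
        ValidateLifetime = true,              // enforce the nbf/exp claims
        ClockSkew = TimeSpan.Zero             // no tolerance on the expiration instant
    };
}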
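/// <summary>
/// Creates an HMAC-SHA256 signed JWT carrying <paramref name="claims"/>, scoped to the configured issuer and audience.
/// </summary>
/// <param name="claims">Claims to embed in the token.</param>
/// <param name="lifetime">
/// How long the token stays valid from now. Defaults to 5 days, the value the original hard-coded;
/// that is a long window for a bearer access token, so callers that also issue refresh tokens should pass a shorter one.
/// </param>
/// <returns>A completed task holding the serialized token.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="claims"/> is null.</exception>
/// <exception cref="InvalidOperationException">Thrown when the configured signing key is missing or blank.</exception>
private Task<TokenObject> CreateAccessTokenAsync(List<Claim> claims, TimeSpan? lifetime = null)
{
    if (claims is null) throw new ArgumentNullException(nameof(claims));
    if (string.IsNullOrWhiteSpace(_jwtOptions.Key))
    {
        throw new InvalidOperationException("The JWT signing key is not configured.");
    }

    var validity = lifetime ?? TimeSpan.FromDays(5);

    var key = new SymmetricSecurityKey(TokenStoreSecurityService.GetSha256Hash(_jwtOptions.Key));
    var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

    // Read the clock once so nbf and exp are derived from the same instant.
    var now = DateTime.UtcNow;
    var token = new JwtSecurityToken(
        issuer: _jwtOptions.Issuer,
        audience: _jwtOptions.Audience,
        claims: claims,
        notBefore: now,
        expires: now.Add(validity),
        signingCredentials: credentials);

    var tokenObject = new TokenObject
    {
        Token = new JwtSecurityTokenHandler().WriteToken(token)
    };

    // Nothing here awaits; the Task-returning shape is kept for existing callers without the
    // overhead of an async state machine around Task.FromResult.
    return Task.FromResult(tokenObject);
}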