This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Certificates and Token Validation #99

Closed
pksorensen opened this issue May 25, 2014 · 9 comments

Comments

@pksorensen
Contributor

Just to make sure I get this done right.

WebApi uses app.UseJsonWebToken with a certificate to validate tokens.

And I simply just have to install the public key of the signing certificate (.cer file). (On Azure Cloud Services that means uploading it to the management portal and having it deployed to the machines' Trusted People store.)

That's the only supported validation right now? If time allows, feel free to share a few lines on whether there is anything to be aware of when creating the certificates. I just followed the documentation on Azure for how to create it for their management portal and exported both the pfx for the identity server and the cer for the WebApi projects.

http://msdn.microsoft.com/en-us/library/azure/gg551722.aspx

@ciaranj
Contributor

ciaranj commented May 25, 2014

Well, I think that with OIDC you can use the 'well known' discovery endpoints to download the public key part directly from IDSrv3 and use that in your web token validation directly, so you can control the certificate management directly from the issuing server (the endpoints are there in IDSrv3 but I've not yet hooked up to them and used them in my JWTHandlers). [This of course assumes your validating API can reach the IdSrv's https endpoints...]

@ciaranj
Contributor

ciaranj commented May 25, 2014

nice. /me scraps a bunch of code I'd written ;)

@leastprivilege
Member

So yeah - creating certs - pfx to idsrv, cer to consumers is the "standard" way. But you should indeed plan ahead for cert rollover scenarios.

Strictly speaking the OIDC middleware does not deal with signing keys for access tokens (only id_tokens). In Idsrv3 they are the same (at least currently).
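The discovery-based validation ciaranj describes and the rollover leastprivilege says to plan for, as an added example (Go, standard library only; this is not IdentityServer or Katana code). It shows what a bearer-token validator has to do once it trusts the keys the issuer publishes instead of a .cer installed on the machine: pick the key by the token's kid, verify the RS256 signature, then check iss, aud, nbf and exp. The iss and aud values are the ones from this thread; the kid names, the in-memory map standing in for the jwks_uri document, the 30-minute cache lifetime and the 5-minute clock skew are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string    { return base64.RawURLEncoding.EncodeToString(b) }
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// Sign stands in for the issuer: RS256 over base64url(header).base64url(payload), kid in the header.
func Sign(key *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(pl)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(input)) // cannot fail for a valid key
	return input + "." + b64(sig)
}

// Validator checks bearer tokens against the keys the issuer currently publishes, keyed by kid. Fetch
// stands in for an HTTPS GET of the discovery document's jwks_uri (a real one decodes the JWK n/e fields);
// keys are cached for MaxAge and re-fetched on an unknown kid, so the issuer can roll its certificate.
type Validator struct {
	Issuer, Audience string
	Fetch            func() map[string]*rsa.PublicKey
	Skew, MaxAge     time.Duration
	Now              func() time.Time
	keys             map[string]*rsa.PublicKey
	fetched          time.Time
}

// Validate accepts a token only if it is RS256-signed by a currently published key, issued by Issuer for Audience and inside its nbf/exp window (Skew tolerates clock drift).
func (v *Validator) Validate(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b } // bad base64 fails the checks below
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || json.Unmarshal(dec(parts[0]), &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or unsupported alg") // allow-list the alg; the token must not choose it
	}
	now := v.Now()
	key, ok := v.keys[hdr.Kid]
	if !ok || now.Sub(v.fetched) > v.MaxAge { // stale cache, or unknown kid (possible rollover): re-fetch once
		v.keys, v.fetched = v.Fetch(), now
		if key, ok = v.keys[hdr.Kid]; !ok {
			return nil, fmt.Errorf("no published key with kid %q", hdr.Kid)
		}
	}
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest(parts[0]+"."+parts[1]), dec(parts[2])) != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	var c Claims
	if json.Unmarshal(dec(parts[1]), &c) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	if c.Iss != v.Issuer || c.Aud != v.Audience {
		return nil, fmt.Errorf("wrong issuer or audience: %q for %q", c.Iss, c.Aud)
	}
	if c.Nbf > now.Add(v.Skew).Unix() || c.Exp <= now.Add(-v.Skew).Unix() {
		return nil, fmt.Errorf("outside validity window")
	}
	return &c, nil
}

// Scenario walks one validator through a signing-key rollover at a constructed issuer; a nil entry means accepted.
func Scenario() map[string]error {
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	published := map[string]*rsa.PublicKey{"2014-05": &k1.PublicKey} // what the issuer's JWKS currently lists
	now := time.Unix(1401023932, 0)
	v := &Validator{Issuer: "http://idsrv.ascend.dk", Audience: "http://idsrv.ascend.dk/resources", Skew: 5 * time.Minute,
		MaxAge: 30 * time.Minute, Now: func() time.Time { return now }, Fetch: func() map[string]*rsa.PublicKey { return published }}
	try := func(tok string) error { _, err := v.Validate(tok); return err }
	good := Claims{Iss: v.Issuer, Aud: v.Audience, Nbf: now.Unix() - 60, Exp: now.Unix() + 7200}
	o := map[string]error{"old key": try(Sign(k1, "2014-05", good))}
	published = map[string]*rsa.PublicKey{"2014-05": &k1.PublicKey, "2014-06": &k2.PublicKey} // rollover: new key added
	o["new key"] = try(Sign(k2, "2014-06", good))
	published = map[string]*rsa.PublicKey{"2014-06": &k2.PublicKey} // old certificate retired at the issuer
	now = now.Add(time.Hour)                                         // the validator's cache ages out
	o["retired key"] = try(Sign(k1, "2014-05", good))
	o["forged kid"] = try(Sign(k1, "2014-06", good)) // kid is attacker-controlled: it selects the key, the signature still has to match
	o["wrong aud"] = try(Sign(k2, "2014-06", Claims{Iss: v.Issuer, Aud: "http://other.example/api", Nbf: good.Nbf, Exp: good.Exp}))
	return o
}

func main() { fmt.Println(Scenario()) }
```

Two things the scenario makes visible. A key the issuer has retired keeps working until the validator's cache ages out, so MaxAge bounds how long a revoked signing certificate stays usable; and because kid comes from the token, the re-fetch on an unknown kid lets an unauthenticated caller make the API call the issuer's endpoint, which production code should rate-limit. The scheme also moves the trust anchor from the .cer in the Trusted People store to the TLS connection that serves the discovery document, which is why the validating API has to reach the issuer over https, as ciaranj notes.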

@pksorensen
Contributor Author

Is there then also an AppBuilder extension in Katana that I can use to make it validate the bearer tokens by just pointing it to idsrv3?

I am having a few problems with the following:

    // Inside Configuration(IAppBuilder app). Namespaces involved: System.IdentityModel.Tokens,
    // Microsoft.Owin.Security.Jwt, System.Linq, and Thinktecture.IdentityModel for the X509 store helper.

    // Keep the short JWT claim names instead of mapping them to the long WS-* claim type URIs.
    JwtSecurityTokenHandler.InboundClaimTypeMap = ClaimMappings.None;

    var options = new JwtBearerAuthenticationOptions
    {
        AllowedAudiences = new[] { "http://idsrv.ascend.dk/resources" },
        IssuerSecurityTokenProviders = new[]
        {
            // Pin the signing certificate by thumbprint from LocalMachine\TrustedPeople (validOnly: false, it is self-signed)
            new X509CertificateSecurityTokenProvider(
                "http://idsrv.ascend.dk",
                X509.LocalMachine.TrustedPeople.Thumbprint.Find("44272690C50BC3E716EFFE66A8D9248B0089A100", false).First())
        }
    };
    app.UseJwtBearerAuthentication(options);

When trying to call the API from JavaScript I just get a 401.

I have verified with Fiddler that the header is set: Authorization: Bearer

I took the token; its content is below, and iss and aud are correct, so I am not sure why WebApi returns 401:

{
  "iss": "http://idsrv.ascend.dk",
  "aud": "http://idsrv.ascend.dk/resources",
  "nbf": 1401023932,
  "exp": 1401024292,
  "client_id": "6994A4A8-0E65-4FED-A82B-C684A0DD1758",
  "scope": [
    "openid",
    "data.create",
    "data.read",
    "alg.execute"
  ],
  "sub": "d0007285-5d2a-4d3d-a9e4-9cd87081e4f9",
  "amr": "external",
  "auth_time": "1401022747",
  "idp": "https://sts.windows.net/0840c760-6f7b-4556-b337-8c090e2d458d/"
}

I am not really sure where I want to start debugging.

@pksorensen
Contributor Author

If I manually do the validation like this I get the ClaimsPrincipal as expected, but in the above setup ctx.User is just the default identity that is not authenticated.

Could it be that the authentication middleware is not triggered? But in the sample WebApi in the clients for idsrv3, nothing special is done there either.

    // issuer is the iss value of the token above; jwtToken is the raw bearer token from the Authorization header.
    var issuer = "http://idsrv.ascend.dk";

    JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler()
    {
        // Disable certificate validation. Certificate validation is not necessary since the signing certificate is a self-signed certificate.
        CertificateValidator = X509CertificateValidator.None
    };

    TokenValidationParameters validationParameters = new TokenValidationParameters
    {
        ValidAudience = "http://idsrv.ascend.dk/resources",
        ValidIssuer = issuer,
        // Same pinned certificate as in the middleware options; X509.* is the Thinktecture.IdentityModel store helper.
        IssuerSigningTokens = new X509CertificateSecurityTokenProvider(
            issuer,
            X509.LocalMachine.TrustedPeople.Thumbprint.Find("44272690C50BC3E716EFFE66A8D9248B0089A100", false).First()).SecurityTokens
    };

    try
    {
        // Validate token: signature against the pinned certificate, then issuer, audience and lifetime.
        ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(jwtToken, validationParameters);
    }
    catch (SecurityTokenValidationException ex)
    {
        // Validation failed; log ex so the reason behind the 401 is visible instead of being swallowed.
    }

@leastprivilege
Member

@pksorensen
Contributor Author

Thanks.

Nothing is being logged about failed validation though.

What I am doing in the manual validation step above, does that look okay in your eyes? I just set ctx.User = claimsPrincipal for now and can debug this more later.

@pksorensen
Contributor Author

nvm, found out why.

Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Error: 0 : Authentication failed
System.MissingMethodException: Method not found: 'Void System.IdentityModel.Tokens.TokenValidationParameters.set_AllowedAudiences(System.Collections.Generic.IEnumerable`1<System.String>)'.
   at Microsoft.Owin.Security.Jwt.JwtFormat.Unprotect(String protectedText)
   at Microsoft.Owin.Security.Infrastructure.AuthenticationTokenReceiveContext.DeserializeTicket(String protectedData)
   at Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.<AuthenticateCoreAsync>d__0.MoveNext()
Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Error: 0 : Authentication failed
System.MissingMethodException: Method not found: 'Void System.IdentityModel.Tokens.TokenValidationParameters.set_AllowedAudiences(System.Collections.Generic.IEnumerable`1<System.String>)'.
   at Microsoft.Owin.Security.Jwt.JwtFormat.Unprotect(String protectedText)
   at Microsoft.Owin.Security.Infrastructure.AuthenticationTokenReceiveContext.DeserializeTicket(String protectedData)
   at Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.<AuthenticateCoreAsync>d__0.MoveNext()
