The third-party API I am working with is asking me to generate the JWT on the client side. I understand that they use the following code to verify the JWT.
using System;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer; // JwtBearerDefaults
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// The key needs to be of sufficient length (at least 128 bits for HS256), or otherwise an error will occur.
// The HMAC key is the raw UTF-8 bytes of the configured string, so the client must sign with exactly those bytes.
var tokenSecretKey = Encoding.UTF8.GetBytes(Configuration["TokenSecretKey"]);
var tokenValidationParameters = new TokenValidationParameters
{
    // Token signature will be verified using the shared symmetric secret (HS256), not a private key.
    ValidateIssuerSigningKey = true,
    IssuerSigningKey = new SymmetricSecurityKey(tokenSecretKey),
    ValidateIssuer = false,
    ValidateAudience = false
};

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.RequireHttpsMetadata = false; // the property is spelled RequireHttpsMetadata
    options.SaveToken = true;
    options.TokenValidationParameters = tokenValidationParameters;
});
On the client side, the token generation I have created is as follows, using Jose JWT. Only this seems to work with the .NET 4.0 Framework I am working with.
// Key bytes and algorithm must match the server: the same UTF-8 bytes of the same secret, and HS256.
return Jose.JWT.Encode(claims, byteArrayOfKey, Jose.JwsAlgorithm.HS256);
But the validation is failing with a 401 on the server side. Is there anything I can do to match the server side?
Check that the algorithm used at both client and server is the same. And basically, don't ignore the issuer; anyone can forge the server, so as a best practice make the issuer a mandatory validation.
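To make the two halves of that exchange concrete, here is an added example (not code from the question, the answer, or the Jose JWT / Microsoft.IdentityModel libraries) that re-implements the HS256 JWS the client emits and the checks the posted TokenValidationParameters perform, using only the Python standard library. The secret string, the issuer URL and the claim values are constructed for the demo. It shows the three things that produce the 401 in practice: the server keys the HMAC with Encoding.UTF8.GetBytes of the secret, so the same string encoded differently (here UTF-16, as Encoding.Unicode would give) fails; a token signed with a different HMAC algorithm fails even with the right key; and, following the answer, a token whose iss claim does not match is refused once issuer validation is switched on.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo secret (hypothetical; stands in for Configuration["TokenSecretKey"]).
# The server calls Encoding.UTF8.GetBytes on this string, so the HMAC key is its UTF-8 bytes.
TOKEN_SECRET_KEY = "this-is-a-32-byte-demo-secret!!!"

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Client side: the wire format Jose.JWT.Encode(claims, key, JwsAlgorithm.HS256) produces."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode("utf-8"))
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, HMAC_ALGS[alg]).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def validate(token: str, key: bytes, issuer: Optional[str] = None) -> Tuple[bool, str]:
    """Server side: algorithm pinned to HS256, signature checked against the shared
    secret, issuer required only when one is passed (the posted server has
    ValidateIssuer = false; the answer recommends making it mandatory)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        return False, "signature mismatch"
    claims = json.loads(b64url_decode(payload_b64))
    if issuer is not None and claims.get("iss") != issuer:
        return False, f"issuer {claims.get('iss')!r} rejected"
    return True, "ok"


def run_demo() -> dict:
    server_key = TOKEN_SECRET_KEY.encode("utf-8")  # bytes the server's SymmetricSecurityKey is built from
    claims = {"sub": "client-app", "iss": "https://client.example", "exp": 4102444800}  # constructed
    results = {}
    good_token = encode_hs(claims, server_key)
    results["matching_key"] = validate(good_token, server_key)
    # Same secret string, different bytes: what Encoding.Unicode.GetBytes would give instead of UTF8.
    results["utf16_key"] = validate(encode_hs(claims, TOKEN_SECRET_KEY.encode("utf-16-le")), server_key)
    # Right key, wrong algorithm: rejected before the signature is even compared.
    results["hs512_alg"] = validate(encode_hs(claims, server_key, alg="HS512"), server_key)
    # Issuer made mandatory, as the answer recommends: a token without the expected iss is refused.
    no_iss = {k: v for k, v in claims.items() if k != "iss"}
    results["issuer_missing"] = validate(encode_hs(no_iss, server_key), server_key, issuer="https://client.example")
    results["issuer_ok"] = validate(good_token, server_key, issuer="https://client.example")
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in run_demo().items():
        print(f"{name:15} {'200' if accepted else '401'} {reason}")
```

The practical check this suggests for the question: dump the bytes the client passes to Jose.JWT.Encode and compare them to Encoding.UTF8.GetBytes of the server's configured secret; if the lengths or contents differ, the key is being decoded or encoded differently on one side, and the signature will never match regardless of the algorithm.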