How to encrypt jwt payload in ASP.NET Core 6?


I have this code:

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = AuthOptions.ISSUER,
            ValidateAudience = true,
            ValidAudience = AuthOptions.AUDIENCE,
            ValidateLifetime = true,
            IssuerSigningKey = AuthOptions.GetSymmetricSecurityKey(),
            ValidateIssuerSigningKey = true,
        };
    });

app.Map("/login/{username}", (string username) =>
{
    var claims = new List<Claim> { new Claim(ClaimTypes.Name, username) };
    var jwt = new JwtSecurityToken(
            issuer: AuthOptions.ISSUER,
            audience: AuthOptions.AUDIENCE,
            claims: claims,
            expires: DateTime.UtcNow.Add(TimeSpan.FromMinutes(2)),
            signingCredentials: new SigningCredentials(AuthOptions.GetSymmetricSecurityKey(), SecurityAlgorithms.HmacSha256));

    return new JwtSecurityTokenHandler().WriteToken(jwt);
});

public class AuthOptions
{
    public const string ISSUER = "MyAuthServer"; 
    public const string AUDIENCE = "MyAuthClient"; 
    const string KEY = "mysupersecret_secretsecretsecretkey!123";   

    public static SymmetricSecurityKey GetSymmetricSecurityKey() => 
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes(KEY));
}

How do I encrypt the payload data in my token? Perhaps TokenDecryptionKey should be added to options.TokenValidationParameters, but how do I encrypt this token initially?


There are 2 best solutions below

xXKoksMenXx (BEST ANSWER)

This is how you can encrypt the payload in a token, so that you don't see it on jwt.io but at the same time you can still get data from the payload in the code:

public class AuthOptions
{
    public const string ISSUER = "MyAuthServer";
    public const string AUDIENCE = "MyAuthClient";
    const string KEY = "SecretKeySecretKeySecretKeySecretKeySecretKeySecretKeySecretKeyS"; // 64 symbols: A256CBC-HS512 needs a 64-byte key (32 for AES-256, 32 for HMAC-SHA512)
    public static SymmetricSecurityKey GetSymmetricSecurityKey() =>
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes(KEY));
}

Program.cs:

builder.Services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,

            ValidIssuer = AuthOptions.ISSUER,
            ValidAudience = AuthOptions.AUDIENCE,
            IssuerSigningKey = AuthOptions.GetSymmetricSecurityKey(),
            TokenDecryptionKey = AuthOptions.GetSymmetricSecurityKey(),
        };
    });

Controller or another place:

string CreateJwt(string username)
{
    var claims = new[]
    {
        new Claim(ClaimTypes.Name, username),
    };

    var jwtSecurityToken = new JwtSecurityTokenHandler().CreateJwtSecurityToken(
        AuthOptions.ISSUER,
        AuthOptions.AUDIENCE,
        new ClaimsIdentity(claims),
        null,
        expires: DateTime.UtcNow.AddMinutes(5),
        null,
        signingCredentials: new SigningCredentials(AuthOptions.GetSymmetricSecurityKey(), SecurityAlgorithms.HmacSha256),
        encryptingCredentials: new EncryptingCredentials(AuthOptions.GetSymmetricSecurityKey(), JwtConstants.DirectKeyUseAlg, SecurityAlgorithms.Aes256CbcHmacSha512)
    );

    return new JwtSecurityTokenHandler().WriteToken(jwtSecurityToken);
}
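The accepted answer above uses one symmetric key for both signing and encryption and only shows the issuing side. The following is an added example, not the answerer's code, that carries the same approach (HS256 signature nested inside a "dir" + A256CBC-HS512 JWE) through a full round trip in a .NET 6 console app: issue the token, show that a parser without the key sees only the outer JWE header, validate it with TokenDecryptionKey to recover the claims, and confirm that a tampered token is rejected. The key material and key IDs are constructed in-process for the demo (a real service would load them from a secret store), and the signing and encryption keys are deliberately separate so that a leaked signing key does not also expose the payload.

```csharp
// Added example (not from the original answer): signed-then-encrypted JWT round trip with
// System.IdentityModel.Tokens.Jwt, using separate keys for signing and content encryption.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

const string Issuer = "MyAuthServer";
const string Audience = "MyAuthClient";

// Constructed demo keys. HS256 needs at least 32 bytes; A256CBC-HS512 needs exactly 64 bytes
// (32 for AES-256, 32 for the HMAC-SHA512 tag). A wrong size fails at token creation time.
var signingKey = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32)) { KeyId = "sig-1" };
var encryptionKey = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(64)) { KeyId = "enc-1" };

var handler = new JwtSecurityTokenHandler();

string CreateEncryptedJwt(string username)
{
    var descriptor = new SecurityTokenDescriptor
    {
        Issuer = Issuer,
        Audience = Audience,
        Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, username) }),
        Expires = DateTime.UtcNow.AddMinutes(5),
        SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256),
        // "dir": the symmetric key is used directly as the content-encryption key (no key wrapping).
        EncryptingCredentials = new EncryptingCredentials(
            encryptionKey, JwtConstants.DirectKeyUseAlg, SecurityAlgorithms.Aes256CbcHmacSha512),
    };
    // Produces a 5-segment JWE whose plaintext is the signed 3-segment JWS.
    return handler.CreateEncodedJwt(descriptor);
}

ClaimsPrincipal ValidateEncryptedJwt(string token)
{
    var parameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = Issuer,
        ValidateAudience = true,
        ValidAudience = Audience,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = signingKey,
        // Decrypts the outer JWE, then validates the signature of the inner JWS.
        TokenDecryptionKey = encryptionKey,
        ClockSkew = TimeSpan.FromSeconds(30),
    };
    return handler.ValidateToken(token, parameters, out _);
}

string token = CreateEncryptedJwt("alice");

// A JWE has five dot-separated segments (a plain JWS has three); the payload segment is ciphertext.
Console.WriteLine($"segments: {token.Split('.').Length}");

// Without the decryption key a parser (or jwt.io) sees only the outer header: alg/enc, no claims.
var outer = handler.ReadJwtToken(token);
Console.WriteLine($"outer header alg={outer.Header.Alg} enc={outer.Header.Enc}, inner token available: {outer.InnerToken != null}");

// With both keys the nested JWS is decrypted, signature-checked and its claims recovered.
var principal = ValidateEncryptedJwt(token);
Console.WriteLine($"name claim after validation: {principal.Identity?.Name}");

// Modifying the ciphertext or authentication tag fails validation instead of yielding garbage claims.
try
{
    ValidateEncryptedJwt(token.Substring(0, token.Length - 4) + "AAAA");
}
catch (SecurityTokenException ex)
{
    Console.WriteLine($"tampered token rejected: {ex.GetType().Name}");
}
```

Run it in a .NET 6 console project that references the System.IdentityModel.Tokens.Jwt package. The same TokenValidationParameters (with TokenDecryptionKey set) can be handed to AddJwtBearer, which is what makes the encrypted token accepted by the authentication middleware; remember that JWE hides the claims from anyone without the key but does not by itself prevent replay, so keep the short lifetime and lifetime validation from the question.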
mosi98

In ASP.NET 6, you can encrypt the JWT payload by using the System.IdentityModel.Tokens.Jwt package, which provides functionality for working with JSON Web Tokens (JWTs). Here's a step-by-step guide on how to encrypt the JWT payload in ASP.NET 6:

  1. Add the System.IdentityModel.Tokens.Jwt package to your project. You can do this by adding the following package reference to your project file (.csproj):

  2. In your code, import the necessary namespaces:

    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Claims;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.IdentityModel.Tokens;

  3. Load the X.509 certificate used for encryption. You can load it from a file, store, or any other source. Here's an example of loading it from a file:

    var certificate = new X509Certificate2("path_to_certificate.pfx", "certificate_password");

  4. Create an instance of JwtSecurityTokenHandler to handle token processing:

    var tokenHandler = new JwtSecurityTokenHandler();

  5. Create a TokenValidationParameters object to specify the token validation parameters. Set the IssuerSigningKey property to the public key of the certificate:

    var validationParameters = new TokenValidationParameters
    {
        // X509SecurityKey wraps the certificate itself; there is no constructor taking PublicKey
        IssuerSigningKey = new X509SecurityKey(certificate),
        // Other validation parameters...
    };

  6. Create a JWT token with the desired claims and encrypt it using the certificate's private key:

    var tokenDescriptor = new SecurityTokenDescriptor
    {
        Subject = new ClaimsIdentity(new[]
        {
            new Claim("claim_name", "claim_value"),
            // Add other claims as needed...
        }),
        // Encryption is configured on the descriptor before the token is created;
        // JwtSecurityToken.EncryptingCredentials is read-only and cannot be assigned afterwards.
        EncryptingCredentials = new X509EncryptingCredentials(certificate),
        // Other token descriptor properties...
    };

    var token = tokenHandler.CreateJwtSecurityToken(tokenDescriptor);

    var encryptedToken = tokenHandler.WriteToken(token);

  7. The encryptedToken now contains the encrypted JWT payload.

Remember to handle exceptions and error cases appropriately, and customize the code according to your specific requirements.

Please note that this code assumes you have an X.509 certificate that you want to use for encryption. You'll need to obtain or create a certificate, and make sure you have access to its private key for encryption purposes.

I hope this helps you encrypt the JWT payload in ASP.NET 6! Let me know if you have any further questions.
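The answer above sketches certificate-based encryption but never shows the consumer side or which half of the key pair each party needs. The following added example (my own code, not the answerer's) completes that picture: the issuer encrypts with only the recipient's public certificate (RSA-OAEP wraps a fresh content-encryption key, A128CBC-HS256 encrypts the signed payload), and only the holder of the private key can decrypt and validate. A throwaway self-signed certificate is generated in-process so the snippet runs offline; the certificate subject, the symmetric signing key and the claim values are constructed for the demo, and a real service would load its certificate from a store or key vault as the answer describes.

```csharp
// Added example (not from the original answer): asymmetric JWE with an X.509 certificate.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

const string Issuer = "MyAuthServer";
const string Audience = "MyAuthClient";

// Constructed self-signed certificate standing in for the recipient's real encryption certificate.
using var rsa = RSA.Create(2048);
var request = new CertificateRequest("CN=demo-jwe-recipient", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
using X509Certificate2 recipientCert = request.CreateSelfSigned(
    DateTimeOffset.UtcNow.AddMinutes(-1), DateTimeOffset.UtcNow.AddDays(1));

// The issuer is given only the public half, which is all it needs to encrypt.
using X509Certificate2 recipientPublicOnly = new X509Certificate2(recipientCert.Export(X509ContentType.Cert));

// The issuer still signs with its own key (a constructed symmetric key here) so the recipient
// can verify who produced the token; encryption alone does not authenticate the issuer.
var signingKey = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32));
var handler = new JwtSecurityTokenHandler();

string Issue(string username)
{
    var descriptor = new SecurityTokenDescriptor
    {
        Issuer = Issuer,
        Audience = Audience,
        Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, username) }),
        Expires = DateTime.UtcNow.AddMinutes(5),
        SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256),
        // RSA-OAEP key wrapping with the recipient's public key; A128CBC-HS256 for the content.
        EncryptingCredentials = new X509EncryptingCredentials(
            recipientPublicOnly, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes128CbcHmacSha256),
    };
    return handler.CreateEncodedJwt(descriptor);
}

ClaimsPrincipal Consume(string token, X509Certificate2 decryptionCert)
{
    var parameters = new TokenValidationParameters
    {
        ValidIssuer = Issuer,
        ValidAudience = Audience,
        IssuerSigningKey = signingKey,
        // Unwrapping the content key requires the certificate's private key.
        TokenDecryptionKey = new X509SecurityKey(decryptionCert),
    };
    return handler.ValidateToken(token, parameters, out _);
}

string jwe = Issue("alice");
var header = handler.ReadJwtToken(jwe).Header;
Console.WriteLine($"outer header alg={header.Alg} enc={header.Enc}");

// Holder of the private key: decrypts, verifies the inner signature, recovers the claims.
Console.WriteLine($"name claim: {Consume(jwe, recipientCert).Identity?.Name}");

// A consumer that only has the public certificate cannot decrypt the token.
try
{
    Consume(jwe, recipientPublicOnly);
}
catch (SecurityTokenException ex)
{
    Console.WriteLine($"public-only certificate rejected: {ex.GetType().Name}");
}
```

The split matters operationally: the public certificate can be distributed to every token issuer without secrecy, while the private key stays on the service that validates tokens, so the X509Certificate2 loaded from the .pfx in the answer's step 3 belongs on the consuming side, and the issuer only needs the .cer export.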