❔ Creating a JWT through terminal and use it in production (webapi)
I've created a JWT through the terminal with "dotnet user-jwts create" inside the webapi source directory.
It returns a token I've stored.
I have added [Authorize] to a specific endpoint and it works during debug if I use the correct token (Postman, POST), otherwise it will return a 401.
Now, if I compile the project for "Release" and then run the webapi from its directory it will launch the application just fine and listen on all the ports I'd like. However, when trying to use the endpoint using [Authorize] from Postman, it'll give me a 401. The WWW-Athenticate will say "Bearer error="invalid_token", error_description="The signature key was not found"".
Adding additional log levels in the actual webapi gives me this:
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters, BaseConfiguration configuration)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS(String token, TokenValidationParameters validationParameters, BaseConfiguration currentConfiguration, SecurityToken& signatureValidatedToken, ExceptionDispatchInfo& exceptionThrown)
Summary: It works when running the application in Visual Studio (both Debug and Release) but it does not work with JWT when running the executable in the Release directory outside of Visual Studio.
I do know that the JWT is stored in %appdata%\Microsoft\UserSecrets when using dotnet user-jwts create. Do I somehow need to point the Release-version to that path or what am I missing?
And yeah, this is very basic JWT stuff. We are just scraping the surface in my education so there's a lot more that the school doesn't go into details about 🙄
6 Replies
UserSecrets is not used in PROD builds
nor should it be
the error is stating quite plainly that it was unable to retrieve a signature key from config, to use for generating and validating tokens
I agree on that. What would the best way to store these "secrets" in your opinion?
And how would I configure my app to use it?
Where should they be stored?
depends heavily on the environment
if you're deploying to Azure, I believe Azure Key Vaults are the go-to
if you're deploying to Docker, the most common practice I believe is to set ENV VARs on the container
if you're doing something more manual, your best bet might be to just have another JSON file alongside appsettings.json, for only secrets
maybe have that file be encrypted or extra-secured by the filesystem
we have something kinda like that for our web server at work, the Web.config file has a .Production transform that secrets get added to manually, during deployments. They're encrypted before being inserted into the file, and the app has to pull a cert from Windows at runtime to decrypt that. Windows is then configured to prevent access to the cert by anyone except the app itself (and admins).
This is just for educational purposes so I want it in a very basic form. So I guess I can just add the JWT into appsettings.json then?
I'm not sure how to add the JWT though. Looking into the UserSecrets the JWT comes in two .JSON files. Is that the data I want to add into appsettings.json somehow and if, how would I do that?
no, not a JWT
the signature secret for MAKING and VALIDATING JWTs
whatever settings are in the User Secrets file
Was this issue resolved? If so, run
/close - otherwise I will mark this as stale and this post will be archived until there is new activity.