❔ Having a hard time understanding how external auth providers work

I am trying to use Clerk, an auth solution that is similar to Auth0, and I want to add it to my ASP.NET Core API. I don't know where I should start, though. I believe I need this somehow? https://winning-thrush-77.clerk.accounts.dev/.well-known/jwks.json
35 Replies
snowy | switching accounts
This is the Dev URL they sent me to get the info regarding the key. Or I don't need this at all?
JakenVeina, 2y ago
anything in particular you can't wrap your head around, or the entire concept?
snowy | switching accounts
I kind of understood the concept. I am trying to implement it using an auth provider (Clerk) and ASP.NET Core, but I just can't seem to get it right.
    "JwtSettings": {
        "Audience": "http://localhost:5173",
        "Issuer": "https://winning-thrush-77.clerk.accounts.dev"
    }
I have this in my AppSettings, and I assumed that this would be enough, but looks like it isn't.
    builder.Services.AddAuthentication(cfg =>
    {
        cfg.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        cfg.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        cfg.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(opt =>
    {
        opt.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = builder.Configuration["JwtSettings:Issuer"],
            ValidAudience = builder.Configuration["JwtSettings:Audience"],
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true
        };
    });
I also have this in my Program.cs. It validates the issuer, audience and lifetime, but I still get an error: www-authenticate: Bearer error="invalid_token",error_description="The signature key was not found". I did not include any key; am I required to?
JakenVeina, 2y ago
Yeah, that's how digital signatures work. You verify the signature by running the same encryption on it that was used by the original signer and check if the signatures match. To do that, you need whatever key the algorithm requires. Either that, or you need to send the token to the issuer to have THEM verify it. Clerk is gonna either have that, or an asymmetric encryption key that you can hard-code in config, or call out to Clerk to retrieve it on startup or something.
Unknown User, 2y ago
Message Not Public
snowy | switching accounts
I managed to do it, I think, by simply setting the Authority. I guess that once you set the Authority, ASP.NET looks for this endpoint and loads everything.
Unknown User, 2y ago
Message Not Public
snowy | switching accounts
    services.AddAuthentication(cfg =>
    {
        cfg.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        cfg.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        cfg.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(opt =>
    {
        opt.Authority = configuration["JwtSettings:Authority"];
        opt.Audience = configuration["JwtSettings:Audience"];
        opt.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = configuration["JwtSettings:Issuer"],
            ValidAudience = configuration["JwtSettings:Audience"],
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true
        };
    });

    "JwtSettings": {
        "Audience": "http://localhost:5173",
        "Authority": "https://winning-thrush-77.clerk.accounts.dev",
        "Issuer": "https://winning-thrush-77.clerk.accounts.dev"
    },
Unknown User, 2y ago
Message Not Public
snowy | switching accounts
I'm pretty sure it works, since it stopped giving me the error claiming that I had an invalid signature.
Unknown User, 2y ago
Message Not Public
snowy | switching accounts
adding the opt.Authority = configuration["JwtSettings:Authority"];
Unknown User, 2y ago
Message Not Public
snowy | switching accounts
Yeah, I know. But yep, only that. Now I'm struggling because Clerk doesn't use the aud claim and I don't want to hardcode it.
Unknown User, 2y ago
Message Not Public
snowy | switching accounts
What do you mean?
Unknown User, 2y ago
Message Not Public
snowy | switching accounts
I didn't understand what you meant by the last phrase, and you expect me to understand 3 letters and 4 when
Unknown User, 2y ago
Message Not Public
Unknown User, 2y ago
Message Not Public
snowy | switching accounts
good morning
Unknown User, 2y ago
Message Not Public
snowy | switching accounts
I solved it by hardcoding the aud as a resource, I think. But I was hoping I could just take advantage of the azp claim. Clerk doesn't give me a way, unfortunately.
Unknown User, 2y ago
Message Not Public
snowy | switching accounts
I'm not sure what a resource is, so I might have said it wrong. azp means authorized party. It is basically the origin of the token, where it was generated.
Unknown User, 2y ago
Message Not Public
snowy | switching accounts
it can be that
Unknown User, 2y ago
Message Not Public
snowy | switching accounts
I know that, and azp would actually fit me well.
Unknown User, 2y ago
Message Not Public
snowy | switching accounts
Since the token will always have an azp containing where it was generated: if I have myapp.com and anotherapp.com and they both go to id.app.com, and id generates the token, the token's azp would be the origin, either myapp.com or anotherapp.com. It kind of fits me well as the audience, since what validates the audience is my backend.
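For the setup discussed in this thread, an added example (not snowy's code and not Clerk's): a JwtBearer configuration that discovers the signing keys through Authority, keeps the aud check the thread settled on, and additionally pins accepted tokens to a list of known front-ends via the azp claim. The JwtSettings:AllowedParties key and the /me endpoint are assumed for illustration.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed config shape (constructed for this example):
// "JwtSettings": { "Authority": "...", "Audience": "...", "AllowedParties": [ "https://myapp.com", "https://anotherapp.com" ] }
var jwt = builder.Configuration.GetSection("JwtSettings");
var allowedParties = jwt.GetSection("AllowedParties").Get<string[]>() ?? Array.Empty<string>();

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(opt =>
    {
        // Authority makes the handler fetch {Authority}/.well-known/openid-configuration and the
        // JWKS it points to, so no signing key is hard-coded in config and key rotation is handled.
        opt.Authority = jwt["Authority"];
        opt.RequireHttpsMetadata = true;
        // Keep raw JWT claim names ("sub", "azp") instead of the legacy SOAP-style mappings.
        opt.MapInboundClaims = false;
        opt.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = jwt["Authority"],
            ValidateAudience = true,
            ValidAudience = jwt["Audience"],
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(1), // default is 5 minutes; tighten replay window
        };
        opt.Events = new JwtBearerEvents
        {
            // Runs only after signature, issuer, audience and lifetime already passed.
            OnTokenValidated = ctx =>
            {
                var azp = ctx.Principal?.FindFirst("azp")?.Value;
                if (azp is null || !allowedParties.Contains(azp, StringComparer.Ordinal))
                    ctx.Fail("azp claim missing or not an allowed party");
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/me", (ClaimsPrincipal user) => user.FindFirst("sub")?.Value ?? "anonymous")
   .RequireAuthorization();
app.Run();
```

A rejected azp surfaces as the same 401 with a Bearer challenge as any other validation failure, so log ctx.Principal claims in OnTokenValidated when debugging rather than loosening the checks.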
Unknown User, 2y ago
Message Not Public
snowy | switching accounts
idp = id provider?
Accord, 2y ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.