C#, 9mo ago
Natro

Migrating to Microsoft.IdentityModel.JsonWebTokens .net6 => .net8

Hi, I am migrating a project which uses Duende as identity server + Ocelot gateway from .NET 6 to .NET 8. In the Ocelot AuthorizationMiddleware, the project uses JWT subclaims and tries to access them like this:

```csharp
var subClaimValue = user.Claims.FirstOrDefault(x => x.Type == CommonConstants.ClaimSub)?.Value; // "sub"
roleType = user.Claims.FirstOrDefault(x => x.Type == CommonConstants.ClaimRoleType)?.Value; // "roleType"
```

I noticed that after migrating I was receiving an error regarding the signature when authenticating users: {"IDX10500: Signature validation failed. No security keys were provided to validate the signature."}. Stack Overflow hinted at removing the System.IdentityModel.Tokens.Jwt package and moving to Microsoft.IdentityModel.JsonWebTokens, as there has been a breaking change in ASP.NET Core. https://github.com/dotnet/aspnetcore/issues/52075#issuecomment-1815025177 ...
GitHub: .NET 8 behaves differently for JwtBearerOptions in AddJwtBearer · ...
Natro (OP), 9mo ago
So this is what my auth schema looks like:

```csharp
services
    .AddAuthentication("api_key")
    .AddJwtBearer("api_key", options =>
    {
        options.Authority = Configuration["SecurityServerBaseAddress"];
        options.RequireHttpsMetadata = false;
        options.TokenValidationParameters.ValidateAudience = false;
        options.TokenValidationParameters.ValidateIssuerSigningKey = false;
        options.TokenValidationParameters.SignatureValidator = delegate (string token, TokenValidationParameters parameters)
        {
            var jwt = new Microsoft.IdentityModel.JsonWebTokens.JsonWebToken(token);
            return jwt;
        };
    });
```

Now back to the claims issue - right below my auth schema I see the following lines:

```csharp
// Without map cleanup sub claim type is not available for authorization ocelot middleware
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
```

This function needs to be called in order to access subclaims and authorize users properly. I would like to avoid making changes to the whole authorization middleware as I don't have capacity for that currently. Is there a different way to achieve the same? Or is there a way to keep using System.IdentityModel.Tokens.Jwt? Or is it necessary to migrate?
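
An added example, not part of the original post: the `SignatureValidator` delegate above returns the token without checking its signature, so the scheme accepts any well-formed JWT. The sketch below shows a .NET 8 registration that keeps the short claim names (`sub`, `roleType`) through `MapInboundClaims = false` while leaving signature validation to the keys published by the authority; the class and method names are hypothetical, and the configuration key is the one from the post.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper class and method names (assumptions, not from the post).
public static class ApiKeyJwtSetup
{
    public static IServiceCollection AddApiKeyJwt(
        this IServiceCollection services, IConfiguration configuration)
    {
        services
            .AddAuthentication("api_key")
            .AddJwtBearer("api_key", options =>
            {
                // Signing keys are fetched from the authority's discovery document.
                // RequireHttpsMetadata stays at its default (true); the post sets it
                // to false, which allows the keys to be fetched over plain HTTP.
                options.Authority = configuration["SecurityServerBaseAddress"];

                // .NET 8 validates with JsonWebTokenHandler by default, so clearing
                // JwtSecurityTokenHandler.DefaultInboundClaimTypeMap no longer affects it.
                // This per-scheme switch keeps "sub" and "roleType" under their JWT
                // names. The process-wide equivalent is
                // JsonWebTokenHandler.DefaultInboundClaimTypeMap.Clear().
                options.MapInboundClaims = false;

                // Kept from the post; enable it and set ValidAudience if the API
                // has an audience value to check against.
                options.TokenValidationParameters.ValidateAudience = false;

                // No SignatureValidator override: the handler verifies each token
                // against the authority's signing keys and rejects it otherwise.

                // To stay on System.IdentityModel.Tokens.Jwt instead, .NET 8 offers
                // an opt-out that restores JwtSecurityTokenHandler:
                // options.UseSecurityTokenValidators = true;
            });

        return services;
    }
}
```

With this registration the existing `user.Claims.FirstOrDefault(x => x.Type == "sub")` lookups in the middleware see the same claim types as before the migration.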