✅ Authorization in ASP.NET Web Api
[Authorize("MyApiUserPolicy", AuthenticationSchemes = "Bearer")]
How exactly does it check provided token if it is valid or not?
Like does it generate similar token and based on provided token it just compares it or there is something else going on?
102 Replies
Unknown User•9mo ago
Message Not Public
Depends on how you registered it, but usually somewhere you're setting up something like:
sure
i have that
so it's validating the token given the validation info you gave it - that it can decode the token with the given key, and it has a valid issuer and audience (if you specified that it should validate those things)
the authorization policy is separate, after authentication, and you set that up yourself somewhere too and I assume you're not asking about that
so it decodes the user token
Unknown User•9mo ago
Message Not Public
I'm not 100% sure but, reasonably certain. It has to, in order to get the authorization info (claims from the token)
and checks issuer and other stuff right?
Unknown User•9mo ago
Message Not Public
like does it decode token, or generate one with the information that you give and compares them to each other?
Unknown User•9mo ago
Message Not Public
decodes, pretty sure. Comparing them doesn't work because it doesn't know what claims and stuff are in that token
Unknown User•9mo ago
Message Not Public
if it checks parts where i say true
what's the use of SymmetricSecurityKey(Encoding.UTF8.GetBytes("YOUR_SIGNING_KEY"))
those things are publicly available in token
@TeBeCo
Unknown User•9mo ago
Message Not Public
you mean the part where it checks literally every part?
because if so then it is pretty much the same as creating a token and comparing it with the user's
I think there's some confusion here because for some reason it seems common that both the authenticator (where this endpoint is), and the issuer of the token, both seem to have the signing key's secret
when I think usually, the authenticator would have only the public half of the symmetric token, and couldn't actually create a token itself, it can only decode
and I assume in the backend it's doing that for you, if you supply the full symmetric token, it just takes the public part for decoding and ignores the private part for encoding
so basically
Unknown User•9mo ago
Message Not Public
it uses that token to more easily read public part?
not token but symmetric key
Unknown User•9mo ago
Message Not Public
a symmetric key consists of a Public and Private key. The private key can be used to encrypt things, and nobody should ever have it except the server that's issuing tokens, or basically, the side that others need to verify that yep, this token came from this server. The public key can be used to decrypt things that were encrypted with the private key, and you can safely share it to anyone
Unknown User•9mo ago
Message Not Public
what's public key?
in my situation
Unknown User•9mo ago
Message Not Public
i thought what you said about public and private was asymmetric
right? Or is that RSA?
Unknown User•9mo ago
Message Not Public
oh, well, nvm then
yes
so with symmetric... both sides have the 'secret'?
Unknown User•9mo ago
Message Not Public
yes
and i don't get why
then yeah ignore all that stuff above :lul:
Unknown User•9mo ago
Message Not Public
I guess the idea with a symmetric key is that you don't want anyone to be able to decode it except your services
no one can decode it
Unknown User•9mo ago
Message Not Public
it uses sha256
Unknown User•9mo ago
Message Not Public
how can you decode that
by knowing the key
Unknown User•9mo ago
Message Not Public
decode whatever you encoded/encrypted with that key
Can you decode something that is encrypted by sha256?
The whole point of encryption... or encoding... I can barely remember the difference... is that you can decode it or decrypt it if you know how, usually by knowing some secret
i genuinely don't get how that authentication works
sure but sha256 is one way encryption
you can't decrypt
Unknown User•9mo ago
Message Not Public
Something somewhere makes a JWT token, which contains claims and info about the user that you can verify came from your other service and know are validated. It makes it using a symmetric key with a given secret - such that it can be decoded, if someone else (your other service or API) knows the secret. If nothing can decode it, it doesn't make sense
Unknown User•9mo ago
Message Not Public
this is how i generate it
the token
Unknown User•9mo ago
Message Not Public
First off, you cannot decrypt/decipher SHA-256
its from google
Unknown User•9mo ago
Message Not Public
now don't i use that algorithm to encrypt
then what am i doing
In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message. An HMAC is a type of keyed hash function that can also be used in a key derivation scheme or a key stretching scheme.
Unknown User•9mo ago
Message Not Public
i have done it
Unknown User•9mo ago
Message Not Public
SHA-256 is a hashing algorithm, which is one-way, but HMAC is the encryption which is reversible
i just don't understand what's going on in the background
Unknown User•9mo ago
Message Not Public
yes?
Unknown User•9mo ago
Message Not Public
this is the fundamental question they've been asking :lul: when verifying a JWT, does the service decode the JWT, or does it just hash the same values and check if they're the same?
Unknown User•9mo ago
Message Not Public
sure
Unknown User•9mo ago
Message Not Public
but didn't you say that the token is decoded to understand the audience and stuff?
Unknown User•9mo ago
Message Not Public
But when it comes to a JWT, you do need to decrypt because you don't know the contents of the claims in that JWT at the time of validation, it might have lots of claims that you don't care about
you can't generate your own JWT and compare because you don't know what claims are in the original
Unknown User•9mo ago
Message Not Public
So then, if you specified ValidateIssuer = false and all the others to false in token validation params, it would still validate the signature?
Unknown User•9mo ago
Message Not Public
can one person explain it again, cuz i am confused
one says you gotta decode
other says no you don't
Unknown User•9mo ago
Message Not Public
Does that mean anyone could decode a JWT and get its contents without having to know any sort of secret? But they can't verify the signature without knowing the secret? Just out of curiosity
Unknown User•9mo ago
Message Not Public
okay let me rephrase it
Unknown User•9mo ago
Message Not Public
When i get user token, i get the public part of the token like, issuer etc. Then i take them with the symmetric key that i have and make a token and then check if that matches?
Unknown User•9mo ago
Message Not Public
When you get a user token, you (the backend) first decode it apparently, because it needs to be split into header/payload/signature. Then it hashes the payload (of the incoming token) with the secret, and compares that result to the signature
is this correct?
Unknown User•9mo ago
Message Not Public
can someone verify it?
Unknown User•9mo ago
Message Not Public
you don't make a "token" to compare to the incoming one, you just hash the decoded token and compare that to the decoded token's signature
Unknown User•9mo ago
Message Not Public
@TeBeCo i have done everything
it works
but i don't understand fully why it works
i have that written
Unknown User•9mo ago
Message Not Public
but to rehash it don't you need to make basically a token?
you rehash the decoded content of the incoming token
Like i get the part where the incoming token is divided into 3 parts but i don't get how you hash it so that it is the same without making it like a token
Unknown User•9mo ago
Message Not Public
so localSign is the one we make from extracting payload from users token and hashing it with SymmetricKey
Unknown User•9mo ago
Message Not Public
can you verify what i wrote
Unknown User•9mo ago
Message Not Public
i'll take a break and then try to understand it again
Unknown User•9mo ago
Message Not Public
i really don't fully understand it
like i get it but not the way i have to know
thanks for the help