C
C#9mo ago
Dachi

✅ Authorization in ASP.NET Web Api

[Authorize("MyApiUserPolicy", AuthenticationSchemes = "Bearer")] How exactly does it check provided token if it is valid or not? Like does it generate similar token and based on provided token it just compares it or there is something else going on?
102 Replies
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
Depends on how you registered it, but usually somewhere you're setting up something like:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateIssuerSigningKey = true,
ValidIssuer = "YOUR_ISSUER",
ValidAudience = "YOUR_AUDIENCE",
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("YOUR_SIGNING_KEY"))
};
});
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateIssuerSigningKey = true,
ValidIssuer = "YOUR_ISSUER",
ValidAudience = "YOUR_AUDIENCE",
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("YOUR_SIGNING_KEY"))
};
});
Dachi
DachiOP9mo ago
sure i have that
D.Mentia
D.Mentia9mo ago
so it's validating the token given the validation info you gave it - that it can decode the token with the given key, and it has a valid issuer and audience (if you specified that it should validate those things) the authorization policy is separate, after authentication, and you set that up yourself somewhere too and I assume you're not asking about that
Dachi
DachiOP9mo ago
so it decodes the user token
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
I'm not 100% sure but, reasonably certain. It has to, in order to get the authorization info (claims from the token)
Dachi
DachiOP9mo ago
and checks ussuer and other stuff right?
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
like does it decode token, or generate one with the information that you give and compares them to each other?
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
decodes, pretty sure. Comparing them doesn't work because it doesn't know what claims and stuff are in that token
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
if it checks parts where i say ture whats the use of SymmetricSecurityKey(Encoding.UTF8.GetBytes("YOUR_SIGNING_KEY")) those things are publicly available in token @TeBeCo
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
you mean the part where it check literally every part? because if os then it is pretty much the same as craeting token and comparing it with users's
D.Mentia
D.Mentia9mo ago
I think there's some confusion here because for some reason it seems common that both the authenticator (where this endpoint is), and the issuer of the token, both seem to have the signing key's secret when I think usually, the authenticator would have only the public half of the symmetric token, and couldn't actually create a token itself, it can only decode and I assume in the backend it's doing that for you, if you supply the full symmetric token, it just takes the public part for decoding and ignores the private part for encoding
Dachi
DachiOP9mo ago
so basiclly
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
it uses that token to more easily read public part? not token but symmetric key
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
a symmetric key consists of a Public and Private key. The private key can be used to encrypt things, and nobody should ever have it except the server that's issuing tokens, or basically, the side that others need to verify that yep, this token came from this server. The public key can be used to decrypt things that were encrypted with the private key, and you can safely share it to anyone
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
whats public key ? in my situation
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
i though what you said about public and private was asymmetric
D.Mentia
D.Mentia9mo ago
right? Or is that RSA?
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
oh, well, nvm then
Dachi
DachiOP9mo ago
yes
D.Mentia
D.Mentia9mo ago
so with symmetric... both sides have the 'secret'?
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
yes and i don't get why
D.Mentia
D.Mentia9mo ago
then yeah ignore all that stuff above :lul:
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
I guess the idea with a symmetric key is that you don't want anyone to be able to decode it except your services
Dachi
DachiOP9mo ago
no one can decode it
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
it uses ssh256
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
how can you decode that
D.Mentia
D.Mentia9mo ago
by knowing the key
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
decode whatever you encoded/encrypted with that key
Dachi
DachiOP9mo ago
Can you decode something that is encripted by ssh256?
D.Mentia
D.Mentia9mo ago
The whole point of encryption... or encoding... I can barely remember the difference... is that you can decode it or decrypt it if you know how, usually by knowing some secret
Dachi
DachiOP9mo ago
i geniuanly don't get how that authentication works sure but ssh256 is one way encryption you can't decript
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
Something somewhere makes a JWT token, which contains claims and info about the user that you can verify came from your other service and know are validated. It makes it using a symmetric key with a given secret - such that it can be decoded, if someone else (your other service or API) knows the secret. If nothing can decode it, it doesn't make sense
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
c#
var claims = new List<Claim>
{
new Claim(JwtRegisteredClaimNames.Sub, id),
new Claim(ClaimTypes.Role, "api-user"),
new Claim(ClaimTypes.Role, "api-admin"),
};

var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["JwtSecret"]!));
var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

var token = new JwtSecurityToken(
issuer: "myapi.com",
audience: "myapi.com",
claims: claims,
expires: DateTime.Now.AddMinutes(60),
signingCredentials: credentials);

var tokenGenerator = new JwtSecurityTokenHandler();
var jwt = tokenGenerator.WriteToken(token);
c#
var claims = new List<Claim>
{
new Claim(JwtRegisteredClaimNames.Sub, id),
new Claim(ClaimTypes.Role, "api-user"),
new Claim(ClaimTypes.Role, "api-admin"),
};

var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["JwtSecret"]!));
var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

var token = new JwtSecurityToken(
issuer: "myapi.com",
audience: "myapi.com",
claims: claims,
expires: DateTime.Now.AddMinutes(60),
signingCredentials: credentials);

var tokenGenerator = new JwtSecurityTokenHandler();
var jwt = tokenGenerator.WriteToken(token);
this is how i generate it the token
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
First off, you cannot decrypt/decipher SHA-256 its from google
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
now don't i use that algorithm to encript then what am i doing
D.Mentia
D.Mentia9mo ago
In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message. An HMAC is a type of keyed hash function that can also be used in a key derivation scheme or a key stretching scheme.
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
i have done it
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
SHA-256 is a hashing algorithm, which is one-way, but HMAC is the encryption which is reversible
Dachi
DachiOP9mo ago
i just don't understand what's going on in the background
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
yes?
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
this is the fundamental question they've been asking :lul: when verifying a JWT, does the service decode the JWT, or does it just hash the same values and check if they're the same?
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
sure
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
but didn't you say that token is decoded to udnerstand the audience and stuff?
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
But when it comes to a JWT, you do need to decrypt because you don't know the contents of the claims in that JWT at the time of validation, it might have lots of claims that you don't care about you can't generate your own JWT and compare because you don't know what claims are in the original
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
So then, if you specified ValidateIssuer = false and all the others to false in token validation params, it would still validate the signature?
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
can one person explain it again, cuz i am confused one says you gotta decode other says no you don;t
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
Does that mean anyone could decode a JWT and get its contents without having to know any sort of secret? But they can't verify the signature without knowing the secret? Just out of curiosity
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
okay let me rephrease it
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
When i get user token, i get the public part of the token like, issuer etc. Then i take them with the symmetric key that i have and make a token and then check if that matches?
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
When you get a user token, you (the backend) first decodes it apparently, because it needs to split it into header/payload/signature. Then it hashes the payload (of the incoming token) with the secret, and compares that result to the signature
Dachi
DachiOP9mo ago
is this correct?
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
can someone verify it?
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
D.Mentia
D.Mentia9mo ago
you don't make a "token" to compare to the incoming one, you just hash the decoded token and compare that to the decoded token's signature
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
@TeBeCoi have done everyhting it works but i don't understand fully why it works i have that written
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
but to rehash it don't you need to make basicly a token?
D.Mentia
D.Mentia9mo ago
you rehash the decoded content of the incoming token
Dachi
DachiOP9mo ago
Like i get the part where when incoming token is devided into 3 parts but i don't get it how you hash it so that it is the same without making it like a token
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
so localSign is the one we make from extracting payload from users token and hashing it with SymmetricKey
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
can you verify what i wrote
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
i'll take a break and then try to understand it again
Unknown User
Unknown User9mo ago
Message Not Public
Sign In & Join Server To View
Dachi
DachiOP9mo ago
i really don't fully understand it like i get it but not the way i have to know thanks for the help
Want results from more Discord servers?
Add your server