C#•13mo ago

✅ JTI not being pulled from payload when I am trying to validate token

I create an access token store all the claims i want on it and get an access token and this is what the payload looks like when its decoded

Creating Access Token

    private string CreateAccessToken(ApplicationUser user, string sessionId)
    {
        var tokenHandler = new JwtSecurityTokenHandler();
        var key = Encoding.ASCII.GetBytes(_jwtSecret);

        var tokenDescriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new Claim[]
            {
                new Claim(ClaimTypes.Name, user.UserName.ToString()),
                new Claim(JwtRegisteredClaimNames.Jti, sessionId),
                new Claim(JwtRegisteredClaimNames.Sub, user.Id),
            }),
            Expires = DateTime.UtcNow.AddMinutes(30),
            SigningCredentials = new(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature),
            Issuer = "https://localhost:7059",
            Audience = "http://localhost:5173"
        };

        var token = tokenHandler.CreateToken(tokenDescriptor);
        var tokenStr = tokenHandler.WriteToken(token);

        return tokenStr;
    }

    private string CreateAccessToken(ApplicationUser user, string sessionId)
    {
        var tokenHandler = new JwtSecurityTokenHandler();
        var key = Encoding.ASCII.GetBytes(_jwtSecret);

        var tokenDescriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new Claim[]
            {
                new Claim(ClaimTypes.Name, user.UserName.ToString()),
                new Claim(JwtRegisteredClaimNames.Jti, sessionId),
                new Claim(JwtRegisteredClaimNames.Sub, user.Id),
            }),
            Expires = DateTime.UtcNow.AddMinutes(30),
            SigningCredentials = new(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature),
            Issuer = "https://localhost:7059",
            Audience = "http://localhost:5173"
        };

        var token = tokenHandler.CreateToken(tokenDescriptor);
        var tokenStr = tokenHandler.WriteToken(token);

        return tokenStr;
    }

{
  "unique_name": "Test",
  "jti": "SESS73ab5ea8-2c67-42a9-ba6e-96241dad5b0a",
  "sub": "bababf79-a2bc-49b3-9690-206acd714bd0",
  "nbf": 1732389177,
  "exp": 1732390948,
  "iat": 1732389177,
  "iss": "https://localhost:7059",
  "aud": "http://localhost:5173"
}

{
  "unique_name": "Test",
  "jti": "SESS73ab5ea8-2c67-42a9-ba6e-96241dad5b0a",
  "sub": "bababf79-a2bc-49b3-9690-206acd714bd0",
  "nbf": 1732389177,
  "exp": 1732390948,
  "iat": 1732389177,
  "iss": "https://localhost:7059",
  "aud": "http://localhost:5173"
}

CydoOP•11/23/24, 7:21 PM

Now when I go to verify that access token for some reason half the claims just dissapear, and i have no idea why

The JIT claim is never present but its present on the incoming access token. and my debugger says only these claims are present

CydoOP•11/24/24, 7:38 PM

Figured it out

SteveTheMadLad•11/24/24, 7:48 PM

What was it? I read your post and it got me curious, as I recently did something similar and had no issue.

SSteveTheMadLad What was it? I read your post and it got me curious, as I recently did something...

CydoOP•11/26/24, 5:43 PM

Sorry never got a notification for this, The issue was a variety of things tbh but the way I ended up fixing it was using a different package for jwt's

So instead of using , i used which is apparently the newer and prefered way to do Jwt's and then changes a few other things you'd have to do since the methods from that handler are async.

So the two methods completely changed to work now look like this

CydoOP•11/26/24, 5:43 PM

CydoOP•11/26/24, 5:44 PM

And these are the packages