jwt-dotnet / jwt Goto Github PK

I have been successfully using this library with the previous Web Api with absolutely no problems. Now, I'm starting a brand new project with Asp.net Core Web Api, however I can still generate tokens but I don't know how to hook this up with the Controller's Authorize Attribute. Can someone please provide me a sample or something?

I'm trying to verify a token sent to me by Google, but I can't. I've tried using both my clientID and my secret to verify the token. Both times it fails.

I'm sorry but this is more of question rather than an issue, since I can not find any appropriate place where to ask question.

Assuming that I have a secret key "top secret" and I used this to encode same data multiple times, will jwt always generate unique token?

Will jwt always generate unique token no matter if same secret key use to encode different data?

JwtValidator.cs: Validate(...) converts the exp claim into an integer:
expInt = Convert.ToInt32(expObj);

However this fails if I attempt to set an expiry past 19 January 2038, the Year 2038 problem.

The definition of seconds since the epoch does not enforce that the result is an integer, merely that the "tm_sec, tm_min, tm_hour, tm_yday, and tm_year" components that are in the expression "are all integer types".

Hence I think all epoch date conversions should be parsed to double, which will support dates beyond DateTime.MaxValue.

If for some reason I decide an algorithm is no longer safe. I should be able to stop treating tokens signed using that algorithm as "verified". if i understand the current code, if it is in the header and in the list of possible algorithms, it will be used. you might say it doesn't matter, as cracking the key will be super hard with no sample to work with (as they are all encoded using the algorithm I am using) but It is one more layer of protection, with no downsides.

suggestion:
public static string Decode(string token, byte[] key, JwtHashAlgorithm = null)

no need for "bool verify = true" for this overload.

Hi @mikelehen,
It seems you've abandoned this project. It's great, and I'm sorry to see it stalled!
What do you think if the community would pick it up? To few maintainers such as myself. We could review the pull requests, answer the questions, etc.

NOTE:
If your reading this because your NuGet install of JWT doesn't work, the solution is at the bottom :-)

Original Question Follows Here

Trying to use the library, looking at the samples in readme.md, quite impressed at how simple lib is to use.

Great, so I install NuGet package (1.3.4) according to my nuget, but when writing code, none of the interfaces in the samples are found.

Looked in the object explorer in VS15 and all i see is this:

Going into each of the classes etc I don't see any of the interfaces in the sample code anywhere:

Please advise, do I need a different version, or is their an issue here?

Cheers
Shawty

There's a new major version of JSON.NET: https://www.nuget.org/packages/Newtonsoft.Json/10.0.1

Should this JWT >2.x depend on this? I tested it briefly and there aren't any problematic API changes.

It would be great to replace the dependency on System.Web.Extensions (which is only used for Json serialization) with NewtonSoft - that way we can use this library in Xamarin projects (which Newtonsoft.Json supports, but Extensions doesn't).

Hi,
Will you consider to review and merge the changes to support Google flavored Jwt implementation?
If I understand correctly currently the code doesn't support the algorithm Google supports exclusively. At least it didn't work for me. Particularly - RS256.
System.IdentityModel.Tokens.Jwt doesn't support it either.

as per title

In the examples there is a secret key like:
var secret = "GQDstcKsx0NHjPOuXOYg5MbeJ1XT0uFiwDVvVBrk";

Where does this key normally come from? Should we extract it i.e. from certificates?
I think it isn't something what should been hard code in our programs, am i right?

Thanx for your feedback!

Best regards
Thomas

I reproduced the issue @blgrnboy was experiencing in #100. The package path needs to be reverted or fixed and also needs to work on the build server.

I'm going to move this project to it's own organization. Existing owners will be added. Github should handle the redirects fine.

While testing my authorization code with various forms of tokens that have been tampered with, I've noticed JsonWebToken.DecodeToObject throws a System.Exception when given an invalid token string. I've tracked it down to JsonWebToken.Base64UrlDecode. Throwing (and catching) an exception of the base Exception type is generally bad practice and I'd prefer catching a more specific exception (like ArgumentException, or the already existing SignatureVerificationException).

I haven't noticed Exception being thrown anywhere else in the class, either, so I believe this was not intentional. I've only noticed a block of code trying to catch a base Exception during a Convert.ToInt32 call. That could be altered to catch the specific exceptions the method can throw, perhaps in a similar way as here: http://stackoverflow.com/questions/136035/catch-multiple-exceptions-at-once

Hi,
Am new to JWT thing. Ican able to successfully generate JWT for my app. But don't know how to verify the signature of JWT. Can anyone help me regarding this. How to verify the signature?

Will you be making this compliant with .NET Standard?

This assembly is not signed with a key, which makes it impossible to use with assemblies that must be GAC'ed.

Is there a way to download old versions that supports .net 3.5?

Could you please update the NuGet package as there are things missing, such as token expiry validation etc.
Thanks!

I didn't find what's new in VS 2015 for its Unit Testing Framework (aka MSTest) but in my opinion xUnit is more flexible and dynamically developing framework.

Particularly, it supports parametrized tests of various kinds (called PropertyData in v1 and MemberData in v2).

What do you think about such switch?

Hi,

Is (or could there be) a strong named version?

I'm getting this error:
Could not load file or assembly 'JWT, Version=1.3.3.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. A strongly-named assembly is required. (Exception from HRESULT: 0x80131044)

Hi,

i'd like to decode the extra headers i added to the token,
but there seems to be no option for it?

Regards

Encoded token can be decoded without secret key
pass encoded token in 1st parameter, any key in 2nd parameter and pass false is 3rd parameter in the following method
JsonWebToken.Decode

and you are done

Unless you strongly name the NuGet-delivered assembly, assemblies that are themselves strongly-named can't use you.

Feature request ! : Would it be useful to add a public method Verify(object Token, string Key). I want to process tokens from multiple sources. I need to decode them to recover the issuer so I know which key to use for verification. A Verify() method would save me calling Decode() twice.

The code is partly subject to the security attack described her:
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
It is vulnerable to “If a server is expecting a token signed with RSA, but actually receives a token signed with HMAC, it will think the public key is actually an HMAC secret key.”

I'm trying to validate a token from Google Plus. I get an error that says RSA256 is not supported. I can see the algorithm in the source code. Is there any way to get this going?

Log says:

Executing task: Test
Running 0 tests
Finished executing task: Test

Can you please take a look?

It should be pretty easy to use travis-ci or AppVeyor to build this repo when code is checked in. Additionally, the CI script could produce the nupkg file automatically and push it somewhere like MyGet.

I've set this up before, so I'm happy to assist if you want to do this.

Installing the 1.3.5-beta nupkg via VS 2015 NuGet does not extract a DLL into the lib directory. 1.3.4 of course works correctly.

• Go away from static API in favor of instance-based API with a number of separate classes:
  • JwtEncoder : IJwtEncoder
  • JwtDecoder : IJwtDecoder
  • JwtValidator : IJwtValidator
• Mark static API [Obsolete]
• Make static API a wrapper on top of instance-based API
• Remove static API in the future versions (such as 2.1 or 3.0)

do you have in docs any example for RSA asymetric usage via certificate ?

In ver. 2.0 I would move from the static class paradigm to an instance with dependencies. So you could inject necessary encoder/decoder, serializer or certificate factory.

Thoughts?

The idea is to extract few child packages:

• JwtNet.Json.NewtonSoft for JsonNet based implementation of Json (de)serialization
• JwtNet.Json.ServiceStack for ServiceStack.Text based implementations
• JwtNet.Cryptography.RS256 for System.Security.Cryptography based implementation of RS256Algorithm

Hi,

Was fiddling and noticed:

https://github.com/jwt-dotnet/jwt/blob/master/src/JWT/Algorithms/HMACSHA384Algorithm.cs#L9
https://github.com/jwt-dotnet/jwt/blob/master/src/JWT/Algorithms/HMACSHA512Algorithm.cs#L9

Where the HMACs should surely reflect the algorithm they are representing? Or am I missing something.

Regards,
Sam

Hi folks,

For every Request that arrives, we attempt to decode the string token using your DecodeToObject<T> method. Great! Works fine 😄

Now, for every Request I noticed the code does the following (taken from your documentation):

var token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjbGFpbTEiOjAsImNsYWltMiI6ImNsYWltMi12YWx1ZSJ9.8pwBI_HtXqI3UgQHQ_rDRnSQRxFL1SR8fbQoS-5kM5s";
var secret = "GQDstcKsx0NHjPOuXOYg5MbeJ1XT0uFiwDVvVBrk";
try
{
    IJsonSerializer serializer = new JsonNetSerializer();
    IDateTimeProvider provider = new UtcDateTimeProvider();
    IJwtValidator validator = new JwtValidator(serializer, provider);
    IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
    IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder);
    
    var json = decoder.Decode(token, secret, verify: true);
    Console.WriteLine(json);
}
...

• Create a serializer.
• Now, create a TimeProvider.
• ... etc..

Basically, each request keeps creating the same objects again and again.

So - why can't these be static ?

• Create them all once.
• _decoder.Decode(..);

e.g.

private static IJwtAlgorithm _algorithm = new HMACSHA256Algorithm();
private static IJsonSerializer _serializer = new JsonNetSerializer();
private static IDateTimeProvider _provider = new UtcDateTimeProvider();
private static IJwtValidator _validator = new JwtValidator(_serializer, _provider);
private static IBase64UrlEncoder _urlEncoder = new JwtBase64UrlEncoder();
private static IJwtEncoder _encoder = new JwtEncoder(_algorithm, _serializer, _urlEncoder);
private static IJwtDecoder _decoder = new JwtDecoder(_serializer, _validator, _urlEncoder);

<in some method>
_decoder.Decode(..);
...

So - is this possible? OK? These things thread safe?

When trying to decode segments of JWT token (first two segments) using other libraries, an exception is thrown saying invalid input or illegal base64 string. It happens since we are not considering trailing equals (=) character while encoding (in method public static string Base64UrlEncode(byte[] input)).
Please look into this and if possible then try to provide an overload so that we don't break existing clients.

after i used the function Encode() i got the token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjp7IlVzZXJfTmFtZSI6ImV0YWciLCJVc2VyX0lkIjoxMDMsIlVzZXJfQWNjZXNzIjowfSwiZXhwIjoxNDgyMjA4NjM5fQ.I_aeBp9A2O2tl7VsrN0aTnHSu4Frygp25IIf6_lcixw

if i change the last char of token, e.g.:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjp7IlVzZXJfTmFtZSI6ImV0YWciLCJVc2VyX0lkIjoxMDMsIlVzZXJfQWNjZXNzIjowfSwiZXhwIjoxNDgyMjA4NjM5fQ.I_aeBp9A2O2tl7VsrN0aTnHSu4Frygp25IIf6_lcixx

you see i replaced last char 'w' to “x‘, then i use the funciton DecodeToObject(), now i still get the correct object, maybe i used a wrong method, but how did it happened?

It seems like it should be ok for the payload to be an IDictionary but it fails to Deserialize. My work-around for the time being is simply to load my IDictionary back into a Dictionary.

IDictionary<string,obj> payload = ...
JWT.JsonWebToken.Encode(new Dictionary<string,obj>(payload), ...

Does version 2.4.1 require version 10.0.2 of the json library?

• CI using AppVeyor
• Link AppVeyor to MyGet?
• Publish to NuGet

Hello. I am interested in working with Jwt.Net. On NuGet there is only v.1.3.4 in the stable channel, but v.2.1.1-beta in the pre-release channel. I am wondering if the 2.0.0 version is missing in the stable channel? From my perspective the version numer 2.1.1-beta tells me that 2.0.0 should be a stable release and could be added as a package to the stable channel.

Am I wrong?

Instruction that includes AppVeyor: https://github.com/codecov/example-csharp/blob/master/readme.md

Could you add asymmetric encryption? That seems to be all that is missing to support JWS - JSON Web Signature.

When I use the Decode() method, a "SignatureVerificationException" exception is thrown no matter if the signature is invalid (1), the expiracy date is invalid (2) or the token has expired (3):

1.

if (decodedCrypto != decodedSignature)
{
    throw new SignatureVerificationException(string.Format("Invalid signature. Expected {0} got {1}", decodedCrypto, decodedSignature));
}

2.

try
{
   exp = Convert.ToInt32(payloadData["exp"]);
}
catch (Exception)
{
   throw new SignatureVerificationException("Claim 'exp' must be an integer.");
}

3.

if (secondsSinceEpoch >= exp)
{
   throw new SignatureVerificationException("Token has expired.");
}

cf.

Would it be possible to have a specific custom exception for each scenario? Then it would be easier and more robust to handle errors when decoding a token.

Thank you

I just tested the result after including this library in one of our projects.
Whatever it is that you are smoking - it must be good...
You are outputting the correct signature with each SignatureVerificationException...
If I were an attacker, I would silently say "thank you" when I saw this - and wonder what drug you're on...

private static void Verify(string decodedCrypto, string decodedSignature, string payloadJson)
{
    if (decodedCrypto != decodedSignature)
    {
        // My oh my - please don't donate the correct signature to a wannabe-attacker...
        // throw new SignatureVerificationException(string.Format("Invalid signature. Expected {0} got {1}", decodedCrypto, decodedSignature));
        throw new SignatureVerificationException(string.Format("Invalid signature. Expected {0} got {1}", "SEE_LOG", decodedSignature));
    }