What to do with JWT client_id on Javascript backend using ASP.NET Web API

I am trying to implement JWT authorization in a project. However, in order to successfully receive the token, I must pass the client_id from the AngularJS interface to the ASP.NET Web API and, as far as I know, it is not protected at all. So can someone please give me a hint about what I should do in my situation?

On the JS side -

```javascript
var data = 'grant_type=password&username=' + loginData.Email +
           '&password=' + loginData.Password +
           '&client_id=' + client_id;
$http.post('/oauth2/token', data);
//Code omitted
```

I use this guide to create Jwt authorization, for the most part. Besides the fact that I have an application on one domain, here is what my Startup.cs looks like -

```csharp
using System;
using System.Configuration;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler.Encoder;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        ConfigureOAuth(app);
        ConfigureValidationOAuth(app);
        app.UseWebApi(config); // hand the configured Web API to the OWIN pipeline
    }

    private static void ConfigureOAuth(IAppBuilder app)
    {
        var oAuthServerOptions = new OAuthAuthorizationServerOptions
        {
            AllowInsecureHttp = true,
            TokenEndpointPath = new PathString("/oauth2/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
            Provider = new CustomOAuthProvider(),
            AccessTokenFormat = new CustomJwtFormat(ConfigurationManager.AppSettings["owin:issuer"])
        };
        app.UseOAuthAuthorizationServer(oAuthServerOptions);
    }

    private static void ConfigureValidationOAuth(IAppBuilder app)
    {
        var issuer = ConfigurationManager.AppSettings["owin:issuer"];
        var audience = ConfigurationManager.AppSettings["owin:audience"];
        var secret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["owin:secret"]);

        //Api controllers with [Authorize] attribute will be validated with Jwt
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                AllowedAudiences = new[] { audience },
                IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
                {
                    new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
                }
            });
    }
}
```
1 answer

JWT authentication and authorization should work as follows:

  • pass the username and password to the server
  • the server validates the user data and generates a JWT token, which should be in this format (check JWT.io for more info):

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4JFJFJVJFJVJFJVJFJVJFJVJFJVJFJ

  • JWT token must be stored on the client side in local storage

  • To make your life easier, you must create an angular HTTP request interceptor that automatically adds the stored JWT token to the request headers. Something like that:

```javascript
myApp.factory('jwt-interceptor', ['$q', '$window', function ($q, $window) {
    return {
        request: function (request) {
            // only attach the header when a token has actually been stored,
            // otherwise the server would receive "Bearer undefined"
            if ($window.localStorage.token) {
                request.headers['Authorization'] = 'Bearer ' + $window.localStorage.token;
            }
            return request;
        },
        responseError: function (response) {
            return $q.reject(response);
        }
    };
}]).config(['$httpProvider', function ($httpProvider) {
    $httpProvider.interceptors.push('jwt-interceptor');
}]);
```

  • the server should read the header parameter named Authorization, decode the token and check if the payload is valid:

    a. it was decoded correctly and the payload is not damaged

    b. check that the timestamp in the payload exceeds the current timestamp

    c. other checks related to user permissions (if necessary)


Source: https://habr.com/ru/post/1236831/

