I am prototyping the use of IdentityServer4 to protect several services with the caveat that these services will most likely not be ported (in the foreseeable future) to use OWIN middleware in ASP.NET Core. Therefore, I cannot use many middleware helpers that automate JWT validation by simply providing the well-known JWKS IdentityServer endpoint, among other things.
It would be nice if I could restore this behavior, and I would like to use the Microsoft implementation of the JwtSecurityTokenHandler if possible. However, I cannot figure out how to use the JsonWebKeySet and JsonWebKey provided through the IdentityServer discovery endpoint to retrieve the keys and perform validation.
JwtSecurityTokenHandler uses TokenValidationParameters to validate the JWT, and these parameters require an instance of one or more SecurityKey to perform the validation.
```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using IdentityModel.Client;
using Microsoft.IdentityModel.Tokens;

ClaimsPrincipal ValidateJwt(string token, DiscoveryResponse discovery)
{
    TokenValidationParameters validationParameters = new TokenValidationParameters
    {
        ValidateAudience = true,
        ValidateIssuer = true,
        RequireSignedTokens = true,
        ValidIssuer = "expected-issuer",
        ValidAudience = "expected-audience",
        // This is the part that does not compile: discovery.KeySet.Keys is a list of
        // IdentityModel.Jwk.JsonWebKey, not Microsoft.IdentityModel.Tokens.SecurityKey.
        IssuerSigningKeys = discovery.KeySet.Keys
    };

    JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
    SecurityToken validatedToken;
    // ValidateToken takes the raw compact token string, not a parsed JwtSecurityToken.
    return handler.ValidateToken(token, validationParameters, out validatedToken);
}
```
How to make the necessary transfer from JsonWebKeySet to IEnumerable<SecurityKey> so that verification can happen? Is there any other method (other than OWIN middleware) that will also work using the DiscoveryResponse data above?
(Unfortunately, the documentation for System.IdentityModel.Tokens.Jwt has not been updated.)
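One way to do the JsonWebKeySet to SecurityKey conversion the question asks about, as an added example that is not part of the original post. It assumes the IdentityModel package (DiscoveryResponse, IdentityModel.Jwk.JsonWebKeySet and the IdentityModel.Base64Url helper) and the Microsoft.IdentityModel.Tokens package (RsaSecurityKey, TokenValidationParameters); the method names, the RS256-only policy and the two-minute clock skew are choices made for this example, not values from the post.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using IdentityModel;            // Base64Url
using IdentityModel.Client;     // DiscoveryResponse
using IdentityModel.Jwk;        // JsonWebKeySet, JsonWebKey
using Microsoft.IdentityModel.Tokens;

// Example helper (hypothetical name, not part of IdentityModel or the post).
static class JwksValidation
{
    // Build Microsoft SecurityKeys from the RSA entries of the discovery JWKS.
    // Non-RSA or incomplete entries are skipped. The "kid" is preserved so the
    // handler can pick the key named in the token header instead of trying all of them.
    public static IEnumerable<SecurityKey> ToSecurityKeys(JsonWebKeySet keySet)
    {
        foreach (JsonWebKey jwk in keySet.Keys)
        {
            if (!string.Equals(jwk.Kty, "RSA", StringComparison.Ordinal)) continue;
            if (string.IsNullOrEmpty(jwk.N) || string.IsNullOrEmpty(jwk.E)) continue;

            var rsaParameters = new RSAParameters
            {
                Modulus = Base64Url.Decode(jwk.N),   // JWK "n" is base64url, not base64
                Exponent = Base64Url.Decode(jwk.E)
            };
            yield return new RsaSecurityKey(rsaParameters) { KeyId = jwk.Kid };
        }
    }

    public static ClaimsPrincipal ValidateJwt(string token, DiscoveryResponse discovery, string expectedAudience)
    {
        var parameters = new TokenValidationParameters
        {
            // Take the issuer from the discovery document so it matches what the
            // authority actually advertises; the audience is still supplied by the caller.
            ValidIssuer = discovery.Issuer,
            ValidAudience = expectedAudience,
            IssuerSigningKeys = ToSecurityKeys(discovery.KeySet),
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            RequireSignedTokens = true,
            RequireExpirationTime = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2)
        };

        var handler = new JwtSecurityTokenHandler();
        SecurityToken validated;
        ClaimsPrincipal principal = handler.ValidateToken(token, parameters, out validated);

        // The handler has already checked the signature, issuer, audience and lifetime.
        // Pin the algorithm as well so only RS256-signed tokens are accepted.
        var jwt = (JwtSecurityToken)validated;
        if (!string.Equals(jwt.Header.Alg, SecurityAlgorithms.RsaSha256, StringComparison.Ordinal))
        {
            throw new SecurityTokenInvalidSignatureException(
                "Unexpected signing algorithm: " + jwt.Header.Alg);
        }
        return principal;
    }
}
```

The discovery document should be fetched once and cached rather than on every request; when a token arrives with a `kid` that is not in the cached set (key rollover), refresh the document and retry once, which is the same behaviour the OWIN middleware provides automatically.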