I am using OpenIddict, which is configured to use JSON Web Tokens:
services.AddAuthentication();
services.AddOpenIddict()
    // persist applications, authorizations and tokens with EF Core
    .AddEntityFrameworkCoreStores<ApplicationDbContext>()
    .AddMvcBinders()
    .EnableTokenEndpoint("/connect/token")
    .AllowPasswordFlow()
    .AllowRefreshTokenFlow()
    // issue access tokens as JWTs instead of the default opaque tokens
    .UseJsonWebTokens()
    // development only: allows the token endpoint over plain HTTP
    .DisableHttpsRequirement()
    // development only: a fresh RSA signing key is generated at every start,
    // so tokens issued before a restart no longer validate afterwards
    .AddEphemeralSigningKey();
I configured the JWT middleware as follows:
var secretKey = Configuration.Get<AppOptions>().Jwt.SecretKey;
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    RequireHttpsMetadata = env.IsProduction(),
    Audience = Configuration.Get<AppOptions>().Jwt.Audience,
    // with Authority set, the handler downloads the issuer's discovery document
    // and JWKS and adds those (RSA) keys to the keys used for validation
    Authority = Configuration.Get<AppOptions>().Jwt.Authority,
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        // a symmetric key can only verify HMAC-signed tokens (HS256 etc.)
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretKey)),
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidAudience = Configuration.Get<AppOptions>().Jwt.Audience,
        ValidateLifetime = true,
    }
});
app.UseOpenIddict();
As you can see, the issuer signing key is set to a symmetric key:
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretKey)),
but the created JWT access_tokens have the alg header set to RS256, so it seems that this parameter is ignored, and OpenIddict signs the token with the RSA private key generated from
.AddEphemeralSigningKey();
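The check behind the observation above, as an added example that is not part of the question and not OpenIddict's or ASP.NET Core's code: decode the token header to see which alg and kid the issuer actually used, and treat a symmetric key as usable for HS256 only, failing closed when the token announces RS256 instead of silently ignoring the key. Everything below is Python standard library; RS256_SAMPLE, SECRET, describe_mismatch and the "symmetric"/"asymmetric" labels are constructed for the example. Verifying a real RS256 token needs the issuer's RSA public key (in the .NET setup that is what the Authority's JWKS provides), which is out of scope here.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(data: str) -> bytes:
    """Base64url decoding with the padding that JWTs omit restored."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def peek_jwt(token: str):
    """Decode header and payload WITHOUT verifying anything (diagnostic only).

    This is how to confirm which algorithm and key id the issuer really used
    before arguing with the validator's configuration."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def verify_hs256(token: str, secret: bytes) -> dict:
    """Verify a token against a shared secret, failing closed on alg mismatch."""
    header, payload = peek_jwt(token)
    # A symmetric key can only check HMAC signatures. If the token announces
    # RS256 (as the tokens in the question do) this is simply the wrong kind
    # of key: refuse explicitly rather than trusting the header or falling back.
    alg = header.get("alg")
    if alg != "HS256":
        raise ValueError(f"alg mismatch: token uses {alg!r}, this key verifies HS256 only")
    signing_input, signature = token.rsplit(".", 1)
    expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        raise ValueError("HS256 signature does not verify")
    return payload


def make_hs256(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token the way a symmetric-key issuer would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def describe_mismatch(token: str, key_kind: str) -> str:
    """One-line diagnosis: does the token's alg fit the configured key type?

    key_kind is a hypothetical label for this example: "symmetric" or "asymmetric"."""
    header, _ = peek_jwt(token)
    alg = header.get("alg", "?")
    family = "symmetric" if alg.startswith("HS") else "asymmetric"
    if family == key_kind:
        return f"ok: alg={alg} matches {key_kind} keys"
    return (f"mismatch: token alg={alg} needs {family} keys, "
            f"but the validator is configured with {key_kind} keys")


# Constructed sample: same header shape as the RS256 tokens in the question
# (alg RS256 plus a kid) with a placeholder signature. Not a real OpenIddict
# token; a real one would need the issuer's RSA public key to verify.
RS256_SAMPLE = ".".join([
    b64url_encode(b'{"alg":"RS256","typ":"JWT","kid":"example-kid"}'),
    b64url_encode(b'{"iss":"https://issuer.example/","aud":"resource_server","sub":"alice"}'),
    b64url_encode(b"\x00" * 256),  # a 2048-bit RSA signature is 256 bytes
])

# Constructed shared secret standing in for Jwt.SecretKey.
SECRET = b"constructed-shared-secret-for-the-example"


if __name__ == "__main__":
    print(peek_jwt(RS256_SAMPLE)[0])
    print(describe_mismatch(RS256_SAMPLE, "symmetric"))
    try:
        verify_hs256(RS256_SAMPLE, SECRET)
    except ValueError as exc:
        print("rejected:", exc)
    token = make_hs256({"sub": "alice", "aud": "resource_server"}, SECRET)
    print(verify_hs256(token, SECRET))
```

Running it prints the RS256 header, a mismatch diagnosis for a symmetric key, the explicit rejection, and then a successful round trip for a token that really was HMAC-signed with the shared secret.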