Verify JWT Live.com Token (Microsoft Account)


I am currently struggling with checking the JWT token of a Microsoft account in Web API 2. I found the OWIN middleware for this (NuGet package Microsoft.Owin.Security.Jwt), and here is the setup code from my Startup.cs:

    using System.Security.Cryptography;
    using System.Text;
    using Microsoft.Owin.Security.Jwt;
    using Owin;

    public void ConfigureAuth(IAppBuilder app)
    {
        // Derive the HMAC key as SHA-256(client secret + "JWTSig").
        var sha256 = new SHA256Managed();
        var secretBytes = Encoding.UTF8.GetBytes(@"(My app client secret)" + "JWTSig");
        byte[] signingKey = sha256.ComputeHash(secretBytes);

        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
        {
            // Only tokens whose "aud" claim matches this value are accepted.
            AllowedAudiences = new[] { "(My API domain)" },
            // Symmetric key for tokens whose "iss" claim is "urn:windows:liveid".
            IssuerSecurityTokenProviders = new[]
            {
                new SymmetricKeyIssuerSecurityTokenProvider("urn:windows:liveid", signingKey)
            }
        });
    }

I found this snippet here:

http://code.lawrab.com/2014/01/securing-webapi-with-live-id.html

The JWT token is sent from my Windows Store app client using the Live SDK. I am sending an authentication token, not an access token, so I'm sure this is a JWT. Using online debuggers like this one: http://jwt.io/ I can successfully decode the header and payload, but I cannot find a way to verify the signature. This is the debug output of my Web API when sending a request with this JWT:

    Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Error: 0: Authentication failed
    System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
        (
        IsReadOnly = False,
        Count = 1,
        Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
        )
    ',
    token: '{"alg":"HS256","kid":"0","typ":"JWT"}.{"ver":1,"iss":"urn:windows:liveid","exp":1408666611,"uid":"my Microsoft account uid","aud":"(My API domain)","urn:microsoft:appuri":"ms-app://(client app store id)","urn:microsoft:appid":"(ID of the app from account.live.com/developers)"}
    RawData: (the JWT token)'.
       at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
       at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(String securityToken, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
       at Microsoft.Owin.Security.Jwt.JwtFormat.Unprotect(String protectedText)
       at Microsoft.Owin.Security.Infrastructure.AuthenticationTokenReceiveContext.DeserializeTicket(String protectedData)
       at Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.d__0.MoveNext()

Sorry for my English, any corrections are more than welcome.

+8
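Signature verification for a Live Connect authentication token done by hand, outside the OWIN middleware, as an added example that is not from the original post or the linked blog: it derives the key exactly as the Startup.cs snippet does (SHA-256 of client secret + "JWTSig"), recomputes the HS256 HMAC over header.payload, and only then checks iss, aud and exp. The secret, uid and audience values are constructed, and make_live_jwt exists only to build test tokens; it is not part of the Live SDK.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def live_signing_key(client_secret: str) -> bytes:
    # Same derivation as the Startup.cs snippet: SHA-256(client secret + "JWTSig").
    return hashlib.sha256((client_secret + "JWTSig").encode("utf-8")).digest()

def verify_live_jwt(token: str, client_secret: str, audience: str,
                    now=None, issuer: str = "urn:windows:liveid") -> dict:
    # Returns the payload only if signature, issuer, audience and expiry all check out.
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 segments
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not be allowed to choose (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(live_signing_key(client_secret), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    # Claims are only trusted after the signature has been checked.
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if payload.get("aud") != audience:
        raise ValueError("unexpected audience")
    now = int(time.time()) if now is None else now
    if int(payload.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return payload

def make_live_jwt(payload: dict, client_secret: str) -> str:
    # Constructed test-token builder (hypothetical); mirrors the header seen in the log above.
    header = {"alg": "HS256", "kid": "0", "typ": "JWT"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(live_signing_key(client_secret), ("%s.%s" % (h, p)).encode("ascii"), hashlib.sha256).digest()
    return "%s.%s.%s" % (h, p, _b64url_encode(sig))
```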
1 answer

One of the easiest ways I can suggest is to check it against the source itself.

In your case you are using live.com, so send one request to live.com with your token in the header; if it is a valid token, it will return a known value (for example, the user's account information).

Use a URL such as: https://outlook.live.com/ows/v1.0/OutlookOptions

and send the token in the header as Authorization: Bearer TOKEN_VALUE

If it returns the expected value, then the token is valid and the session also works.

0

Source: https://habr.com/ru/post/974180/
