How to decode tokens in Web API 2 (JWT)?

I am trying to work with OAuth Web API 2 tokens, but I don't know how to decrypt them or get the data out of them.

I would really like to find or write an equivalent of this Google tool https://developers.google.com/wallet/digital/docs/jwtdecoder for the tokens I receive from the Web API. The Google tool lets you paste a line of text representing a JWT token, and it splits it and decodes the JSON inside.

In Visual Studio 2013, if you select New ASP.NET Project and then the Web API template with Individual User Accounts, you get a sample project that contains a token endpoint. If you run the project, you can POST the request "grant_type=password&username=joe&password=joe" to /token on the embedded web server and get the token back:

{ "access_token":"x3vHm40WUXBiMZi_3EmdmCWLLuv4fsgjsg4S5Ya8kppDY_-2ejn7qF5Y_nbQ0bYVIKl6MNzL2GtXv-MAuwjippAAv5VDaxoKdxEVxeFrQ_eXsKNaQK7IvmVs1rIZ9eeRfRGK2AQ59wWQcyTtYO0dPJx9K7PGrSKz4ADAZ9SEZqQ4IesVhYbRCwToyxoyU5L9qdU8jXdHumkIrULRQhf68rIaBrEA_Be-V0rzWJ644fRLvv3z69XoHs3Az7PineILyNwbDck9uU2jkaXnwxoCTa4qlK8bR-lEI9-VXPNdbCvfgb5H9wfYsJcw2CMzNxNhV8v9YVZEt90evylwtTCEpXq4T3zRCQvrpbCvZrXqJ8uvlFeqCsvvhlIkSfPhBY8nm2ocWtBGPZm58zLe5FMi1jept0B54U38ZxkZlrGQKar47jkmnc6gpLrkpDBp7cWz", "token_type":"bearer", "expires_in":1209599, "userName":"joe", ".issued":"Fri, 01 Aug 2014 16:16:02 GMT", ".expires":"Fri, 15 Aug 2014 16:16:02 GMT" } 

I want to know what format access_token is in and what information it contains.

The clue I found is this: you can choose which token format the API uses by setting the OAuthAuthorizationServerOptions.AccessTokenFormat property in Startup.Auth.cs. The documentation for OAuthAuthorizationServerOptions says:

"The data format used to protect the information contained in the access token. If this is not provided by the application, the default data protection provider depends on the host server. The SystemWeb host in IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted servers will use DPAPI data protection. If a different access token provider or format is assigned, a compatible instance must be assigned to the OAuthBearerAuthenticationOptions.AccessTokenProvider or OAuthBearerAuthenticationOptions.AccessTokenFormat property of the resource server."

Therefore, it is probably encrypted using the MachineKey. In general I can set the machine key, but if I know the machine key with which the token was created, how can I decrypt it?

+6
1 answer

You are right about token generation. This token is an encrypted or signed string containing a de-serialized version of all claims and ticket properties for a signed-in user. If running in IIS (SystemWeb) mode, encryption and signing are performed using the decryptionKey and validationKey values in the machineKey node. If it runs as an OWIN self-hosted application, encryption uses DPAPI to protect it, which actually uses the 3DES algorithm.

To decrypt it, you need to call this code in your API controller action method (not required, but useful if you want to see what is inside this encrypted token):

 // Startup.OAuthBearerOptions is the static OAuthBearerAuthenticationOptions
 // field that the Web API 2 template exposes from Startup.Auth.cs.
 string token = "Your token goes here";
 Microsoft.Owin.Security.AuthenticationTicket ticket =
     Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(token);
 // ticket.Identity now holds the claims; ticket.Properties holds the ticket properties.

If you need to configure the AuthZ server to issue signed JWT tokens so that you can decode them using a standalone tool such as the Google JWT decoder, then I recommend you read my blog post about JSON Web Token in ASP.NET Web API 2 using Owin.

+7
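An added example, not part of the question or the answer above: a small Python inspector that does what the Google JWT decoder does (split the token on dots and base64url-decode the JSON header and payload) and reports when a token is not a JWT at all, which is the case for the opaque MachineKey/DPAPI-protected token the Web API 2 template issues by default. The sample tokens below are constructed for the example; decoding only reveals contents and verifies nothing.

```python
import base64
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token: str) -> dict:
    """Split a token like the Google JWT decoder and decode header/payload.

    This only shows what a JWT carries; it does NOT check the signature,
    so the result must never be used to make an authorization decision.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        # The Web API 2 template's default token is an opaque encrypted blob
        # (MachineKey or DPAPI protected) with no dot-separated segments.
        return {"is_jwt": False, "reason": f"expected 3 segments, got {len(parts)}"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return {"is_jwt": False, "reason": "segments are not base64url-encoded JSON"}
    return {
        "is_jwt": True,
        "header": header,
        "payload": payload,
        "alg": header.get("alg"),
        "signature_present": parts[2] != "",  # an empty third segment is a red flag
        "exp": payload.get("exp"),
    }


# Constructed sample JWT (HS256 header, "joe" subject, placeholder signature bytes).
SAMPLE_JWT = ".".join([
    _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"sub": "joe", "exp": 1408119362}).encode()),
    _b64url_encode(b"placeholder-signature"),
])
# Constructed stand-in for the opaque Web API 2 token: base64url text, no dots.
OPAQUE_TOKEN = "x3vHm40WUXBiMZi_3EmdmCWLLuv4fsgjsg4S5Ya8kppDY"

if __name__ == "__main__":
    for t in (SAMPLE_JWT, OPAQUE_TOKEN):
        print(json.dumps(inspect_token(t), indent=2))
```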

Source: https://habr.com/ru/post/977788/
