With Auth0, you can choose the algorithm used to sign your JWTs. If you sign them with the RS256 algorithm (an RSA signature over SHA-256, verified with the tenant's public key) rather than a shared secret (HS256), you need to make some changes in your ASP.NET Web API so that it validates the tokens properly.
NOTE: You can download your .cer file from the https://{YOU}.auth0.com/cer endpoint.
In the app.UseJwtBearerAuthentication call, replace SymmetricKeyIssuerSecurityTokenProvider with X509CertificateSecurityTokenProvider and pass it your public signing certificate:
app.UseJwtBearerAuthentication(
    new JwtBearerAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        // Only tokens whose "aud" claim matches your Auth0 client_id are accepted.
        AllowedAudiences = new[] { audience },
        IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
        {
            // Validate RS256 signatures with the tenant's public certificate (.cer).
            new X509CertificateSecurityTokenProvider(issuer, new X509Certificate2("PATH_TO_YOUR_PUBLIC_CERTIFICATE.cer")),
            // Previous HS256 setup with a shared secret, no longer used:
            // new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
        }
    });
The JWT NuGet package (v1.3.2) does not support the RS256 algorithm, so replace it with the System.IdentityModel.Tokens.Jwt package:
Install-Package System.IdentityModel.Tokens.Jwt
Open App_Start\JsonWebTokenValidationHandler.cs and configure a JwtSecurityTokenHandler instance inside the SendAsync method (token is the bearer token extracted from the Authorization header, and errorResponse is the response the handler returns when validation fails):
try
{
    SecurityToken securityToken;
    var tokenHandler = new JwtSecurityTokenHandler();
    var validationParameters = new TokenValidationParameters()
    {
        ValidAudience = this.Audience,
        // Auth0 issues tokens with the issuer "https://{YOU}.auth0.com/" (trailing slash included).
        ValidIssuer = this.Issuer,
        // The public certificate is enough to verify RS256 signatures; no secret is needed on the API.
        IssuerSigningKey = new X509SecurityKey(new X509Certificate2("PATH_TO_YOUR_PUBLIC_CERTIFICATE.cer"))
    };
    // ValidateToken checks signature, issuer, audience and lifetime, and returns the ClaimsPrincipal.
    Thread.CurrentPrincipal = tokenHandler.ValidateToken(token, validationParameters, out securityToken);
    if (HttpContext.Current != null)
    {
        HttpContext.Current.User = Thread.CurrentPrincipal;
    }
}
catch (SecurityTokenValidationException ex)
{
    // Invalid signature, wrong issuer/audience or expired token: reject with 401.
    errorResponse = request.CreateErrorResponse(HttpStatusCode.Unauthorized, ex);
}
catch (Exception ex)
{
    errorResponse = request.CreateErrorResponse(HttpStatusCode.InternalServerError, ex);
}
Finally, remove the App_Start\JsonWebToken.cs file, which is no longer needed.
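To show how the pieces above fit together, here is a complete DelegatingHandler for the System.IdentityModel.Tokens.Jwt route, as an added example that is not part of the original page or of the Auth0 samples. It assumes the 4.x API of that package, that the handler is registered with config.MessageHandlers.Add in WebApiConfig, and that issuer, audience and certPath are supplied by the application; the class name Rs256JwtValidationHandler and the helper names are made up for the example. Beyond what the page shows, it extracts the bearer token itself, refuses any token whose header algorithm is not RS256 before the signature is checked, and rejects the configured certificate at startup if it is outside its validity window.

```csharp
// Added example (not from the Auth0 page). Assumes System.IdentityModel.Tokens.Jwt 4.x
// and ASP.NET Web API 2; the class and helper names are hypothetical.
using System;
using System.IdentityModel.Tokens;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

public class Rs256JwtValidationHandler : DelegatingHandler
{
    private readonly TokenValidationParameters _validationParameters;
    private readonly JwtSecurityTokenHandler _tokenHandler = new JwtSecurityTokenHandler();

    // issuer: "https://{YOU}.auth0.com/" (trailing slash), audience: your Auth0 client_id,
    // publicCertPath: the .cer downloaded from the tenant.
    public Rs256JwtValidationHandler(string issuer, string audience, string publicCertPath)
    {
        var certificate = new X509Certificate2(publicCertPath);

        // Fail fast on a certificate that is not yet valid or already expired.
        DateTime now = DateTime.UtcNow;
        if (now < certificate.NotBefore.ToUniversalTime() || now > certificate.NotAfter.ToUniversalTime())
        {
            throw new InvalidOperationException("The signing certificate is outside its validity period.");
        }

        _validationParameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = audience,
            IssuerSigningKey = new X509SecurityKey(certificate),
            ValidateLifetime = true,                 // reject expired / not-yet-valid tokens
            ClockSkew = TimeSpan.FromMinutes(1)      // tighter than the library default
        };
    }

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        string token;
        if (!TryGetBearerToken(request, out token))
        {
            // No credentials presented: let [Authorize] on the controllers decide.
            return base.SendAsync(request, cancellationToken);
        }

        try
        {
            // Inspect the header first: only RS256 is acceptable for this API, so a token
            // signed with any other algorithm is rejected before signature validation runs.
            var jwt = _tokenHandler.ReadToken(token) as JwtSecurityToken;
            if (jwt == null || !string.Equals(jwt.Header.Alg, "RS256", StringComparison.Ordinal))
            {
                return Unauthorized(request);
            }

            SecurityToken validatedToken;
            ClaimsPrincipal principal = _tokenHandler.ValidateToken(token, _validationParameters, out validatedToken);

            Thread.CurrentPrincipal = principal;
            if (HttpContext.Current != null)
            {
                HttpContext.Current.User = principal;
            }
        }
        catch (SecurityTokenException)
        {
            // Bad signature, wrong issuer/audience or expired token. Details are logged
            // server-side in a real deployment; the caller only sees 401.
            return Unauthorized(request);
        }
        catch (ArgumentException)
        {
            // ReadToken/ValidateToken throw ArgumentException for a malformed token string.
            return Unauthorized(request);
        }

        return base.SendAsync(request, cancellationToken);
    }

    private static bool TryGetBearerToken(HttpRequestMessage request, out string token)
    {
        token = null;
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth == null
            || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrWhiteSpace(auth.Parameter))
        {
            return false;
        }
        token = auth.Parameter;
        return true;
    }

    private static Task<HttpResponseMessage> Unauthorized(HttpRequestMessage request)
    {
        HttpResponseMessage response = request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
        return Task.FromResult(response);
    }
}
```

The explicit algorithm check is cheap insurance: the API only ever holds the public certificate, so nothing but an RSA signature should be able to satisfy it, and rejecting any other header value up front means a library configuration mistake (for example later adding a symmetric key to the same validation parameters) cannot quietly widen what is accepted.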