{"id":19992017,"url":"https://github.com/aloji/JwtSecurity","last_synced_at":"2025-05-04T11:30:34.556Z","repository":{"id":40926471,"uuid":"144176470","full_name":"aloji/JwtSecurity","owner":"aloji","description":"JWT Server for Asp.Net Core and Asp.Net WebAPI2","archived":false,"fork":false,"pushed_at":"2022-12-08T01:11:13.000Z","size":59,"stargazers_count":17,"open_issues_count":7,"forks_count":5,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-11-13T04:54:39.097Z","etag":null,"topics":["asp-net-core","asp-net-web-api-2","aspnetcore","jwt-client","jwt-middleware","jwt-server","jwt-token","netcore2","oauth2","owin"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aloji.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-08-09T16:14:11.000Z","updated_at":"2024-04-14T17:38:54.000Z","dependencies_parsed_at":"2023-01-25T02:30:57.962Z","dependency_job_id":null,"html_url":"https://github.com/aloji/JwtSecurity","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aloji%2FJwtSecurity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aloji%2FJwtSecurity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aloji%2FJwtSecurity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aloji%2FJwtSecurity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aloji","download_url":"https://codeload.github.com/aloji/JwtSecurity/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252329102,"owners_count":21730548,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["asp-net-core","asp-net-web-api-2","aspnetcore","jwt-client","jwt-middleware","jwt-server","jwt-token","netcore2","oauth2","owin"],"created_at":"2024-11-13T04:52:00.708Z","updated_at":"2025-05-04T11:30:33.607Z","avatar_url":"https://github.com/aloji.png","language":"C#","funding_links":[],"categories":["C\\#"],"sub_categories":[],"readme":"[![Build status](https://dev.azure.com/aloji/Aloji/_apis/build/status/JwtSecurity)](https://dev.azure.com/aloji/Aloji/_build/latest?definitionId=6)\n\n# JwtSecurity\n\nThe object is to allow using a token generated in an OWIN OAuth 2.0 Server in AspNet.Core projects.\n\n#### Nugets: https://www.nuget.org/profiles/aloji\n\n## Real life problem\n\nWe have the authorization server implemented with [OWIN OAuth 2.0](https://docs.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server), but the new developments are with AspNetCore\n\n\nThe first idea was to use the machine keys\n\n###### MachineKey\n\n\u003e If the authorization server and the resource server are not on the same computer, the OAuth middleware will use the different machine keys to encrypt and decrypt bearer access token. In order to share the same private key between both projects, we add the same machinekey setting in both web.config files.\n\nThe problem is that machinekey does not exist in AspNetCore, but MS gives us a [compatibility solution](https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/compatibility/replacing-machinekey?view=aspnetcore-2.1) to replace the machinekey settings in AspNetWebApi2 and using a [key storge provider](https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/key-storage-providers?view=aspnetcore-2.1) like redis we can be shared the keys.\n\nAfter several hours trying to implement this solution, I realized that it was easier, cleaner and cheaper to change the token generator to use JWT and dont use any external provider.\n\n\n## Configuration\n\nHow to setup the JwtSecurity in OWIN OAuth 2.0 Server ([full sample code](https://github.com/aloji/JwtSecurity/blob/master/samples/AuthServer.Owin.NetFramework/Startup.cs))\n\n```csharp\npublic class Startup\n{\n    public void Configuration(IAppBuilder appBuilder)\n    {\n        appBuilder.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions\n        {\n            AccessTokenFormat = new JwtSecureDataFormat(\n                new JwtSecurityOptions\n                {\n                    Issuer = \"yourIssuerCode\",\n                    IssuerSigningKey = \"yourIssuerSigningKeyCode\"\n                })\n        });\n    }\n}\n```\n\nHow to setup the JwtSecurity in Resource Server .NetFramework ([full sample code](https://github.com/aloji/JwtSecurity/blob/master/samples/ResourceServer.NetFramewok/Startup.cs))\n\n```csharp\npublic class Startup\n{\n    public void Configuration(IAppBuilder appBuilder)\n    {\n        appBuilder.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions\n        {\n            AccessTokenFormat = new JwtSecureDataFormat(\n                new JwtSecurityOptions\n                {\n                    Issuer = \"yourIssuerCode\",\n                    IssuerSigningKey = \"yourIssuerSigningKeyCode\"\n                })\n        });\n    }\n}\n```\n\nHow to setup the JwtSecurity in Resource Server .NetFramework with Owin Auth Compatibility\n\n```csharp\npublic class Startup\n{\n    public void Configuration(IAppBuilder appBuilder)\n    {\n        appBuilder.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions\n        {\n            AccessTokenFormat = new MachineKeyCompatibilityDataFormat(\n                new JwtSecurityOptions\n                {\n                    Issuer = \"yourIssuerCode\",\n                    IssuerSigningKey = \"yourIssuerSigningKeyCode\"\n                })\n        });\n    }\n}\n```\n\nHow to setup the JwtSecurity in Resource Server .NetCore ([full sample code](https://github.com/aloji/JwtSecurity/blob/master/samples/ResourceServer.AspNetCore/Startup.cs))\n\n```csharp\npublic class Startup\n{\n    public void ConfigureServices(IServiceCollection services)\n    {\n        services\n              .AddJwtBearerAuthentication(options =\u003e\n              {\n                  options.Issuer = \"yourIssuerCode\";\n                  options.IssuerSigningKey = \"yourIssuerSigningKeyCode\";\n              });\n    }\n    \n    public void Configure(IApplicationBuilder app, IHostingEnvironment env)\n    {\n          app.UseAuthentication();\n    }\n}\n```\n\n#### Bonus:\n\nI developed a middleware to create a JwtServer with AspNetCore very similar to OwinOAuth2 settings\n\nHow to setup the JwtServer in AspNetCore ([full sample code](https://github.com/aloji/JwtSecurity/blob/master/samples/AuthServer.AspNetCore/Startup.cs))\n\n```csharp\n public class Startup\n{\n    public void ConfigureServices(IServiceCollection services)\n    {\n        services.AddJwtServer();\n    }\n    \n    public void Configure(IApplicationBuilder app, IHostingEnvironment env)\n    {\n          app.UseJwtServer(options =\u003e {\n                options.TokenEndpointPath = \"/token\";\n                options.AccessTokenExpireTimeSpan = new TimeSpan(1, 0, 0);\n                options.Issuer = \"yourIssuerCode\";\n                options.IssuerSigningKey = \"yourIssuerSigningKeyCode\";\n                options.AuthorizationServerProvider = new AuthorizationServerProvider\n                {\n                    OnGrantResourceOwnerCredentialsAsync = async (context) =\u003e\n                    {\n                        if (context.UserName != context.Password)\n                        {\n                            context.SetError(\"Invalid user authentication\");\n                            return;\n                        }\n\n                        var claims = new List\u003cClaim\u003e\n                        {\n                            new Claim(ClaimTypes.Surname, context.UserName)\n                        };\n\n                        context.Validated(claims);\n                        await Task.FromResult(0);\n                    }\n                };\n            });\n    }\n}\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faloji%2FJwtSecurity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faloji%2FJwtSecurity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faloji%2FJwtSecurity/lists"}