Secure JSON Web Token in Web API / MVC 6

Question

The security concerns: According to https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ a lot of JWT libraries use the token itself in order to determine the algorithm for the signature.

This is our use case: We want to create a login mechanism that validates a user with the hard credentials (username/password) and then return a JWT token with e.g. 3 Days lifetime. The token should contain the username and a signature should guarantee that the token cannot be "faked".

What library can we use in Web API / MVC 6? It is important that the signature algorithm can be specified on decoding to avoid the vulnerability.

If possible we would like to avoid integrating complex OAuth components.

Answer 1

I am using the System.IdentityModel.Tokens.Jwt library, and I just checked for this issue. I Generated a token and validated it in one of my tests, then I removed the signingCredentials which changes the alg to none. The JWT generated with the "alg":"none" failed validation.

Here is how I am generating the token:

public string GenerateToken(SSOContext context, SignatureSettings settings)
{
    var token = new JwtSecurityToken(
        issuer: "MyIssuer",
        audience: "MyAudience",
        claims: GetClaims(context),
        //comment the below line to generate a 'none' alg
        signingCredentials: new X509SigningCredentials(settings.Certificate),
        notBefore: DateTime.UtcNow,
        expires: DateTime.UtcNow.AddHours(1)
        );

    return new JwtSecurityTokenHandler().WriteToken(token);
}

When I validate the token I get an exception as expected with the message

IDX10504: Unable to validate signature, token does not have a signature: