Rocket04

Reputation: 1631

Verifying/validating a JWT token created in PHP in .NET

I have a JWT token created using PHP that I need to then use in a .NET app (framework version 4.5.1). The token is generated in PHP using the following code (relies on https://github.com/lcobucci/jwt library):

use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Signer\Hmac\Sha256;

$tokenBuilder = new Builder();
$tokenSigner  = new Sha256(); // HMAC-SHA256 ("HS256"), a symmetric signer

$token = (string)$tokenBuilder
    ->setIssuer('localhost:8081')        // "iss" claim
    ->setAudience('myaudience')          // "aud" claim
    ->setIssuedAt(time())                // "iat" claim
    ->setExpiration(time() + 86400)      // "exp" claim, 24 hours from now
    ->sign($tokenSigner, '710VWV0zby')   // second argument is the shared secret
    ->getToken();

return $token;

I've been able to read the token fine in C#, but am struggling mightily to figure out how to validate and verify the token signature.

TokenValidationParameters validationParameters = new TokenValidationParameters
{
    ValidateIssuer = true
};

var tokenHandler = new JwtSecurityTokenHandler();

// THIS IS TO TEST IF TOKEN CAN BE READ
/*var jwtToken = tokenHandler.ReadJwtToken(token);

HttpContext.Current.Response.Write(jwtToken.Issuer);*/

SecurityToken validatedToken = null;
try
{
    tokenHandler.ValidateToken(token, validationParameters, out validatedToken);
}
catch (Exception)
{
    HttpContext.Current.Response.Write("Invalid! :(");
}

if (validatedToken != null)
{
    HttpContext.Current.Response.Write("Valid! :)");
}

Obviously, my code can't verify any signature, given that there's not even any mention of a SHA-256 key anywhere. I'm assuming I need to include that somehow in the TokenValidationParameters; there's a property I need to set, and I'm guessing SigningToken would be the one, but I don't really know where to start to specify an HMAC SHA 256 key.

Upvotes: 0

Views: 1282

Answers (1)

user2700322

Reputation: 51

You need to somehow export the certificate that was used for token creation. It can be a file in .pem format, for example. After that, create a crypto provider using the data from that certificate:

public static RSACryptoServiceProvider CreateRsaCryptoProviderFromX509Certificate()
{
    // Decode the base64 certificate body and load it as an X.509 certificate
    byte[] certData = Convert.FromBase64String(_CERTIFICATE);
    X509Certificate2 x509Cert = new X509Certificate2();
    x509Cert.Import(certData);

    // Export only the public key (false = no private parameters)
    var x509PublicKeyXml = x509Cert.PublicKey.Key.ToXmlString(false);

    RSACryptoServiceProvider RsaProvider = new RSACryptoServiceProvider();
    RsaProvider.FromXmlString(x509PublicKeyXml);
    return RsaProvider;
}

where _CERTIFICATE stores the data from the .pem file without the leading comments:

 string _CERTIFICATE = @"   DD5NYXRyaXg0Ml9mNThlMzdkLWU2ZjktNGU0Yi05MzVlLTNhMDFi
                            NzU2N2I5YjAeFw0xNjEyMzExNTE1MjNaFw00MjAxMDcxNTE1MjNaMEkxRzBFBgNVBAMMPk1hdHJp
                            eDQyX0FDU19SZWx5aW5nUGFydHlfZmY1OGUzN2QtZTZmOS00ZTRiLTkzNWUtM2EwMWI3NTY3Yjli
                            MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAho5G6pY9QJs/945aQ1w8oiF/17ZNGsNY
                            ul5G/+TprN7KfgzT9u+A588f4Z4B8z5QJlwIUeH33iuRcV0AIHd9MnEKR56IdOLLlNWNPvRAG5FJ
                            Wt4XPlaG+bE/oyuqxqpQM1KJ0iN74K/WLXM8ZdQlq7gTgtLS+icZH3i2arC8rdobh3zRk1wbUVXn
                            kjR4CASy+07LZwbVVp2g3pOsuy5AWBURIynQ7z3zj+u7NMF42htLOEzISl3Qb3BMOoXFMm93UGwp
                            B/Ae+zpWFWeh6190ipcUMXoAOfdh9VZUZX9C7OI/3plOiwKUvwfBQyLR8C/4uiTcCTp1i8fS0bta
                            jkPhdQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQA3fmwEgej+BhB7dkw+0TWEDiIC9cXR4uW7kElM
                            7+L7ARmUYVpAx05Z8oarsR0zm1u3ZYR00y3eLhw5RcXN6hC5jb5HYSQZERdqlzvS6bU6xJ57H7tC
                            KuPADkYmuPnRM/cdMKPeSG3ZHnHcTgJx62hFloPWbGPr9VLVp4R4coUgtuZMtlFvXamjpCNYSpob
                            N9wzk36r/4c+Nd/n+4DwqIaVzgEXHXkOUtOZhTYh7SG5WJVUSep5cIq3SBGzLn8oXCjiqn72zJ7C
                            vn5/ekaC1nzMDMcga5qWQNdLd/rXt65ZMbB/JhM+Ee9TIvmrrDXlvRh2cv7GtoTtPYEbIdVvrF+W";

For validation, create a token handler and validation parameters, and validate the token with the crypto provider:

public static bool ValidateJwt(string jwt)
{
    JwtSecurityTokenHandler securityTokenHandler = new JwtSecurityTokenHandler();
    RSACryptoServiceProvider rsa = CreateRsaCryptoProviderFromX509Certificate();

    TokenValidationParameters validationParameters = new TokenValidationParameters()
    {
        ValidAudience = "urn:6c23aaa7-6da8-4941-98b0-62f63cd146",
        ValidIssuer = "https://accounts.issuer.com",
        // Public key used to verify the RSA signature
        IssuerSigningKey = new RsaSecurityKey(rsa)
    };
    SecurityToken token;
    // Throws a SecurityTokenException if the signature, issuer, audience or lifetime is invalid
    ClaimsPrincipal claimsPrincipal = securityTokenHandler.ValidateToken(jwt, validationParameters, out token);

    return claimsPrincipal.IsInRole("Admin");
}

Upvotes: 1
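The answer above verifies an RSA-signed token against a certificate, but the PHP code in the question signs with Lcobucci\JWT\Signer\Hmac\Sha256, i.e. HMAC-SHA256 over a shared secret, so the .NET side needs the same secret bytes as a SymmetricSecurityKey rather than a public key. The following is an added example, not code from either post; it assumes the 5.x System.IdentityModel.Tokens.Jwt package (the one that has ReadJwtToken, with TokenValidationParameters in Microsoft.IdentityModel.Tokens) and the hypothetical names PhpHmacJwtValidator and Validate.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Added example: validates a token that lcobucci/jwt signed with the
// Hmac\Sha256 signer (alg "HS256") and a shared secret.
public static class PhpHmacJwtValidator
{
    public static ClaimsPrincipal Validate(string jwt, string sharedSecret, out JwtSecurityToken validatedJwt)
    {
        // lcobucci/jwt uses the raw bytes of the secret string as the HMAC key.
        byte[] keyBytes = Encoding.UTF8.GetBytes(sharedSecret);

        // Microsoft.IdentityModel.Tokens refuses HMAC keys shorter than 128 bits
        // (IDX10603), so the 10-character secret from the question would be
        // rejected; the secret must be lengthened on BOTH the PHP and .NET sides.
        if (keyBytes.Length < 16)
            throw new ArgumentException("Shared secret must be at least 16 bytes.", "sharedSecret");

        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = new SymmetricSecurityKey(keyBytes),
            ValidateIssuerSigningKey = true,
            // Must match the PHP Builder's setIssuer()/setAudience() values exactly.
            ValidIssuer = "localhost:8081",
            ValidAudience = "myaudience",
            ValidateIssuer = true,
            ValidateAudience = true,
            // Enforces the exp/iat claims set with setExpiration()/setIssuedAt().
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1)
        };

        var handler = new JwtSecurityTokenHandler();
        SecurityToken validated;
        // Throws a SecurityTokenException when the signature, issuer, audience or lifetime is invalid.
        ClaimsPrincipal principal = handler.ValidateToken(jwt, parameters, out validated);
        validatedJwt = (JwtSecurityToken)validated;

        // Pin the algorithm: the symmetric key would already fail an RSA-signed token,
        // but checking the header makes the expected algorithm explicit.
        if (!string.Equals(validatedJwt.Header.Alg, SecurityAlgorithms.HmacSha256, StringComparison.Ordinal))
            throw new SecurityTokenInvalidSignatureException("Unexpected alg: " + validatedJwt.Header.Alg);

        return principal;
    }
}
```

Call it where the question's try/catch sits, catching SecurityTokenException rather than Exception so that a rejected token is distinguished from other failures; the secret itself belongs in protected configuration on both sides, and a random value of 32 bytes or more is the sensible choice.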
