CODEWITHSUNDEEP
c#.net-corejwt
Moji
Moji

Reputation: 1830

Sending post request with Authorization header and token returns unauthorized

I am trying to use jwt as my token and use it to access an authorized API. I use Postman to test my API and add Authorization header with the value Bearer MyToken but the server response is 401 UnAuthorized. here is how I create my token: in my startUp:

 services.AddAuthentication (JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer (options => {
                    options.TokenValidationParameters = new TokenValidationParameters {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = new SymmetricSecurityKey (Encoding.ASCII
                    .GetBytes (Configuration.GetSection ("AppSettings:Token").Value)),
                    ValidateIssuer = false,
                    ValidateAudience = false
                    };
                });
app.UseAuthentication ();

I have put the [Authorize]on the top of my Controller. and here is the part where I create my token:

class JWTToken {

        public static object CreateToken (string Guid) {
            var claims = new [] { new Claim (ClaimTypes.NameIdentifier, Guid) };
            var key = new SymmetricSecurityKey (Encoding.UTF8.GetBytes ("Super secret key"));
            var creds = new SigningCredentials (key, SecurityAlgorithms.HmacSha512Signature);
            var tokenDescriptor = new SecurityTokenDescriptor {
                Subject = new ClaimsIdentity (claims), Expires = DateTime.Now.AddYears (2), SigningCredentials = creds
            };
            var tokenHandler = new JwtSecurityTokenHandler ();
            var token = tokenHandler.CreateToken (tokenDescriptor);
            return tokenHandler.WriteToken(token);
        }

Upvotes: 1

Views: 2971

Answers (2)

Bardr
Bardr

Reputation: 2559

You use different encodings:

// Here you use ASCII
IssuerSigningKey = new SymmetricSecurityKey (Encoding.ASCII
                    .GetBytes (Configuration.GetSection ("AppSettings:Token").Value))

// Here you use UTF8
var key = new SymmetricSecurityKey (Encoding.UTF8.GetBytes ("Super secret key"));

Also make sure that yours Configuration.GetSection ("AppSettings:Token").Value is same as "Super secret key" that you use to create JWT.

EDIT: This is my configuration that works:

// In ConfigureServices
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Token:SigningKey"]));
            services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(config =>
            {

                config.RequireHttpsMetadata = false;
                config.SaveToken = true;
                config.TokenValidationParameters = new TokenValidationParameters
                {
                    IssuerSigningKey = signingKey,
                    ValidateAudience = true,
                    ValidAudience = this.Configuration["Token:Audience"],
                    ValidateIssuer = true,
                    ValidIssuer = this.Configuration["Token:Issuer"],
                    RequireExpirationTime = true,
                    RequireSignedTokens = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ClockSkew = TimeSpan.FromMinutes(3)
                };
            });

// In token controller
private string GetToken(AppUser user)
{
    var utcNow = DateTime.UtcNow;

    var claims = new Claim[]
    {
            new Claim(JwtRegisteredClaimNames.Sub, user.Id),
            new Claim(JwtRegisteredClaimNames.UniqueName, user.UserName),
            new Claim(JwtRegisteredClaimNames.Email, user.Email),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            new Claim(JwtRegisteredClaimNames.Iat, utcNow.ToString())
        };

        var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["Token:SigningKey"]));
        var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
        var jwt = new JwtSecurityToken(
            signingCredentials: signingCredentials,
            claims: claims,
            notBefore: utcNow,
            expires: utcNow.AddSeconds(_configuration.GetValue<int>("Token:Lifetime")),
            audience: _configuration["Token:Audience"],
            issuer: _configuration["Token:Issuer"]
        );
    return new JwtSecurityTokenHandler().WriteToken(jwt);
}

Maybe it will help you.

Upvotes: 3

Miq
Miq

Reputation: 4279

You need to validate the token signature. You set ValidateIssuersigningKey to true, but did you assign proper key to validate it? You could also try to implement custom validation method.

Middleware, if it considers that token is not valid, will respond with 401 as it cannot be authorized (Unauthotized)

Upvotes: 1

Related Questions