CODEWITHSUNDEEP
c#asp.net-core.net-corebearer-token
lastlink
lastlink

Reputation: 1745

How to customize bearer header keyword in asp.net core for JwtBearer and System.IdentityModel.Tokens.Jwt?

Using using Microsoft.AspNetCore.Authentication.JwtBearer; I have been unable to figure out how to change the "Bearer " key in the header to something else, in this case I'd like it to be "Token ".

Startup.cs

services.AddAuthentication(x =>
            {
                x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(x =>
             {
                 x.RequireHttpsMetadata = false;
                 x.SaveToken = true;
                 x.TokenValidationParameters = new TokenValidationParameters
                 {
                     ValidateIssuerSigningKey = true,
                     IssuerSigningKey = new SymmetricSecurityKey(key),
                     ValidateIssuer = false,
                     ValidateAudience = false,
                     ValidateLifetime = true,
                     ValidIssuer = Configuration.GetValue<string>("JwtIssuer"),
                     ValidAudience = Configuration.GetValue<string>("JwtAudience"),
                 };
                 x.Events = new JwtBearerEvents
                 {
                     OnAuthenticationFailed = context =>
                     {
                         if (context.Exception.GetType() == typeof(SecurityTokenExpiredException))
                         {
                             context.Response.Headers.Add("Token-Expired", "true");
                         }
                         return Task.CompletedTask;
                     }
                 };
             });

When I do something like

GET {{protocol}}://{{url}}/users HTTP/1.1
Authorization: Bearer {{token}}

The token works, but I could not figure out how to customize it to be something like.

GET {{protocol}}://{{url}}/users HTTP/1.1
Authorization: Token {{token}}

Upvotes: 12

Views: 14442

Answers (3)

Umar Kayondo
Umar Kayondo

Reputation: 724

This implementation was quite simple to implement for me: link

services.AddAuthentication().AddJwtBearer(options => {
           options.Events = new JwtBearerEvents {
                            OnMessageReceived = ctx => {
                                if (ctx.Request.Headers.ContainsKey("SpecialApiKey"))
                                {
                                    var bearerToken = ctx.Request.Headers["SpecialApiKey"].ElementAt(0);
                                    var token = bearerToken.StartsWith("Bearer ") ? bearerToken.Substring(7) : bearerToken;
                                    ctx.Token = token;
                                }
                                return Task.CompletedTask;
                            }
                        };
                    });

Upvotes: 0

Kirk Larkin
Kirk Larkin

Reputation: 93193

The implementation of the JwtBearer authentication handler lives inside of JwtBearerHandler, where the Authorization header is read and split using the format Bearer .... Here's what that looks like:

string authorization = Request.Headers["Authorization"];

// If no authorization header found, nothing to process further
if (string.IsNullOrEmpty(authorization))
{
    return AuthenticateResult.NoResult();
}

if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
    token = authorization.Substring("Bearer ".Length).Trim();
}

// If no token found, no further work possible
if (string.IsNullOrEmpty(token))
{
    return AuthenticateResult.NoResult();
}

As the code above shows, this is hardcoded to use Bearer. However, JwtBearerEvents includes an OnMessageReceived property that allows you to hook into the process for retrieving the JWT from the incoming request. If you provide an implementation for this event, you can use your own processing to extract the JWT however you'd like.

Taking the implementation from above with a few changes, that event handler implementation would like something like this:

x.Events = new JwtBearerEvents
{
    // ...
    OnMessageReceived = context =>
    {
        string authorization = context.Request.Headers["Authorization"];

        // If no authorization header found, nothing to process further
        if (string.IsNullOrEmpty(authorization))
        {
            context.NoResult();
            return Task.CompletedTask;
        }

        if (authorization.StartsWith("Token ", StringComparison.OrdinalIgnoreCase))
        {
            context.Token = authorization.Substring("Token ".Length).Trim();
        }

        // If no token found, no further work possible
        if (string.IsNullOrEmpty(context.Token))
        {
            context.NoResult();
            return Task.CompletedTask;
        }

        return Task.CompletedTask;
    }
};

Upvotes: 26

Dmitry Pavlov
Dmitry Pavlov

Reputation: 28310

Prefix Bearer ... comes from JwtBearerDefaults.AuthenticationScheme you set as a default auth scheme.

If you'd like, you could use custom authentication like this or similar: 

// Add authentication
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = CustomAuthOptions.DefaultScheme;
    options.DefaultChallengeScheme = CustomAuthOptions.DefaultScheme;
})
// Call custom authentication extension method
.AddCustomAuth(options =>
    {
    // Configure password for authentication
    options.AuthKey = "custom auth key";
});

.. or maybe even combine the custom scheme name with .AddJwtBearer(x => ...) - never tried this. Or maybe you are just looking for something like protecting your API with API Keys.

Upvotes: 0

Related Questions