Configure JwtBearerOptions from a configuration file

Question

I am trying to find a documentation how to configure a jwt bearer and its JwtBearerOptions in asp.net core from a configuration file using a Microsoft predefined configuration section/keys. There is no explanation in Microsoft docs about this is possible or not. I feel that it should be possible because everything in the .net core generation is using the options pattern.

Here is an example how the same technique is used to configure a Kestrel host.

Answer 1

.NET

builder.Services
   .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
   .AddJwtBearer(options =>
   {
       options.Authority = "https://securetoken.google.com/EXAMPLE";
       options.TokenValidationParameters = new TokenValidationParameters
       {
           ValidateIssuer = true,
           ValidIssuer = "https://securetoken.google.com/EXAMPLE",
           ValidateAudience = true,
           ValidAudience = "EXAMPLE",
           ValidateLifetime = true
       };
   });

appsettings.json

{
  "JwtSettings": {
    "Authority": "https://securetoken.google.com/EXAMPLE",
    "TokenValidationParameters": {
      "ValidateIssuer": true,
      "ValidIssuer": "https://securetoken.google.com/EXAMPLE",
      "ValidateAudience": true,
      "ValidAudience": "EXAMPLE",
      "ValidateLifetime": true
    }
  }
}

Answer 2

services.AddAuthentication(defaultScheme: JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(o => Configuration.Bind("JwtBearerOptions", o));

where application settings.json

{
"JwtBearerOptions": {
    "Audience": "Your aud" 
  }
}

Answer 3

This is not a real answer to the initial question. However I am very happy with this solution.

After several hours of digging into the AspNetCore source code I found that the JwtBearerOptions are added to the DI as a named options. This means that you cannot provide the configuration from a config file without writing code. However I found an acceptable solution which will work for the majority of cases.

I do not have a list of all available keys and the sample here is showing only two of them. You can inspect the public properties of the JwtBearerOptions and add them in the appsettings.json. They will be picked and used by the framework.

See the code bellow and the comments there for details how this works:

appsettings.json

{
    "Cronus": {
        "Api": {
            "JwtAuthentication": {
                "Authority": "https://example.com",
                "Audience": "https://example.com/resources"
            }
        }
    }
}

Startup.cs

public class Startup
{
    const string JwtSectionName = "Cronus:Api:JwtAuthentication";

    private readonly IConfiguration configuration;

    public Startup(IConfiguration configuration)
    {
        this.configuration = configuration;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // Gets the settings from a configuration section. Notice how we specify the name for the JwtBearerOptions to be JwtBearerDefaults.AuthenticationScheme.
        services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, configuration.GetSection(JwtSectionName));

        // OR

        // Gets the settings from a configuration. Notice how we specify the name for the JwtBearerOptions to be JwtBearerDefaults.AuthenticationScheme.
        services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, configuration);

        services.AddAuthentication(o =>
        {
            // AspNetCore uses the DefaultAuthenticateScheme as a name for the JwtBearerOptions. You can skip these settings because .AddJwtBearer() is doing exactly this.
            o.DefaultAuthenticateScheme = Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer();
    }
}