ASP.NET Core 2.x has a really nice way to add Bearer Authentication using JWT tokens. The following code is the minimum requirement to make things work.

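// Startup.ConfigureServices: ASP.NET Core 2.x JWT bearer registration
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "https://issuer.com",
            ValidateLifetime = true,
        };
    });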

I understand the anatomy of a JWT (header.payload.signature), but in case we are using an asymmetric algorithm, we need to validate the signature, and for that we need to get the public keys from this URL: issuer + .well-known/jwks.json.

So, is the middleware "magically" fetching the public keys and validating the signature? Also, is the middleware caching the public keys to avoid fetching the public keys in every validation?

  • Have you looked at TokenValidationParameters IssuerSigningKey property? Commented Jun 4, 2019 at 17:08
  • Well, I know that property and also the IssuerSigningKeyResolver; my question is about the public keys caching. Commented Jun 4, 2019 at 22:30

1 Answer

The ConfigurationManager object is responsible for retrieving, refreshing and caching the configuration metadata required to validate JWTs, such as the issuer and signing keys. The middleware will retrieve and cache the metadata the first time authentication begins; see source code here.

3 Comments

Thank you! What happens when the token provider rotates the public keys?
@MarcoTalento, middleware will refresh the configuration for exceptions that may be caused by key rollovers; see source code
Thank you very much, this is exactly what I was looking for! I forgot that ASP.NET Core is open source now! Unfortunately, there is no similar mechanism in .NET Framework 4.x provided by the framework.
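
The fetch, cache and refresh-on-rollover behaviour described in the answer and its comments, written out by hand against the same ConfigurationManager type. This is an added example, not code from the question, the answer or ASP.NET Core itself; the class name CachedJwksValidator, the audience parameter and the two interval values are assumptions.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper (not part of ASP.NET Core): validates a JWT against signing
// keys that ConfigurationManager fetches once and then serves from memory.
public sealed class CachedJwksValidator
{
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _metadata;
    private readonly JwtSecurityTokenHandler _handler = new JwtSecurityTokenHandler();
    private readonly string _issuer, _audience;

    public CachedJwksValidator(string issuer, string audience)
    {
        _issuer = issuer; _audience = audience;
        // The discovery document points at the key set through its jwks_uri field.
        _metadata = new ConfigurationManager<OpenIdConnectConfiguration>(
            issuer.TrimEnd('/') + "/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever { RequireHttps = true })
        {
            AutomaticRefreshInterval = TimeSpan.FromHours(12), // scheduled re-fetch (constructed value)
            RefreshInterval = TimeSpan.FromMinutes(5)          // floor between forced re-fetches (constructed value)
        };
    }

    public async Task<ClaimsPrincipal> ValidateAsync(string jwt, CancellationToken ct)
    {
        for (var attempt = 0; ; attempt++)
        {
            // No network call here unless the cached metadata is missing or stale.
            var config = await _metadata.GetConfigurationAsync(ct);
            var parameters = new TokenValidationParameters
            {
                ValidateIssuer = true, ValidIssuer = _issuer, // pinned, not taken from the fetched metadata
                ValidateAudience = true, ValidAudience = _audience,
                ValidateLifetime = true,
                IssuerSigningKeys = config.SigningKeys
            };
            try { return _handler.ValidateToken(jwt, parameters, out _); }
            // No cached key matches the token: possibly a rollover. Mark the cache
            // stale and retry once; a second failure propagates to the caller.
            catch (SecurityTokenSignatureKeyNotFoundException) when (attempt == 0)
            { _metadata.RequestRefresh(); }
        }
    }
}
```

RequestRefresh only marks the cached metadata as stale; the next GetConfigurationAsync call re-fetches, and RefreshInterval limits how often that can happen, so a stream of tokens with unknown key ids cannot force a fetch per request.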
