azure-activedirectory-identitymodel-extensions-for-dotnet
using JsonWebTokenHandler with ASP.NET Core (AddJwtBearer)
Originally posted by @mafurman in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1566#issuecomment-742874826
At the current moment, it isn't possible to plug in the JsonWebTokenHandler instead of the JwtSecurityTokenHandler. We plan on adding support for this feature in the future.
Is there an open ticket for this work? I searched, but couldn't find one. I was hoping that it could get into ASP.NET Core 6. I asked a couple of Microsoft folks about this on Twitter, and Barry Dorrans suggested that I file a ticket here. Thanks!
@ericsampson: thanks for reaching out. The goal is to have this in asp.net core 6. @brentschmaltz is working on this. We are working on a few json related issues and https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1592 before we can get this into asp.net core 6. Marking this as a feature request. @mafurman @GeoK @RojaEnnam
Thanks Brent!
@ericsampson I am working on this in this topic branch brentsch/json. We need to produce a new version of OpenIdConnectProtocolValidator as we used a specified JwtSecurityToken in this api: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/101da4bd2ecb0a3128017de47bf5123a700f4a6e/src/Microsoft.IdentityModel.Protocols.OpenIdConnect/OpenIdConnectProtocolValidationContext.cs#L72
I was just testing this and one issue is that JsonWebTokenHandler isn't a SecurityTokenHandler, even though the doc comments claim it is: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/28dc4da0083e34a412b383c67f5c83e1d7678bb6/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.cs#L23-L26
You can mostly work around this by writing a wrapper class:

```csharp
using System.Security.Claims;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// Adapts JsonWebTokenHandler to the ISecurityTokenValidator contract that
// JwtBearerOptions.SecurityTokenValidators expects.
internal sealed class Wrapper : ISecurityTokenValidator
{
    private readonly JsonWebTokenHandler _handler;

    public Wrapper()
    {
        _handler = new JsonWebTokenHandler();
    }

    public bool CanValidateToken => _handler.CanValidateToken;

    public int MaximumTokenSizeInBytes
    {
        get => _handler.MaximumTokenSizeInBytes;
        set => _handler.MaximumTokenSizeInBytes = value;
    }

    public bool CanReadToken(string securityToken)
    {
        return _handler.CanReadToken(securityToken);
    }

    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
    {
        var result = _handler.ValidateToken(securityToken, validationParameters);
        // JsonWebTokenHandler reports failure via TokenValidationResult instead of throwing;
        // JwtBearerHandler expects an exception on failure, so surface it here rather than
        // returning a principal built from a null ClaimsIdentity.
        if (!result.IsValid)
        {
            throw result.Exception ?? new SecurityTokenException("Token validation failed.");
        }
        validatedToken = result.SecurityToken;
        return new ClaimsPrincipal(result.ClaimsIdentity);
    }
}
```
A couple of other issues when doing this are that the MapInboundClaims option is absent, but used by ASP.NET Core: https://github.com/dotnet/aspnetcore/blob/1c443e889aaa1c8353accdd35a89643e72e95f0e/src/Security/Authentication/JwtBearer/src/JwtBearerOptions.cs#L137
And a DateTime.MaxValue for expire results in a serialized max value instead of null: https://github.com/dotnet/aspnetcore/blob/1c443e889aaa1c8353accdd35a89643e72e95f0e/src/Security/Authentication/test/JwtBearerTests.cs#L885
Lastly, the release notes claimed a perf improvement of 25%-30%, sadly we did not see that. We saw a ~3% decrease in RPS, however a 44% reduction in allocations (more if https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1964 is merged).
I'm glad to see that you are checking this out @BrennanConroy : )
@brentschmaltz, so I guess all these related issues didn't make into ASPdNC 7 lol, are you aiming for 8 now?
@ericsampson asp.net has a path for using JsonWebTokenHandler.
Here is a link to get you started: https://learn.microsoft.com/en-us/dotnet/core/compatibility/aspnet-core/8.0/securitytoken-events
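The .NET 8 path the link describes, as an added illustration that is not code from this thread or from the linked document: JwtBearerOptions validates with the JsonWebTokenHandler in TokenHandlers by default, UseSecurityTokenValidators opts back into the old ISecurityTokenValidator path, and OnTokenValidated receives a JsonWebToken rather than a JwtSecurityToken. The authority, audience and scope values are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Placeholder values for this illustration; substitute your identity provider's.
        options.Authority = "https://idp.example.invalid/";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidAudience = "api://example-audience",
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
        };

        // .NET 8 default: options.TokenHandlers already holds a JsonWebTokenHandler and
        // SecurityTokenValidators is no longer consulted. false keeps that path; true
        // reverts to the JwtSecurityTokenHandler-based validators for code that needs them.
        options.UseSecurityTokenValidators = false;

        options.Events = new JwtBearerEvents
        {
            OnTokenValidated = context =>
            {
                // The validated token is a JsonWebToken now; a cast to JwtSecurityToken
                // that worked on earlier versions throws at runtime.
                if (context.SecurityToken is not JsonWebToken jwt)
                {
                    context.Fail("Expected a JsonWebToken from the configured token handler.");
                    return Task.CompletedTask;
                }

                // Placeholder post-validation check: require a scope the API expects.
                if (!jwt.TryGetPayloadValue<string>("scp", out var scope)
                    || !scope.Split(' ').Contains("api.read"))
                {
                    context.Fail("Token lacks the required scope.");
                }
                return Task.CompletedTask;
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.Run();
```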
thanks @brentschmaltz <3