Asked by:
How to generate a JWS Compact Serialization object

Question
-
User248873758 posted
Hi,
I'm trying to understand authentication with OpenID Connect.
I have received an authorization code, which the server can exchange for an access token and an ID token.
_keyPrivate = "FVSxlyJTtDw ....."; // field d of the JWK
var client = new RestClient("https://test/oidc/token");
var request = new RestRequest(Method.POST);
request.AddHeader("cache-control", "no-cache");
request.AddHeader("content-type", "application/x-www-form-urlencoded");
request.RequestFormat = DataFormat.Json;
request.AddParameter("grant_type", "authorization_code");
request.AddParameter("code", _code);
request.AddParameter("redirect_uri", "https://localhost:44302/");
// client_assertion = header "." payload "." <third segment>
request.AddParameter("client_assertion", (headerEncoded + "." + payloadEncoded + "." + _keyPrivate));
request.AddParameter("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
IRestResponse response = client.Execute(request);
But I receive as an error:
{"error":"unauthorized_client","detail":"Signed assertion is not valid","uid":"511334434"}
==> Invalid Signature with https://jwt.io/#debugger
Am I missing something? ==>
request.AddParameter("client_assertion", (headerEncoded + "." + payloadEncoded + "." + _keyPrivate )); ??
Wednesday, February 6, 2019 3:50 PM
All replies
-
User753101303 posted
Hi,
Not an expert, but it seems you pass a key. AFAIK the key should be used to sign the token. The receiver can get the key on its own by fetching the metadata document, use the same key to sign the same token, and see if it ends up with the same signature.
It allows one to be fairly sure that the received token was issued by the identity provider we trust (and that the token was not altered in between).
Not sure at which step you are and what your scenario is. You do have existing middleware that does the right thing out of the box, so you could use it and instrument it (it has notification events); it is open source as well.
For example https://github.com/aspnet/AspNetKatana/tree/dev/src/Microsoft.Owin.Security.OpenIdConnect
Wednesday, February 6, 2019 7:04 PM -
User248873758 posted
Thank you for your help,
yes I have a key (private_key_jwt) but I can not find the instruction to sign.
This is authentication via openid connect core, I'm at the stage where I have to exchange the authorization code against a token.
Wednesday, February 6, 2019 7:53 PM -
User753101303 posted
Still not 100% sure I get your intent. Are you trying to write your own identity provider? Try perhaps one of https://docs.microsoft.com/en-us/aspnet/core/security/authentication/community?view=aspnetcore-2.2 ?
On the client side I would expect something like https://gunnarpeipman.com/aspnet/aspnet-core-azure-ad/
Even if this is not your actual goal, it should let you quickly get something up and running that you can then study.
BTW, you have a dedicated ASP.NET Core forum (I just noticed you posted in Web Forms).
Wednesday, February 6, 2019 8:27 PM -
User248873758 posted
It's not the provider but the client.
I'm trying to exchange the authorization code for an access token, so I have to build a POST request with a client_assertion ==> JWS compact ==> header + "." + payload + "." + signature.
I will redo a post in the other section of the forum. ==> It's client side; the code will remain the same: Web Forms, MVC, Core.
I guess the private key is in the field "d":
{
  "kty": "RSA",
  "kid": "bilbo.baggins@hobbiton.example",
  "use": "sig",
  "n": "n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT-O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqVwGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuCLqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5gHdrNP5zw",
  "e": "AQAB",
  "d": "bWUC9B-EFRIo8kpGfh0ZuyGPvMNKvYWNtB_ikiH9k20eT-O1q_I78eiZkpXxXQ0UTEs2LsNRS-8uJbvQ-A1irkwMSMkK1J3XTGgdrhCku9gRldY7sNA_AKZGh-Q661_42rINLRCe8W-nZ34ui_qOfkLnK9QWDDqpaIsA-bMwWWSDFu2MUBYwkHTMEzLYGqOe04noqeq1hExBTHBOBdkMXiuFhUq1BU6l-DqEiWxqg82sXt2h-LMnT3046AOYJoRioz75tSUQfGCshWTBnP5uDjd18kKhyv07lhfSJdrPdM5Plyl21hsFf4L_mHCuoFau7gdsPfHPxxjVOcOpBrQzwQ",
  "p": "3Slxg_DwTXJcb6095RoXygQCAZ5RnAvZlno1yhHtnUex_fp7AZ_9nRaO7HX_-SFfGQeutao2TDjDAWU4Vupk8rw9JR0AzZ0N2fvuIAmr_WCsmGpeNqQnev1T7IyEsnh8UMt-n5CafhkikzhEsrmndH6LxOrvRJlsPp6Zv8bUq0k",
  "q": "uKE2dh-cTf6ERF4k4e_jy78GfPYUIaUyoSSJuBzp3Cubk3OCqs6grT8bR_cu0Dm1MZwWmtdqDyI95HrUeq3MP15vMMON8lHTeZu2lmKvwqW7anV5UzhM1iZ7z4yMkuUwFWoBvyY898EXvRD-hdqRxHlSqAZ192zB3pVFJ0s7pFc",
  "dp": "B8PVvXkvJrj2L-GYQ7v3y9r6Kw5g9SahXBwsWUzp19TVlgI-YV85q1NIb1rxQtD-IsXXR3-TanevuRPRt5OBOdiMGQp8pbt26gljYfKU_E9xn-RULHz0-ed9E9gXLKD4VGngpz-PfQ_q29pk5xWHoJp009Qf1HvChixRX59ehik",
  "dq": "CLDmDGduhylc9o7r84rEUVn7pzQ6PF83Y-iBZx5NT-TpnOZKF1pErAMVeKzFEl41DlHHqqBLSM0W1sOFbwTxYWZDm6sI6og5iTbwQGIC3gnJKbi_7k_vJgGHwHxgPaX2PnvP-zyEkDERuf-ry4c_Z11Cq9AqC2yeL6kdKT1cYF8",
  "qi": "3PiqvXQN0zwMeE-sBvZgi289XP9XCQF3VWqPzMKnIgQp7_Tugo6-NZBKCQsMf3HaEGBjTVJs_jcK8-TRXvaKe-7ZMaQj8VfBdYkssbu0NKDDhjJ-GtiseaDVWt7dcH0cfwxgFUHpQh7FoCrjFJ6h6ZEpMF6xmujs4qMpPz8aaI4"
}
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret) ==> https://jwt.io/introduction/ I cannot find the equivalent in C# ==> HMACSHA256(
Thank you for your reply
Wednesday, February 6, 2019 8:39 PM -
User753101303 posted
I meant a much higher-level view. So you are trying to use OpenID Connect to authenticate a user against which identity provider? On my side I'm just using existing components such as https://blogs.msdn.microsoft.com/webdev/2014/03/28/owin-security-components-in-asp-net-openid-connect/ that are configured with a few lines, handle the whole flow for me and still provide hooks for extensibility.
Wednesday, February 6, 2019 9:03 PM
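Added example, not code from either poster: the step the question is missing is that the third segment of the compact JWS is a signature computed over the first two segments with the private key, and the private key itself never goes into the token. Because the JWK posted above has "kty": "RSA", the matching JWS algorithm is RS256 (RSASSA-PKCS1-v1_5 with SHA-256), not the HMACSHA256 of the jwt.io formula, which is for shared-secret keys; the .NET counterpart of that formula is RSA.SignData with HashAlgorithmName.SHA256 and RSASignaturePadding.Pkcs1. Assumptions made here: the client_id "my-client-id" is invented, the token endpoint is the https://test/oidc/token from the post, the kid is the one in the JWK above, and the key pair is generated at run time so the example runs stand-alone; FromJwk shows where the JWK fields n, e, d, p, q, dp, dq, qi go when you use your real key.

```csharp
// Added example (not from the original post): build a private_key_jwt client
// assertion as a JWS Compact Serialization (RFC 7515) signed with RS256, and
// verify it the way the token endpoint does, with the public key only.
// Assumed: client_id "my-client-id", token endpoint from the post, kid from the
// JWK above; the key is generated here so the example is self-contained.
using System;
using System.Security.Cryptography;
using System.Text;

public static class ClientAssertionJws
{
    // base64url (RFC 7515 Appendix C): base64 with '+'->'-', '/'->'_' and no '=' padding.
    public static string Base64UrlEncode(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static byte[] Base64UrlDecode(string text)
    {
        string b64 = text.Replace('-', '+').Replace('_', '/');
        if (b64.Length % 4 == 2) b64 += "==";
        else if (b64.Length % 4 == 3) b64 += "=";
        return Convert.FromBase64String(b64);
    }

    // Map the RSA private-key JWK fields (n, e, d, p, q, dp, dq, qi) onto RSAParameters.
    public static RSAParameters FromJwk(string n, string e, string d, string p, string q,
                                        string dp, string dq, string qi)
    {
        return new RSAParameters
        {
            Modulus = Base64UrlDecode(n), Exponent = Base64UrlDecode(e), D = Base64UrlDecode(d),
            P = Base64UrlDecode(p), Q = Base64UrlDecode(q),
            DP = Base64UrlDecode(dp), DQ = Base64UrlDecode(dq), InverseQ = Base64UrlDecode(qi)
        };
    }

    // header.payload.signature, where signature = RS256 over the ASCII bytes of
    // "header.payload". The key material itself never appears in the token.
    public static string Create(RSAParameters privateKey, string kid, string clientId, string tokenEndpoint)
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"" + kid + "\"}";
        // RFC 7523 / OIDC Core 9 (private_key_jwt): iss and sub are the client_id, aud is the
        // token endpoint, jti is unique, exp is short. These claim values need no JSON escaping.
        string payload = "{\"iss\":\"" + clientId + "\",\"sub\":\"" + clientId + "\",\"aud\":\"" + tokenEndpoint
            + "\",\"jti\":\"" + Guid.NewGuid().ToString("N") + "\",\"iat\":" + now + ",\"exp\":" + (now + 300) + "}";
        string signingInput = Base64UrlEncode(Encoding.UTF8.GetBytes(header)) + "."
                            + Base64UrlEncode(Encoding.UTF8.GetBytes(payload));
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(privateKey);
            byte[] signature = rsa.SignData(Encoding.ASCII.GetBytes(signingInput),
                                            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return signingInput + "." + Base64UrlEncode(signature);
        }
    }

    // Server side: check the signature over the first two segments with the public key (n, e).
    public static bool Verify(string jws, RSAParameters publicKey)
    {
        string[] parts = jws.Split('.');
        if (parts.Length != 3) return false;
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            return rsa.VerifyData(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]), Base64UrlDecode(parts[2]),
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    public static void Main()
    {
        // Stand-in for the client's registered key. RSA.Create(int) needs .NET Core 2.0+ / .NET 5+;
        // on .NET Framework use new RSACryptoServiceProvider(2048) instead.
        RSAParameters priv;
        using (RSA generated = RSA.Create(2048)) priv = generated.ExportParameters(true);

        // Round-trip through the JWK field names to show the mapping you would use for a real JWK.
        RSAParameters fromJwk = FromJwk(
            Base64UrlEncode(priv.Modulus), Base64UrlEncode(priv.Exponent), Base64UrlEncode(priv.D),
            Base64UrlEncode(priv.P), Base64UrlEncode(priv.Q), Base64UrlEncode(priv.DP),
            Base64UrlEncode(priv.DQ), Base64UrlEncode(priv.InverseQ));

        string jws = Create(fromJwk, "bilbo.baggins@hobbiton.example", "my-client-id", "https://test/oidc/token");
        Console.WriteLine(jws);

        // Only the public half is needed to check it, which is all the server ever holds.
        var pub = new RSAParameters { Modulus = priv.Modulus, Exponent = priv.Exponent };
        Console.WriteLine("valid:    " + Verify(jws, pub));

        // Any change to the header or payload segment invalidates the signature.
        string[] parts = jws.Split('.');
        string tampered = parts[0] + "." + (parts[1][0] == 'e' ? 'f' : 'e') + parts[1].Substring(1) + "." + parts[2];
        Console.WriteLine("tampered: " + Verify(tampered, pub));
    }
}
```

The string returned by Create is what goes into the client_assertion form parameter next to client_assertion_type urn:ietf:params:oauth:client-assertion-type:jwt-bearer in the RestSharp request from the post. The token endpoint checks it with the public key it already has for the client (from the registered JWKS or jwks_uri), so the d, p, q, dp, dq and qi values stay on the client and are never sent; the jwt.io debugger can confirm the result by pasting the public JWK's n and e. A JSON library should replace the hand-built header and payload strings as soon as any claim value can contain quotes or backslashes.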