
aspnetselfcreatedtokenauthexample's Introduction

ASP.NET Core Self-created token authentication example

A simple example of how to protect an ASP.NET Core Web API project using self-created JWT bearer tokens for local username/password checking. Working against dotnet core 1.0.1 as of 04/12/2016 - see the rc1, beta8 and beta7 branches if you're using older framework versions.

DO NOT USE AS-IS IN PRODUCTION

This example is to show the principles required to achieve local token authentication, and the following things should be changed before production usage:

  1. The random-generated private keys in Startup.cs should be changed and factored out to some sort of secure storage and shared amongst all app servers serving your site. Using the data protection API to ensure the keys are rotated and secured would be perfect, but I've not worked out how to do that yet (please submit a pull request if you get that working!).
  2. The error handling is very simple - because it returns the exception message to the caller, it may leak application internals to end users.
  3. The username and password checking using an "if" statement should be replaced with checking against some sort of repository, and identities generated from that.
  4. Consider whether the token refresh strategy (the TokenController Get action) is appropriate for your application - this StackOverflow question and answer may help you decide what is best for your application.

You can find more information about the principles in my StackOverflow answer here. This strategy is based on this StackOverflow answer to the same question by @mdekrey, updated for ASP.NET Core 1.0.1 and rationalised to be a slightly simpler, complete example.

aspnetselfcreatedtokenauthexample's People

Contributors

mrsheepuk, wierzba3


aspnetselfcreatedtokenauthexample's Issues

Is RSAParametersWithPrivate really required?

Hi,
I was making some tests with this project and I fail to understand the purpose of the RSAParametersWithPrivate class. It seems to me I can generate an RSAParameters object with all fields populated simply by deserializing it:

// Deserialise the serialised key material straight into RSAParameters (type argument restored from the surrounding text)
JsonConvert.DeserializeObject<RSAParameters>("");

The RSAParametersWithPrivate class does not seem to add anything to this. Am I missing something?

Integrating with ASP Core Identity

Hi,

First thanks for such a great sample, you have no idea how long I have spent banging my head against this.

After getting this sample working I decided I want to try to integrate it into the standard ASP Core RC2 sample that comes with the latest Visual Studio.

I took your code and wove it in and to my great surprise it worked!

Now I'm trying to get it to work with the SQL DB that comes with the sample template. I have modified the TokenController Post function to look like this:

[HttpPost]
public async Task<dynamic> Post(string email, string password)
{
    var result = await _signInManager.PasswordSignInAsync(email, password, false, false);
    if (result.Succeeded)
    {
        DateTime? expires = DateTime.UtcNow.AddMinutes(2);
        var token = GetToken(email, expires);
        return new { authenticated = true, entityId = 1, token = token, tokenExpires = expires };
    }

    return new { authenticated = false };
}

And that works well. Now I notice that in GetToken() you mention:

// Here, you should create or look up an identity for the user which is being authenticated.
// For now, just creating a simple generic identity.
var identity = new ClaimsIdentity(new GenericIdentity(user, "TokenAuth"), new[] { new Claim("EntityID", "1", ClaimValueTypes.Integer) });

Could you please explain a little about ClaimsIdentity and Claims, and how I should integrate that with the ASP UserManager / SignInManager?

Thanks so much,
Mike

netcoreapp 1.0

.Net Core is released. I'm wondering if this project can be upgraded into netcoreapp1.0 framework instead of using dnx?

No SecurityTokenValidator available for token

Hello, I'm trying to play with this project (VS2015, ASPvNext RC), but I'm not able to access the secured API. Whenever I try a GET http://localhost:53129/api/value/1 I get the error No SecurityTokenValidator available for token:

{"success":false,"error":"No SecurityTokenValidator available for token: token=eyJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNyc2Etc2hhMjU2IiwidHlwIjoiSldUIn0.eyJuYmYiOjE0NTIxMDg2NTgsImV4cCI6MTQ1MjEwODc3OCwiaWF0IjoxNDUyMTA4NjU4LCJ1bmlxdWVfbmFtZSI6IlRFU1QiLCJFbnRpdHlJRCI6MSwiaXNzIjoiRXhhbXBsZUlzc3VlciIsImF1ZCI6IkV4YW1wbGVBdWRpZW5jZSJ9.LhAbTFL6_ESs6o9_Y_7s1K80EzOPhWIByTdDu-s6DkJx68pqclpWMVqpAEmGqPxKrCoG2EVoNvDYkvGhkqBMQ4J6I4KEcNt5ii1LwlxyCtPsBQ2Ez3WztTd9xMsGfIU0BtweJUhivviUI8m3Wp8pH-n94Mt5hjVNV0WQzHYYrZkzWrKlCX0o176N_M9P2sgJhxYFv1jD6gmQRGKPUNubH59R0WIlisu0pXL8_iF2FoQ-14bsvZ5wC40d3vLRxSVI-2EDQ2U6l4srsWfc0rWVAq1e5bRSn1LiX8DQ47VABpetYHSc62trx0ZLnAc6XmbeaTb2azbPY6LJAA0x2G5ulQ"}

Here is what I did:

  1. Download your project, unzip and compile.
  2. Run (F5) the solution.
  3. I can confirm that the server has started by accessing (using Fiddler) the unprotected API action with GET http://localhost:53129/api/values, which returns some JSON code.
  4. I request a token using the fake credentials TEST:TEST, and I correctly get it back with this post:

POST http://localhost:53129/api/token

--Header:
User-Agent: Fiddler
Host: localhost:5000
Content-type: application/json
Content-Length: 40

--Body:
{"username":"TEST", "password": "TEST" }

  5. I copy the received JWT token value and paste it into this request:

GET http://localhost:53129/api/value/1

--Header:
User-Agent: Fiddler
Host: localhost:53129
Content-Type: application/json
Authorization: Bearer token=...received token...

Yet, I always get the error quoted above. Any suggestion?

Sliding expiration for token

Hi,

Thank you for the excellent demo application! This is really a time saver.
It looks like the current sample has a fixed token expiration time. Is there any way to have this as a sliding expiration?

Thank you

TokenController

I've been trying to get this sample to work. When/how is TokenController supposed to be called?

Authorize Roles

Is it possible to use this method to authorize a route based on the user's role? I was able to put the roles into the claims just fine, but when I attempt to add the Authorize attribute with the roles property set I get an unauthorized result back.
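The README's production notes (items 2 and 3) and the two questions above about ClaimsIdentity/Claims and role-based Authorize all come down to how the token endpoint builds the identity. The following is an added example, not the project's own TokenController: it assumes a hypothetical IUserRepository and AppUser, uses the ASP.NET Core Identity PasswordHasher instead of the sample's hard-coded "if", returns a generic 401 rather than an exception message, and emits roles under ClaimTypes.Role, which is the claim type [Authorize(Roles = "...")] checks.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

// Hypothetical user store standing in for whatever repository or Identity DbContext you use.
public class AppUser { public string Id; public string UserName; public string PasswordHash; public string[] Roles; }
public interface IUserRepository { Task<AppUser> FindByNameAsync(string userName); }
public class LoginRequest { public string Username { get; set; } public string Password { get; set; } }

[Route("api/[controller]")]
public class TokenController : Controller
{
    private readonly IUserRepository _users;
    // Injected; the key behind these credentials comes from secure storage (README item 1), not a per-start random.
    private readonly SigningCredentials _signing;
    private readonly PasswordHasher<AppUser> _hasher = new PasswordHasher<AppUser>();

    public TokenController(IUserRepository users, SigningCredentials signing) { _users = users; _signing = signing; }

    [HttpPost]
    public async Task<IActionResult> Post([FromBody] LoginRequest req)
    {
        var user = await _users.FindByNameAsync(req.Username);
        // One generic response for "no such user" and "wrong password": nothing for a caller to enumerate.
        if (user == null
            || _hasher.VerifyHashedPassword(user, user.PasswordHash, req.Password) == PasswordVerificationResult.Failed)
            return Unauthorized();

        var expires = DateTime.UtcNow.AddMinutes(20);
        var identity = new ClaimsIdentity("TokenAuth");
        identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
        identity.AddClaim(new Claim("EntityID", user.Id));          // the sample's custom claim, sourced from the store
        foreach (var role in user.Roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));    // serialised as "role" and mapped back on validation

        var handler = new JwtSecurityTokenHandler();
        var jwt = handler.CreateEncodedJwt(new SecurityTokenDescriptor
        {
            Issuer = "ExampleIssuer",        // issuer/audience as seen in the token quoted in the issue above
            Audience = "ExampleAudience",
            Subject = identity,
            Expires = expires,
            SigningCredentials = _signing
        });
        return Ok(new { authenticated = true, token = jwt, tokenExpires = expires });
    }
}
```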

HMAC-SHA signing with secret

Hi,
thanks again for this excellent demo. I am trying to reduce the size of generated JWT tokens. At the moment, the signature is more than 3 times the size of the payload. I think using an HMACSHA256 signature with a secret key could reduce the global token size.
I've tried to use it instead of RSA, but failed. Could you please improve your demo with this signing method? Thanks a lot!

Can't run

Got the following problem:

NU1001 The dependency Microsoft.AspNet.FileProviders.Physical >= 1.0.0-rc1-final could not be resolved. TokenAuthExampleWebApplication X:\dotnet\ASPNETSelfCreatedTokenAuthExample\src\TokenAuthExampleWebApplication\project.json 1

Running on CoreCLR on Linux

Did you manage to get this running on CoreCLR on Linux?

I tried on Ubuntu. I managed to get the creation of the key working by modifying the
lRsa = new RSACryptoServiceProvider(2048);
to
lRsa = new RSAOpenSsl(2048);

But I get into issues when trying to create a token, when the framework tries to create an AsymmetricSignatureProvider.

This seems to be this issue.

Has anyone tried anything like this yet?

Add a comment regarding middleware ordering

This is not any issue with your code really but more a help for others that, like me, didn't fully understand how the new middleware architecture works. I added app.UseJwtBearerAuthentication after app.UseMvc(), which resulted in an error saying that I had no authentication handler for Bearer. It took a while before I realised that, of course, the order of middlewares matters. So a comment in the code saying that app.UseJwtBearerAuthentication needs to come before app.UseMvc() could be helpful for others :)
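The ordering point above, and the "No SecurityTokenValidator available for token" post earlier on this page, are both about the bearer middleware's registration and what it accepts. This is an added Startup.Configure for the ASP.NET Core 1.x JwtBearer middleware, not the project's own Startup.cs; it assumes the RSA public parameters are loaded from secure storage into _publicKey and uses the issuer and audience names visible in the token quoted in that post.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Assumption: populated from secure key storage (README item 1), not generated on each start.
    private readonly RSAParameters _publicKey;

    public Startup(RSAParameters publicKey) { _publicKey = publicKey; }

    public void Configure(IApplicationBuilder app)
    {
        // Middleware runs in registration order. The bearer handler must be registered before MVC so that
        // [Authorize] finds an authenticated HttpContext.User; registering it after UseMvc() gives
        // "no authentication handler for Bearer" because MVC has already challenged before it exists.
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            AutomaticAuthenticate = true,   // build HttpContext.User from a valid token on every request
            AutomaticChallenge = true,      // answer 401 + WWW-Authenticate: Bearer when auth is required and absent
            TokenValidationParameters = new TokenValidationParameters
            {
                IssuerSigningKey = new RsaSecurityKey(_publicKey),
                ValidateIssuerSigningKey = true,
                ValidIssuer = "ExampleIssuer",
                ValidateIssuer = true,
                ValidAudience = "ExampleAudience",
                ValidateAudience = true,
                ValidateLifetime = true,          // honour exp/nbf so a fixed-lifetime token really expires
                ClockSkew = TimeSpan.FromSeconds(30)
            }
        });

        // The handler takes everything after "Bearer " and asks JwtSecurityTokenHandler.CanReadToken whether it
        // is a three-segment base64url JWS. A header of the form "Authorization: Bearer token=eyJ..." fails that
        // check (the "token=" prefix is not valid base64url), so no validator claims it and the response is
        // "No SecurityTokenValidator available for token". The header must be exactly "Authorization: Bearer <jwt>".
        app.UseMvc();
    }
}
```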
