ASP.Net Core Application Redirects to Cookie-based Login with JWT Authentication in Header #12842
Having both cookies and JWT is supported, and what you're doing looks ok. However, can we get the full contents of your ConfigureServices() and Configure() functions from startup.cs (with any secrets removed) along with what version of ASP.NET Core that you're using. Is the JWT bearer authentication putting anything in the logs? |
Thanks for getting back to me so fast, @blowdart . I'm targeting ASP.Net Core 2.2.
I do not believe I'm using those AuthorizationHandlers (contactisowner/contact), I just followed a tutorial from a long time ago and forgot to remove the dead code. |
OK for starters you can remove .AddCookie(cfg => cfg.SlidingExpiration = true) because AddIdentity adds cookies anyway. What I have working is the following;

```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(
            Configuration.GetConnectionString("DefaultConnection")));

    // Identity registers the application cookie scheme and makes it the default.
    services.AddDefaultIdentity<IdentityUser>()
        .AddDefaultUI(UIFramework.Bootstrap4)
        .AddEntityFrameworkStores<ApplicationDbContext>();

    // JWT bearer is added as a second scheme without changing the default.
    services.AddAuthentication()
        .AddJwtBearer(options =>
        {
            options.Audience = JwtParameters.Audience;
            options.ClaimsIssuer = JwtParameters.Issuer;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(JwtParameters.SigningKey),
                ValidateIssuer = false,
                ValidateAudience = true
            };
        });

    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}
```

I have a controller action which issues a JWT and then I'm using fiddler to send it, as an Authorization: Bearer header to a controller which looks like this;
Can you strip everything down to just this sort of thing? I've put the pieces I have working at https://github.com/blowdart/CookieJwtBearerSample |
Silly question, but when I implement:
edit: I figured it out, haha. Also, I've stripped the entire startup section to this:
And the other JWT controllers are not changing. Should I change my original JWT controller implementation that goes into AppSettings for Tokens:Issuer? I noticed that I did not have that class "JWT Parameters" and had to create it - it seems to be different from what I have in my appsettings.json. In appsettings.json -
I'll clone your repo and just run your project to see if I can get it working. edit: I'll update if I run into anything - thanks so much for the help so far. edit: |
So I've tried integrating it using my view model -
It returns a JWT, and the JWT can hit an endpoint - the problem is that the JWT is not associated with the account that I logged into. I'm assuming that there's something I have to do with the JWT middleware to establish the identity of the person that logged in. More specifically, I am passing this:
With a JSON request:
And it's returning a JWT successfully:
The problem is when I post this to a protected endpoint,
Returns null. |
I don't want to celebrate prematurely, but it looks like I've managed to take what you did and integrate it into my solution - for any soul that comes after me and wants to perform something similar, I was able to set up a controller that issues tokens after receiving JSON in the format of email, password like this:
When it receives something like this:
It returns a JWT related to the user that was sent in. This stops you from having to log in through a web page via browser. I then set up a controller like this:
That accepts the Authorization Bearer[WHITESPACE]Token header on request. It successfully looks up the intended user, finds the device registration token, and sends a request to Google FireCloud Messaging. The reason I did this was to allow integration for the website and also a mobile iOS/Android app that will need access to the same resources. I don't want to close the issue prematurely, so I'll try to get the devices working over the weekend and update everyone. If it works, I'll try to contribute to a Medium article or something explaining @blowdart 's solution and how it might help people that make ASP.Net Core applications + Flutter applications. Thanks so much again! |
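The two controllers the thread elides, written out as an added example (not code from the thread or from the linked CookieJwtBearerSample repo): a token endpoint that embeds the Identity user's claims, and a bearer-only endpoint whose `[Authorize]` names the JWT scheme so the request is not handed to the default Identity cookie challenge. `JwtParameters` and `IdentityUser` are assumed to exist as in the ConfigureServices posted above; route and claim lifetime values are my own choices.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

public class LoginModel { public string Email { get; set; } public string Password { get; set; } }

// Issues a token for an existing Identity user; assumes JwtParameters as in the thread.
[ApiController, Route("api/[controller]")]
public class TokenController : ControllerBase
{
    private readonly UserManager<IdentityUser> _userManager;
    public TokenController(UserManager<IdentityUser> userManager) => _userManager = userManager;
    [HttpPost, AllowAnonymous]  // POST api/token with { "email": "...", "password": "..." }
    public async Task<IActionResult> Post([FromBody] LoginModel model)
    {
        var user = await _userManager.FindByEmailAsync(model.Email);
        if (user == null || !await _userManager.CheckPasswordAsync(user, model.Password))
            return Unauthorized();  // same response for unknown user and wrong password
        // These claims tie the token to the Identity user: UserManager.GetUserAsync(User)
        // reads the NameIdentifier claim, so a token without it yields a null user.
        var claims = new[] { new Claim(ClaimTypes.NameIdentifier, user.Id), new Claim(ClaimTypes.Name, user.UserName) };
        var creds = new SigningCredentials(new SymmetricSecurityKey(JwtParameters.SigningKey), SecurityAlgorithms.HmacSha256);
        var jwt = new JwtSecurityToken(JwtParameters.Issuer, JwtParameters.Audience, claims,
                                       expires: DateTime.UtcNow.AddMinutes(30), signingCredentials: creds);
        return Ok(new { token = new JwtSecurityTokenHandler().WriteToken(jwt) });
    }
}

// Naming the scheme is what stops the cookie-login redirect: Identity makes the cookie scheme
// the default challenge, so a bare [Authorize] answers a bearer request with a 302 to the login page.
[ApiController, Route("api/[controller]")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public class DeviceController : ControllerBase
{
    private readonly UserManager<IdentityUser> _userManager;
    public DeviceController(UserManager<IdentityUser> userManager) => _userManager = userManager;
    [HttpGet("me")]  // GET api/device/me with "Authorization: Bearer <token>"
    public async Task<IActionResult> Me()
    {
        var user = await _userManager.GetUserAsync(User);  // non-null once the token carries NameIdentifier
        return user == null ? (IActionResult)Unauthorized() : Ok(new { user.Id, user.Email });
    }
}
```

With the scheme named, a missing or invalid bearer token produces a 401 from the JWT handler rather than a redirect, while the Razor Identity pages keep using the cookie scheme untouched.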
The JWT auth middleware only supports it as a bearer token. If you want it from the body and attached to the user property on the request you need to write your own auth service for that. |
I got it working - thanks a lot! |
I've implemented JWT and I have an endpoint secured with JWT.
The problem is that whenever I don't have JWT set as the default method of authentication, sending a JWT in the header will result in an HTTP response 200 that has a redirect to the login page of my website. The website is scaffolded using ASP.Net Identity in ASP.Net Core 2.2. I need it to be able to work with a mobile app sending JWTs, and the website. Setting the default authentication scheme to JWT breaks the website (can no longer log in via cookies).
If I make the endpoint that's supposed to use JWT AllowAnonymous, it functions, but it will not be able to claim the identity of the person sending the token (obviously).
It returns error 401 or the login redirect page depending on which JWT tutorial I use.
I've tried including
On every method that's supposed to take JWT.
I've tried adding
To startup.
I've tried
But that only returns a 401 when I submit a JWT in the header.
For the record, I'm testing using Postman and the header is
Authorization Bearer[WHITESPACE]token.
This is how I'm generating tokens and registering devices
Note REGISTER DEVICE does not work if I do not have the authentication scheme by default JWT. Meaning for every identity request that takes place, I must use JWT. This means that it effectively breaks the identity scaffolding altogether for cookie-based authentication.
That is:
However, the other function works - it even sends it to firebase
I expect to be able to label methods with JWT authorization and have it work. I've even tried setting the default scheme to JWT and then setting the authorization scheme of each method back to Cookie based, but it doesn't seem to be working with any consistency and breaks my entire login mechanism for the website when I do that.
This is an extremely frustrating issue - there are seven billion different articles addressing different approaches and no unified explanation for how it should be handled. I think it should be common sense that someone would scaffold an application using Identity, then need to add a mobile application to the application stack as the business scales.
I'm really regretting choosing ASP.Net Core for development because of this. Any suggestions for how to fix this, or to allow mobile app authentication in conjunction with ASP.Net Core Identity would be much appreciated.