JWT along side Windows/AspNet Auth

Hi Mythz,

So I am trying to integrate the JWT auth provider alongside our normal AspNet Auth provider (setup below), where I have manually created the secret key and appended it to web.config.

```csharp
var authFeature = new AuthFeature(() =>
    new MyAppUserSession(),
    new IAuthProvider[]
    {
        new JwtAuthProvider(AppSettings)
        {
            RequireSecureConnection = false,
            LoadUserAuthFilter = (userSession, tokens, authInfo) => {
                UserAuth.LoadUser(this.GetContainer(), userSession, tokens, authInfo);
            }
        },
        new AspNetWindowsAuthProvider(this)
        {
            LoadUserAuthFilter = (userSession, tokens, authInfo) => {
                UserAuth.LoadUser(this.GetContainer(), userSession, tokens, authInfo);
            },
            AllowAllWindowsAuthUsers = true
        }
    }
);
```

That UserAuth.LoadUser basically just contacts AD, gets more record details, populates them into MyAppUserSession
and then gets the Roles and Permissions from our Db.
Then my services have
[RequiredRole] and [RequiredPermission] implemented to further check that the right user has the right roles/permissions.

Furthermore, in IIS, under Authentication, I have everything disabled except for Windows Auth: Enabled.
(I have a feeling maybe I have to enable Anonymous Auth too?)

Then I do the following to request the API, but I get an Unauthorized from ServiceStack.

```csharp
using System;
using System.Collections.Generic;
using ServiceStack;

public class MyClient : JsonServiceClient
{
    public MyClient()
    {
        this.RequestFilter = req =>
        {
            // GetJwtToken is my own helper; internally it just uses this lib:
            // https://github.com/jwt-dotnet/jwt/blob/master/src/JWT/JwtEncoder.cs
            var token = GetJwtToken(__payload__, my_secret);
            req.AddBearerToken(token);
        };
    }

    // and __payload__ is populated like the following:
    static Dictionary<string, object> BuildPayload(string userName)
    {
        var epoch = new DateTime(1970, 1, 1);
        var payload = new Dictionary<string, object>();
        payload.Add("exp", (int)DateTime.UtcNow.AddHours(1).Subtract(epoch).TotalSeconds);
        payload.Add("iss", "SP-CustomScripts");
        payload.Add("iat", (int)DateTime.UtcNow.Subtract(epoch).TotalSeconds);
        payload.Add("prn", userName);
        return payload;
    }
}
```

and then the service returns “Unauthorized”.

Thanks,

Why are you sub-classing instead of using the BearerToken property from the JsonServiceClient?

JWTs are completely disconnected from Windows Auth, where if you want to allow clients to authenticate with just JWT tokens you need to enable anonymous access.

It’s not clear how you’re creating the JWT, but first try to create the JWT manually and see if you can authenticate with manual tokens first. JWTs should work independently of Windows Auth, so make sure you can Authenticate with JWTs first before trying to create them using Windows Auth.

When reporting errors from ServiceStack please always include the full HTTP Response Headers of the Error Response which may help identify the issue.

Sorry I forgot to respond back on this; I will try to include the full HTTP request/response headers in questions like these.

So, yes, I enabled anonymous access in IIS and then found out that the SECRET my client used for generating the signature was the same as the one stored in the server's config, except the client was using the base64 version (copy-pasta programming, as I just copied the jwt.AuthKeyBase64 from the config). Instead, what I had to use was the original secret key for generating the signature.

Anyway, thanks for the response; I was able to get it running.

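The key-encoding mismatch the thread ends on, as an added example (not code from the thread or from ServiceStack): a minimal HS256 JWT encoder and verifier that shows why signing with the bytes of the base64 string fails while signing with the decoded key bytes verifies. It assumes the provider's default HS256 and that jwt.AuthKeyBase64 is the base64 encoding of the raw HMAC key; the key, timestamp and user name are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample standing in for the server's jwt.AuthKeyBase64 in web.config:
# the base64 encoding of the raw HMAC key bytes the server verifies with.
RAW_KEY = hashlib.sha256(b"constructed-demo-key").digest()
AUTH_KEY_BASE64 = base64.b64encode(RAW_KEY).decode()


def b64url(data: bytes) -> str:
    # JWT uses unpadded base64url for every segment.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (same shape jwt-dotnet's encoder emits) using `key` as the raw HMAC key."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, key: bytes) -> bool:
    """Server-side check: recompute the signature with the key the server actually holds."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), s)


def build_payload(user_name: str, now=None) -> dict:
    # Same claims the client in the thread populates: exp/iat as epoch seconds, iss and prn.
    now = int(time.time()) if now is None else now
    return {"exp": now + 3600, "iss": "SP-CustomScripts", "iat": now, "prn": user_name}


def server_key() -> bytes:
    # The fix from the thread: decode AuthKeyBase64 to recover the real key bytes.
    return base64.b64decode(AUTH_KEY_BASE64)


def token_signed_with(key: bytes, user_name: str = "demo-user") -> str:
    return sign_hs256(build_payload(user_name, now=1_600_000_000), key)
```

`token_signed_with(AUTH_KEY_BASE64.encode())` reproduces the original mistake (HMAC over the base64 text) and is rejected by `verify_hs256` with `server_key()`, whereas `token_signed_with(server_key())` verifies.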