The default jti value within jwts is perhaps wrong?


jwt generation is perhaps wrong in one place as the the value of the default implemented jti will be represented as a Number field. According to the standard it should be a string. The newest version of System.IdentityModel.Tokens.Jwt.JwtSecurityToken (7.3.0) has stricter parsing and will throw an error when parsing jwt’s generated from the default JwtAuthProvider.

Although I easily “fixed” this by implementing my Custom JwtAuthProvider and implementing the handy functions ResolveJwtId and ResolveRefreshJwtId, I just wanted to let you know in case you wanted to address this issue.

The error reported is

System.Text.Json.JsonException: IDX11020: The JSON value of type: ‘Number’, could not be converted to ‘JsonTokenType.String’. Reading: ‘System.IdentityModel.Tokens.Jwt.JwtPayload.jti’, Position: ‘621’, CurrentDepth: ‘1’, BytesConsumed: ‘622’.

The “fix” I applied was something simple along the lines of

ResolveJwtId = (_) => $"jti_{NextJwtId()}";

ResolveRefreshJwtId = (_) => $"jti_{NextRefreshJwtId()}";

It looks like you’re trying to read the ServiceStack Auth JwtAuthProvider with IdentityAuth JWT library which isn’t supported.

Instead we recommend using the JWT Identity Auth Provider which integrates with and uses the ASP.NET Core JWT Identity Auth configuration where you wont have these incompatibility issues which we’ve updated in todays v8.1 release.

This will require Migrating to ASP .NET Core Identity Auth, where we’ve published a couple of guides to document the process of upgrading our migrating ServiceStack.Auth Apps to Identity Auth and a more detailed Migration to ASP.NET Core Identity for Authentication guide which goes into updating Foreign Key References.