Using JWT to implement Authentication on Asp.net web API

Zapnologica picture Zapnologica · May 15, 2014 · Viewed 41.5k times · Source

I have been reading about JWT.

But from what I read it is not an authentication mechanism but more like a crucial component in a Authentication mechanism.

I have currently implemented a solution which works, but it was just to try out JWT and see how it works. But what I am after now is how one should make use of it. From my experience of it its basically just an encryption mechanism that gives you a unique encrypted key. You are also able to put information inside of this token.

I am wanting to implement it in terms on a ASP.NET web api 2 to be consumed by a mobile application.

So step 1:

  1. app => Server : Login (user, pasword)
  2. Server => app : Login OK, heres your JWT
  3. app => server : Get my profile (sends JWT with request) Server then decrypts JWT and determines the requests Identity.

Now this is just my understanding of it, Look I could be on the totally wrong path.

Is the Ideal of JWT so that you dont have to authenticate on every request? I just authenticate the users credentials once (on the initial login) and there on after the server can simply use JWT and no have to lookup the users pw and user in the DB?

I just want to use the JWT to Identity who the user is. I will then authorize then after i have authenticated them. As I know there is a big confused with the new MVC and Authentication and Authorization.

So what my question comes down to.

How can I safely and effectively Implement a Authentication Mechanism Using JWT? I don't want to just cough something up that seems to work and not have any Idea of the security implications. I am sure that there exists a source some where that has possibly designed a secure mechanism that would suit my requirements.

My requirements are:

  • Must only have to check db for users credentials once off per session? Due to the use of bcrypt using a lot of resources to compare passwords.
  • Must be able to identify the user from their request. (I.e who they are, userId will be sufficient) and preferably without accessing the DB as well
  • Should be as low overhead as possible, with regards to resources on the server side processing the request.
  • If an intruder had to copy a devices previous request, then he should not be able to access the real users data. (obviously)

Thanks

Answer

Thomas Sobieck picture Thomas Sobieck · May 15, 2014

Your understanding of JWTs is good. But here are a couple corrections and some recommendations.

Authentication and Authorization

  • JWTs have nothing to do with authentication. Hitting your DB and hashing passwords only happens when you authenticate on creation of the JWT. This is orthogonal to JWTs and you can do that in any way you like. I personally like Membership Reboot, which also has a good example of using JWTs.
  • Theoretically, you could have the user enter a password once a year and have the JWT be valid that entire year. This most likely not the best solution, if the JWT gets stolen at any point the users resources would be compromised.

Encryption

  • Tokens can, but don't have to be encrypted. Encrypting your tokens will increase the complexity of your system and amount of computation your server needs to read the JWTs. This might be important if you require that no one is able to read the token when it is at rest.
  • Tokens are always cryptographically signed by the issuer to ensure their integrity. Meaning they cannot be tampered with by the user or a third party.

Claims

Your JWTs can contain any information you want. The users name, birthdate, email, etc. You do this with claims based authorization. You then just tell your provider to make a JWT with these claims from the Claims Principle. The following code is from that Membership Reboot example and it shows you how this is done.

public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    var svc = context.OwinContext.Environment.GetUserAccountService<UserAccount>();
    UserAccount user;
    if (svc.Authenticate("users", context.UserName, context.Password, out user))
    {
        var claims = user.GetAllClaims();

        var id = new System.Security.Claims.ClaimsIdentity(claims, "MembershipReboot");
        context.Validated(id);
    }

    return base.GrantResourceOwnerCredentials(context);
}

This allows you to control with precision whom is accessing your resources, all without hitting your processor intensive authentication service.

Implementation

A very easy way to implement a Token provider is to use Microsoft's OAuth Authorization Server in your WebAPI project. It give you the bare bones of what you need to make a OAuth server for your API.

You could also look into Thinktecture's Identity Server which would give you much easier control over users. For instance, you can easily implement refresh tokens with identity server where the user is authenticated once and then for a certain amount of time (maybe a month) they can continue getting short lived JWTs from the Identity Server. The refresh tokens are good because they can be revoked, whereas JWTs cannot. The downside of this solution is that you need to set up another server or two to host the Identity service.

To deal with your last point, that an intruder should not be able to copy the last request to get access to a resource, you must use SSL at a bare minimum. This will protect the token in transport.

If you are protecting something extremely sensitive, you should keep the token lifetime to a very short window of time. If you are protecting something less sensitive, you could make the lifetime longer. The longer the token if valid, the larger the window of time a attacker will have to impersonate the authenticated user if the user's machine is compromised.