JwtSecurityTokenHandler and TokenValidationParameters

c# validation security jwt identity
Patrice Cote picture Patrice Cote · Sep 5, 2014 · Viewed 40.8k times · Source

I used to have a reference to Microsoft.IdentityModel.Tokens.JWT and everything was working fine.

I updated to use the new System.IdentityModel.Tokens.Jwt but nothing seems to work now. It cannot find the ValidateToken method of the JwtSecurityTokenHandler and the TokenValidationParameters have no AllowedAudience, SigningToken or ValidateExpiration properties.

What am I missing here? Can anyone provide with a working sample of a JWT validation with this?

My "old" code :

private static void ValidateJwt(string jwt)
{
    var handler = new JWTSecurityTokenHandler();
    var validationParameters = new Microsoft.IdentityModel.Tokens.JWT.TokenValidationParameters()
    {
        AllowedAudience = "https://my-rp.com",
        //SigningToken = new BinarySecretSecurityToken(Convert.FromBase64String(myBase64Key)),
        SigningToken = new X509SecurityToken(
           X509
           .LocalMachine
           .My
           .Thumbprint
           .Find("UYTUYTVV99999999999YTYYTYTY88888888", false)
           .First()),
        ValidIssuer = "https://my-issuer.com/trust/issuer",
        ValidateExpiration = true
    };

    try
    {
        var principal = handler.ValidateToken(jwt, validationParameters);
    }
    catch (Exception e)
    {

        Console.WriteLine("{0}\n {1}", e.Message, e.StackTrace);
    }

    Console.WriteLine();
}

Answer

Patrice Cote picture Patrice Cote · Sep 8, 2014

After a lot of research and tests, I finally found that some properties names for TokenValidationParameters had changed and JwtSecurityTokenHandler.ValidateToken() method signature too.

So here's the modified working version of the above code.

private static void ValidateJwt(string jwt)
{
    var handler = new JwtSecurityTokenHandler();   
    var validationParameters = new TokenValidationParameters()
    {
        ValidAudience = "https://my-rp.com",
        IssuerSigningTokens = new List<X509SecurityToken>() { new X509SecurityToken(
           X509
           .LocalMachine
           .My
           .Thumbprint
           .Find("UYTUYTVV99999999999YTYYTYTY88888888", false)
           .First()) },
        ValidIssuer = "https://my-issuer.com/trust/issuer",
        CertificateValidator = X509CertificateValidator.None,
        RequireExpirationTime = true
    };

    try
    {
        SecurityToken validatedToken;
        var principal = handler.ValidateToken(jwt, validationParameters, out validatedToken);
    }
    catch (Exception e)
    {

        Console.WriteLine("{0}\n {1}", e.Message, e.StackTrace);
    }

    Console.WriteLine();
}

And for the reference, the JwtSecurityTokenHandler lives in the System.IdentityModel.Tokens namespace. Don't forget to add the package "JSON Web Token Handler For the Microsoft .Net Framework 4.5" (version 4.0.0 at the time I write theses lines).

Hope it can save a few hours of search for some of you guys!

Related questions

Regex Email validation

I use this @"^([\w\.\-]+)@([\w\-]+)((\.(\w){2,3})+)$" regexp to validate the email ([\w\.\-]+) - this is for the first-level domain (many letters and numbers, also point and hyphen) ([\w\-]+) - this is for second-level domain ((\.(\w){2,3})+) - …

Read More
How to Validate a DateTime in C#?

I doubt I am the only one who has come up with this solution, but if you have a better one please post it here. I simply want to leave this question here so I and others can search it …

Read More
Email address validation using ASP.NET MVC data type attributes

I have some problems with the validation of a Email. In my Model: [Required(ErrorMessage = "Field can't be empty")] [DataType(DataType.EmailAddress, ErrorMessage = "E-mail is not valid")] public string ReceiverMail { get; set; } In my view: <script src="@Url.Content("~/…

Read More