Decoding and verifying JWT token using System.IdentityModel.Tokens.Jwt

by

Within the package there is a class called JwtSecurityTokenHandler which derives from System.IdentityModel.Tokens.SecurityTokenHandler. In WIF this is the core class for deserialising and serialising security tokens.

The class has a ReadToken(String) method that will take your base64 encoded JWT string and returns a SecurityToken which represents the JWT.

The SecurityTokenHandler also has a ValidateToken(SecurityToken) method which takes your SecurityToken and creates a ReadOnlyCollection<ClaimsIdentity>. Usually for JWT, this will contain a single ClaimsIdentity object that has a set of claims representing the properties of the original JWT.

JwtSecurityTokenHandler defines some additional overloads for ValidateToken, in particular, it has a ClaimsPrincipal ValidateToken(JwtSecurityToken, TokenValidationParameters) overload. The TokenValidationParameters argument allows you to specify the token signing certificate (as a list of X509SecurityTokens). It also has an overload that takes the JWT as a string rather than a SecurityToken.

The code to do this is rather complicated, but can be found in the Global.asax.cx code (TokenValidationHandler class) in the developer sample called “ADAL – Native App to REST service – Authentication with ACS via Browser Dialog”, located at

http://code.msdn.microsoft.com/AAL-Native-App-to-REST-de57f2cc

Alternatively, the JwtSecurityToken class has additional methods that are not on the base SecurityToken class, such as a Claims property that gets the contained claims without going via the ClaimsIdentity collection. It also has a Payload property that returns a JwtPayload object that lets you get at the raw JSON of the token. It depends on your scenario which approach it most appropriate.

The general (i.e. non JWT specific) documentation for the SecurityTokenHandler class is at

http://msdn.microsoft.com/en-us/library/system.identitymodel.tokens.securitytokenhandler.aspx

Depending on your application, you can configure the JWT handler into the WIF pipeline exactly like any other handler.

There are 3 samples of it in use in different types of application at

http://code.msdn.microsoft.com/site/search?f%5B0%5D.Type=SearchText&f%5B0%5D.Value=aal&f%5B1%5D.Type=User&f%5B1%5D.Value=Azure%20AD%20Developer%20Experience%20Team&f%5B1%5D.Text=Azure%20AD%20Developer%20Experience%20Team

Probably, one will suite your needs or at least be adaptable to them.

More Related Contents:

  1. What is the difference between IQueryable and IEnumerable?
  2. Could you explain STA and MTA?
  3. ControlTemplate for existing controls in WPF
  4. Calculate week of month in .NET
  5. Is Mono ready for prime time? [closed]
  6. How to force a Solution file (SLN) to be opened in Visual Studio 2013?
  7. What problem does IStructuralEquatable and IStructuralComparable solve?
  8. Custom app.config Config Section Handler
  9. Cannot send a content-body with this verb-type
  10. I want Spy++ but I don’t have Visual Studio [closed]
  11. Referencing Google’s V8 engine from a .NET app
  12. Windows 7 .net Excel .SaveAs() Error Exception from HRESULT: 0x800A03EC
  13. How to improve painting performance of DataGridView?
  14. ASP.NET MVC 3 Model Binding Resources
  15. “The calling thread must be STA, because many UI components require this” error when creating a WPF pop-up Window in thread
  16. How are .NET 4 GUIDs generated?
  17. How to use Observable.FromEvent instead of FromEventPattern and avoid string literal event names
  18. System.IO.FileSystemWatcher to monitor a network-server folder – Performance considerations
  19. Drag and drop a DLL to the GAC (“assembly”) in windows server 2008 .net 4.0
  20. How do you databind to a System.Windows.Forms.Treeview control?
  21. Get a list of groups that Azure AD user belongs to in claims
  22. What should be the lifetime of an NHibernate session?
  23. Change selected and unfocused Listbox style to not be grayed out
  24. Detecting what the target object is when NullReferenceException is thrown
  25. What’s the different between ASP.NET AJAX pageLoad() and JavaScript window.onload?
  26. Default ContextMenu Style – WPF
  27. .net: How to parse a date with this format: 08 Feb 2011 06:46
  28. Looking for a practical approach to sandboxing .NET plugins
  29. Using Entity Framework entities as business objects?
  30. How to force WPF to use resource URIs that use assembly strong name? Argh!

Leave a Comment