asp.net mvc 3 - JWT authentication using OWIN pipeline failing for certain requests


I am facing a problem with JWT bearer authentication using the OWIN pipeline: it fails with unauthorized access for requests coming from a particular region.

We have an MVC application that generates the token. Users log in to the portal using the MVC application, and on the client side the token is stored in cookies. The client side sends the JWT access token in the Authorization header with every request to the resource server (Web API 2). This works fine for the majority of requests but does not work for users belonging to one region.

Token generation logic in the MVC application:

    using System;
    using System.Collections.Generic;
    using System.Configuration;
    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Claims;
    using System.Threading;
    using System.Web.Http;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.Owin.Security.DataHandler.Encoder;

    [Authorize]
    public class TokenController : ApiController
    {
        public Token Get()
        {
            string audienceId = ConfigurationManager.AppSettings["as:audienceid"];
            string symmetricKeyAsBase64 = ConfigurationManager.AppSettings["as:audiencesecret"];
            var keyByteArray = TextEncodings.Base64Url.Decode(symmetricKeyAsBase64);

            // Symmetric key shared with the resource server; HMAC-SHA256 signing
            var securityKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(keyByteArray);
            var signingCredentials = new Microsoft.IdentityModel.Tokens.SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature);

            var issued = DateTimeOffset.Now.ToUniversalTime(); // data.Properties.IssuedUtc;
            var expires = DateTimeOffset.Now.AddHours(1).ToUniversalTime();
            var _issuer = ConfigurationManager.AppSettings["as:issuer"];

            var claims = new List<Claim>();
            claims.Add(new Claim(ClaimTypes.Name, Thread.CurrentPrincipal.Identity.Name));
            // TODO: add here any other claims you need

            var token = new JwtSecurityToken(_issuer, audienceId, claims, issued.UtcDateTime, expires.UtcDateTime, signingCredentials);
            var handler = new JwtSecurityTokenHandler();
            var jwt = handler.WriteToken(token);

            var tokenObject = new Token
            {
                AccessToken = jwt,
                TokenType = "bearer",
                // Lifetime in seconds, as an OAuth expires_in value is expected to be
                ExpiresIn = (int)(expires - issued).TotalSeconds
            };
            return tokenObject;
        }
    }

WebApiConfig.cs:

    using System.Web.Http;

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            config.MapHttpAttributeRoutes();
            config.EnableCors();
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{action}/{id}",
                defaults: new { action = "Index", id = RouteParameter.Optional }
            );
            // Every API controller requires an authenticated caller unless it opts out
            config.Filters.Add(new AuthorizeAttribute());
        }
    }

OWIN Startup class:

    using System.Configuration;
    using Microsoft.Owin;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.DataHandler.Encoder;
    using Microsoft.Owin.Security.Jwt;
    using Owin;

    [assembly: OwinStartup(typeof(WebApi.Startup))]

    namespace WebApi
    {
        public class Startup
        {
            public void Configuration(IAppBuilder app)
            {
                ConfigureOAuthTokenConsumption(app);
            }

            private void ConfigureOAuthTokenConsumption(IAppBuilder app)
            {
                string issuer = ConfigurationManager.AppSettings["as:issuer"];
                string audienceId = ConfigurationManager.AppSettings["as:audienceid"];
                byte[] audienceSecret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["as:audiencesecret"]);

                // API controllers with an [Authorize] attribute are validated against the JWT
                app.UseJwtBearerAuthentication(
                    new JwtBearerAuthenticationOptions
                    {
                        AuthenticationMode = AuthenticationMode.Active,
                        AllowedAudiences = new[] { audienceId },
                        IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
                        {
                            new SymmetricKeyIssuerSecurityTokenProvider(issuer, audienceSecret)
                        }
                    });
            }
        }
    }

I have tried troubleshooting the issue but have not found a helpful fix. I have cross-verified the following points:

  • The client side is sending the token with every request. On a failure with a 401 status code, it renews the access token and sends the updated token to the API, which fails again.
  • The public key and private key are the same in both the MVC and Web API applications; otherwise the resource server would have returned a 401 status code for every request.

One thing I am not sure about is whether there is a network-level setting or VPN setting that can tamper with or omit request headers or the Authorization header.
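The two questions left open above (does the Authorization header still reach the resource server, and does the token the server receives line up with the server's clock) can be answered from the server side without guessing. The OWIN middleware below is an added example of my own, not code from the question or from the Microsoft.Owin packages; it assumes Newtonsoft.Json (already referenced by Web API 2) and the same Microsoft.Owin.Security assemblies the startup class uses, and the namespace, class names and log wording are my choice. It records, for each request that ends in a 401, whether a bearer token arrived at all and how the token's exp/nbf claims compare with the server's UTC time. It deliberately does not validate the signature (the JWT middleware still does that) and never writes the token itself to the log.

```csharp
using System;
using System.Diagnostics;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.DataHandler.Encoder;
using Newtonsoft.Json.Linq;
using Owin;

namespace WebApi.Diagnostics // hypothetical namespace, not part of the question's project
{
    // Logs, for every request that is rejected with 401, whether an Authorization
    // header reached this server and how the token's time claims compare with the
    // server clock. The raw token is never written out.
    public class BearerDiagnosticsMiddleware : OwinMiddleware
    {
        private static readonly DateTime UnixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

        public BearerDiagnosticsMiddleware(OwinMiddleware next) : base(next) { }

        public override async Task Invoke(IOwinContext context)
        {
            // Summarise the header as it arrived, before any later middleware touches it
            string summary = Describe(context.Request.Headers.Get("Authorization"));

            await Next.Invoke(context);

            // Log only the failures so the affected region's requests stand out
            if (context.Response.StatusCode == 401)
            {
                Trace.TraceWarning("401 for {0} {1} from {2}: {3}",
                    context.Request.Method, context.Request.Path, context.Request.RemoteIpAddress, summary);
            }
        }

        // Builds a one-line description of the bearer token's issuer, audience and
        // time claims. The payload is only base64url-decoded, not verified.
        public static string Describe(string authorizationHeader)
        {
            if (string.IsNullOrEmpty(authorizationHeader))
                return "no Authorization header";
            if (!authorizationHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
                return "Authorization header present but not the Bearer scheme";

            string[] parts = authorizationHeader.Substring("Bearer ".Length).Trim().Split('.');
            if (parts.Length != 3)
                return "bearer token present but not a three-part JWT (" + parts.Length + " parts)";

            JObject payload;
            try
            {
                payload = JObject.Parse(Encoding.UTF8.GetString(TextEncodings.Base64Url.Decode(parts[1])));
            }
            catch (Exception ex)
            {
                return "bearer token payload could not be decoded: " + ex.GetType().Name;
            }

            long nowUnix = (long)(DateTime.UtcNow - UnixEpoch).TotalSeconds;
            long? exp = (long?)payload["exp"];
            long? nbf = (long?)payload["nbf"];

            var sb = new StringBuilder();
            sb.AppendFormat("iss={0} aud={1} ", payload["iss"], payload["aud"]);
            if (exp.HasValue)
                sb.AppendFormat("exp is {0}s {1} server time ", Math.Abs(exp.Value - nowUnix), exp.Value < nowUnix ? "before" : "after");
            else
                sb.Append("no exp claim ");
            if (nbf.HasValue && nbf.Value > nowUnix)
                sb.AppendFormat("nbf is {0}s in the future ", nbf.Value - nowUnix);
            return sb.ToString().TrimEnd();
        }
    }

    public static class BearerDiagnosticsExtensions
    {
        // Register this before app.UseJwtBearerAuthentication(...) in Startup so the
        // header is inspected exactly as it arrived at the resource server.
        public static IAppBuilder UseBearerDiagnostics(this IAppBuilder app)
        {
            return app.Use<BearerDiagnosticsMiddleware>();
        }
    }
}
```

Call `app.UseBearerDiagnostics();` as the first line of `ConfigureOAuthTokenConsumption` and compare the trace lines for requests from the affected region with those from a region that works: "no Authorization header" points at something between the client and the server dropping the header, whereas a token whose `exp` is already before server time or whose `nbf` is in the future points at a clock or lifetime mismatch between the issuing MVC application and the resource server. Both of the original Token controller's time values are taken from `DateTimeOffset.Now` on the issuing machine, so the clocks of the two servers are part of what this check compares.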
