NetDevPack / Security.Jwt

Jwt Manager. Set of components to deal with Jwt Stuff. Automate your key rotating, add support for jwks_uri. Store your cryptography keys in a secure place.


Question: Adding support for EncryptingCredentials

rebeccapowell opened this issue · comments

When defining the SecurityTokenDescriptor, you can not only set the SigningCredentials, but the EncryptingCredentials as well.

Is there a way to use the same key to set the EncryptingCredentials as well? I've been trying the following, but I've been getting an exception, and I'm not sure how to solve it:

private string EncodeToken(ClaimsIdentity identityClaims)
{
	var tokenHandler = new JwtSecurityTokenHandler();
	var currentIssuer = $"{ControllerContext.HttpContext.Request.Scheme}://{ControllerContext.HttpContext.Request.Host}";
	var key = _jwksService.GetCurrent();

	var encryptingCredentials = new EncryptingCredentials(key.Key, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes128CbcHmacSha256);
	var token = tokenHandler.CreateToken(new SecurityTokenDescriptor
	{
		Issuer = currentIssuer,
		Subject = identityClaims,
		Expires = DateTime.UtcNow.AddHours(1),
		SigningCredentials = key,
		EncryptingCredentials = encryptingCredentials
	});

	return tokenHandler.WriteToken(token);
}

Exception is:

Microsoft.IdentityModel.Tokens.SecurityTokenEncryptionFailedException: IDX10615: Encryption failed. No support for: Algorithm: '', SecurityKey: 'Microsoft.IdentityModel.Tokens.JsonWebKey, Use: 'sig',  Kid: '0EfgPGGNZBsnn69wrnwLzg', Kty: 'EC', InternalId: '2cIn0xM5H76UBp4u-Bx2MRU-S2YAS0XsHqe67NE4Cbk'.'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateEncryptedToken(JwtSecurityToken innerJwt, EncryptingCredentials encryptingCredentials)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateJwtSecurityTokenPrivate(String issuer, String audience, ClaimsIdentity subject, Nullable`1 notBefore, Nullable`1 expires, Nullable`1 issuedAt, SigningCredentials signingCredentials, EncryptingCredentials encryptingCredentials)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateToken(SecurityTokenDescriptor tokenDescriptor)

@brunohbrito Can you check this?

Hi @rebeccapowell

By default this component uses ECDsa to generate the keys, and from your example we can see you are trying to use RSA:

new EncryptingCredentials(key.Key, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes128CbcHmacSha256);

If you go to your startup.cs and change it to:

services.AddJwksManager(options => options.Algorithm = Algorithm.RS256)

Then it should work.

This component was designed to work with JWS. The algorithms it supports are those listed in RFC 7518 - JWS section. Maybe there are some differences with the JWE algs.

I'll work on a version to support JWE algs.
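A worked round trip of what the answer describes, added here and not code from the NetDevPack project or from either participant: it uses plain Microsoft.IdentityModel RSA keys (generated in process, an assumption in place of the JwksManager key) so that RSA-OAEP key wrap is possible, signs and encrypts the token, then validates and decrypts it. Separate keys are used for signing and encryption, matching the use:'sig' marking on the JWK shown in the exception; the issuer URL is a placeholder.

```csharp
// Added example (not NetDevPack code). Assumes Microsoft.IdentityModel.Tokens and
// System.IdentityModel.Tokens.Jwt are referenced; keys are generated in process.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class JweRoundTrip
{
    // RSA-OAEP is an RSA key-wrap algorithm, so it needs an RSA key; the EC key
    // in the issue is why IDX10615 reports "No support for".
    // Signing and encryption get separate keys (the JWK in the error is use:'sig').
    static readonly RsaSecurityKey SigningKey =
        new RsaSecurityKey(RSA.Create(2048)) { KeyId = "sig-1" };
    static readonly RsaSecurityKey EncryptionKey =
        new RsaSecurityKey(RSA.Create(2048)) { KeyId = "enc-1" };

    public static string Encode(ClaimsIdentity identity, string issuer)
    {
        var handler = new JwtSecurityTokenHandler();
        var token = handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = issuer,
            Subject = identity,
            Expires = DateTime.UtcNow.AddHours(1),
            SigningCredentials =
                new SigningCredentials(SigningKey, SecurityAlgorithms.RsaSha256),
            EncryptingCredentials = new EncryptingCredentials(
                EncryptionKey, SecurityAlgorithms.RsaOAEP,
                SecurityAlgorithms.Aes128CbcHmacSha256)
        });
        return handler.WriteToken(token); // compact JWE (5 parts) wrapping the inner JWS
    }

    public static ClaimsPrincipal Decode(string jwe, string issuer)
    {
        var handler = new JwtSecurityTokenHandler();
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidateAudience = false,
            IssuerSigningKey = SigningKey,     // verifies the inner JWS signature
            TokenDecryptionKey = EncryptionKey // unwraps the CEK and decrypts the payload
        };
        return handler.ValidateToken(jwe, parameters, out _);
    }
}
```

Calling Encode with a ClaimsIdentity and then Decode on the result returns a principal carrying the original claims; the compact token has five dot-separated parts (the JWE envelope) rather than the three of a plain JWS.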

@rebeccapowell Hi!

There is support for JWE now. Search for NetDevPack.Security.Jwt. And it's fully integrated with ASP.NET Core DataProtection to store keys.