This project is to illustrate how you can create and validate JWTs in C# on the .NET Framework (or .NET Core 2.0 in this case)

Note: You should almost never need to actually do this yourself, you'd be better off using an off the shelf product to build your tokens, eg: http://www.keycloak.org/ you'll reduce your maintenance costs, reduce the chance of missing security vulnerabilities, and end up with something that you can use to fedarate identity across your products rather than having the nightmare of an identity provider per team.

In some cases I've come across projects that need to shoe horn something in, so this is intended to help get you over the line with an upgrade path that doesn't involve ripping and replacing the entire identity system all at once.

I've never really understood the pros and cons of the many many different private/public key file formats.
I'm used to using PEMs as generated by openSSL so that's what I've used here.
It seems jose-jwt wants p12 files, so I'm using bouncy-castle to convert between the two. If you generate p12 files up front, you can eliminate the bouncy-castle dependency.

The commands I've used to generate the private key and then public key are as follows:

openssl genrsa -out private.pem 1024
openssl rsa -in private.pem -out public.pem -outform PEM -pubout

If you want to know how JWT works in depth, read https://tools.ietf.org/html/rfc7519

The below list of claims is an example payload. You can add custom claims to the payload, however that'll add complexity when moving to an OTS solution.

List<Claim> claims = new List<Claim> { 
    claim("clientId", "CLIENT-ID-GOES-HERE"), 
    claim("sub", "USER-IDENTIFIER-GOES-HERE"),
    claim("iss", "AUTH-SERVER-IDENTIFIER-GOES-HERE"),
    claim("iat", unixTime(now)),
    claim("exp", unixTime(now.AddMinutes(60)))
};

The function:

public static string CreateToken(List<Claim> claims, string key)

Will create an RS256 signed, but not encrypted token with that set of claims.
You can test it using: https://jwt.io

Again, you typically shouldn't do this yourself, most web frameworks include libraries that will do this for you.
If you're working against an OpenID Connect implementation, these libraries will often retreive the public key from the token provider via a separate http request (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse)

The function:

public static string DecodeToken(string token, string key) 

Will take a JWT, a pem containing a public key, validate the JWT signature, and return a json string representing the token payload.

If the signature is invalid, it will throw a Jose.IntegrityException

Note: this function does not validate any of the claims. In order to do that you need to de-serialize the JSON string (out of scope) At minimum you should verify the issuer, the iat was in the past, and the exp is in the future.