xabaril / jwtsimpleserver Goto Github PK

Adding a JWK for signing would be very useful.
I was not able to find how to use the provided JWK class referenced in the project instead of a signingKey for signing the JWT and there is a use case I am very interested in where the received token is signed using a JWK instead of a signingKey.

thank u.

how can

async ValidateClientAuthenticationAsync ??

`public async Task ValidateClientAuthenticationAsync(JwtSimpleServerContext context)
{
var user = await _userManager.FindByNameAsync(context.UserName);

        if (user == null)
        {
            context.Reject("Invalid user authentication");
        }

        var signInResult = await _signInManager.CheckPasswordSignInAsync(user, context.Password, false);

        if (signInResult.Succeeded)
        {
            var claims = new List<Claim>();
            claims.Add(new Claim(ClaimTypes.Name, "demo"));

            context.Success(claims);
        } else {
            context.Reject("Invalid user authentication");
        }

        return Task.CompletedTask;
    }`

Hi, when we are doing the request of token from our frontend is possible to fetch the data but the response throws the error No 'Access-Control-Allow-Origin'.

Error:
Access to XMLHttpRequest at 'http://localhost:53348/Token' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

If in the WriteResponseAsync we set the header with => context.Response.Headers["Access-Control-Allow-Origin"] = "*"; we can fetch the data correctly.

private Task WriteResponseAsync(
int statusCode,
HttpContext context,
string content = "",
string contentType = "application/json")
{
context.Response.Headers["Content-Type"] = contentType;
context.Response.StatusCode = statusCode;
return context.Response.WriteAsync(content);
}

Thanks!

Reported possible bug with CORS middleware and server

I'm refreshing every 30 sec:

const config = { headers: {'Content-Type': 'application/x-www-form-urlencoded' }}

axios.post('/token', qs.stringify({ refresh_token: refreshToken, grant_type: 'refresh_token' }), config)

For each request, the returned access_token increases in size. After ~1-2hrs it's about 20k.

Edit: decoded the token and DateCreated is added each time:

...
"DateCreated": [
"08.10.2019 07.09.49",
"08.10.2019 07.10.18",
"08.10.2019 07.10.48",
"08.10.2019 07.11.18",
"08.10.2019 07.11.48",
"08.10.2019 07.12.18",
"08.10.2019 07.12.48",
...

https://github.com/Xabaril/JWTSimpleServer/blob/master/src/JWTSimpleServer/JwtTokenEncoder.cs#L30

i want change this in option. please.

public Func Expires = () => DateTime.UtcNow.AddMinutes(15);

We should not expose refresh token to the UI. Right?

How would you handle it in right way?

https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/

Document public classes and methods.

Support for .net core 2.2?

Hi,

Are there any plans to upgrade this to .NET Core 3.1? Please guide.

Thanks.

Improve sample playground appearance without adding additional frameworks.

The IAuthenticationProvider should be flexible for those scenarios where the user may not login using the username but an email and password.

I know that with the current implementation I can just make the clients send the email in the "username" and it will work but it is not nice for the clients to do that.

Response for preflight has invalid HTTP status code 401.

Within my implementation of IAuthenticationProvider. I'm using Microsoft.AspNetCore.Identity to validate user and password.

And from what I know SignInManager and UserManager are registered as scope. But I agree that IAuthenticationProvider should be registered as Singleton as we don't need more than 1 instance of it.

So should I do: AddScoped<IAuthenticationProvider, CustomAuthenticationProvider>()

or what I think is a better solution, I will inject into CustomAuthenticationProvider, IServiceScopeFactory and do:

using (var scope = serviceScopeFactory.CreateScope()) { var signInManager = scope.ServiceProvider.GetService<SignInManager<ApplicationUser>>(); var userManager = scope.ServiceProvider.GetService<UserManager<ApplicationUser>>(); var findUser = await userManager.FindByNameAsync(user); var result = await signInManager.CheckPasswordSignInAsync(findUser, password, false); return result.Succeeded; }

Many thanks

How would you implement the control of user roles?