Question

I need to implement JWT tokens in my ASP.NET Core API app to handle authorization.

My question is, what is the risk of generating my own JWT token within my API app as opposed to having it handled for me through a third party solution such as Azure Active Directory B2C or Identity Server?

There's a nice article written about handling JWT token creation in ASP.NET Core apps and it seems easy enough and at first glance, I'm not seeing any of the disadvantages of creating my own JWT tokens within my own app.

Here's the article: http://www.blinkingcaret.com/2017/09/06/secure-web-api-in-asp-net-core/

I'd appreciate someone giving the other side of the story so that I can make a healthy decision. Thanks.


Solution

Chances are, there are going to be more applications that need to generate tokens.

Most companies want to centralize security. To that end, they don't want individual applications generating tokens. Instead they create a component that handles the JWT aspect and expect applications to use the component via a Nuget package. Most likely this component will be a part of the middleware pipeline. Then all applications use/generate JWT tokens the same way.

Some sample component code:

    using Microsoft.AspNetCore.Builder;

    public static class JwtMiddlewareExtensions
    {
        // Registers the shared JWT middleware in the pipeline; JwtMiddleware is the
        // package's own middleware type (name assumed here, the original only showed the signature).
        public static IApplicationBuilder UseJwtMiddleware(this IApplicationBuilder builder)
            => builder.UseMiddleware<JwtMiddleware>();
    }

Provided the Nuget package has been downloaded, then in startup to use the component:

    protected virtual void ConfigureAuthorization(IApplicationBuilder app)
    {
        app.UseJwtMiddleware();
    }

If we need a full integration test we can override the security authorization with our own.

    protected override void ConfigureAuthorization(IApplicationBuilder app)
    {
        app.UseMiddleware<AuthMiddleware>();
    }

where AuthMiddleware is a local implementation that looks something like this:

    using System.Security.Principal;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Http;
    public class AuthMiddleware
    {
        private readonly RequestDelegate _next;
        public AuthMiddleware(RequestDelegate next) => _next = next;
        public async Task Invoke(HttpContext context)
        {
            // Test-only identity in the "CREATE" role; bypasses the real JWT check.
            var identity = (IIdentity)new GenericIdentity("myuserid", "JWT");
            var principal = new GenericPrincipal(identity, new[] { "CREATE" });
            context.User = principal; // HttpContext.User is the supported way to set the principal
            await _next.Invoke(context);
        }
    }
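To make the "one shared component" idea concrete, here is an added example (not from the answer, the linked article, or any real NuGet package) of what the `JwtMiddleware` that `UseJwtMiddleware()` registers could look like. It assumes a small `JwtOptions` class (hypothetical) holding the issuer, audience and HMAC key that every application in the company is given, and uses the `JwtSecurityTokenHandler` / `TokenValidationParameters` types from `System.IdentityModel.Tokens.Jwt` and `Microsoft.IdentityModel.Tokens`. The point it demonstrates is that issuer, audience, lifetime, signing key and algorithm are all pinned in one place, so no individual application can accidentally accept a token with a looser check.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.IdentityModel.Tokens;

// Hypothetical settings object supplied once by the company-wide package.
public class JwtOptions
{
    public string Issuer { get; set; }
    public string Audience { get; set; }
    public byte[] SigningKey { get; set; }   // at least 32 bytes for HS256
}

// Hypothetical shared middleware: every app validates tokens exactly the same way.
public class JwtMiddleware
{
    private static readonly JwtSecurityTokenHandler Handler = new JwtSecurityTokenHandler();
    private readonly RequestDelegate _next;
    private readonly TokenValidationParameters _validation;

    public JwtMiddleware(RequestDelegate next, JwtOptions options)
    {
        _next = next;
        _validation = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = options.Issuer,
            ValidateAudience = true,
            ValidAudience = options.Audience,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(options.SigningKey),
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),   // tighter than the library default
        };
    }

    public async Task Invoke(HttpContext context)
    {
        var header = context.Request.Headers["Authorization"].ToString();
        if (!header.StartsWith("Bearer ", StringComparison.Ordinal))
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        var token = header.Substring("Bearer ".Length);
        try
        {
            var principal = Handler.ValidateToken(token, _validation, out var validated);

            // Pin the algorithm as well: a token signed with anything other than HS256
            // (including "none") is rejected even if the other checks pass.
            if (!(validated is JwtSecurityToken jwt) || jwt.Header.Alg != SecurityAlgorithms.HmacSha256)
            {
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return;
            }

            context.User = principal;
        }
        catch (SecurityTokenException)
        {
            // Expired, wrong issuer/audience, bad signature, malformed: all end up here.
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        await _next(context);
    }
}

public static class JwtMiddlewareExtensions
{
    // Registered from the startup shown in the answer; the options come from the package, not the app.
    public static IApplicationBuilder UseJwtMiddleware(this IApplicationBuilder builder, JwtOptions options)
        => builder.UseMiddleware<JwtMiddleware>(options);
}
```

Because the validation parameters are constructed inside the package, an application that pulls the NuGet reference cannot turn off lifetime or signature checking by mistake, and a key rotation or an algorithm change is a single package update rather than an audit of every API in the company. That is the disadvantage of the "generate my own tokens in each app" approach the question asks about: each app becomes its own place where those checks can drift.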
Licensed under: CC-BY-SA with attribution
Not affiliated with softwareengineering.stackexchange