ASP.NET Core에서 대칭 암호화를 사용한 JWT 인증

JWT Token is a common way of creating access tokens that can contain several claims (e.g. Username, Roles). JWT Token means JSON (JavaScript Object Notation) Web Token. Every JWT Token has the following structure:

• Header, containing the encryption algorithm;
• Payload, containing custom Claims, plus at least two required claims:
  • exp  representing the expiration time when the Token will become unavailable;
  • iat  or Issued at Time, the time when the Token was created;\ The times are formatted using the Unix Timestamp format (e.g. 1582784721).
• Signature, representing the encoded header, plus  a dot , plus the encoded payload, plus a secret key. The concatenated result will be run through the encryption algorithm specified on the Header to validate the Token.

The Symmetric Key is used both for signing and validation. For example, let's say John wants to share a secret with Jane, when the secret is told, John also tells Jane a password - the key - in order for the secret to being understood. In this way, John - the identity provider or the service - ensures that his secret is well kept by using the given password.

In the  ConfigureServices  method from the  Startup  class, the  AppSettings  section needs to be read. To read a type from the configuration file, a class must be created, so for the  AppSettings  section an equivalent class needs to exists, as is shown below. This class can be seen as a Data Transfer Object, which contains plain properties.

public class AppSettings
{
    public string EncryptionKey { get; set; }
}

After the section is read, the  EncryptionKey  needs to be converted into bytes.

public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers();

    IConfigurationSection settingsSection = configuration.GetSection("AppSettings");
    AppSettings settings = settingsSection.Get<AppSettings>();
    byte[] signingKey = Encoding.UTF8.GetBytes(settings.EncryptionKey);

    services.AddAuthentication(signingKey);

    services.Configure<AppSettings>(settingsSection);
    services.AddTransient<AuthenticationService>();
    services.AddTransient<UserService>();
    services.AddTransient<TokenService>();
}

On  line 9  the  Authentication  service is added into the App container, this service is responsible, for managing  Authentication  settings, like  IssuerSigningKey  or  LifeTimeValidation .\
For this step, an extension method is created called  AddAuthentication , which receives the  service  and the  signingKey  converted earlier.\
From  line 11  to  14 , the services are configured for the Dependency Injection, we will return to the implementation of these services in a moment.

public static IServiceCollection AddAuthentication(this IServiceCollection services,
    byte[] signingKey)
{
    services.AddAuthentication(authOptions =>
        {
            authOptions.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            authOptions.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(jwtOptions =>
        {
            jwtOptions.SaveToken = true;
            jwtOptions.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateAudience = false,
                ValidateIssuer = false,
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(signingKey),
                ValidateLifetime = true,
                LifetimeValidator = LifetimeValidator
            };
        });

    return services;
}

The  authenticationOptions  need to configure the  Authenticate  and  Challenge  Schemes, in order to verify that the endpoint(s) which receives a JWT Token will go through the validation step, as is described below starting from  line 12 . The same Schema will be seen on the endpoints that use the  AuthorizeAttribute .\
Then the  JwtBearer  is added to the  Authentication  process, using the following properties:

• SaveToken  is self-explanatory. It's used to persist the Token into local storage. The token will be valid even if the service restarts, so its lifetime is different from the application;
• ValidateAudience  and  ValidateIssuer  must be used for the service to skip or to validate the Audience or the Issuer. The Audience refers to the server or the Identity Provider, in this case, our ASP.NET Service. And the  Issuer  refers to the client(s) that makes HTTP request(s). For the sake of this example, both are set  false . Please note that even if you don't want to validate the  Audience  or/and the  Issuer  these values must be set;
• ValidateIssuerSigningKey  needs to be set to  true , in order to validate the received Token;
• For  IssuerSigningKey  will use the  SymmetricSecurityKey , the same approach will be also used when the Token will be created.
• LifeTimeValidator  is important if the generated  Token  has set an expiration time.

User's Credentials will be used as a Data Transfer Object, this class will be received on the authentication endpoint and sent to the  AuthenticationService . It's a plain class that contains only the  Username  and the  Password  of the user.

public class UserCredentials
{
    public string Username { get; set; }
    public string Password { get; set; }
}

The  AuthenticationService  is used like a middleware that receives the  UserCredentials  from the  Controller , validates them using the  UserService  and if the credentials are valid, it creates a Token using the  TokenService . Both the  User  and  Token  services are injected into the constructor.

public string Authenticate(UserCredentials userCredentials)
{
    userService.ValidateCredentials(userCredentials);
    string securityToken = tokenService.GetToken();

    return securityToken;
}

For the sake of this example, the  UserService  contains a list of users created on the constructor. In a real-life scenario, this will be read from storage or from a service.

public class UserService
{
    private readonly IEnumerable<UserCredentials> users;

    public UserService()
    {
        users = new List<UserCredentials>
        {
            new UserCredentials
            {
                Username = "john.doe",
                Password = "john.password"
            }
        };
    }
...

This is more like a  UserValidation  service, but to better illustrate that it also reads the users, the  UserService  name will be kept.

...
    public void ValidateCredentials(UserCredentials userCredentials)
    {
        bool isValid =
            users.Any(u =>
                u.Username == userCredentials.Username &&
                u.Password == userCredentials.Password);

        if (!isValid)
        {
            throw new InvalidCredentialsException();
        }
    }
}

The  ValidateCredentials  method checks if the  username  and  password  pair exists, and if it doesn't it will throw the  InvalidCredentialsException  which will be caught on the  Controller .

TokenService  is receiving on the constructor the  AppSettings , which will be used on the  GetTokenDescriptor  method to set up the Token.

public class TokenService
{
    private readonly AppSettings appSettings;

    public TokenService(IOptions<AppSettings> options)
    {
        appSettings = options.Value;
    }
...

The public  GetToken  method is used to get the token description, to create the Token and write it into a string, that will be returned to the calling service, in this case to the  AuthenticationService .

public string GetToken()
{
    SecurityTokenDescriptor tokenDescriptor = GetTokenDescriptor();
    var tokenHandler = new JwtSecurityTokenHandler();
    SecurityToken securityToken = tokenHandler.CreateToken(tokenDescriptor);
    string token = tokenHandler.WriteToken(securityToken);

    return token;
}

On the  GetTokenDescriptor  method, the token is constructed. In this method, the  ExpirationTime  and  SigningCredentials  are set. Because the Claims are not in the main focus of this article, I will create another one, in which I will explain how the Claims can be set on the Token and how they can be used.

private SecurityTokenDescriptor GetTokenDescriptor()
{
    const int expiringDays = 7;

    byte[] securityKey = Encoding.UTF8.GetBytes(appSettings.EncryptionKey);
    var symmetricSecurityKey = new SymmetricSecurityKey(securityKey);

    var tokenDescriptor = new SecurityTokenDescriptor
    {
        Expires = DateTime.UtcNow.AddDays(expiringDays),
        SigningCredentials = new SigningCredentials(symmetricSecurityKey, SecurityAlgorithms.HmacSha256Signature)
    };

    return tokenDescriptor;
}

Now, all we have to do, is to create an  AuthenticationController  which receives the  UserCredentials  and uses the previously created  AuthenticationService .\
On the constructor the  AuthenticationService  is injected, to be used on the  Authentication  endpoint.

[Route("identity/[controller]")]
public class AuthenticationController : ControllerBase
{
    private readonly AuthenticationService authenticationService;

    public AuthenticationController(AuthenticationService authenticationService)
    {
        this.authenticationService = authenticationService;
    }
...

The authentication endpoint accepts HTTP Post requests, receives the  UserCredentials  as previously mentioned, and uses the  AuthenticationService  to authenticate and create the Token.

...
    [HttpPost]
    public IActionResult Authenticate([FromBody] UserCredentials userCredentials)
    {
        try
        {
            string token = authenticationService.Authenticate(userCredentials);
            return Ok(token);
        }
        catch (InvalidCredentialsException)
        {
            return Unauthorized();
        }
    }
}

If the credentials are valid, then the endpoint will return an  OK  HTTP Status code and the generated token. Otherwise, if the  InvalidCredentialsException  is thrown, the  Unauthorized  HTTP Status code is returned.

The purpose of the  ValidationController  is to check that the signing process is working, in order to validate the Token.

Route("identity/[controller]")]
public class ValidationController : ControllerBase
{
    [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
    public IActionResult Validate()
    {
        return Ok();
    }
}

You may notice that the  Validate  endpoint has the  AuthorizeAttribute  which has on its constructor the same  AuthenticationSchemes  as was set on the  Authentication  service.

Firstly, the happy flow for the  AuthenticationController  is tested, so we'll provide the correct combination of the username and password, in order to receive the token.