Where to store user id in jwt

The sub claim is the right claim for the user identifier. The aud claim identifies the intended recipient of the JWT and the iss claim identifies the issuer/creator. Any other interpretations of these claims are not standard-compliant, see: https://www.rfc-editor.org/rfc/rfc7519#section-4.1

The audience is invalid error

See here for what this claim is about: The aud (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the aud claim …

JWT and CSRF differences

An authentication system based on tokens (JWT or random) stored in cookies is vulnerable to CSRF attacks, because cookies are sent automatically to the server in each request and an attacker could build a harmful URL link to your site: https://yoursite.com/delete?something=1 To protect your site you need to use a CSRF token that your application …

JWT Private / Public Key Confusion

With JWT, the possession and the use of the key materials are exactly the same as in any other context where cipher operations occur. For signing: The private key is owned by the issuer and is used to compute the signature. The public key can be shared with all parties that need to verify the signature. …

Usage of nbf in json web tokens

It definitely is up to how you interpret the time. One of the possible scenarios I could make up is literally when a token must last from some particular point in time until another point in time. Say you’re selling some API or resource, and a client purchased access that lasts for one hour and …

Why header and payload in the JWT token always starts with eyJ

JWTs consist of base64url-encoded JSON, and a JSON structure just starts with {"…, which becomes ey… when encoded with a base64 encoder. The JWT header starts with {"alg":…, which then becomes eyJ… You can try on this online encoder and enter {"alg" and click on encode. The result will be eyJhbGciPSA=

How do I get current user in .NET Core Web API (from JWT Token)

The accepted answer did not work for me. I’m not sure if that’s caused by me using .NET Core 2.0 or by something else, but it looks like the framework maps the Subject claim to a NameIdentifier claim. So, the following worked for me: string userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value; Note that this assumes the Subject sub …

What format is the exp (Expiration Time) claim in a JWT

RFC 7519 states that the exp and iat claim values must be NumericDate values. NumericDate is the last definition in Section 2, Terminology, and is defined as the number of seconds (not milliseconds) since the Epoch: A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds. …