Introduction to Security.Jwt Project
The Security.Jwt
project is an innovative tool designed for managing JSON Web Tokens (JWTs) in .NET applications. Specifically, it aims to enhance the security of JWTs by handling cryptographic key management efficiently and securely. It addresses one of the primary challenges in key management: distributing keys in a secure manner.
Key Features
- Public Key Cryptosystem: The project employs a public key cryptosystem, enabling the sharing of public keys via a standardized JSON Web Key Set (JWKS) URI like
https://<your_api_address>/jwks
. - Automatic Key Management: Automatically generates RSA or ECDSA keys and rotates them every 90 days to adhere to best practices recommended by NIST for public key rotation.
- Enhanced Security with JWE: Supports JSON Web Encryption (JWE) for additional security layers.
- Easy API Integration: Provides extensions for client APIs to consume the JWKS endpoint with instructions available in the
NetDevPack.Security.JwtExtensions
. - Secure Default Settings: Follows RFC 7518 recommendations for using RSA and ECDSA algorithms, ensuring robust security standards.
- Simple Integration: By default, stores keys in the same location as ASP.NET Data Protection, simplifying key management.
Functional Components
Token Validation
Implementing token validation is straightforward and involves adding necessary services in your .NET application:
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuer = "https://www.devstore.academy",
ValidAudience = "NetDevPack.Security.Jwt.AspNet"
};
});
builder.Services.AddAuthorization();
builder.Services.AddJwksManager().UseJwtValidation();
Token Generation
Easily generate tokens using the auto-generated signing credentials:
public AuthController(IJwtService jwtService)
{
_jwtService = jwtService;
}
private string GenerateToken(User user)
{
var tokenHandler = new JwtSecurityTokenHandler();
var key = _jwtService.GetCurrentSigningCredentials(); // Automatically generated ECDsa or RSA key
var tokenDescriptor = new SecurityTokenDescriptor
{
Issuer = "https://www.devstore.academy",
Audience = "NetDevPack.Security.Jwt.AspNet",
Expires = DateTime.UtcNow.AddMinutes(60),
Subject = new ClaimsIdentity(user.Claims),
SigningCredentials = key
};
return tokenHandler.WriteToken(token);
}
How to Get Started
-
Installation: Install
NetDevPack.Security.Jwt
using NuGet Package Manager or the .NET CLI:Install-Package NetDevPack.Security.Jwt
Or:
dotnet add package NetDevPack.Security.Jwt
-
Configuration: Update your
Startup.cs
orprogram.cs
file to configure JWT validation:builder.Services.AddJwksManager().UseJwtValidation();
-
Manage Multiple APIs: Leverage JWKS for key distribution across multiple APIs:
- Identity API: Install
NetDevPack.Security.Jwt.AspNetCore
and configure token emission. - Client API: Use
NetDevPack.Security.JwtExtensions
for JWT validation.
- Identity API: Install
Storage Options
- Database Storage: Store keys in a database with EntityFramework Core integration.
- File System: Save keys to a file system for flexibility and custom solutions.
Conclusion
The Security.Jwt
project offers a comprehensive solution for JWT key management, focusing on security, ease of use, and adherence to industry best practices. Its features are particularly beneficial for applications requiring scalable, secure authentication like those deployed in containerized environments or load-balanced setups. With this project, developers can efficiently manage their JWTs and associated keys, ensuring their applications remain secure and compliant with recommended guidelines.