Multiple JWT authorization token in Web API

Time:10-01

I have a web API application developed with .Net Core 5 where I have implemented the authorization using OIDC 2, therefore using a JWT bearer token.

Now I need to put this application behind a corporate API Gateway which acts like a proxy, that requires additional authorization. The requests therefore should have two authorization tokens, one for the API Gateway and another one for the application itself.

The Gateway administrator has told me to modify my code in order to process a request like the following:

curl -X GET "https://api-gateway.some-domain.org/my-application/some-endpoint" \
     -H "accept: application/json" \
     -H "MyApp-Authorization: Bearer JGVFISOODISJ..." \
     -H "Authorization: Bearer FVJIDOSJFMDSIO..."

I have understood from the administrator's response that I should modify how the authentication is configured in my application, maybe in the startup file.

Currently I've configured it in the following way:

public void ConfigureServices(IServiceCollection services)
{
    //...

    // Add ASP.NET Core Identity services (user store, roles, sign-in manager)
    services.AddIdentity<IdentityUser, IdentityRole>()
            .AddEntityFrameworkStores<RPToolDBContext>()
            .AddSignInManager<SignInManager<IdentityUser>>();

    // Symmetric key used to validate the signature of the application's own JWTs
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(appSettings.Secret));

    // Default scheme is JWT bearer; the handler reads the standard "Authorization: Bearer ..." header
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(opt =>
            {
                opt.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = key,
                    ValidateAudience = false,
                    ValidateIssuer = false,
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.Zero
                };
            })
            // Second bearer scheme for Azure AD-issued tokens, configured from the "AzureAd" section
            .AddAzureAdBearer(options => Configuration.Bind("AzureAd", options));
    //...
}

What do I need to change in order to modify the attribute name?

Obviously, I think I need to change also the code in the front-end, which is developed in React using the MSAL library, in order to work with the new header...

CodePudding user response:

This pattern can be good from the viewpoints of both good security and a simple code standard if it works like this:

  • Confidential access tokens in an unreadable format are issued to web and mobile clients so that no sensitive data is revealed to them

  • APIs receive JWTs containing claims and scopes then use them for authorization, including all user context needed

  • When the client calls the API, messages are routed via the gateway, which swaps confidential tokens for JWTs

INDUSTRY STANDARDS

At my company we call this The Phantom Token Pattern. It is worth seeing if you can steer things in this direction, e.g., forward my answer to an architect if you work with one.

Your API should not have to work with 2 types of token or non standard header values, since this will mean security libraries fail to work.

CUSTOM AUTHENTICATOR

As a last resort you can customize .Net and retrieve the token differently. Some sample code of mine shows how to customize the .Net stack, but only for learning purposes. It is best to keep your security code simple and standard.
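For readers who do end up on the "custom authenticator" route, the following is an added example (not code from the question, the answer, or the answerer's samples) of the supported ASP.NET Core 5 extension point for this: the `JwtBearerEvents.OnMessageReceived` hook, which runs before the handler reads the `Authorization` header and lets you supply the token from another header. The header name `MyApp-Authorization` is taken from the question; the issuer and audience values are placeholders and are assumptions, as is the `appSettings.Secret`-style symmetric key. Note the deliberate `NoResult()` when the custom header is absent: without it the handler silently falls back to the standard `Authorization` header, which here carries the gateway's token from a different trust domain.

```csharp
using System;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Added example: validate the application's own JWT taken from a custom header,
// leaving the standard Authorization header to the corporate API gateway.
public static class AppJwtAuthentication
{
    // Header name from the question; the gateway administrator defines the real one.
    public const string AppTokenHeader = "MyApp-Authorization";

    // Extracts "<token>" from a "Bearer <token>" value; returns null when absent or malformed.
    public static string ExtractBearerToken(string headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue)) return null;
        const string prefix = "Bearer ";
        if (!headerValue.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return null;
        var token = headerValue.Substring(prefix.Length).Trim();
        return token.Length == 0 ? null : token;
    }

    public static IServiceCollection AddAppJwtAuthentication(this IServiceCollection services, string secret)
    {
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(opt =>
            {
                opt.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = key,
                    // Issuer/audience checks are enabled here (the question's config disabled them);
                    // both values are placeholders and must match what your token issuer emits.
                    ValidateIssuer = true,
                    ValidIssuer = "https://issuer.example.invalid",
                    ValidateAudience = true,
                    ValidAudience = "my-application",
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.Zero
                };

                opt.Events = new JwtBearerEvents
                {
                    // Runs before the handler inspects the Authorization header.
                    // Setting context.Token makes the handler validate that value instead.
                    OnMessageReceived = context =>
                    {
                        var token = ExtractBearerToken(context.Request.Headers[AppTokenHeader]);
                        if (token != null)
                        {
                            context.Token = token;
                        }
                        else
                        {
                            // No usable app token: short-circuit with "no result" so the handler does
                            // NOT fall back to the gateway's Authorization header. An [Authorize]
                            // endpoint then challenges (401) as expected.
                            context.NoResult();
                        }
                        return Task.CompletedTask;
                    }
                };
            });

        return services;
    }
}
```

Wire it up in `ConfigureServices` with `services.AddAppJwtAuthentication(appSettings.Secret);` in place of the existing `AddJwtBearer` call, and keep `app.UseAuthentication()` before `app.UseAuthorization()` in `Configure`. The token is still validated by the standard `JwtBearerHandler`, so signature, lifetime, issuer and audience checks are unchanged; only the header it is read from differs.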
