
I’m looking to create an encrypted JWT and I’m a little lost.

Option 1: Articles like this one suggest just encrypting the string representation of a JWT: https://www.owasp.org/index.php/JSON_Web_Token_(JWT)_Cheat_Sheet_for_Java#Token_information_disclosure

Option 2: However, this article suggests nesting a signed JWT inside an encrypted JWT: https://connect2id.com/products/nimbus-jose-jwt/examples/signed-and-encrypted-jwt

My preference would be to use option 2 as I assume this is the correct way of encrypting a JWT. I can’t seem to find the right overloads and/or properties in the JwtSecurityToken object though to make it work. On the JwtHeader I see a property called Cty which is great, because I need to use that to set the content type, and on the JwtSecurityToken I see a property called InnerToken which looks promising. I don’t, however, know how to set that property and/or create a JwtPayload that wraps an existing JWT.

Has anybody else done this before and been able to provide a sample?

Top GitHub Comments

1 reaction
jacobslusser commented, Jun 28, 2017

@brentschmaltz, thanks for your response. I have some follow-up questions.

Funny you mention that… after posting I persisted for another couple hours and found the JwtSecurityTokenHandler.CreateJwtSecurityToken method – a parent to the one you mentioned. As far as I can tell, that is the only way to create a signed and encrypted token because all the other methods seem to want SigningCredentials or EncryptingCredentials, but not both. Perhaps you could show me otherwise?

So the code I currently have is like this:

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

var now = DateTime.UtcNow;
// 64 ASCII characters = a 512-bit key, the size A256CBC-HS512 needs when it is used directly ("dir");
// the same key is reused here as the HS256 signing key.
var key = Encoding.UTF8.GetBytes("C9CB44D98642A7062A0D39B94B6CDC1E54276F2E7CFFBF44288CEE73C08A8A65");
var securityKey = new SymmetricSecurityKey(key);

var claims = new[]
{
    new Claim(JwtRegisteredClaimNames.Sub, "1234567890"),
    new Claim("name", "John Doe"),
    new Claim("admin", "true", ClaimValueTypes.Boolean)
};

// Signs the inner JWT with HS256, then encrypts it into a JWE (alg "dir", enc A256CBC-HS512).
var handler = new JwtSecurityTokenHandler();
var jwt = handler.CreateJwtSecurityToken(
    issuer: "example.com",
    audience: "example.com",
    subject: new ClaimsIdentity(claims),
    expires: now.AddMinutes(30),
    issuedAt: now,
    signingCredentials: new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256),
    encryptingCredentials: new EncryptingCredentials(securityKey, JwtConstants.DirectKeyUseAlg, SecurityAlgorithms.Aes256CbcHmacSha512));

// Compact serialization: five dot-separated segments for a JWE.
var token = handler.WriteToken(jwt);
Console.WriteLine("Encrypted JWT: " + token);

Console.WriteLine();
Console.WriteLine("Push ENTER to exit.");
Console.ReadLine();

The result is:

Encrypted JWT: eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwidHlwIjoiSldUIn0..kv71w0GLaULzcsdYyuOFSw.96gllkIz90WGtYt03kwqaEa4pUsODH0dpv0hh8HmjoukVvCPgT-apO_zUQwXO1dJkQbhtXqOCBjoEtqG-dpziUgfaZEz_4_XXpyNj8_v24mx8atPfcRDbTgHpgKSY2iZ-5thiXrSojmpVW6vIWksp7uKRN9BUA-ZC-QtLiUpyMVPP40Ft341bKfLF2jaAiYcwsRsUszb7KFE3Xy7fjwarlXemqGQbH3JamZVQo4vxxobg9z6BB0853AoBXewsV4V5GPFBXCv7WURblw3kp3Epe-lnHjdUbIY3kOhWeaPKDzoCAelUMqAoszvjQ1_1mAxDmV6rufaAB6kBLveDd2V4xM6leoFP3bZaP7sWiCJjYc.JuXpkjiUIj6BQqLgEW4W2NAH9Hr5SoHXYTd26TkdshI

As you can see, the second part of the JWE – which as I understand is the encrypted key – is empty. Why is that?

Finally, I would love some clarification around the choice of encryption algorithms. I’m trying to create a JWE using AES-GCM and AAD, as mentioned in my first link; however, I’m not sure if .NET supports this algorithm. Do you know?
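
The nested signed-then-encrypted token asked for in the question, together with decryption and validation on the receiving side, as an added example that is not code from this thread or from the System.IdentityModel.Tokens.Jwt project. It uses A256KW key wrap instead of "dir", so the second JWE segment (the wrapped content-encryption key) is populated; under "dir" the recipient already holds the content-encryption key, and that segment is empty by definition. It assumes a current Microsoft.IdentityModel.Tokens package with symmetric key-wrap support; the generated keys and the RandomBytes helper are hypothetical placeholders.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;

// Hypothetical keys generated here; in production load them from a key store.
// Sign and encrypt with different keys so compromise of one does not expose the other.
var signingKey = new SymmetricSecurityKey(RandomBytes(32));  // HS256: 256-bit key
var keyWrapKey = new SymmetricSecurityKey(RandomBytes(32));  // A256KW: exactly 256 bits

var handler = new JwtSecurityTokenHandler();
handler.InboundClaimTypeMap.Clear();  // keep "sub"/"name" as-is instead of mapping them to ClaimTypes.*
var now = DateTime.UtcNow;
var identity = new ClaimsIdentity(new[]
{
    new Claim(JwtRegisteredClaimNames.Sub, "1234567890"),
    new Claim("name", "John Doe"),
});
// Inner JWS (HS256) nested in an outer JWE. A256KW wraps a random content-encryption key,
// so the second JWE segment is populated; with alg "dir" that segment is empty by design.
JwtSecurityToken jwe = handler.CreateJwtSecurityToken(
    issuer: "example.com",
    audience: "example.com",
    subject: identity,
    notBefore: now,
    expires: now.AddMinutes(30),
    issuedAt: now,
    signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256),
    encryptingCredentials: new EncryptingCredentials(keyWrapKey, SecurityAlgorithms.Aes256KW, SecurityAlgorithms.Aes256CbcHmacSha512));

string compact = handler.WriteToken(jwe);
Console.WriteLine("Encrypted key segment empty: " + string.IsNullOrEmpty(jwe.RawEncryptedKey));  // False

// Receiving side: decrypt the JWE, then verify the inner signature and the standard claims in one call.
var parameters = new TokenValidationParameters
{
    ValidIssuer = "example.com",
    ValidAudience = "example.com",
    IssuerSigningKey = signingKey,    // verifies the inner JWS
    TokenDecryptionKey = keyWrapKey,  // unwraps the CEK and decrypts the outer JWE
};
ClaimsPrincipal principal = handler.ValidateToken(compact, parameters, out SecurityToken validated);
var outer = (JwtSecurityToken)validated;
Console.WriteLine("Outer alg/enc: " + outer.Header.Alg + "/" + outer.Header.Enc);
Console.WriteLine("Inner alg: " + outer.InnerToken?.Header.Alg);
Console.WriteLine("Subject: " + principal.FindFirst(JwtRegisteredClaimNames.Sub)?.Value);

static byte[] RandomBytes(int n) { var b = new byte[n]; RandomNumberGenerator.Fill(b); return b; }
```

A token whose inner signature does not verify, or whose outer JWE cannot be decrypted with TokenDecryptionKey, makes ValidateToken throw rather than return a principal, so both layers are checked before any claim is trusted.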

0 reactions
brentschmaltz commented, Jul 6, 2017

@jacobslusser I will close this now. Please feel free to re-open if you need additional info.
