Asp.net-core – Get claims from JWT token in ASP.NET Core 2.0 API

asp.netasp.net-coreasp.net-core-2.0asp.net-web-apijwt

I'm using mixed authentication in my ASP.NET Core 2.0 Web and API app. Meaning both cookies and now adding JWT token.

The web part of the app uses cookies and in the API part, I want to use JWT token.

My question is how do I get the claims from JWT token? In my web controllers, I can simply use HttpContext.User; to get the claims stored in a cookie. How do I handle it in my API methods where I want to use JWT token?

Here's my AuthenticationBuilder:

public static void MyAuthenticationConfig(IServiceCollection services, IConfiguration configuration)
{
   services.AddAuthentication(options =>
   {
      options.DefaultAuthenticateScheme = "myApp_cookie";
      options.DefaultChallengeScheme = "myApp_cookie";
    })
    .AddCookie("myApp_cookie", options =>
    {
      options.AccessDeniedPath = "/Unauthorized";
      options.LoginPath = "/Login";
    })
    .AddCookie("social_auth_cookie")
    .AddOAuth("LinkedIn", options =>
    {
      options.SignInScheme = "social_auth_cookie";

      options.ClientId = "my_client_id";
      options.ClientSecret = "my_secret";

      options.CallbackPath = "/linkedin-callback";

      options.AuthorizationEndpoint = "https://www.linkedin.com/oauth/v2/authorization";
      options.TokenEndpoint = "https://www.linkedin.com/oauth/v2/accessToken";
      options.UserInformationEndpoint = "https://api.linkedin.com/v1/people/~:(id,first-name,last-name,email-address,picture-url,picture-urls::(original))";

      options.Scope.Add("r_basicprofile");
      options.Scope.Add("r_emailaddress");

      options.Events = new OAuthEvents
      {
         OnCreatingTicket = OnCreatingTicketLinkedInCallBack,
         OnTicketReceived = OnTicketReceivedCallback
       };
    })
    .AddFacebook(options =>
    {
        options.SignInScheme = "social_auth_cookie";
        options.AppId = "my_app_is";
        options.AppSecret = "my_secret";
        options.Events = new OAuthEvents
        {
           OnCreatingTicket = OnCreatingTicketFacebookCallback,
           OnTicketReceived = OnTicketReceivedCallback
         };
     })
     .AddGoogle(options =>
     {
         options.SignInScheme = "social_auth_cookie";
         options.ClientId = "my_id.apps.googleusercontent.com";
         options.ClientSecret = "my_secret";
         options.CallbackPath = "/google-callback";
         options.Events = new OAuthEvents
         {
             OnCreatingTicket = OnCreatingTicketGoogleCallback,
             OnTicketReceived = OnTicketReceivedCallback
         };
      })
      .AddJwtBearer("JwtBearer", jwtBearerOptions =>
      {
         jwtBearerOptions.TokenValidationParameters = new TokenValidationParameters
         {
             ValidateIssuerSigningKey = true,
             IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("my_secret")),

             ValidateIssuer = true,
             ValidIssuer = "my-api",

             ValidateAudience = true,
             ValidAudience = "my-client",

             ValidateLifetime = true,

             ClockSkew = TimeSpan.FromMinutes(5)
        };
    });
}

Best Answer

Normally the claims of JWT are automatically added to the ClaimsIdentity.

Source:
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/af5e5c2b0100e8348c63e2d2bb45612e2080841e/src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs#L1110).

So you should be able to just use 'User' property of the base 'Controller' class.

public async Task<IActionResult> Get()
{
    // TODO Move 'Claims' extraction code to an extension method
    var address = User.Claims.Where('GET THE NEEDED CLAIM');
    ...
}

I never had any problems getting the claims from a JWT token. But I only used IdentityServer4.AccessTokenValidation so far. But internally it uses the Microsoft JWT Handler afaik.

Related Solutions

Asp.net-mvc – Returning binary file from controller in ASP.NET Web API

Try using a simple HttpResponseMessage with its Content property set to a StreamContent:

// using System.IO;
// using System.Net.Http;
// using System.Net.Http.Headers;

public HttpResponseMessage Post(string version, string environment,
    string filetype)
{
    var path = @"C:\Temp\test.exe";
    HttpResponseMessage result = new HttpResponseMessage(HttpStatusCode.OK);
    var stream = new FileStream(path, FileMode.Open, FileAccess.Read);
    result.Content = new StreamContent(stream);
    result.Content.Headers.ContentType = 
        new MediaTypeHeaderValue("application/octet-stream");
    return result;
}

A few things to note about the stream used:

You must not call stream.Dispose(), since Web API still needs to be able to access it when it processes the controller method's result to send data back to the client. Therefore, do not use a using (var stream = …) block. Web API will dispose the stream for you.
Make sure that the stream has its current position set to 0 (i.e. the beginning of the stream's data). In the above example, this is a given since you've only just opened the file. However, in other scenarios (such as when you first write some binary data to a MemoryStream), make sure to stream.Seek(0, SeekOrigin.Begin); or set stream.Position = 0;
With file streams, explicitly specifying FileAccess.Read permission can help prevent access rights issues on web servers; IIS application pool accounts are often given only read / list / execute access rights to the wwwroot.

Json – How to get ASP.NET Web API to return JSON instead of XML using Chrome

Note: Read the comments of this answer, it can produce a XSS Vulnerability if you are using the default error handing of WebAPI

I just add the following in App_Start / WebApiConfig.cs class in my MVC Web API project.

config.Formatters.JsonFormatter.SupportedMediaTypes
    .Add(new MediaTypeHeaderValue("text/html") );

That makes sure you get JSON on most queries, but you can get XML when you send text/xml.

If you need to have the response Content-Type as application/json please check Todd's answer below.

NameSpace is using System.Net.Http.Headers.

Best Answer

Related Solutions

Asp.net-mvc – Returning binary file from controller in ASP.NET Web API

Json – How to get ASP.NET Web API to return JSON instead of XML using Chrome

Note: Read the comments of this answer, it can produce a XSS Vulnerability if you are using the default error handing of WebAPI

Related Topic