Understanding JWT: A Guide to Secure Authorization with Refresh token.

Lawson Borges
By -Lawson Borges
January 18, 2024
0

Understanding JWT: A Guide to Secure Authorization with Refresh token

Introduction

JSON Web Tokens (JWT) have become a cornerstone in modern web development for secure authorization and information exchange between parties.

In this blog post, we will delve into the fundamentals of JWT, explore the process of creating a secure authorization mechanism, and discuss the importance of token blacklisting for heightened security.

JWT Token

What is JWT?

JSON Web Token (JWT) is a compact, URL-safe means of representing claims between two parties. It is often used for authentication and authorization in web development. A JWT is composed of three parts: a header, a payload, and a signature. The header and payload are Base64-encoded JSON objects, and the signature is created by hashing the encoded header and payload with a secret key.

JWT Base 64 decode

Before Creating a JWT Token you need to understand the Principles and Claims

Principles:

A principle in identity management represents an entity, often a user or a system, and encapsulates the entity's identity, authentication status, and any additional context. Principles are typically represented by objects such as ClaimsPrincipal in .NET or Principal in Java.

Claims:

Claims, on the other hand, are individual pieces of information about a principle. These can include attributes like a user's name, email, roles, or any other relevant data. Claims are statements about a principle, and they are often represented as key-value pairs.

When to Use Principles

1. Authentication:

Principles are particularly useful during the authentication process. When a user logs in, a principle is created to represent that authenticated user. This principle can then be used throughout the application to determine the user's identity.

2. Authorization:

In the context of authorization, principles play a vital role. Roles and permissions associated with a user are typically represented as claims within the principle. This allows for straightforward access control decisions based on the user's identity.

3. Contextual Information:

If you need to carry contextual information about the user throughout the application, principles are a suitable choice. This might include details such as the user's authentication method, authentication time, or any other metadata.

When to Use Claims

1. Fine-Grained Authorization:

Claims shine when you need to implement fine-grained authorization. By associating specific claims with a user, you can make nuanced decisions about what resources or actions they can access within your application.

2. User Profile Information:

Claims are ideal for carrying user profile information. Details like the user's full name, email address, or any custom attributes can be conveniently represented as claims.

3. Dynamic Permissions:

If your application requires dynamic permissions that may change based on runtime conditions, using claims to represent these dynamic aspects is a pragmatic approach.

Making the Right Choice

1. Consider Use Case:

When deciding between principles and claims, consider your application's use case. If you primarily need to represent a user's identity, use principles. If you require a more granular representation of attributes and permissions, opt for claims.

2. Combination Approach:

In many scenarios, a combination of principles and claims is the most effective. Use principles for identity and overarching context, and use claims to carry specific pieces of information about the user.

3. Flexibility and Maintainability:

Think about the future scalability and maintainability of your application. A well-thought-out combination of principles and claims can provide the flexibility needed as your application evolves.

Below is the code to Generate a token with the Refresh token


  1. [HttpPost]  
  2. public IActionResult Post([FromBody] User value)  
  3. {  
  4.     var user = Startup.Users  
  5.                 .Find(x => x.UserName == value.UserName);  
  6.     if(user is null)  
  7.     {  
  8.         return StatusCode(StatusCodes.Status401Unauthorized, "No proper credentials");  
  9.   
  10.     }  
  11.     if (user.Password==value.Password) // Check DB  
  12.     {  
  13.         MyToken tk = new MyToken();  
  14.         
  15.         tk.TokenValue = GenerateJSONWebToken(user.UserName,30);  
  16.         tk.RefreshToken = GenerateRefreshToken();  
  17.         user.RefreshTokenExpiryTime = DateTime.Now.AddDays(7);  
  18.         user.RefreshToken = tk.RefreshToken;  
  19.         return Ok(tk);  
  20.     }  
  21.     else  
  22.     {  
  23.         return StatusCode(StatusCodes.Status401Unauthorized , "No proper credentials");  
  24.     }  
  25. }  
  26. private ClaimsPrincipal GetPrincipalFromExpiredToken(string token)  
  27. {  
  28.     var tokenValidationParameters = new TokenValidationParameters  
  29.     {  
  30.         ValidateIssuer = true,  
  31.         ValidateAudience = true,  
  32.         ValidateLifetime = true,  
  33.         ValidateIssuerSigningKey = true,  
  34.         ValidIssuer = "lawson",  
  35.         ValidAudience = "BrowserClients",  
  36.         IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("secret@123456"))  
  37.     };  
  38.     var tokenHandler = new JwtSecurityTokenHandler();  
  39.     SecurityToken securityToken;  
  40.     var principal = tokenHandler.ValidateToken(token,   
  41.                                 tokenValidationParameters,   
  42.                                 out securityToken);  
  43.     var user = Startup.Users  
  44.                .Find(x => x.UserName == principal.Identity.Name);  
  45.     var jwtSecurityToken = securityToken as JwtSecurityToken;  
  46.     if (jwtSecurityToken == null   
  47.         || user.RefreshTokenExpiryTime <= DateTime.Now)  
  48.         throw new SecurityTokenException("Invalid token");  
  49.     return principal;  
  50. }  
  51.   
  52. private string GenerateJSONWebToken(string username, int expiryTime)  
  53. {  
  54.     // header info  
  55.     var algo = SecurityAlgorithms.HmacSha256;  
  56.   
  57.     // payload info  
  58.     var claims = new[] {  
  59.         new Claim(ClaimTypes.Name, username),  
  60.         new Claim(JwtRegisteredClaimNames.Sub, username),  
  61.         new Claim(JwtRegisteredClaimNames.Email, ""),  
  62.         new Claim("IsAdmin""True"),  
  63.         new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString())  
  64.         };  
  65.     // signature  
  66.     var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("secret@123456"));  
  67.     var credentials = new SigningCredentials(securityKey, algo);  
  68.     var token = new JwtSecurityToken("lawson",  
  69.        "BrowserClients",  
  70.       claims,  
  71.       expires: DateTime.Now.AddSeconds(expiryTime),  
  72.       signingCredentials: credentials);  
  73.   
  74.     return new JwtSecurityTokenHandler().WriteToken(token);  
  75. }  
  76.   
  77. private string GenerateRefreshToken()  
  78. {  
  79.     var randomNumber = new byte[32];  
  80.     using (var rng = RandomNumberGenerator.Create())  
  81.     {  
  82.         rng.GetBytes(randomNumber);  
  83.         return Convert.ToBase64String(randomNumber);  
  84.     }  
  85. }  


Calling refresh token when the token is expired

  1. [HttpGet]  
  2. public IActionResult Get(MyToken TokenVale)  
  3. {  
  4.   
  5.     var token = RefreshToken(TokenVale);  
  6.     return Ok(token);  
  7.       
  8. }  
  9. private MyToken RefreshToken(MyToken tokenApiModel)  
  10. {  
  11.     if (tokenApiModel is null)  
  12.         throw new Exception("Invalid client request");  
  13.     string accessToken = tokenApiModel.TokenValue;  
  14.     string refreshToken = tokenApiModel.RefreshToken;  
  15.   
  16.     var principal = GetPrincipalFromExpiredToken(accessToken);  
  17.     var username = principal.Identity.Name; //this is mapped to the Name claim by default  
  18.   
  19.     var user = Startup.Users.SingleOrDefault(u => u.UserName == username);  
  20.     if (user is null || user.RefreshToken != refreshToken)  
  21.         throw new Exception("Invalid client request");  
  22.   
  23.     var newAccessToken = GenerateJSONWebToken(user.UserName, 60);  
  24.     var newRefreshToken = GenerateRefreshToken();  
  25.   
  26.     user.RefreshToken = newRefreshToken;  
  27.     user.RefreshTokenExpiryTime = DateTime.Now.AddDays(7);  
  28.     tokenApiModel.RefreshToken = newRefreshToken;  
  29.     tokenApiModel.TokenValue = newAccessToken;  
  30.   
  31.     return tokenApiModel;  
  32. }  



Tags:

You Might Like

Show more
JWT Token

Post a Comment

0Comments

Post a Comment (0)
Share to other apps
Copy Post Link