
The security concern: According to https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ a lot of JWT libraries use the token itself in order to determine the algorithm for the signature.

This is our use case: We want to create a login mechanism that validates a user with the hard credentials (username/password) and then returns a JWT token with e.g. 3 days lifetime. The token should contain the username, and a signature should guarantee that the token cannot be "faked".

What library can we use in Web API / MVC 6? It is important that the signature algorithm can be specified on decoding to avoid the vulnerability.

If possible we would like to avoid integrating complex OAuth components.

  • After just a little bit of googling I have found two interesting things: an open source project on GitHub - jwt-dotnet: github.com/jwt-dotnet/jwt and the JSON Web Token Handler for the Microsoft .NET Framework 4.5 on NuGet: nuget.org/packages/System.IdentityModel.Tokens.Jwt. It looks like both of them can offer generation and validation of JWT tokens; however, I haven't used them. Commented Jul 1, 2015 at 20:48
  • I saw these. I do not know if they offer specification of the algorithm on validation. Commented Jul 1, 2015 at 21:01

1 Answer


I am using the System.IdentityModel.Tokens.Jwt library, and I just checked for this issue. I generated a token and validated it in one of my tests, then I removed the signingCredentials, which changes the alg to none. The JWT generated with the "alg":"none" failed validation.

Here is how I am generating the token:

// SSOContext, SignatureSettings and GetClaims are the answerer's own types/helpers;
// JwtSecurityToken, JwtSecurityTokenHandler and X509SigningCredentials come from
// System.IdentityModel.Tokens (System.IdentityModel.Tokens.Jwt 4.x package).
public string GenerateToken(SSOContext context, SignatureSettings settings)
{
    var token = new JwtSecurityToken(
        issuer: "MyIssuer",
        audience: "MyAudience",
        claims: GetClaims(context),
        // Signing with the certificate's RSA key sets the header to "alg":"RS256".
        // Comment the below line to generate a 'none' alg (the unsigned case).
        signingCredentials: new X509SigningCredentials(settings.Certificate),
        notBefore: DateTime.UtcNow,
        expires: DateTime.UtcNow.AddHours(1)
        );

    // Serialize to the compact header.payload.signature form.
    return new JwtSecurityTokenHandler().WriteToken(token);
}

When I validate the token I get an exception as expected with the message

IDX10504: Unable to validate signature, token does not have a signature:


3 Comments

As I read the comments on the net about the vulnerability, the only way to be on the safe side would be to define the expected algo on validation hardcoded. Is this possible with this library? At least it would not be vulnerable to the none algo issue, as I understand your response. Maybe you can confirm or add additional information.
You can take the jwt and turn it into a JwtSecurityToken object and check the SignatureAlgorithm property to make sure it is what is expected as well. If not you could not even bother validating and just reject it. If you see anything wrong, please let me know. I am answering partly to see if anyone spots an error.
This all looks reasonable and solid to me. I think I am going to accept your answer very soon. I am not sure if I can fully test until the bounty ends. So I guess I need to accept it then soon in order to prevent loss of the award.
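The complete flow the question asks for, written as an added example and not code from the question, the answer or the library's documentation: a helper that issues a three-day JWT carrying the username after the password check, and a validator that first pins the header alg to the single value expected (the SignatureAlgorithm check suggested in the comment above, turned into an explicit allow-list) and only then runs the library's full signature/issuer/audience/lifetime validation. It assumes the System.IdentityModel.Tokens.Jwt 4.x package named in the question comments (the later 5.x releases moved these types to Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt); the JwtAuth class, the IssueToken/ValidateToken names, the issuer and audience strings and the PFX path/password command-line arguments are placeholders chosen for the example.

```csharp
// Added example (not the asker's or answerer's code). Assumes the
// System.IdentityModel.Tokens.Jwt 4.x package on .NET Framework 4.5, where the
// JWT types, X509SigningCredentials, X509SecurityToken and the token exceptions
// all sit in the System.IdentityModel.Tokens namespace.
using System;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;

public static class JwtAuth
{
    const string Issuer = "MyIssuer";      // placeholder values for the example
    const string Audience = "MyAudience";

    // The only header "alg" this service accepts. Everything else, including
    // "none", is rejected before any signature verification is attempted.
    const string ExpectedAlg = "RS256";

    // Called after username/password have been verified; returns a 3-day token
    // whose "sub" claim is the username, signed with the certificate's RSA key.
    public static string IssueToken(string username, X509Certificate2 signingCert)
    {
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, username) },
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddDays(3),
            signingCredentials: new X509SigningCredentials(signingCert));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Returns the username from a valid token; throws on any validation failure.
    public static string ValidateToken(string jwt, X509Certificate2 signingCert)
    {
        var handler = new JwtSecurityTokenHandler();

        // Step 1: parse without validating and compare the header alg against the
        // hardcoded expectation. The header is attacker-controlled, so it is only
        // ever compared; it never selects which key or algorithm we verify with.
        var parsed = (JwtSecurityToken)handler.ReadToken(jwt);
        if (!string.Equals(parsed.SignatureAlgorithm, ExpectedAlg, StringComparison.Ordinal))
            throw new SecurityTokenValidationException(
                "Rejected token with alg '" + parsed.SignatureAlgorithm + "', expected " + ExpectedAlg);

        // Step 2: full validation against our own certificate (signature, issuer,
        // audience, nbf/exp). RequireSignedTokens already defaults to true, which
        // is why the answer above saw IDX10504 for an unsigned token.
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningToken = new X509SecurityToken(signingCert),
            RequireSignedTokens = true,
            ValidateLifetime = true,
        };
        SecurityToken validated;
        handler.ValidateToken(jwt, parameters, out validated);

        // Read "sub" from the validated token itself rather than the principal,
        // because the 4.x handler maps inbound claim names (sub -> NameIdentifier).
        return ((JwtSecurityToken)validated).Subject;
    }

    // Demo. Needs a certificate with a private key; here a PFX path and password
    // are taken from the command line (placeholder inputs, not from the page).
    public static void Main(string[] args)
    {
        var cert = new X509Certificate2(args[0], args[1]);

        string good = IssueToken("alice", cert);
        Console.WriteLine("signed token accepted for user: " + ValidateToken(good, cert));

        // The same construction the answer describes: omitting signingCredentials
        // yields "alg":"none". A correct validator must reject it.
        var unsigned = new JwtSecurityToken(
            issuer: Issuer, audience: Audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, "alice") },
            notBefore: DateTime.UtcNow, expires: DateTime.UtcNow.AddDays(3));
        string forged = new JwtSecurityTokenHandler().WriteToken(unsigned);
        try
        {
            ValidateToken(forged, cert);
            Console.WriteLine("BUG: unsigned token was accepted");
        }
        catch (SecurityTokenValidationException e)
        {
            Console.WriteLine("unsigned token rejected: " + e.Message);
        }
    }
}
```

The alg pre-check is deliberately redundant with RequireSignedTokens: the point of the advisory linked in the question is that the verifier must never let the token decide how it is verified, so the expected algorithm and the verification key are both fixed by the server, and a mismatch fails closed before the library's signature code is reached. If the service ever changes signing algorithms, ExpectedAlg becomes a small allow-list of the algorithms actually in use, never a value read from the token.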
