Issue Connecting to ADFS using SAML2 protocol (using Sustainsys.Saml2.Owin package) - c#

I'm new to the SAML 2.0 signing protocol.
Currently, in my MVC application, I'm using WS-Federation as the signing protocol; now I have to use the SAML 2.0 signing protocol.
Our IDP is ADFS and the AUTH plugin is the Sustainsys.Saml2.Owin package.
First I am trying to connect with the SAML 2.0 signing protocol without a self-signed certificate.
For that, in ADFS, Get-ADFSRelyingPartyTrust is already set to false.
Please refer to the screenshot of ADFS below.
When trying to access the application after providing login info, I get the error below:
Error details: MSIS7085: The server requires a signed SAML authentication request but no signature is present.
When I decrypted the SAML response with the help of Fiddler, I found an incorrect saml2:Issuer value.
The decrypted SAML request is listed below:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id95832a0e04ac48d7a3d33d7a185f4906" Version="2.0" IssueInstant="2023-02-08T08:47:26Z" Destination="https://dummy.com/adfs/ls/" AssertionConsumerServiceURL="https://dummy.dev/Saml2/Acs">
<saml2:Issuer>**http://dummy.com/adfs/services/trust**</saml2:Issuer>
</saml2p:AuthnRequest>
but the correct SAML request should have the saml2:Issuer value listed below:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id95832a0e04ac48d7a3d33d7a185f4906" Version="2.0" IssueInstant="2023-02-08T08:47:26Z" Destination="https://dummy.com/adfs/ls/" AssertionConsumerServiceURL="https://dummy.dev/Saml2/Acs">
<saml2:Issuer>**https://dummy.dev**</saml2:Issuer>
</saml2p:AuthnRequest>
Please help me with how to define saml2:Issuer on the application code side, so that the SAML request works perfectly.
Please let me know if any other information is required.
Thanks in advance...
Need SAML 2.0 as signing protocol for connecting with IDP as ADFS by using Sustainsys.Saml2.Owin package
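As an added example (written for this page, not code from the question or from the Sustainsys project), here is where the two identifiers in the question go when Sustainsys.Saml2.Owin is configured in code rather than in web.config, using the Sustainsys.Saml2 2.x API as I know it: the SP's own entity id, which becomes <saml2:Issuer> of every AuthnRequest, and the ADFS federation id, which is the IdP's entity id. It also turns on request signing, since the MSIS7085 text in the question says ADFS is expecting a signed request. The certificate path, PFX password and the ADFS metadata host are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Owin;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.Owin;
using Sustainsys.Saml2.WebSso;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // false = build everything in code instead of reading <sustainsys.saml2> from web.config
        var options = new Saml2AuthenticationOptions(false)
        {
            SPOptions = new SPOptions
            {
                // Becomes <saml2:Issuer> of every AuthnRequest: the Service Provider's own
                // identifier, and the identifier the ADFS relying party trust is registered under.
                EntityId = new EntityId("https://dummy.dev"),
                ReturnUrl = new Uri("https://dummy.dev/"),
                // Sign every AuthnRequest, independent of what the IdP metadata asks for.
                AuthenticateRequestSigningBehavior = SigningBehavior.Always
            }
        };

        // Private key that signs the AuthnRequest. ADFS needs the public certificate on the
        // trust's Signature tab. Path and password are placeholders for this example.
        var signingCert = new X509Certificate2(
            AppDomain.CurrentDomain.BaseDirectory + @"App_Data\sp-signing.pfx", "pfx-password");
        options.SPOptions.ServiceCertificates.Add(new ServiceCertificate
        {
            Certificate = signingCert,
            Use = CertificateUse.Signing
        });

        // The ADFS federation identifier is the IdP's entity id, not the SP's.
        var adfs = new IdentityProvider(
            new EntityId("http://dummy.com/adfs/services/trust"), options.SPOptions)
        {
            // Standard ADFS metadata path (host assumed); it carries the ADFS signing cert and endpoints.
            MetadataLocation = "https://dummy.com/FederationMetadata/2007-06/FederationMetadata.xml",
            LoadMetadata = true,
            AllowUnsolicitedAuthnResponse = false,
            Binding = Saml2BindingType.HttpRedirect
        };
        options.IdentityProviders.Add(adfs);

        app.UseSaml2Authentication(options);
    }
}
```

Two things to check on the ADFS side against this: the relying party trust's identifier has to equal the SPOptions.EntityId value (Get-AdfsRelyingPartyTrust -Identifier https://dummy.dev), and if the trust still has SignedSamlRequestsRequired set, ADFS will keep answering MSIS7085 until the SP signs with a certificate that is registered on that trust.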

Related

JWT Authentication in Web API using System.IdentityModel.Tokens.Jwt

I am trying to implement JWT token based authentication in Web API using System.IdentityModel.Tokens.Jwt and Identity.
I am following this
Web.config
<appSettings>
<add key="issuer" value="http://localhost/" />
<add key="secret" value="IxrAjDoa2FqElO7IhrSrUJELhUckePEPVpaePlS_Xaw" />
</appSettings>
Though I was able to successfully implement and run the application with authentication, I am not sure what these settings are for. Whatever I give in issuer, the application still works as expected. Can someone please provide some insights on issuer and secret?
I am using postman to test the token and the API
From the same site that you followed the tutorial (Create a RESTful API with authentication using Web API and Jwt) he says about the properties:
Issuer - a unique identifier for the entity that issued the token (not to be confused with Entity Framework’s entities)
Secret - a secret key used to secure the token and prevent tampering
But to try and explain this a little more precisely:
The issuer is basically the server or site or whatever that issues the token to the client.
And the secret is something that the server (or whatever) knows about. The secret can be used to create a signature that can verify that messages haven't been altered on the way. More on that on jwt.io, JWT Secret:
To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
Hope this helps!
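Added example (mine, not from the tutorial or the answer above) showing concretely why the issuer value made no visible difference: System.IdentityModel.Tokens.Jwt only compares the iss claim with ValidIssuer when ValidateIssuer is on; the secret, by contrast, is checked on every validation because it is the HMAC key. It reuses the two appSettings values from the question; the user name, expiry and the spoofed issuer are made up for the example.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

public static class JwtIssuerDemo
{
    // Same values as the appSettings in the question. The secret is base64url text,
    // so decode it the same way the tutorial does before turning it into a key.
    static readonly string Issuer = "http://localhost/";
    static readonly byte[] SecretBytes =
        Base64UrlEncoder.DecodeBytes("IxrAjDoa2FqElO7IhrSrUJELhUckePEPVpaePlS_Xaw");

    public static string Issue(string userName, string issuer)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = issuer,
            Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, userName) }),
            Expires = DateTime.UtcNow.AddMinutes(30),
            // HS256: the same secret signs and verifies, so every API that validates must hold it.
            SigningCredentials = new SigningCredentials(
                new SymmetricSecurityKey(SecretBytes), SecurityAlgorithms.HmacSha256)
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    public static bool Validate(string jwt, bool checkIssuer)
    {
        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = new SymmetricSecurityKey(SecretBytes),
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ValidateAudience = false,   // the tutorial sets no audience
            // This flag is the reason "whatever I put in issuer still works":
            // with it off, the iss claim is carried in the token but never compared.
            ValidateIssuer = checkIssuer,
            ValidIssuer = Issuer
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return true;
        }
        catch (SecurityTokenException)
        {
            // Bad signature (wrong secret, tampered payload), expired, or wrong issuer.
            return false;
        }
    }

    public static void Main()
    {
        string good = Issue("joe", Issuer);
        string spoofed = Issue("joe", "http://evil.example/");

        Console.WriteLine(Validate(good, checkIssuer: true));
        // Spoofed issuer is accepted when ValidateIssuer is false: only the HMAC is checked.
        Console.WriteLine(Validate(spoofed, checkIssuer: false));
        // With ValidateIssuer on, the same token fails with SecurityTokenInvalidIssuerException.
        Console.WriteLine(Validate(spoofed, checkIssuer: true));
    }
}
```

The practical consequence: if several services share one secret, the issuer check (together with an audience check) is what stops a token minted for one of them from being replayed at another, so it is worth turning on even though the tutorial's code runs fine without it.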

C# - How to Sign SAML Request using HTTPRedirect Binding

We have developed a web site in Angular 5 using .NET Web API and SQL Server. The website has been deployed on Azure. The website has been successfully integrated with SSO (Ping Federator) using SAML 2.0.
Now we have a requirement to sign the SAML request. We have a private and public key and are getting an "Invalid Signature" error on the IDP side while sending the signed SAML request. Below is a sample SAML request.
<samlp:AuthnRequest
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_6727de62-72e3-48fd-836a-04332e7b2453"
Version="2.0"
IssueInstant="2018-08-27T05:07:04Z"
Destination="https://sso/SSO.saml2"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="http://mysite/login"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer>http://issuersite.com</saml:Issuer>
<samlp:NameIDPolicy
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AllowCreate="true" />
</samlp:AuthnRequest>
The same has been constructed using following.
url = ssourl + "?" + "SAMLRequest=" + HttpUtility.UrlEncode(request) + "&Signature=" + HttpUtility.UrlEncode(_signature);
Below is the signed SAML request.
<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://mysite/login " ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" IssueInstant="2018-08-07T07:40:36Z" Version="2.0" ID="_b8e67b27-cdd0-41ad-afe3-d98074813ec9"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> http://issuersite.com </saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#_b8e67b27-cdd0-41ad-afe3-d98074813ec9"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>NhZ1uC0aHuTf3/u6jmAShInBWtE=</DigestValue></Reference></SignedInfo><SignatureValue>YslaCvEyqd8XTnXEElDNawX399eZ61NWrE4ue/PVBmUoycIQ5kkCixnZSUEShJKL8UXuAOgIG/wW7jWZKpVY4ouIPafRDjQBVk/M7kAoMVdSVbAdZcqQLO0yGZLOyhOzyCF/O71wnxHPHIIKyf47vBt6GCyEB3MKioNXnU8fx8htig/AqKh6Ff6lku9zNpl88MugP5S9ZDzzBpmspLPP0cuO2dfiKsmYfMxfUrOcy2+FT33eBsnXDivD1he4Ts7LKW6HZJbY3LsqTc0U3qcjgJs9lmwcbqz27okojl6dz17ZAR42NNveaSRV8t09aPVuf+VVtWbEXHsqSPTrV2J9lQ==</SignatureValue><KeyInfo><X509Data><X509Certificate>...</X509Certificate></X509Data></KeyInfo></Signature><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></samlp:AuthnRequest>
The request is deflated using a memory stream and base64 encoded.
_signature is the signed XML, base64 encoded.
We are able to successfully sign an XML document but are getting an error while signing the SAML request.
Tried the following options but none of them is working. Please share any inputs to fix this issue. Let me know if any other details are required on this.
SAML Redirect sign or verify failing to produce correct signature
HTTP-Redirect Binding SAML Request
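The HTTP-Redirect binding (SAML 2.0 Bindings, section 3.4.4.1) does not carry an XML signature at all: the AuthnRequest is DEFLATEd and base64-encoded without any <Signature> element, and a detached signature is computed over the URL-encoded string SAMLRequest=...&RelayState=...&SigAlg=... exactly as it appears in the query string, then appended as a Signature=... parameter. The verifier must reuse the received, still-encoded bytes rather than decode and re-encode them. Below is an added example of that exchange, written for this page rather than taken from the question; the RSA key is generated in place and the AuthnRequest is a constructed copy of the one in the question.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Security.Cryptography;
using System.Text;

public static class SamlRedirectBinding
{
    // SigAlg value for RSA with SHA-256 (PKCS#1 v1.5), from the xmldsig-more registry.
    public const string RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Raw DEFLATE (no zlib/gzip header) followed by base64, as the binding requires.
    public static string DeflateBase64(string xml)
    {
        using (var output = new MemoryStream())
        {
            using (var deflate = new DeflateStream(output, CompressionMode.Compress, leaveOpen: true))
            using (var writer = new StreamWriter(deflate, new UTF8Encoding(false)))
            {
                writer.Write(xml);
            }
            return Convert.ToBase64String(output.ToArray());
        }
    }

    // The bytes that get signed are the URL-encoded parameters in exactly this order.
    // Uri.EscapeDataString gives RFC 3986 percent-encoding ('+', '/', '=' of base64 are all escaped).
    public static string BuildSignedInput(string samlRequestB64, string relayState, string sigAlg)
    {
        var sb = new StringBuilder();
        sb.Append("SAMLRequest=").Append(Uri.EscapeDataString(samlRequestB64));
        if (!string.IsNullOrEmpty(relayState))
            sb.Append("&RelayState=").Append(Uri.EscapeDataString(relayState));
        sb.Append("&SigAlg=").Append(Uri.EscapeDataString(sigAlg));
        return sb.ToString();
    }

    // SP side: build the redirect URL. The XML must NOT contain a <Signature> element;
    // the only signature is the detached one in the Signature query parameter.
    public static string BuildRedirectUrl(string ssoUrl, string authnRequestXml, string relayState, RSA signingKey)
    {
        string toSign = BuildSignedInput(DeflateBase64(authnRequestXml), relayState, RsaSha256);
        byte[] signature = signingKey.SignData(
            Encoding.UTF8.GetBytes(toSign), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return ssoUrl + "?" + toSign + "&Signature=" + Uri.EscapeDataString(Convert.ToBase64String(signature));
    }

    // IdP side: verify over the query string exactly as received (still encoded).
    public static bool VerifyRedirectQuery(string rawQuery, RSA spPublicKey)
    {
        var parts = new Dictionary<string, string>();
        foreach (string pair in rawQuery.TrimStart('?').Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq > 0) parts[pair.Substring(0, eq)] = pair.Substring(eq + 1);
        }
        if (!parts.ContainsKey("SAMLRequest") || !parts.ContainsKey("SigAlg") || !parts.ContainsKey("Signature"))
            return false;
        // Pin the algorithm: never let the sender choose a weaker one through SigAlg.
        if (Uri.UnescapeDataString(parts["SigAlg"]) != RsaSha256)
            return false;

        string signed = "SAMLRequest=" + parts["SAMLRequest"];
        if (parts.ContainsKey("RelayState")) signed += "&RelayState=" + parts["RelayState"];
        signed += "&SigAlg=" + parts["SigAlg"];

        byte[] signature = Convert.FromBase64String(Uri.UnescapeDataString(parts["Signature"]));
        return spPublicKey.VerifyData(
            Encoding.UTF8.GetBytes(signed), signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static void Main()
    {
        // Constructed copy of the request in the question; no <Signature> element inside.
        string authnRequest =
            "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
            "xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" " +
            "ID=\"_6727de62-72e3-48fd-836a-04332e7b2453\" Version=\"2.0\" IssueInstant=\"2018-08-27T05:07:04Z\" " +
            "Destination=\"https://sso/SSO.saml2\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" " +
            "AssertionConsumerServiceURL=\"http://mysite/login\">" +
            "<saml:Issuer>http://issuersite.com</saml:Issuer>" +
            "<samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\" AllowCreate=\"true\"/>" +
            "</samlp:AuthnRequest>";

        // Throwaway key for the example; in production this is the SP private key whose
        // public certificate is registered at the IdP.
        using (var rsa = new RSACryptoServiceProvider(2048))
        {
            string url = BuildRedirectUrl("https://sso/SSO.saml2", authnRequest, "relay-state-value", rsa);
            string rawQuery = url.Substring(url.IndexOf('?') + 1);
            Console.WriteLine(VerifyRedirectQuery(rawQuery, rsa));
        }
    }
}
```

Compared with the URL in the question, the differences are that the signature covers the encoded SAMLRequest (and RelayState and SigAlg) rather than the XML, that a SigAlg parameter is present, and that the XML itself is sent unsigned; an enveloped <Signature> inside a deflated redirect request is simply ignored by a conforming IdP and its accompanying Signature parameter will never verify.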

how to sign saml 2.0 authnrequest in c#

I am the service provider, using native C# code to generate the SAML 2.0 AuthnRequest and consume the SAMLResponse. The client has asked us to sign the SAML AuthnRequest and then send it to them. We are sending it as HTTP-POST.
Here's the data we have:
The metadata of the IdP containing their x509 certificate.
Our own x509 certificate along with our private key. Used this tool to get a self-signed one: https://www.samltool.com/self_signed_certs.php
Our own SP metadata (entity descriptor), signed using the self-signed certificate and private key, using this tool: https://www.samltool.com/sp_metadata.php
Now, with the above information, how do I sign my AuthnRequest?
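For HTTP-POST the signature does go inside the XML, as an enveloped XMLDSig <Signature> that references the request by its ID attribute and sits directly after <saml:Issuer> (the schema order is Issuer, Signature, Extensions, Subject, NameIDPolicy, ...). The signed document is then base64-encoded into the SAMLRequest form field. Added example using System.Security.Cryptography.Xml, written for this page and not the asker's code; the PFX path and password, the entity ids and the request ID are placeholders, and RSA-SHA256 in SignedXml needs .NET Framework 4.6.2 or later, or .NET Core.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

public static class SamlPostBinding
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    // Sign the AuthnRequest with an enveloped XMLDSig signature referencing its ID attribute.
    public static string SignAuthnRequest(string authnRequestXml, X509Certificate2 signingCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(authnRequestXml);
        string requestId = doc.DocumentElement.GetAttribute("ID");

        var signedXml = new SignedXml(doc) { SigningKey = signingCert.GetRSAPrivateKey() };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        // Reference the whole request by ID. The enveloped transform leaves the Signature element
        // itself out of the digest; exclusive C14N makes the digested bytes namespace-stable.
        var reference = new Reference("#" + requestId) { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);

        // Ship the public certificate so the IdP can match it against the one it has registered.
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(signingCert));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();

        // Schema order for AuthnRequest: Issuer, Signature, Extensions, Subject, NameIDPolicy, ...
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        XmlNode issuer = doc.DocumentElement.SelectSingleNode("saml:Issuer", ns);
        doc.DocumentElement.InsertAfter(doc.ImportNode(signedXml.GetXml(), true), issuer);

        return doc.OuterXml;
    }

    // What the IdP does with it: verify against the SP certificate it already trusts,
    // not against whatever certificate the request's own KeyInfo happens to carry.
    public static bool VerifyAuthnRequest(string signedRequestXml, X509Certificate2 trustedSpCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(signedRequestXml);
        XmlNodeList signatures = doc.GetElementsByTagName("Signature", DsigNs);
        if (signatures.Count != 1) return false;

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)signatures[0]);

        // Exactly one reference, and it must point at the root request, not at some other ID.
        if (signedXml.SignedInfo.References.Count != 1) return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (reference.Uri != "#" + doc.DocumentElement.GetAttribute("ID")) return false;

        // verifySignatureOnly = true skips chain building, which is right for a registered self-signed SP cert.
        return signedXml.CheckSignature(trustedSpCert, true);
    }

    // HTTP-POST binding: the signed XML, base64-encoded, goes into the SAMLRequest form field.
    public static string ToPostFormValue(string signedRequestXml)
        => Convert.ToBase64String(Encoding.UTF8.GetBytes(signedRequestXml));

    public static void Main()
    {
        // Placeholder PFX such as the self-signed pair from samltool.com mentioned in the question.
        var cert = new X509Certificate2("sp-signing.pfx", "pfx-password");
        // Constructed sample request; Issuer is the SP entity id the IdP has on file.
        string request =
            "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
            "xmlns:saml=\"" + SamlNs + "\" ID=\"_7f1a2b3c-0000-4000-8000-000000000001\" Version=\"2.0\" " +
            "IssueInstant=\"2018-08-27T05:07:04Z\" Destination=\"https://idp.example/sso\" " +
            "ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" " +
            "AssertionConsumerServiceURL=\"https://sp.example/acs\">" +
            "<saml:Issuer>https://sp.example</saml:Issuer>" +
            "<samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\" AllowCreate=\"true\"/>" +
            "</samlp:AuthnRequest>";

        string signed = SignAuthnRequest(request, cert);
        Console.WriteLine(VerifyAuthnRequest(signed, cert));
        Console.WriteLine(ToPostFormValue(signed).Length);
    }
}
```

Two details that commonly produce "invalid signature" at the IdP with this binding: any change to the document after ComputeSignature (re-serialising without PreserveWhitespace, adding an XML declaration, trimming the Issuer text) alters the digested bytes, and the ID attribute must be a valid XML ID (start with a letter or underscore, which is why SAML ids conventionally begin with "_").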

How to unencrypt Web API 2 JWT tokens?

I'm trying to work with the OAuth bearer tokens Web API 2 supplies but I don't know how to unencrypt them or get the data out.
What I'd really like to do is either find or write myself an equivalent tool to this Google Tool https://developers.google.com/wallet/digital/docs/jwtdecoder for the tokens I am getting from Web API. The Google tool allows you to paste in the string of text representing a JWT token and it splits it up and unencodes the JSON within.
In Visual Studio 2013 if you choose New ASP.NET project, and then choose the Web API template with individual user accounts you get a sample project that contains a token endpoint. If you start the project, you can then POST a request "grant_type=password&username=joe&password=joe" to /token on the built in webserver and you get a token back:
{
"access_token":"x3vHm40WUXBiMZi_3EmdmCWLLuv4fsgjsg4S5Ya8kppDY_-2ejn7qF5Y_nbQ0bYVIKl6MNzL2GtXv-MAuwjippAAv5VDaxoKdxEVxeFrQ_eXsKNaQK7IvmVs1rIZ9eeRfRGK2AQ59wWQcyTtYO0dPJx9K7PGrSKz4ADAZ9SEZqQ4IesVhYbRCwToyxoyU5L9qdU8jXdHumkIrULRQhf68rIaBrEA_Be-V0rzWJ644fRLvv3z69XoHs3Az7PineILyNwbDck9uU2jkaXnwxoCTa4qlK8bR-lEI9-VXPNdbCvfgb5H9wfYsJcw2CMzNxNhV8v9YVZEt90evylwtTCEpXq4T3zRCQvrpbCvZrXqJ8uvlFeqCsvvhlIkSfPhBY8nm2ocWtBGPZm58zLe5FMi1jept0B54U38ZxkZlrGQKar47jkmnc6gpLrkpDBp7cWz",
"token_type":"bearer",
"expires_in":1209599,
"userName":"joe",
".issued":"Fri, 01 Aug 2014 16:16:02 GMT",
".expires":"Fri, 15 Aug 2014 16:16:02 GMT"
}
What I want to find out is what format the access_token is in and what information is contained.
A clue I found was: you can choose what kind of tokens Web API uses by setting the OAuthAuthorizationServerOptions.AccessTokenFormat property in Startup.Auth.cs. The documentation for OAuthAuthorizationServerOptions says:
"The data format used to protect the information contained in the access token. If not provided by the application the default data protection provider depends on the host server. The SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted servers will use DPAPI data protection. If a different access token provider or format is assigned, a compatible instance must be assigned to the OAuthBearerAuthenticationOptions.AccessTokenProvider or OAuthBearerAuthenticationOptions.AccessTokenFormat property of the resource server."
So it's probably encoded using the MachineKey. That's fine, I can set the Machine Key OK but if I know the machine key that the token was created with, how do I decrypt it?
You are correct about the generation of the token. This token is an encrypted or signed string containing the de-serialized version of all the claims and ticket properties for the signed-in user. If in IIS mode (SystemWeb), the encryption and signing is done via the "decryptionKey" and "validationKey" key values in the machineKey node. If running as a self-hosted OWIN application, the encryption uses the DPAPI to protect it, and that actually uses the 3DES algorithm.
To decrypt it you need to invoke this code in your API controller action method (not necessary, but if you want to see what is inside this encrypted token):
string token = "Your token goes here";
// Unprotect with the same AccessTokenFormat that issued the token (same machineKey / DPAPI keys)
Microsoft.Owin.Security.AuthenticationTicket ticket = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(token);
// ticket.Identity.Claims and ticket.Properties now hold the decrypted claims and issued/expires values
If you need to configure your AuthZ server to issue JWT signed tokens so you can decode them using some online tool such as the Google JWT decoder, then I recommend you read my blog post here about JSON Web Token in ASP.NET Web API 2 using Owin.

.NET client calling HTTPS Java web service

I have an HTTPS Java web service, and I am trying to access the web service with .NET [.NET 2.0 style client / WCF client]. I am getting back this error from the WS:
"HTTP Status 401 - This request requires HTTP authentication ()."
How do I find out what kind of security this WS has?
Besides SSL, I have a user name and password to send to the WS; I believe this is part of message authentication.
The Java client seems to be communicating successfully, and it has a few interesting lines:
System.setProperty("javax.net.ssl.keyStorePassword", new String(jsseKeyStorePassword));
System.setProperty("javax.net.ssl.trustStorePassword", new String(jsseTrustStorePassword));
----------------------------------------------
BindingProvider bindingProvider = (BindingProvider) port;
bindingProvider.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, username);
bindingProvider.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, new String(password));
I would appreciate any help.
Long story short, two problems I had to solve:
1. HTTP Status 401 - This request requires HTTP authentication ()
Changed the authentication scheme to Basic in the VS-generated customBinding in app.config.
2. HTTP/1.1 505 HTTP Version Not Supported
Remove the Expect: 100-continue SOAP header. Add this line: ServicePointManager.Expect100Continue = false;. For the details of the issue, go here.
Long story here: http://www.irasenthil.com/2010/10/wcf-client-to-java-web-service.html
It seems as though the Java WS requires a server and root certificate stored in a couple of key stores. It requires knowledge of the passwords to these key stores to obtain the certificates, which seem to be available in the jsseKeyStorePassword and jsseTrustStorePassword variables.
Also, you should be using at least .NET Framework 3.0 in order to use Windows Communication Foundation.
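Added example (not the answer's code) of the programmatic equivalent of the two fixes above: a CustomBinding whose HTTPS transport uses Basic authentication, which is what the VS-generated customBinding in app.config expresses as <httpsTransport authenticationScheme="Basic" />, and Expect100Continue switched off before the first call. The service contract, URL, SOAP 1.1 message version and credentials are assumptions for the example.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Text;

// Hypothetical contract standing in for the VS-generated proxy interface.
[ServiceContract]
public interface IJavaService
{
    [OperationContract]
    string Ping(string message);
}

public static class JavaWsClient
{
    public static Binding CreateBasicAuthHttpsBinding()
    {
        // Equivalent of the generated customBinding with the transport's authentication
        // scheme switched from Anonymous to Basic. HTTPS is mandatory here: Basic puts the
        // password base64-encoded (not encrypted) in the Authorization header.
        var transport = new HttpsTransportBindingElement
        {
            AuthenticationScheme = AuthenticationSchemes.Basic
        };
        // SOAP version is an assumption; match whatever the service WSDL declares.
        var encoding = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8);
        return new CustomBinding(encoding, transport);
    }

    public static IJavaService CreateClient(string serviceUrl, string userName, string password)
    {
        // The Java side answered 505 to the Expect: 100-continue handshake, so switch it off
        // process-wide before any request goes out.
        ServicePointManager.Expect100Continue = false;

        var factory = new ChannelFactory<IJavaService>(
            CreateBasicAuthHttpsBinding(), new EndpointAddress(serviceUrl));
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;
        return factory.CreateChannel();
    }

    public static void Main()
    {
        // Placeholder endpoint and credentials; read the real ones from protected configuration.
        IJavaService client = CreateClient("https://java-host.example/ws/service", "user", "secret");
        Console.WriteLine(client.Ping("hello"));
    }
}
```

If the keystore in the Java snippet means the service also demands a client certificate (the earlier answer suggests it might), the same binding needs transport.RequireClientCertificate = true and the certificate supplied through factory.Credentials.ClientCertificate; a truststore password alone only concerns which server certificates the Java client accepts and has no .NET counterpart beyond the machine's trusted root store.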
