When I try to pass this JWT (issued by Azure Mobile Services) as a HTTP header/Authorization/Bearer token:
Header:
{
  "alg": "HS256",
  "typ": "JWT",
  "kid": "0"
}
Claims:
{
  "ver": 2,
  "aud": "Facebook",
  "iss": "urn:microsoft:windows-azure:zumo",
  "urn:microsoft:credentials": "pYK8b5...",
  "exp": 1436730730,
  "uid": "Facebook:10000xxxxxxxxxx"
}
Into my ASP.NET Web API, configured as follows:
const string issuer = "urn:microsoft:windows-azure:zumo";
byte[] mobileServicesSecret =
    TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["as:SecretKey"]);

app.UseJwtBearerAuthentication(
    new JwtBearerAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        AllowedAudiences = new[] { "Facebook" },
        IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
        {
            new SymmetricKeyIssuerSecurityTokenProvider(issuer, mobileServicesSecret)
        }
    });
I get:
A first chance exception of type 'System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException' occurred in System.IdentityModel.Tokens.Jwt.dll
I suspect this is because of the presence of the "kid" property?
EDIT: Using this https://github.com/Magenic/JWTvalidator/tree/master/JwtValidator/JwtValidator, it's possible to validate the JWT, so there's nothing wrong with it. But I really want to use OWIN/Katana.
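To make the reported failure mode concrete, here is an added example (not from the question and not Microsoft's library code) that validates an HS256 JWT shaped like the one above in plain Python: the signing key is resolved from the token's "kid" header, and a kid with no registered key is reported as a key-not-found condition, separate from a bad signature, wrong issuer/audience or expiry. The secret, the key ring, the token builder and the fixed "now" value are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

class SignatureKeyNotFound(Exception):
    """No key in the key ring matches the token's 'kid' header."""

class InvalidToken(Exception):
    """Algorithm, signature, issuer, audience or expiry check failed."""

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(header: dict, claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT so the example runs offline (not a real Mobile Services token)."""
    seg = lambda d: _b64url_encode(json.dumps(d, separators=(",", ":")).encode())
    signing_input = f"{seg(header)}.{seg(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"

def validate_hs256(token: str, keys_by_kid: dict, issuer: str, audiences: set, now=None) -> dict:
    """Resolve the signing key by 'kid', then check signature, iss, aud and exp; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have three segments")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # refuse 'none' and any algorithm the key ring was not issued for
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    key = keys_by_kid.get(header.get("kid"))  # key selection is driven by the token's kid header
    if key is None:  # this is the "signature key not found" case, not a signature failure
        raise SignatureKeyNotFound(f"no signing key registered for kid={header.get('kid')!r}")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time comparison
        raise InvalidToken("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != issuer or claims.get("aud") not in audiences:
        raise InvalidToken("issuer or audience not accepted")
    if int(claims.get("exp", 0)) <= (int(time.time()) if now is None else now):
        raise InvalidToken("token expired")
    return claims
```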
Google suggests the following - Calling the tokeninfo endpoint
CustomJwtHandler.cs
TokenInfo.cs
WebApiConfig.cs