Encrypting JWT security token supported algorithms
I'm trying to sign and encode my JWT with this snippet:

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// SomeClaimes is a placeholder for the application's own claims
var claims = new Claim[] { new SomeClaimes() };
var scKey = Encoding.UTF8.GetBytes("SOME KEY");        // signing key (HMAC)
var ecKey = Encoding.UTF8.GetBytes("SOME OTHER KEY");  // key-encryption key
var tokenDescriptor = new SecurityTokenDescriptor {
    Subject = new ClaimsIdentity(claims),
    SigningCredentials = new SigningCredentials(
        new SymmetricSecurityKey(scKey),
        SecurityAlgorithms.HmacSha512),
    EncryptingCredentials = new EncryptingCredentials(
        new SymmetricSecurityKey(ecKey),
        // I tried all possible combinations of algorithms here:
        SecurityAlgorithms.XXXX,   // key-encryption ("alg") placeholder
        SecurityAlgorithms.YYYY),  // content-encryption ("enc") placeholder
    Issuer = "My Jwt Issuer",
    Audience = "My Jwt Audience",
    IssuedAt = DateTime.UtcNow,
    Expires = DateTime.UtcNow.AddDays(7),  // keep all timestamps in UTC
};
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateJwtSecurityToken(tokenDescriptor);
var jwt = tokenHandler.WriteToken(token);

But when I run the code, I get error:

Encryption failed. No support for: Algorithm: '{0}', SecurityKey: '{1}'.

Where {0} and {1} are any combination of XXXX and YYYY in the code above (yes, I wrote a reflection snippet and tried every possible combination of them). Which algorithms are supported for encoding (and decoding) a signed JWT?

Samekh answered 26/11, 2018 at 18:46 Comment(0)
Score: 12

Finally I found the answer:

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// SomeClaimes is a placeholder for the application's own claims
var claims = new Claim[] { new SomeClaimes() };
var scKey = Encoding.UTF8.GetBytes("SOME KEY");
var ecKeyTemp = Encoding.UTF8.GetBytes("SOME OTHER KEY");

// Note that the ecKey must be exactly 256 / 8 = 32 bytes long (A256KW is a 256-bit key wrap).
// Copy at most 32 bytes: Array.Copy with a fixed length of 32 throws when the source is shorter.
// Truncating or zero-padding a passphrase like this only satisfies the length check;
// use a randomly generated 32-byte key in production.
byte[] ecKey = new byte[256 / 8];
Array.Copy(ecKeyTemp, ecKey, Math.Min(ecKeyTemp.Length, ecKey.Length));

var tokenDescriptor = new SecurityTokenDescriptor {
    Subject = new ClaimsIdentity(claims),
    SigningCredentials = new SigningCredentials(
        new SymmetricSecurityKey(scKey),
        SecurityAlgorithms.HmacSha512),
    EncryptingCredentials = new EncryptingCredentials(
        new SymmetricSecurityKey(ecKey),
        SecurityAlgorithms.Aes256KW,              // "alg": wraps the random content key
        SecurityAlgorithms.Aes256CbcHmacSha512),  // "enc": encrypts and authenticates the payload
    Issuer = "My Jwt Issuer",
    Audience = "My Jwt Audience",
    IssuedAt = DateTime.UtcNow,
    Expires = DateTime.UtcNow.AddDays(7),  // keep all timestamps in UTC
};
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateJwtSecurityToken(tokenDescriptor);
var jwt = tokenHandler.WriteToken(token);

As you can see, using SecurityAlgorithms.Aes256KW as the key-encryption algorithm and SecurityAlgorithms.Aes256CbcHmacSha512 as the content-encryption algorithm will do the job. Note that the key used for the encryption algorithm must be 256 / 8 bytes long.

Samekh answered 27/11, 2018 at 17:13 Comment(0)
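The question also asked about decoding. The following is an added example, not code from the answer above: it issues a signed-then-encrypted token with the two algorithms the answer settled on and then validates it, which is where the decryption key has to be supplied. It assumes .NET 6 or later with the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens 6.7+ packages (for RandomNumberGenerator.GetBytes and TokenValidationParameters.ValidAlgorithms); the class, key and claim names are illustrative.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Added example (not from the original answer). Full round trip for a JWS nested in a JWE:
// the key sizes the library enforces, and the validation side of the same token.
static class NestedJwtExample
{
    // Keys are generated at startup for the demo; a real service loads them from a secret store.
    // HS512 should use a 512-bit (64-byte) key; A256KW requires exactly a 256-bit (32-byte) key.
    static readonly byte[] SigningKey  = RandomNumberGenerator.GetBytes(64);
    static readonly byte[] WrappingKey = RandomNumberGenerator.GetBytes(32);

    const string Issuer   = "My Jwt Issuer";
    const string Audience = "My Jwt Audience";

    // Issue a token: the inner JWS is signed with HS512, then the whole JWS is encrypted with a
    // random content-encryption key (A256CBC-HS512) that is itself wrapped with A256KW.
    public static string Create(string subject)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new[] { new Claim(JwtRegisteredClaimNames.Sub, subject) }),
            SigningCredentials = new SigningCredentials(
                new SymmetricSecurityKey(SigningKey), SecurityAlgorithms.HmacSha512),
            EncryptingCredentials = new EncryptingCredentials(
                new SymmetricSecurityKey(WrappingKey),
                SecurityAlgorithms.Aes256KW,              // "alg": key-encryption algorithm
                SecurityAlgorithms.Aes256CbcHmacSha512),  // "enc": content-encryption algorithm
            Issuer = Issuer,
            Audience = Audience,
            IssuedAt = DateTime.UtcNow,
            NotBefore = DateTime.UtcNow,
            Expires = DateTime.UtcNow.AddMinutes(15),     // short-lived; UTC throughout
        };
        return handler.WriteToken(handler.CreateJwtSecurityToken(descriptor));
    }

    // Validate a token: TokenDecryptionKey unwraps and decrypts the JWE, then IssuerSigningKey
    // verifies the inner JWS. Both keys must be present for a nested token.
    public static ClaimsPrincipal Validate(string token, byte[] wrappingKey)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = new SymmetricSecurityKey(SigningKey),
            TokenDecryptionKey = new SymmetricSecurityKey(wrappingKey),
            // Pin the accepted algorithms so a token carrying anything else is rejected. The list
            // is checked against the signature and, in recent versions, the decryption algorithm
            // as well, so it must name everything the token uses.
            ValidAlgorithms = new[]
            {
                SecurityAlgorithms.HmacSha512,
                SecurityAlgorithms.Aes256KW,
                SecurityAlgorithms.Aes256CbcHmacSha512,
            },
            RequireSignedTokens = true,
            RequireExpirationTime = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
        return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
    }

    public static void Main()
    {
        string token = Create("alice");

        // Compact JWE serialization has five dot-separated parts (a bare JWS has three), and the
        // outer header names the two algorithms from the accepted answer.
        var header = new JwtSecurityTokenHandler().ReadJwtToken(token).Header;
        Console.WriteLine($"parts={token.Split('.').Length} alg={header.Alg} enc={header.Enc}");

        // Correct keys: the principal carries the claims of the inner, signed token.
        // The handler maps "sub" to ClaimTypes.NameIdentifier by default.
        var principal = Validate(token, WrappingKey);
        Console.WriteLine(principal.FindFirst(ClaimTypes.NameIdentifier)?.Value);

        // Wrong wrapping key: the A256KW unwrap fails its integrity check, so the library never
        // reaches the signature and rejects the token outright.
        try
        {
            Validate(token, RandomNumberGenerator.GetBytes(32));
        }
        catch (SecurityTokenException ex)
        {
            Console.WriteLine($"rejected: {ex.GetType().Name}");
        }
    }
}
```

The decryption key and the signing key are deliberately different secrets: the wrapping key only protects confidentiality of the envelope, the HMAC key is what proves who issued the inner token, and a validator that is given only one of them cannot accept the nested token.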
Score: -2

HmacSha512 uses just one key to sign or verify the token; try an algorithm like RsaSha256 for public/private key encryption.

Ferrous answered 26/11, 2018 at 20:02 Comment(3)
Pinch: Could you please be more detailed in your answer? Perhaps append some code sample?
Samekh: The question is not about having one or more keys. Please read the question again.
Ferrous: I am not a C# specialist, but HmacSha512 is not a SymmetricSecurityKey; try new AsymmetricSecurityKey or something like that.
