We have answer of your question!

100% solved queries, no empty question

Question: ASP.NET Web API - Authenticated Encrypted JWT Token - Do I need OAuth?



I'm considering using authenticated encrypted JWT tokens to authenticate / authorized access to an ASP.NET Web API application.

Based on what I've read so far, it seems to me like it is an option to generate JWT tokens from a token service and pass them to Web API via the http authorization header.

I have found some good code examples on implementing the JWT creation and consumption (Pro ASP.NET Web API Security by Badrinarayanan Lakshmiraghavan).

I'm trying to understand if I need a full OAuth implementation to support this, or if I can simply pass the tokens along in the auth header.

Assuming the tokens are properly encrypted and signed, is there any inherent security flaw in keeping things simple without having to use OAuth?

Trying to keep things as simple as possible for my needs without compromising security.

Question author Bingles | Source




It is not that you must always OAuth when you use tokens. But given the fact that your application is a JavaScript app, you would be better off implementing a 3-legged authentication. Thinktecture identity server does support implicit grant. But if the client application getting access to the user credential is not a problem for you, your JavaScript app can get the user ID and password from the user and make a token request from a token issuer ensuring the user ID and password are not stored any where in JavaScript app (including DOM). This request for token can be a simple HTTP POST as well and it does not need to be anything related to OAuth. If your end user will not enter the credentials in the client application, OAuth implicit grant is the way. BTW, you don't need to encrypt JWT. TIS issues signed JWT and that will ensure token integrity. But if you are worried about the confidentiality, you can use HTTPS to both obtain the token as well as present the token.

Answer author Badri


Tickanswer.com is providing the only single recommended solution of the question ASP.NET Web API - Authenticated Encrypted JWT Token - Do I need OAuth? under the categories i.e asp.net-web-api , oauth-2.0 , jwt , . Our team of experts filter the best solution for you.

Related Search Queries:

You may also add your answer!