Stream: cds hooks
Topic: JWT signatures
Josh Mandel (Oct 01 2018 at 18:49):
Quick note from bulk data track this weekend: @Michele Mottini noted that in .NET, the standard libraries didn't support RS-384 signatures (but did, for example, support RS-256). Has anyone else run into this?
Brian Postlethwaite (Oct 02 2018 at 02:47):
https://jwt.io/ has the list of all the supported JWT encodings, and it says that it does support that...? Maybe a newer version than last checked?
Brian Postlethwaite (Oct 02 2018 at 02:49):
(That being said, I have only used the Jose.Jwt lib with RS-256)
Chuck Feltner (Oct 02 2018 at 13:52):
@Josh Mandel We have observed the same restriction in the .NET standard libraries. It is also not possible to update to the latest library without upgrading to a different Owin version. So for now we are also just supporting RS-256.
Josh Mandel (Oct 02 2018 at 15:09):
(To be clear, Michele was able to work around and generate RS384 signatures, but it wasn't as straightforward as he had hoped.)
Michele Mottini (Oct 02 2018 at 15:33):
I was using https://www.nuget.org/packages/System.IdentityModel.Tokens.Jwt - and even using the latest version I was not able to sign using RS384 (but maybe I missed something?)
Michele Mottini (Oct 02 2018 at 15:34):
The workaround was to build the JWT header and payload manually and sign them using the standard .NET crypto libraries, which do support RS384.
Michele Mottini (Oct 02 2018 at 15:36):
This was working on a client. For the server we currently use IdentityServer3, which does not seem to support RS384, so our current backend authentication implementation uses RS256 (but it is an area where we have to do some more investigation).
Last updated: Apr 12 2022 at 19:14 UTC