Blog Posts for: Jwt

Creating Authorization Policies dynamically with ASP.NET Core

20 November 2017

ASP.NET Core contains a DefaultAuthorizationPolicyProvider class which resolves authorization policies at runtime. I was watching a recording of the Implementing Authorization for Applications and APIs talk from NDC Oslo by Dominick Baier and Brock Allen and saw a technique they demonstrated to resolve authorization policies dynamically at runtime. I did an internet search and could not find this documented anywhere, so in this blog post I will explain how to do this.

Accessing the OIDC tokens in ASP.NET Core 2.0

01 August 2017

Earlier the year I wrote a blog post which described how to access the JWT Bearer token when using ASP.NET Core 2.0. Though that was specifically for when using the JWT middleware, you could also use that technique when using the OIDC middleware. In ASP.NET Core 1.1 So for example, in ASP.NET Core 1.x, if you wanted to access the tokens (id_token, access_token and refresh_token) from your application, you could set the SaveTokens property when registering the OIDC middleware:

Access the JWT bearer token when using the JWT middleware in ASP.NET Core

26 May 2017

When using JSON Web Tokens (JWTs) as Bearer tokens in your ASP.NET Core Web API, it may sometimes be required to access the actual token which was passed to the API somewhere else in your API. For Remote Map for example I have the requirement to access the user’s full profile under certain conditions. I want to store some of the user’s personal information in the local database, and in order to obtain their information I have to call the /userinfo endpoint of the Auth0 Authentication API.

Manually validating a JWT using .NET

10 April 2017

JSON Web Tokens are commonly used to authorize request made to an API. For this purpose ASP.NET (both OWIN and Core) has middleware which allows you to easily authorize any request by ensuring the token being passed to the API is valid. But what if you want to manually validate a token? At Auth0 we allow signing of tokens using either a symmetric algorithm (HS256), or an asymmetric algorithm (RS256). HS256 tokens are signed and verified using a simple secret, where as RS256 use a private and public key for signing and verifying the token signatures.

Using Roles with the ASP.NET Core JWT middleware

12 July 2016

Here is a great find: The JWT middleware in ASP.NET Core knows how to interpret a “roles” claim inside your JWT payload, and will add the appropriate claims to the ClaimsIdentity. This makes using the [Authorize] attribute with Roles very easy. This is best demonstrated with a simple example. First of all I head over to and create a JSON Web Token with the following payload: { "iss": "", "aud": "blog-readers", "sub": "123456", "exp": 1499863217, "roles": ["Admin", "SuperUser"] } Note the array of roles in the “roles” claim.