Using JwtSecurityToken with HttpClient

I am trying to use a JWT token to query an OpenApi endpoint with an HttpClient. I have been trying to do this for a while now with multiple attempts of different things like Base64 encodings and just putting the JWT token raw into the Authorization header, but the endpoint spits back a 403 Forbidden with "Authentication failed" every time. The validation of the JWT works fine and is done with Microsoft.IdentityModel.Tokens:

public JwtSecurityToken ValidateCurrentToken(string token)
{
    var jwksJson = GetKeyInfo();
    var tokenHandler = new JwtSecurityTokenHandler();
    var keyset = JsonWebKeySet.Create(jwksJson);
    
    var tokenParameters = new TokenValidationParameters();
    tokenParameters.ValidateIssuerSigningKey = true;
    tokenParameters.ValidateIssuer = true;
    tokenParameters.ValidateAudience = false;
    tokenParameters.ValidateLifetime = true;
    tokenParameters.ValidateActor = false;
    tokenParameters.ValidIssuers = new List<string>{ "host1", "host2" };
    tokenParameters.IssuerSigningKey = keyset.Keys.First();

    SecurityToken validatedToken;
    try
    {
        tokenHandler.ValidateToken(token, tokenParameters, out validatedToken);
    }
    catch(Exception e)
    {
        throw new AuthenticationException("Token is not valid: " + e.Message);
    }

    var securityToken = (JwtSecurityToken) validatedToken;
    return securityToken;
}

But I can't figure out what to add to the Authorization header in this section:

public async Task<HttpResponseMessage> GetResponse(HttpClient httpClient, Uri uri, JwtSecurityToken token)
{
    HttpRequestMessage httpRequestMessage = new HttpRequestMessage();
    httpRequestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", <WHAT TO PUT HERE>);
    httpRequestMessage.Method = HttpMethod.Get;
    httpRequestMessage.RequestUri = uri;
    return await httpClient.SendAsync(httpRequestMessage);
}

Some have suggested that I try to urlBase64 encode the JSON data from the token, but no result. Documentation for this all has something to do with services and I can't seem to find any that applies to my issue.



Solution 1:[1]

You already have the token; the ValidateCurrentToken method just does the validation. The string parameter token is your JWT token, which contains three parts concatenated with a dot: Header, Payload and Signature. Header and Payload are base64 encoded. For example, it should look something like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

So you already have the value you need to use; you don't need to convert JwtSecurityToken into a string. Just use the value in the token parameter in the Authorization header. Make sure you leave a blank space between the Bearer keyword and the token.

You can refer to jwt.io for more info about JWT tokens and how they work.

Solution 2:[2]

In regard to <WHAT TO PUT HERE>: take a look at the class JwtSecurityTokenHandler and see if it helps in your case. The suggestion is to use the WriteToken method to get a string of the JWT in compact serialization form.

new JwtSecurityTokenHandler().WriteToken(token)
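
An added example, not part of the original question or answers: it validates a compact JWT and then sends that same compact string, unchanged, as the Bearer credential, so the issuer's signature reaches the API intact. The class BearerExample, the method BuildRequest, the locally signed HS256 demo token and the api.example.invalid URL are assumptions made so the code runs offline; it needs the System.IdentityModel.Tokens.Jwt package.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class BearerExample   // hypothetical name
{
    // Validate the compact JWT, then attach that same string as the bearer credential.
    public static HttpRequestMessage BuildRequest(
        string compactJwt, TokenValidationParameters parameters, Uri uri)
    {
        var handler = new JwtSecurityTokenHandler();
        // Throws a SecurityTokenException subtype on a bad signature, issuer or lifetime.
        handler.ValidateToken(compactJwt, parameters, out SecurityToken validated);
        var jwt = (JwtSecurityToken)validated;

        // RawData is the compact serialization as received: header.payload.signature
        var request = new HttpRequestMessage(HttpMethod.Get, uri);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", jwt.RawData);
        return request;
    }

    public static void Main()
    {
        // Constructed sample: a locally signed token stands in for the real issuer's token.
        var key = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes("constructed-demo-key-32-bytes-min!!"));
        string compactJwt = new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(
            issuer: "host1",
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256)));

        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            ValidateIssuer = true,
            ValidIssuers = new[] { "host1", "host2" },
            ValidateAudience = false,
            ValidateLifetime = true,
            IssuerSigningKey = key   // demo key; the question loads this from a JWKS
        };

        var request = BuildRequest(compactJwt, parameters,
            new Uri("https://api.example.invalid/resource"));   // placeholder URL
        Console.WriteLine(request.Headers.Authorization.Scheme);
        Console.WriteLine(request.Headers.Authorization.Parameter == compactJwt);
    }
}
```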

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Selman Genç
Solution 2