Validate Opaque User Id or helixToken for security in websocket message processing?

Thank you, I had seen that page but glazed over on all the stuff about signing the JWT and missed the obvious validation info.

My websocket server is in C# and I imported the Microsoft JWT stuff.

I added the auth.token from onAuthorized as an attribute to the XML message I’m sending to the websocket server.

Here’s the routine that I’ve come up with and initial testing looks good. If anything doesn’t check out with the validation, the tokenChannelIdStr doesn’t match my expected extensionChannelId and I respond with a failure message. Otherwise, the validation must have worked and the channel IDs match!

using System;
using System.Xml.Linq;
using Microsoft.IdentityModel.Tokens;   // SecurityKey, SymmetricSecurityKey, TokenValidationParameters
using System.IdentityModel.Tokens.Jwt;  // JwtSecurityTokenHandler, JwtSecurityToken
...
// In my websocket onMessage after getting the extensionMessage XML Root Node
string tokenChannelIdStr = "";
XAttribute tokenAttr = extensionMessage.Attribute("JwtToken");
if (tokenAttr != null)
{
    string tokenStr = tokenAttr.Value;
    // The extension secret is base64-encoded; the HMAC key is the decoded bytes
    byte[] secretByteArray = Convert.FromBase64String(extensionJwtSecret);
    SecurityKey secretKey = new SymmetricSecurityKey(secretByteArray);
    SecurityToken validatedToken = null;
    var tokenHandler = new JwtSecurityTokenHandler();
    var tokenParameters = new TokenValidationParameters()
    {
        IssuerSigningKey = secretKey,
        // The token carries no aud or iss claim, so there is nothing to check there
        ValidateAudience = false,
        ValidateIssuer = false
        // Left at library defaults: RequireSignedTokens = true (rejects alg "none"),
        // RequireExpirationTime = true and ValidateLifetime = true (enforces exp)
    };

    try
    {
        // Throws on a bad signature, an expired token or a malformed token
        tokenHandler.ValidateToken(tokenStr, tokenParameters, out validatedToken);
    }
    catch (Exception ex)
    {
        _vaProxy.WriteToLog($"JWT ValidateToken Exception: {ex.Message}", "red");
        validatedToken = null;
    }

    if (validatedToken != null)
    {
        // Read channel_id straight from the payload (no claim-type mapping is applied there)
        if (((JwtSecurityToken)validatedToken).Payload.TryGetValue("channel_id", out var tokenChannelId))
        {
            tokenChannelIdStr = tokenChannelId.ToString();
        }
    }
}

// An empty tokenChannelIdStr (no attribute, validation failure or no channel_id claim)
// must fail even if extensionChannelId happens to be empty as well
if (string.IsNullOrEmpty(tokenChannelIdStr) || tokenChannelIdStr != extensionChannelId)
{
    XElement failMessage = new XElement("ServerReply",
        new XElement("Type", "Fail"),
        new XElement("Message", "JWT Token validation failed"),
        new XElement("Timestamp", DateTime.Now.ToString())
        );
    _vaProxy.WriteToLog("JWT Token does not match our ChannelId!", "red");

    if (this.ConnectionState == WebSocketState.Open)
    {
        Send(failMessage.ToString());
    }
    return;
}
// Carry on, JwtToken looks good...

Any constructive criticism or best practices guidance is appreciated. I’m pretty new to all this, and in particular the tokenParameters used in ValidateToken feel like a shot in the dark.
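The following is an added, self-contained C# example (not the poster's code and not Twitch's) showing the validation parameters spelled out explicitly rather than left at defaults, with a minting helper so the validator can be exercised offline against a good token, a wrong channel, a wrong secret and an expired token. The class and method names are hypothetical, the secret is generated on the spot, and the claim values (channel_id, opaque_user_id, role) are constructed stand-ins for what the real extension JWT carries. It uses the same System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens packages as the snippet above.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper, not from the post above. Secrets and claim values are constructed here.
public static class ExtensionJwtCheck
{
    public sealed class Result
    {
        public bool Ok;
        public string Reason;
        public string OpaqueUserId;
        public string Role;
    }

    // Validate an extension JWT the way the websocket server should: signature with the
    // base64-decoded shared secret, HS256 only, unsigned tokens refused, exp enforced with a
    // small clock skew, and finally the channel_id claim compared to the channel we serve.
    public static Result Validate(string tokenStr, string base64Secret, string expectedChannelId)
    {
        if (string.IsNullOrEmpty(tokenStr) || string.IsNullOrEmpty(expectedChannelId))
            return new Result { Ok = false, Reason = "missing token or expected channel id" };

        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = new SymmetricSecurityKey(Convert.FromBase64String(base64Secret)),
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // pin the algorithm
            RequireSignedTokens = true,           // library default, made explicit: alg "none" is refused
            RequireExpirationTime = true,         // library default, made explicit: no exp, no pass
            ValidateLifetime = true,              // library default, made explicit: exp is enforced
            ClockSkew = TimeSpan.FromSeconds(30), // default is 5 minutes; tighten it
            ValidateAudience = false,             // extension JWTs carry no aud ...
            ValidateIssuer = false                // ... and no iss, so there is nothing to check
        };

        SecurityToken validated;
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(tokenStr, parameters, out validated);
        }
        catch (SecurityTokenException ex)   // bad signature, expired, wrong alg, malformed
        {
            return new Result { Ok = false, Reason = ex.GetType().Name };
        }
        catch (ArgumentException ex)        // older library versions report unparsable input this way
        {
            return new Result { Ok = false, Reason = "malformed token: " + ex.Message };
        }

        // Read claims from the raw payload so the handler's inbound claim-type mapping
        // (which renames "role", for example) does not get in the way.
        var payload = ((JwtSecurityToken)validated).Payload;
        if (!payload.TryGetValue("channel_id", out var channelId) ||
            channelId?.ToString() != expectedChannelId)
            return new Result { Ok = false, Reason = "channel_id mismatch" };

        payload.TryGetValue("opaque_user_id", out var opaque);
        payload.TryGetValue("role", out var role);
        return new Result { Ok = true, Reason = "ok", OpaqueUserId = opaque?.ToString(), Role = role?.ToString() };
    }

    // Stand-in for the token Twitch mints and hands to the front end in onAuthorized;
    // it exists only so the demo can exercise the validator offline.
    public static string Mint(string base64Secret, string channelId, DateTime expiresUtc)
    {
        var creds = new SigningCredentials(
            new SymmetricSecurityKey(Convert.FromBase64String(base64Secret)),
            SecurityAlgorithms.HmacSha256);
        var claims = new[]
        {
            new Claim("channel_id", channelId),
            new Claim("opaque_user_id", "UConstructedDemoUser"), // constructed value
            new Claim("role", "viewer")                            // constructed value
        };
        var jwt = new JwtSecurityToken(claims: claims, expires: expiresUtc, signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // 256-bit random secret, base64-encoded like the one the extension server is configured with.
    public static string NewSecret()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    public static void Main()
    {
        string secret = NewSecret(), otherSecret = NewSecret();
        string good = Mint(secret, "123456", DateTime.UtcNow.AddMinutes(5));

        Console.WriteLine(Validate(good, secret, "123456").Reason);      // ok
        Console.WriteLine(Validate(good, secret, "999999").Reason);      // channel_id mismatch
        Console.WriteLine(Validate(good, otherSecret, "123456").Reason); // a signature exception type
        string expired = Mint(secret, "123456", DateTime.UtcNow.AddMinutes(-5));
        Console.WriteLine(Validate(expired, secret, "123456").Reason);   // SecurityTokenExpiredException
    }
}
```

The practical difference from leaving the parameters at their defaults is small but worth knowing: the defaults already reject unsigned tokens and enforce exp, so the snippet above is sound; pinning ValidAlgorithms and shrinking ClockSkew just removes two things a reader has to look up to be sure of that. Reading channel_id from the payload rather than from the returned ClaimsPrincipal matters because the handler maps some inbound claim names (role among them) to .NET claim-type URIs unless that mapping is turned off.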