Thursday, March 19, 2015


If you are interested in using ASP.NET Web API with OWIN/Katana and JWT (JSON Web Tokens), there is very little documentation from Microsoft to get you started on this path.

Fortunately, this article does a pretty good job:

On the downside, there is no downloadable code sample available and there are lots of defects in the code base:

  1. The first defect is that none of the namespaces that need to be imported are displayed. Therefore, in the MyJwtFormat class you need to import the System.IdentityModel assembly.
  2. In the MyJwtFormat class, you are attempting to sign using a byte array, but the Convert.FromBase64String method fails.
  3. If you use a basic string and use Encoding.UTF8.GetBytes, you will get an error message that you need at least 128 bits.
  4. The MyJwtFormat class does not provide an empty/default constructor, so you will get an error when attempting to call the empty constructor. You will need to add an empty constructor or pass in the OAuthOptions as a parameter. However, because the MyJwtFormat class is being instantiated in the OAuthOptions setup, you cannot pass it in as a parameter!!

Here is the corrected MyJwtFormat class for your review:

using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Text;
using System.Web;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

namespace OAuth2JWTServer
{
    public class MyJwtFormat : ISecureDataFormat<AuthenticationTicket>
    {
        private readonly OAuthAuthorizationServerOptions _options;

        // Empty constructor so the class can be instantiated inside the OAuthOptions setup.
        public MyJwtFormat()
        {
        }

        public MyJwtFormat(OAuthAuthorizationServerOptions options)
        {
            _options = options;
        }

        // HMAC-SHA256 signature algorithm identifier.
        public string SignatureAlgorithm
        {
            get { return SecurityAlgorithms.HmacSha256Signature; }
        }

        // SHA-256 digest algorithm identifier.
        public string DigestAlgorithm
        {
            get { return SecurityAlgorithms.Sha256Digest; }
        }

        // Serializes the ticket's claims into a signed JWT.
        public string Protect(AuthenticationTicket data)
        {
            if (data == null) throw new ArgumentNullException("data");

            var issuer = "localhost";
            var audience = "all";

            // Sample key only: the key must be at least 128 bits. In a real deployment,
            // load it from protected configuration instead of hard-coding it in source.
            var bytes = Encoding.UTF8.GetBytes("+zqf97FD/xyzzyplugh42ploverFeeFieFoeFooxqjE=");

            var now = DateTime.UtcNow;
            var expires = now.AddMinutes(60);

            var signingCredentials = new SigningCredentials(
                                        new InMemorySymmetricSecurityKey(bytes),
                                        SignatureAlgorithm,
                                        DigestAlgorithm);

            var token = new JwtSecurityToken(issuer, audience, data.Identity.Claims,
                                             now, expires, signingCredentials);

            return new JwtSecurityTokenHandler().WriteToken(token);
        }

        // Token validation is not implemented in this class.
        public AuthenticationTicket Unprotect(string protectedText)
        {
            throw new NotImplementedException();
        }
    }
}
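
The class above hard-codes its signing key and leaves validation unimplemented. The following is an added example, not code from the original article: a hypothetical JwtKeyHelper class (its name and methods are assumptions) that generates a 256-bit key for storage as Base64, enforces the 128-bit minimum when loading it, and validates a token written by Protect. It assumes the System.IdentityModel.Tokens.Jwt 4.0.x NuGet package.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography;

namespace OAuth2JWTServer
{
    // Hypothetical helper (added example, not part of the original article).
    public static class JwtKeyHelper
    {
        // Generate a random 256-bit key once; keep the Base64 text in protected configuration.
        public static string NewKeyBase64()
        {
            var key = new byte[32];
            using (var rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(key);
            }
            return Convert.ToBase64String(key);
        }

        // Decode the configured key; reject malformed Base64 and keys shorter than 128 bits.
        public static byte[] LoadKey(string base64Key)
        {
            byte[] key;
            try { key = Convert.FromBase64String(base64Key); }
            catch (FormatException ex)
            {
                throw new InvalidOperationException("Signing key is not valid Base64.", ex);
            }
            if (key.Length < 16)
                throw new InvalidOperationException("Signing key must be at least 128 bits.");
            return key;
        }

        // Check signature, issuer, audience and lifetime of a token written by MyJwtFormat.Protect.
        public static ClaimsPrincipal Validate(string jwt, byte[] key)
        {
            var parameters = new TokenValidationParameters
            {
                ValidIssuer = "localhost",  // must match the issuer used in Protect
                ValidAudience = "all",      // must match the audience used in Protect
                IssuerSigningKey = new InMemorySymmetricSecurityKey(key)
            };
            SecurityToken validatedToken;
            // Throws if any of the checks fails; returns the token's claims otherwise.
            return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out validatedToken);
        }
    }
}
```

The byte array passed to Validate must be the same bytes that Protect used to sign the token.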



This article provides a downloadable code sample. However, it is a bit more complex than the article posted by Scott Allen, and it uses NuGet packages from outside the Microsoft software suite (Thinktecture). Therefore, you will have to decide for yourself whether you want to follow this approach or follow Scott Allen's much simpler approach:
