Decrypting token from cookie with .NET Core WebApi

[xennialex]

Hi!

I'm trying to use the token provided by next-auth (4.0.0-beta.6) in our .NET Core WebApi but can't get it to work.

Found this example that explains how to implement it:
https://www.ovidiudan.com/nextjs-nextauth-asp-net-core-jwt-tokens/

I even tried using only the jose-jwt decrypt function, but it always throws this exception:

System.ArgumentException: AES-GCM algorithm expected key of size 256 bits, but was given 512 bits
   at Jose.JWE.Decrypt(String jwe, Object key, Nullable`1 expectedJweAlg, Nullable`1 expectedJweEnc, JwtSettings settings)
   at Jose.JWT.DecodeBytes(String token, Object key, Nullable`1 expectedJwsAlg, Nullable`1 expectedJweAlg, Nullable`1 expectedJweEnc, JwtSettings settings, Byte[] payload)
   at Jose.JWT.Decode(String token, Object key, Nullable`1 jwsAlg, Nullable`1 jweAlg, Nullable`1 jweEnc, JwtSettings settings, String payload)
   at Jose.JWT.Decode(String token, Object key, JwtSettings settings, String payload)
   at Backend.Test.Models.JoseTest.ShouldWork() in C:\....\JoseTest.cs:line 18

Tried using the function like this:

string token = "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..GUEzLCuSq8tKOQ8T.XKYs2wjqBBjrGL4LNJDpugZDK2A4VqbASaXuKzvOgMmsLasaurrbQ1mOVPNQyIr86HQY56SjHoln2pzQ_sypeyzXNKSRrYh8CcyPJItYk6wKpfhsYejsRZ7r_1DdrWBqmGrQRiaaH-5be1aFh5dx5yM00_Ao0i1fDiWO6w5ndzCut-bMYttpEkav6d3GxfULSXOEGPhiTGFtJeEGf5Haul5Xvh0sd8_OmKz3.M5xfNg3yZ6RA38W4KOXpHw";
byte[] secretKey = Base64Url.Decode("XwrkowE0ijJEgll_EkLMhOeZvD3CcUs89_UKbvxvaCTloyiCnvxNdTFFAITnYkLf24kG4uXQZ793UNKbNHo0Ng");
string json = Jose.JWT.Decode(token, secretKey);

The jwt config looks like this:

  secret: 'blafasel', // process.env.SECRET
  jwt: {
    // How we generated signing key: npm install -g node-jose-tools
    // Then we ran this to generate the signing key: jose newkey -s 512 -t oct -a HS512
    signingKey: {
      kty: 'oct',
      kid: 'btNhhndbpyB9eUDjNJAe05gbBmkuxXgQ6iKfjfj2sPU',
      alg: 'HS512',
      k: 'XwrkowE0ijJEgll_EkLMhOeZvD3CcUs89_UKbvxvaCTloyiCnvxNdTFFAITnYkLf24kG4uXQZ793UNKbNHo0Ng'
    },
  }

Can somebody please give me a hint what I'm doing wrong?
Or maybe even a working code sample?

[balazsorban44]

you aren't supposed to use the NextAuth token in third party. use the token provided by your provider.

[xennialex]

How could I hand over the token from a custom provider (it's a Shibboleth OpenId Connection) to a third party .NET Core WebApi?

[balazsorban44]

Check out the jwt and session callbacks. https://next-auth.js.org/configuration/callbacks you can send your provider's token by attaching it to the API requests in the Authorization header.

[xennialex]

There are two tokens we get in the callback.

I guess the access token should be the one to use for the bearer header, but it seems not to be a JWT (jwt.io encoder can't decode it) token so the WebApi can't validate it. I can get the userinfo just fine with this token though.

The other is the id_token. That's a valid JWT token but as far as I have read it shouldn't be used for api calls and it contains none of the claims that I would need.

[balazsorban44]

The id_token should not be used for accessing protected content. You will need the access_token. It is not a requirement that an access_token will be a JWT though, you will have to check with your identity provider how validation should be done.