Merge pull request #1 from psibernetic/finalization

Finalization

.vscode/launch.json

@@ -0,0 +1,21 @@
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": ".NET Core Launch (console)",
+            "type": "coreclr",
+            "request": "launch",
+            "program": "${workspaceRoot}/src/JwtAndCookie.Example/bin/Debug/netcoreapp1.0/JwtAndCookie.Example.dll",
+            "args": [],
+            "cwd": "${workspaceRoot}",
+            "externalConsole": false,
+            "stopAtEntry": false
+        },
+        {
+            "name": ".NET Core Attach",
+            "type": "coreclr",
+            "request": "attach",
+            "processId": "${command.pickProcess}"
+        }
+    ]
+}

.vscode/tasks.json

@@ -0,0 +1,16 @@
+{
+    "version": "0.1.0",
+    "command": "dotnet",
+    "isShellCommand": true,
+    "args": [],
+    "tasks": [
+        {
+            "taskName": "build",
+            "args": [
+                "src/JwtAndCookie"
+            ],
+            "isBuildCommand": true,
+            "problemMatcher": "$msCompile"
+        }
+    ]
+}

README.md

@@ -1,20 +1,24 @@
-# OwinJwtAndCookie
-An owin middleware for JWT token parsing from Authorization header and cookies with an owin signin delegate with optional cookie writing capabilities.
+# JwtAndCookie
+An owin middleware for JOSE RSA JWE & JWT token parsing from Authorization header and cookies with an owin signin delegate with optional cookie writing capabilities.
 
 ## OWIN configuration
 
-Add the following to your OWIN startup or IAppBuilder, feeding your values from your own configuration scheme.
+Add the following to your ASPNETCORE startup, feeding your values from your own configuration scheme.
 
 ```csharp
-app.UseJwtAndCookieMiddleware(new JwtAndCookieMiddlewareOptions
+app.UseOwin(owin =>
 {
-    PassPhrase = configuration.HmacPassphrase,
-    CookieName = configuration.CookieName,
-    CookiePath = configuration.CookiePath,
-    CookieHttpOnly = true,
-    TokenLifeSpan = TimeSpan.FromMinutes(configuration.TokenLifeSpan),
-    ClaimsPrincipalResourceName = configuration.ClaimsPrincipalResourceName,
-    CreatePrincipal = CreatePrincipal
+    owin((next) =>
+        new JwtAndCookieMiddleware(next, new Options
+        {
+            Certificate = new X509Certificate2("C:\\jwtmiddleware.pfx", "test"),
+            CookieName = "jwt",
+            CookiePath = "/",
+            CookieHttpOnly = true,
+            TokenLifeSpan = TimeSpan.FromMinutes(30),
+            ClaimsPrincipalResourceName = "principal",
+            CreatePrincipal = (payload) => new ClaimsPrincipal(new ClaimsIdentity(new GenericIdentity("meh"))) //Example func
+        }).Invoke);
 });
 ```
 

global.json

@@ -0,0 +1,3 @@
+{
+    "projects": [ "src", "test" ]
+}

src/JwtAndCookie/JwtAndCookieMiddleware.cs

@@ -4,20 +4,24 @@
 using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
-using JWT;
-using AppFunc = System.Func<System.Collections.Generic.IDictionary<string, object>, System.Threading.Tasks.Task>;
 
 namespace OwinJwtAndCookie
 {
+    using System.Security.Cryptography;
+    using System.Security.Cryptography.X509Certificates;
+    using AppFunc = Func<IDictionary<string, object>, Task>;
+
     public class JwtAndCookieMiddleware
     {
         private readonly AppFunc _next;
-        private readonly JwtAndCookieMiddlewareOptions _options;
+        private readonly Options _options;
 
-        public JwtAndCookieMiddleware(AppFunc next, JwtAndCookieMiddlewareOptions options)
+        public JwtAndCookieMiddleware(AppFunc next, Options options)
         {
             _next = next;
             _options = options;
+
+            Jose.JWT.JsonMapper = new Jose.NewtonsoftMapper();
         }
 
         public Task Invoke(IDictionary<string, object> environment)
@@ -61,18 +65,19 @@ public Task Invoke(IDictionary<string, object> environment)
             return _next(environment);
         }
 
-        private void DefineJwtGenerator(IDictionary<string, object> environment, JwtAndCookieMiddlewareOptions options)
+        private void DefineJwtGenerator(IDictionary<string, object> environment, Options options)
         {
             environment["jwtandcookie.signin"] = new Func<Func<Guid, IDictionary<string, object>>, bool, string>(
                 (claimBuilder, buildCookie) =>
                 {
                     var jti = Guid.NewGuid();
-                    var jwt = JsonWebToken.Encode(new Dictionary<string, object>
+                    var jwt = Jose.JWT.Encode(new Dictionary<string, object>
                     {
                         { "jti", jti.ToString() },
                         { "exp",  BuildExpHeader(options) }
-                    }.Union(claimBuilder(jti)).ToDictionary(p => p.Key, p => p.Value), _options.PassPhrase,
-                        JwtHashAlgorithm.HS256);
+                    }.Union(claimBuilder(jti)).ToDictionary(p => p.Key, p => p.Value), 
+                        _options.Certificate.GetRSAPublicKey() as RSACng,
+                        Jose.JweAlgorithm.RSA_OAEP, Jose.JweEncryption.A256GCM);
 
                     if (!buildCookie) return jwt;
 
@@ -84,7 +89,7 @@ private void DefineJwtGenerator(IDictionary<string, object> environment, JwtAndC
                 });
         }
 
-        private static string BuildExpHeader(JwtAndCookieMiddlewareOptions options)
+        private static string BuildExpHeader(Options options)
         {
             var timePeriod = DateTime.UtcNow
                              - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)
@@ -96,14 +101,15 @@ private static string BuildExpHeader(JwtAndCookieMiddlewareOptions options)
 
         private IDictionary<string, object> DecodeAndValidateToken(string token)
         {
-
             IDictionary<string, object> payload = null;
 
             try
             {
-                payload = JsonWebToken.DecodeToObject<Dictionary<string, object>>(token, _options.PassPhrase);
+                payload = Jose.JWT.Decode<IDictionary<string, object>>(token, 
+                    _options.Certificate.GetRSAPrivateKey() as RSACng,
+                    Jose.JweAlgorithm.RSA_OAEP, Jose.JweEncryption.A256GCM);
             }
-            catch (SignatureVerificationException) //No meaningful valid payload, return null.
+            catch (Jose.JoseException) //No meaningful valid payload, return null.
             {
                 return payload;
             }

src/JwtAndCookie/JwtAndCookieMiddlewareOptions.cs → src/JwtAndCookie/Options.cs

@@ -1,24 +1,25 @@
 using System;
 using System.Collections.Generic;
 using System.Security.Claims;
+using System.Security.Cryptography.X509Certificates;
 
 namespace OwinJwtAndCookie
 {
-    public class JwtAndCookieMiddlewareOptions
+    public class Options
     {
-        public JwtAndCookieMiddlewareOptions()
+        public Options()
         {
             CookieHttpOnly = true;
         }
-
-        public string PassPhrase { get; set; }
-
+
         public string CookieName { get; set; }
 
         public string CookiePath { get; set; }
 
         public bool CookieHttpOnly { get; set; }
 
+        public X509Certificate2 Certificate { get; set; }
+
         public string ClaimsPrincipalResourceName { get; set; }
 
         public TimeSpan TokenLifeSpan { get; set; } = TimeSpan.FromMinutes(30);

src/JwtAndCookie/Properties/AssemblyInfo.cs

@@ -32,5 +32,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers 
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.0.0.0")]
-[assembly: AssemblyFileVersion("1.0.0.0")]
+[assembly: AssemblyVersion("2.0.0.0")]
+[assembly: AssemblyFileVersion("2.0.0.0")]