How can I consume a JWT access token in a WCF "restful" endpoint (C#)

We’re trying to consume a JWT access token within a “restful” WCF (webHttpBinding). We are using .NET 4.7 Framework (System.ServiceModel v4.0.0.0). The code is running on a Windows 10 machine (this is a PoC).

Obtaining the token
We obtain the token in a normal dotnet-core web application, as illustrated here: Auth0 ASP.NET Core MVC SDK Quickstarts: Login

Consuming the token
We have tried to adapt the example found on github: auth0-wcf-rest-sample/Wcf-Sample-Net4 at master · auth0/auth0-wcf-rest-sample · GitHub but this example shows using a Symmetric key
This doesn’t appear in the dotnet-core web API example: auth0-aspnetcore-webapi-samples/Quickstart/01-Authorization at master · auth0-samples/auth0-aspnetcore-webapi-samples · GitHub

Does anyone have a working example of authorizing a call to WCF by accepting a JWT access token?

Hi @andrew. auth0-wcf-rest-sample/Wcf-Sample-Net4 at master · auth0/auth0-wcf-rest-sample · GitHub is definitely an old sample, using that JTW.cs file for validating and parsing the JSON web token instead of using the more modern Microsoft libraries from Sytem.IdentityModel.Tokens.Jwt, and only support symmetric keys.

When you create an API in Auth0, however, you can change the token signature algorithm to HS256, however. Have you considered that option?

1 Like

@jamie.hughes pointed me to this gist that might be useful if you want to use RS256:

It’s not a direct fit, but can basically replace lines 48-54 with

    Thread.CurrentPrincipal = tokenHandler.ValidateToken(token, validationParameters, out securityToken);

If you create the TokenValidationParameters instance every time you will be loading an external certificate an unnecessary number of times. You might want to cache the instance with an IoC framework, but that’s up to you.

1 Like