How to Validate JWTs in .NET

Learn how to validate a JSON Web Token (JWT) in different contexts using C# in .NET.
Read more…

:writing_hand:t2: Brought to you by @andrea.chiarelli

1 Like

What are your thoughts, folks? Share it in the comments!

1 Like

While it seems interesting, the challenge I have is that my web server is behind two reverse proxies and does not have direct access to the Internet. Visitors first get on the main server, which will filter based on IP address to block hackers and malicious entities. Then the request gets passed to the second server which will mostly handle the frontend, but can make calls to the backend. Then this second server makes requests to my Web API, where I need authentication. But this server has no connection to the outside World.
So my challenge is to get things to work, and a simple username/password scheme is doable. Something like OpenID is also possible, but requires the website to accept incoming request from the OpenAI server and pass this on to my Web API.
It works okay, though. But that AddOpenIDConnect() part with the callback is a challenge. It means my website needs to understand some of the JWT while I want the Web API to handle it all.
I am not allowed to connect this Web API directly to the Internet, so some of this is very tricky…

Hey @Katje,
Welcome to the Auth0 Community!

While I understand the issue of having an API behind a reverse proxy, it’s not clear to me your specific issue :thinking: In particular,

But that AddOpenIDConnect() part with the callback is a challenge. It means my website needs to understand some of the JWT while I want the Web API to handle it all.

What JWT do you refer to? The ID token or the access token?

If you are talking about the ID token, you shouldn’t send it to the Web API. The ID token is intended for the client (the web app in your case)

If you are talking about the access token, your web app shouldn’t decode it, because it’s intended for the Web API. I understand that you can’t access the .well-known URL from your API in your scenario. In this case, you can validate the access token by providing the security key after manually getting it from the .well-known URL (see this doc for more info)

The problem is indeed the web site calling the web API on the local intranet connection. My gateway to the Internet would be at and my web server at and has a second network connection at to a second gateway at with a Web API at and thus I have two internal networks. The Web API has no access to the Internet and should never have direct access to the Internet.
But the Web API also needs to handle all user information while the website just sees an encrypted token. Any information the site needs about the user needs to be retrieved from the API and each access gets logged.
Which causes a bigger issue as the OpenID authentication is between user and website, but does not get passed on to the Web API. It needs a reliable link to a user in the Web API in some way. But the OpenAI authentication would not be available in the API so somehow, the website needs to link it to an API account.
But the website is not allowed to store any data outside the API.
Also, there is no .well-known url on my Web API as it’s an internal service only, running only internally on a special port without HTTPS. The whole system was internal-use-only but we want to extend functionality to the outside World, in a secure way. Which is why the website gets near the gate to the outside Internet and this one does use SSL and a .well-known folder.
So the problem is that the API knows all the security parts but has no access to the Internet. And the site has access to the Internet but can’t easily access the secure data. There’s the challenge.

Looks like your scenario is more complex than something that can be addressed in a community thread. You may need to speak with someone on the Professional Services team.

1 Like

Meh. We can work out some solution ourselves. There’s plenty of experience in my team. But there are decisions that need to be made to allow some outside access to what’s just an internal project. We want to get around the need of VPN servers for access.
I’m dealing with layers of networks around data, with each layer adding more security. (Most of it sensitive financial data.)
Adding additional professionals to this project would include multiple NDAs and background checks and a lot of hassle.
The biggest problem I have is that no external connection will be allowed for the Web API so we can’t even set up a remote environment for these Professional Services. Only external access would be to the website, which needs to be secure on both sides. Yet the site cannot save any data itself… (Except for some configuration settings in the environment.)
Right now, I’m creating a special login that would allow applications access to the API through an API key and their fixed IP address. This is not considered secure enough yet. Thing is, how to make it more secure?