jsonwebtokens | A rust implementation of Json Web Tokens | JSON Processing library

Reason for Error CS0246 The type or namespace name "TokenValidationParameters" was not found (possibly missing a using directive or assembly reference) is Microsoft.IdentityModel.Tokens Assembly reference is missing in the .cs file. Please import the below namespace in class file.

A C# Console Application project target .NET Framework includes a reference to System.Net.Http by default. If you're not using that reference then you can remove it and that will clear your warning.

Thank you Michal for confirming that what I was doing should have worked, and spurring me to debug the JSONWebToken Nuget package. Since there is no debug info included in the NuGet package I built Microsoft.IdentityModel.JsonWebTokens from source and stepping through that led to the answers.

There were two issues, both fatal.

1. The JWT decryption key ID needs to match the provided decryption key ID, and I was not copying the KID from the JWKS to the RSA object. While I was fixing this I also copied the key size, although the default would have worked. My example code needed to be changed as follows:

You generally have two options:

1. Coerce the result to a IVerified like you do there (you might have to do return (user as any) as IVerified; though to get typescript to do what you want. This is fine as long as you can guarantee that the object returned from jwt.verify adheres to the IVerified interface.

2. Create a helper function that takes in a string | object and does the necessary logic to do runtime validation, deserialization, etc, in order to ensure you get an IVerified back:

Since you did not use either of the libraries(Microsoft.IdentityModel.Clients.ActiveDirectory and Microsoft.Identity.Client) and you only use Azure AD for authentication, so I don't think this change will affect your project.

For your question about why they reference MSAL and Microsoft Graph but not ADAL and Azure AD Graph. In fact, the two are similar and changes are minor. You can refer to this document to know the differences between them.

How do I load a “user” in a micronaut backend when JWT is provided?

I am reading this as you plan to load some kind of User object your database and access it in the controller. If this is the case you need to hook into the place where Authentication instance is created to read the "sub" (username) of the token and then load it from the database.

How to extend authentication attributes with more details ?

By default for JWT authentication is created using JwtAuthenticationFactory and going more concrete default implementation is DefaultJwtAuthenticationFactory. If you plan to load more claims this could be done by replacing it and creating extended JWTClaimsSet or your own implementation of Authentication interface.

How do I access jwt claims ?

You need to check SecurityService -> getAuthentication() ->getAttributes(), it returns a map of security attributes which represent your token serialised as a map.

How to validate that the JWT is valid?

There is a basic validation rules checking the token is not expired and properly signed, all the rest validations especially for custom claims and validating agains a third parties sources have to be done on your own.

If you plan to validate your custom claims, I have already open source a project in this scope, please have a look.

https://github.com/traycho/micronaut-security-attributes

How to extend existing token with extra claims during its issuing ?

It is required to create your own claims generator extending JWTClaimsSetGenerator

I think I solved it. I read that it could have to do with lack of access. I guess on of my tasks in my CD setup isn't working right, because I tried running an APP CMD command to set user profile to loaded as true for my app pool. Supposedly, if this flag is false, the application will by default try to store the private key as the current user, but since no user is loaded, this doesn't work. So I tried with ephemeral keyset instead(in-memory) to avoid access issues and now it works. Not sure what the consequences are of using an in-memory keyset, if the keys are appropriate etc.

You have just configured authorization inside of your pipeline. You need to configure authentication as well. And remember it has to be done prior to authorization inside of the pipeline. Order matters because first we need to authenticate on who the user is and then we need to check what permissions he/she has.

In your code you added expiresIn as part of the payload. But there expiresIn has no meaning and you need to use the standard expclaim for expiration: