Better way to get the Json Web Key in AddJwtBearer

[Vaccano]

Is your feature request related to a problem? Please describe.

I am trying to set the IssuerSigningKey (aka Json Web Key) for the TokenValidationParameters that is provided in AddJwtBearer options class (JwtBearerOptions). I get this value from a web page provided by my IDP.

It is a common practice to put this (and other settings for the IDP, like issuer) on a page hosted by the IDP under .well-known/openid-configuration.

When setting up the AddJwtBearer lambda, there is no way to get access to any classes/objects that are setup to do this. (I wrote the class to get the value and cache it, but I can't get access to it.)

This is because you have two access points in relation to AddJwtBearer:
1. ConfigureServices:
When you define AddJwtBearer in ConfigureServices cannot get any dependency injected services without calling BuildServiceProvider. (Which, if you do, causes two of your singletons to be created for your application.) The other option is to new an object outside the Dependency Injection system. (Which gives you an extra instance as well.)

Either way, if you do this, you can access the value as an implicitly captured closure inside the AddJwtBearer. While ugly, this is the only way that can actually work.

2. When the AddJwtBearer Lambda is Invoked:
At this point there is no way to get access to any dependency injection objects. Not because the graph is not created, but because you don't have an instance of the ServiceProvider to call GetService on.

Describe the solution you'd like

Allow the JwtBearerOptions to call GetRequiredService. Or have an instance of ServiceProvider on it. Or some other way to access the Dependency Injection system in the lambda for AddJwtBearer.

That way you can get an object that will make the call to the IDP page and download the IssuerSigningKey (also known as the Json Web Key).

Additional context

As a side note, it would be nice if the call to AddJwtBearer did not happen during the first call. (That way the first call does not have to take the hit for calling out to the IDP page.) Some point in time around when Configure is called would be nice (after the ServiceProvider is built, but before calls are coming in.)

[javiercn]

@Vaccano thanks for contacting us.

You can create a class that implements IConfigureOptions, register it on DI, resolve dependencies in the constructor and make any configuration you have to within the implementation of Configure.

Would that not work?

[Vaccano]

I would love to do that. But I gave that a go, but it does not seem to work for JwtBearerOptions. Maybe I did it wrong? This is the class I made:

public class ConfigureJwtBearerOptions : IConfigureOptions<JwtBearerOptions>
{
    public ConfigureJwtBearerOptions() { }

    public void Configure(JwtBearerOptions options)
    {
        options.Audience = "RandomTestValue";
    }
}

And then I called it like this:

services.AddSingleton<IConfigureOptions<JwtBearerOptions>, ConfigureJwtBearerOptions>();

The constructor for ConfigureJwtBearerOptions is called at what seems to be the right time (I call httpContext.AuthenticateAsync manually, it is called then.) But ConfigureJwtBearerOptions.Configure is not called. When I get to my breakpoint for the AddJwtBearer lambda, the JwtBearerOptions is there, but the value for Audience is null. (Because Configure is never called.)

I would love to be able to use this pattern if I could get it to work.

[javiercn]

@Vaccano you need to call a different DI overload. TryAddEnumerable(ServiceDescriptor.Singleton<...> and that would do the trick.

[Vaccano]

@javiercn - Thank you!

For any who follow after me, this is what I finally did to get it working. I think it is important to note that I have two different calls to AddJwtBearer (because I get two JWTs in each web call):

services.AddAuthentication()
        // The options for these are setup in ConfigureJwtBearerOptions
        .AddJwtBearer("UserJwt", options =>{})
        .AddJwtBearer("ApplicationJwt", options =>{});

To get this to work right I had to call configure like this:

services.AddTransient<IConfigureOptions<JwtBearerOptions>, ConfigureJwtBearerOptions>();

and then setup my class like this:

public class ConfigureJwtBearerOptions : IConfigureNamedOptions<JwtBearerOptions>
{
    public ConfigureJwtBearerOptions() { }

    public void Configure(JwtBearerOptions options)
    {
        // I decided to throw an exception here.
    }

    public void Configure(string name, JwtBearerOptions options)
    {
        // Setup Stuff Here
    }
}

The key to making this work is that your class has to implement IConfigureNamedOptions but when you register it you have to register it as IConfigureOptions. I don't know why this is, but when I registered it as an IConfigureNamedOptions it did not work. I got that tip from here

Once I did that, the Configure method with a name parameter was called with the name of the AddJwtBearer that was passed in as the first param to that method! I added some of my own classes to the ConfigureJwtBearerOptions constructor for dependency injection to create and it all worked.

It is nothing short of glorious!

Thank you again @javiercn for showing me how to do this!