A ServiceStack v5 plugin to expose and consume JSON Web Key Sets (JWKS) using a subset of the OpenID Connect discovery document.
Potential use cases:
- simplify JSON Web Token signing-key rotation between ServiceStack services
- protect a stateless ServiceStack service with a third-party authentication service that supports OpenID Connect (Azure AD, Auth0, Okta, ...)
- protect an ASP.NET Core app with the Microsoft.AspNetCore.Authentication.JwtBearer middleware, using the OpenID discovery document published by a ServiceStack authentication service
Add the ServiceStack.Jwks NuGet package:

```shell
dotnet add package ServiceStack.Jwks --version 1.0.0
```
On the authentication service (the one that issues tokens with the `JwtAuthProvider`), register `JwksFeature` in the `AuthFeature`:

```csharp
// existing Auth feature using the JwtAuthProvider
var authFeature = new AuthFeature(...);
authFeature.RegisterPlugins.Add(new JwksFeature());
```

The discovery document is now served at `/openid-config` and the JSON Web Key Set at `/jwks`. Only the public parameters of the RSA signing key belong in that document; fetch `/jwks` once after deploying and confirm it carries the public key (`kty`, `n`, `e`) and nothing that could reconstruct the private key.
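A complete AppHost for the issuing side, as an added example that is not code from the ServiceStack.Jwks project. The issuer, audience, appSettings key name, the `ServiceStack.Jwks` namespace and the use of `InMemoryAuthRepository` are assumptions for illustration; the `JwtAuthProvider` settings are the standard ones from ServiceStack.

```csharp
// Added example (not part of ServiceStack.Jwks): AppHost of the token-issuing
// ServiceStack service. Issuer, audience, appSettings names, the plugin
// namespace and the user repository are assumptions for illustration.
using System;
using Funq;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Jwks; // assumed namespace of the plugin

public class AuthAppHost : AppHostBase
{
    public AuthAppHost() : base("Auth API", typeof(AuthAppHost).Assembly) { }

    public override void Configure(Container container)
    {
        // Assumption: the RSA private key was generated once, e.g. with
        // RsaUtils.CreatePrivateKeyParams(RsaKeyLengths.Bit2048).ToPrivateKeyXml(),
        // and is loaded from configuration or a secret store, never from source control.
        var privateKeyXml = AppSettings.GetString("jwt.PrivateKeyXml");

        var authFeature = new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[] {
                new JwtAuthProvider(AppSettings) {
                    HashAlgorithm = "RS256",             // JwksFeature supports RS256/RS384/RS512 only
                    PrivateKeyXml = privateKeyXml,        // the public half is what /jwks publishes
                    Issuer = "https://myauthapi.example.com",
                    Audience = "my-audience",             // consumers must validate the same value
                    ExpireTokensIn = TimeSpan.FromHours(1),
                    RequireSecureConnection = true,       // never hand out bearer tokens over plain HTTP
                },
                // Assumption: users log in with username/password to obtain a JWT
                new CredentialsAuthProvider(AppSettings),
            });

        // Publishes /openid-config and /jwks for the provider's public key
        authFeature.RegisterPlugins.Add(new JwksFeature());
        Plugins.Add(authFeature);

        // Assumption: an in-memory user store backs CredentialsAuthProvider (dev only)
        container.Register<IUserAuthRepository>(c => new InMemoryAuthRepository());
    }
}
```

For the key-rotation use case, generate the new key pair, keep the old public key in the provider's `FallbackPublicKeys` so tokens already signed with it stay valid until they expire, then swap `PrivateKeyXml`. Check what `/jwks` returns after the swap before relying on consumers accepting tokens signed by either key.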
On a ServiceStack service that only validates tokens with the `JwtAuthProviderReader`, register `JwksFeature` in the `AuthFeature` and point it at the authentication service. Use either the discovery URL or the JWKS URL, not both:

```csharp
// existing Auth feature using the JwtAuthProviderReader
var authFeature = new AuthFeature(...);
authFeature.RegisterPlugins.Add(new JwksFeature() {
    OpenIdDiscoveryUrl = "https://myauthapi.example.com/openid-config"
    // or JwksUrl = "https://myauthapi.example.com/jwks"
});
```

The consuming service trusts whatever keys that URL serves, so the URL is the trust anchor: it must be an `https` address whose certificate the service validates.
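A complete AppHost for the consuming side, including a request that is only served with a valid token, as an added example that is not code from the ServiceStack.Jwks project. The audience, issuer, the `ServiceStack.Jwks` namespace and the `GetOrders` service are assumptions for illustration; the reader settings are the standard `JwtAuthProviderReader` ones.

```csharp
// Added example (not part of ServiceStack.Jwks): AppHost of a stateless
// ServiceStack service that validates JWTs issued elsewhere. Audience, issuer,
// plugin namespace and the GetOrders service are assumptions for illustration.
using Funq;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Jwks; // assumed namespace of the plugin

public class ApiAppHost : AppHostBase
{
    public ApiAppHost() : base("Resource API", typeof(ApiAppHost).Assembly) { }

    public override void Configure(Container container)
    {
        var authFeature = new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[] {
                // Reader only: this service verifies signatures, never signs,
                // and therefore holds no private key at all.
                new JwtAuthProviderReader(AppSettings) {
                    HashAlgorithm = "RS256",
                    Issuer = "https://myauthapi.example.com",  // expected `iss` claim
                    Audience = "my-audience",                   // reject tokens minted for other services
                    // PublicKeyXml is deliberately absent: the key comes from /jwks
                    RequireSecureConnection = true,
                },
            });

        // Fetches the issuing service's public key(s) via its discovery document
        authFeature.RegisterPlugins.Add(new JwksFeature() {
            OpenIdDiscoveryUrl = "https://myauthapi.example.com/openid-config"
        });
        Plugins.Add(authFeature);
    }
}

// Assumed request/response DTOs: [Authenticate] rejects calls without a valid JWT
[Authenticate]
[Route("/orders", "GET")]
public class GetOrders : IReturn<GetOrdersResponse> { }

public class GetOrdersResponse
{
    public string UserName { get; set; }
}

public class OrdersService : Service
{
    public object Get(GetOrders request)
    {
        // The session is populated from the verified JWT claims, no server-side state needed
        var session = SessionAs<AuthUserSession>();
        return new GetOrdersResponse { UserName = session.UserName };
    }
}
```

Because the reader validates `aud`, a token issued for another service with the same signing key is still rejected here; keep audiences distinct per service rather than sharing one value across all of them.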
In an ASP.NET Core app, point the Microsoft.AspNetCore.Authentication.JwtBearer middleware at the ServiceStack discovery document:

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class StartUp {
    public void ConfigureServices(IServiceCollection services) {
        ...
        services.AddAuthentication(options => {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        }).AddJwtBearer(options => {
            // must match the configured audience on the ServiceStack Auth service
            options.Audience = "my-audience";
            // ServiceStack Auth service discovery url; RequireHttpsMetadata defaults
            // to true, so keep this an https address rather than relaxing that check
            options.MetadataAddress = "https://myauthapi.example.com/openid-config";
            // optional: map the Identity Name property to the `name` claim used by ServiceStack
            options.TokenValidationParameters.NameClaimType = "name";
        });
    }

    public void Configure(IApplicationBuilder app) {
        ...
        // authenticate the user in the presence of a JWT Bearer token;
        // endpoints still need [Authorize] (and app.UseAuthorization() on ASP.NET Core 3.0+)
        app.UseAuthentication();
        ...
    }
}
```
Supported algorithms are the asymmetric RSA algorithms (RS256, RS384, RS512). Symmetric HS* providers cannot be exposed: a JWKS publishes public keys, and publishing an HMAC secret would hand every consumer the ability to mint tokens.

The metadata isn't technically valid according to the OpenID Connect Discovery specification. ServiceStack isn't an OpenID Provider, and the document is only used to expose information about the `JwtAuthProvider`, so it supports token validation (as in the JwtBearer example above) but cannot drive an OpenID Connect login flow.