Allow creation of a customized header using JsonWebTokenHandler #1210

Closed
GeoK opened this issue Jun 24, 2019 · 8 comments · Fixed by #1223
Labels
Enhancement The issue is a new feature

Member

GeoK commented Jun 24, 2019

Some customers have expressed the need for a facility that allows setting custom attributes in the header part, during token creation.


steveoshima commented Sep 28, 2019

FYI, this currently isn't working with RSA-PSS support.
For more info see code snippet below:
```csharp
var handler = new JsonWebTokenHandler();
handler.SetDefaultTimesOnTokenCreation = false;
return handler.CreateToken(
    jwt.Payload,
    new SigningCredentials(key, SecurityAlgorithms.RsaSsaPssSha256),
    new Dictionary<string, object>());
```
The key generation code is not shown but can confirm it works with standard RSA algorithm just not RSA-PSS.

I have tried a few branches which have the customized header support on the CreateToken function but all behave the same when using the RSA-PSS algorithm.

I will try and dedicate more time to add some tests, or an example repo if the above isn't enough.
FYI using .NET Core 2.2.100 on macOS. Building branch mafurman/customJwtHeader using build.sh
When I use dev branch the additional header params are not supported in the CreateToken function.
Thanks.

@steveoshima

You will see the test is missing additional header setup; if this is added I'm sure the error will occur.

Member Author

GeoK commented Oct 16, 2019

Hi @steveoshima - There is support for additional header claims, in both dev5x and dev branches.

I wasn't able to reproduce the issue you are facing, both on Windows and Mac, using different .net frameworks, even when changing the test as suggested here: #1223 (comment).

Please provide us with more information. What exactly is not working? Are you not seeing the additional header claims when you use RSA-PSS claim, or are you unable to create/sign a token?
Code sample and/or a repro project would be very helpful, together with the full stack trace.


steveoshima commented Oct 16, 2019

Hi, when using the public 5.5.0 NuGet release it does not allow
```csharp
CreateToken(jwt.Payload, new SigningCredentials(key, SecurityAlgorithms.RsaSsaPssSha256), new Dictionary<string, object>());
```
With a branch such as mafurman/customJwtHeader, which does allow the above, I find SecurityAlgorithms.RsaSsaPssSha256 is not supported when attempting to generate the signed JWT.
When I use the dev branch neither SecurityAlgorithms.RsaSsaPssSha256 nor additional header parameters are allowed, building using build.sh then updating my project with the new built nupkg from the artifact folder. The dev branch causes this error using:
```csharp
CreateToken(jwt.Payload, new SigningCredentials(key, SecurityAlgorithms.RsaSsaPssSha256));
```
```
NotSupportedException: IDX10634: Unable to create the SignatureProvider. Algorithm: 'PS256', SecurityKey: 'Microsoft.IdentityModel.Tokens.RsaSecurityKey' is not supported.
```
(yet works for the public NuGet 5.5.0 release)

Member Author

GeoK commented Oct 16, 2019

Correct, support for additional header claims is coming in v5.6.0.
How are you creating a SecurityKey ("key")?

Is your key an RSAOpenSsl object?


steveoshima commented Oct 17, 2019

I'm using the NuGet package PemUtils to read in a private key - https://github.com/huysentruitw/pem-utils
e.g.
```csharp
using (var stream = new MemoryStream(Encoding.UTF8.GetBytes("PrivateKeyHere")))
{
    using (var reader = new PemReader(stream))
    {
        var key = new RsaSecurityKey(RSA.Create(reader.ReadRsaKey()));
        key.KeyId = "KidHere";
        var handler = new JsonWebTokenHandler();
        handler.SetDefaultTimesOnTokenCreation = false;
        return handler.CreateToken(jwt.Payload, new SigningCredentials(key, SecurityAlgorithms.RsaSsaPssSha256));
    }
}
```

When is 5.6.0 due for release? Would be useful to get ASAP. Thanks and good work.

Member Author

GeoK commented Oct 17, 2019

We will release 5.6.0 on Friday or early next week.

Can you check if your key is an RSACryptoServiceProvider or an RSAOpenSsl object?
RSACryptoServiceProvider doesn't support PSS.
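
A diagnostic for the question above, added here as an example (it is not code from this thread or from the library's repository): it reports the concrete RSA type, probes whether that type can sign with PSS padding, then creates a PS256 token with an extra header claim and prints the resulting header. It assumes Microsoft.IdentityModel.JsonWebTokens 5.6.0 or later for the three-argument `CreateToken` overload; the throwaway key, the `example-kid` key id, the `x-example` header name and the payload are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

static class Ps256HeaderCheck
{
    // True when this RSA implementation can produce an RSASSA-PSS signature.
    // Implementations without PSS support throw instead of signing.
    static bool SupportsPss(RSA rsa)
    {
        try
        {
            rsa.SignData(new byte[] { 1 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
            return true;
        }
        catch (CryptographicException) { return false; }
        catch (NotSupportedException) { return false; }
    }

    static void Main()
    {
        using (RSA rsa = RSA.Create())      // constructed throwaway key, not a real credential
        {
            rsa.KeySize = 2048;
            Console.WriteLine($"{rsa.GetType().FullName}: PSS supported = {SupportsPss(rsa)}");
            if (!SupportsPss(rsa))
                return;                     // PS256 signing cannot work with this key object

            var key = new RsaSecurityKey(rsa) { KeyId = "example-kid" };
            var credentials = new SigningCredentials(key, SecurityAlgorithms.RsaSsaPssSha256);

            // Hypothetical custom header claim; the name and value are placeholders.
            var extraHeader = new Dictionary<string, object> { { "x-example", "value" } };

            var handler = new JsonWebTokenHandler { SetDefaultTimesOnTokenCreation = false };
            string token = handler.CreateToken("{\"sub\":\"example\"}", credentials, extraHeader);

            // Decode the first JWT segment to confirm alg, kid and the custom claim.
            string headerJson = Base64UrlEncoder.Decode(token.Split('.')[0]);
            Console.WriteLine(headerJson);
        }
    }
}
```

Running the same probe against the `RSA` object actually passed to `RsaSecurityKey` shows whether an `IDX10634` failure comes from the key's implementation type or from the library build in use.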

@steveoshima

The private key is generated from RSAOpenSsl object yes.

@GeoK GeoK modified the milestones: 6.x, 5.6.0 Oct 18, 2019