So this is how I validate a JWT bearer token in backend:
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.Authority = $"https://{Configuration["Auth0:Authority"]}";
    options.Audience = Configuration["Auth0:Audience"];
});
It works fine, as .NET Core consults the authority to get the required info (such as the signing key) under the hood. In my case it talks to the Auth0 servers via https://<MY TENANT>.auth0.com/.well-known/openid-configuration.
The problem is that my application cannot talk to the Auth0 server when I deploy it in an intranet that has no internet access. Here's the error I get:
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://< My TENANT >.auth0.com/.well-known/openid-configuration'.
I tried feeding the RSA key manually, but no luck, and the same error:
AddJwtBearer(options =>
{
    // Authority is still set here, so the handler still tries to fetch the metadata document
    options.Authority = $"https://{Configuration["Auth0:Domain"]}";
    options.Audience = Configuration["Auth0:Audience"];
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateLifetime = true,
        RequireSignedTokens = true,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = GetRsaKey(),
    };
});

// Builds the RSA public key from the "n" (modulus) and "e" (exponent) members of the tenant's JWK
private SecurityKey GetRsaKey()
{
    // Both values are base64url-encoded in the JWK; Base64UrlEncoder (Microsoft.IdentityModel.Tokens)
    // does that decoding (the original post used an undefined Decode helper for this)
    byte[] modulus = Base64UrlEncoder.DecodeBytes("r5cpJ....-fUGjJCH1QQ");
    byte[] exponent = Base64UrlEncoder.DecodeBytes("A...AB");
    var rsaParameters = new RSAParameters
    {
        Modulus = modulus,
        Exponent = exponent
    };
    // RSA.Create() works on every platform (RSACryptoServiceProvider is Windows-only on .NET Core).
    // The RSA object must not be disposed here: RsaSecurityKey keeps using it for every token validation.
    var rsa = RSA.Create();
    rsa.ImportParameters(rsaParameters);
    return new RsaSecurityKey(rsa);
}
Any workaround?
TokenValidationParameters can be used in the scenario where you want to validate tokens without access to the issuing server. Then you do not set the Authority; set ValidateIssuerSigningKey and ValidateIssuer, and finally set IssuerSigningKey, which is the public key used for validating incoming JWT tokens. Here and here are code samples.
But the problem is that because you can't talk to Auth0, you can't get the latest public key to validate the tokens issued by Auth0, so you should confirm that your local public key is in sync with the newest public ones from Auth0. If authentication is also controlled by you, you can consider using IdentityServer4, which is a local authentication/SSO framework, or you can implement JWT authentication as shown here.
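The configuration the answer describes, written out as an added example (this is not the asker's or the answerer's code). It assumes ASP.NET Core with the Microsoft.AspNetCore.Authentication.JwtBearer package, and configuration keys named Auth0:Domain, Auth0:Audience and Auth0:JwksPath (our naming); Auth0:JwksPath points at a copy of the tenant's JWKS document, fetched once from https://<MY TENANT>.auth0.com/.well-known/jwks.json and deployed alongside the application. Loading the whole key set rather than a single modulus/exponent pair keeps the current and previous signing keys available, which is what the answer's key-sync caveat is about: the file still has to be refreshed whenever the tenant rotates keys, but a token signed with either key validates in the meantime.

```csharp
// Added example, not code from the original question or answer.
// Offline JWT validation for an ASP.NET Core API that cannot reach Auth0 at runtime:
// no Authority is set, so the JwtBearer handler never requests
// /.well-known/openid-configuration and IDX20803 cannot occur.
// Assumed configuration keys (our naming): Auth0:Domain, Auth0:Audience, Auth0:JwksPath.
using System;
using System.IO;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class OfflineJwtBearer
{
    // Parse a JWKS document into signing keys. JsonWebKey derives from SecurityKey and
    // carries its own "kid", so the handler can select the key named in the token header.
    // Keeping every key in the file (current and previous) covers Auth0 signing-key
    // rotation as long as the file is refreshed when the tenant rotates.
    public static JsonWebKeySet LoadJwks(string path)
    {
        string json = File.ReadAllText(path);
        var jwks = new JsonWebKeySet(json);
        if (jwks.Keys.Count == 0)
            throw new InvalidOperationException($"No keys found in JWKS file '{path}'.");
        return jwks;
    }

    public static void AddOfflineJwtBearer(this IServiceCollection services, IConfiguration configuration)
    {
        var jwks = LoadJwks(configuration["Auth0:JwksPath"]);

        // Without metadata discovery the issuer must be given literally. Auth0 puts a
        // trailing slash in the "iss" claim, so the expected value must include it to match.
        string issuer = $"https://{configuration["Auth0:Domain"]}/";

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        }).AddJwtBearer(options =>
        {
            // Deliberately no options.Authority and no options.MetadataAddress.
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = issuer,
                ValidateAudience = true,
                ValidAudience = configuration["Auth0:Audience"],
                ValidateIssuerSigningKey = true,
                IssuerSigningKeys = jwks.Keys,          // all keys from the JWKS copy
                RequireSignedTokens = true,
                ValidateLifetime = true,
                ClockSkew = TimeSpan.FromMinutes(2),    // tighter than the 5-minute default
                // Auth0 APIs sign with RS256 by default; pinning the algorithm rejects
                // tokens that name any other "alg" (e.g. HS256 or none).
                ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
            };
        });
    }
}
```

Call it from ConfigureServices as `services.AddOfflineJwtBearer(Configuration);` in place of the AddAuthentication/AddJwtBearer block from the question. Because ValidIssuer and ValidAudience are now literal strings rather than values discovered from the metadata document, a mismatch (most often the missing trailing slash on the issuer) shows up as an IDX10205/IDX10214 validation failure in the handler's logs rather than as IDX20803, which is the signal to compare the configured values against the claims of a real token from the tenant.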