Using Microsoft.AspNetCore.Authentication.JwtBearer, I have been unable to figure out how to change the "Bearer " key in the header to something else; in this case I'd like it to be "Token ".
Startup.cs:

    services.AddAuthentication(x =>
    {
        x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(x =>
    {
        x.RequireHttpsMetadata = false;
        x.SaveToken = true;
        x.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(key),
            ValidateIssuer = false,
            ValidateAudience = false,
            ValidateLifetime = true,
            ValidIssuer = Configuration.GetValue<string>("JwtIssuer"),
            ValidAudience = Configuration.GetValue<string>("JwtAudience"),
        };
        x.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = context =>
            {
                if (context.Exception.GetType() == typeof(SecurityTokenExpiredException))
                {
                    context.Response.Headers.Add("Token-Expired", "true");
                }
                return Task.CompletedTask;
            }
        };
    });
When I do something like:

    GET {{protocol}}://{{url}}/users HTTP/1.1
    Authorization: Bearer {{token}}

the token works, but I could not figure out how to customize it to be something like:

    GET {{protocol}}://{{url}}/users HTTP/1.1
    Authorization: Token {{token}}
The implementation of the JwtBearer authentication handler lives inside of JwtBearerHandler, where the Authorization header is read and split using the format "Bearer ...". Here's what that looks like:

    string authorization = Request.Headers["Authorization"];

    // If no authorization header found, nothing to process further
    if (string.IsNullOrEmpty(authorization))
    {
        return AuthenticateResult.NoResult();
    }

    if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
    {
        token = authorization.Substring("Bearer ".Length).Trim();
    }

    // If no token found, no further work possible
    if (string.IsNullOrEmpty(token))
    {
        return AuthenticateResult.NoResult();
    }
As the code above shows, this is hardcoded to use Bearer. However, JwtBearerEvents includes an OnMessageReceived property that allows you to hook into the process for retrieving the JWT from the incoming request. If you provide an implementation for this event, you can use your own processing to extract the JWT however you'd like.

Taking the implementation from above with a few changes, that event handler implementation would look something like this:
    x.Events = new JwtBearerEvents
    {
        // ...
        OnMessageReceived = context =>
        {
            string authorization = context.Request.Headers["Authorization"];

            // If no authorization header found, nothing to process further
            if (string.IsNullOrEmpty(authorization))
            {
                context.NoResult();
                return Task.CompletedTask;
            }

            if (authorization.StartsWith("Token ", StringComparison.OrdinalIgnoreCase))
            {
                context.Token = authorization.Substring("Token ".Length).Trim();
            }

            // If no token found, no further work possible
            if (string.IsNullOrEmpty(context.Token))
            {
                context.NoResult();
                return Task.CompletedTask;
            }

            return Task.CompletedTask;
        }
    };
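As an added check that is not part of the question or the answer above, the following self-contained program wires the same OnMessageReceived extraction into an in-memory TestServer and sends one JWT under both header schemes, so you can confirm that "Token" is accepted and that the handler's default "Bearer" parsing no longer is. It assumes a Microsoft.NET.Sdk.Web project referencing the Microsoft.AspNetCore.Authentication.JwtBearer and Microsoft.AspNetCore.TestHost packages; the key and the /users endpoint are constructed for the demo.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.TestHost;
using Microsoft.IdentityModel.Tokens;
// Constructed demo key (HS256 needs >= 32 bytes); a real key comes from configuration, never a literal.
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-key-at-least-32-bytes!!"));
var builder = WebApplication.CreateBuilder();
builder.WebHost.UseTestServer(); // in-memory server, no sockets opened
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(x =>
    {
        x.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true, IssuerSigningKey = key, ValidateLifetime = true,
            ValidateIssuer = false, ValidateAudience = false,
        };
        x.Events = new JwtBearerEvents
        {
            OnMessageReceived = ctx =>
            {
                // Same extraction as the answer above: accept only "Token <jwt>".
                string? auth = ctx.Request.Headers.Authorization;
                if (!string.IsNullOrEmpty(auth) && auth.StartsWith("Token ", StringComparison.OrdinalIgnoreCase))
                    ctx.Token = auth["Token ".Length..].Trim();
                if (string.IsNullOrEmpty(ctx.Token))
                    ctx.NoResult(); // also suppresses the handler's built-in "Bearer " fallback
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization();
var app = builder.Build(); app.UseAuthentication(); app.UseAuthorization();
app.MapGet("/users", () => "ok").RequireAuthorization(); // constructed protected endpoint
await app.StartAsync();
// Mint a JWT with the same key, so only the header scheme differs between the two requests.
var jwt = new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(
    claims: new[] { new Claim("sub", "alice") }, expires: DateTime.UtcNow.AddMinutes(5),
    signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256)));
var client = app.GetTestClient();
foreach (var scheme in new[] { "Token", "Bearer" })
{
    var res = await client.SendAsync(new HttpRequestMessage(HttpMethod.Get, "/users")
        { Headers = { Authorization = new AuthenticationHeaderValue(scheme, jwt) } });
    Console.WriteLine($"{scheme} -> HTTP {(int)res.StatusCode}");
}
await app.StopAsync();
```

The Token request should be authenticated and the Bearer request challenged with a 401, which is the behaviour to verify after switching schemes: calling NoResult in the event is what stops the handler from falling back to its own "Bearer " parsing.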