JWT Guard

[wcabus]

JWT Guard is a free, open source, integration test suite written in C# for testing the security of JSON Web Token (JWT) implementations. Using a dotnet new template, you can easily add an JWT Guard integration test project to your existing ASP.NET Core Web API if it uses access tokens for gaining access to your API's resources.

At this moment, the tests will verify:

• valid/invalid audiences
• valid/invalid token types
• valid/invalid issuers
• allowed/disallowed signature algorithms
• self-signed tokens are blocked (using jwk, jku, x5c and x5u claims)

The test suite uses Duende IdentityServer currently only to generate signature key material and to allow the API to find the public keys using the .well-known endpoint, but you could add additional tests which make use of Duende's additional capabilities (refreshing tokens, validating against replay attacks, ...)

If you want to give JWT Guard a go, head over to https://jwtguard.net for more documentation or https://github.com/wcabus/jwt-guard for the source code 🙂

[maartenba]

That's pretty cool! Thanks for sharing @wcabus!

This makes me wonder if it would also make sense to have a similar setup for the client, e.g. to check the configuration in terms of flow to use, secrets, audience, ... is configured correctly. (though this is probably more of an integration test scenario)

[wcabus]

Yes, a similar question came up when I gave a session about (integration) testing access token validation at a conference. Every bit of your security configuration which is static could benefit from an integration test to verify that settings don't change abruptly. Or when you update a dependency, that default settings don't suddenly change for the worse!