Added SigningKey parameter to JWT Token generator (fixes #913) (#914)

* Added SigningKey parameter to JWT Token generator fixes #913

* Added BadRequest result if signing key lenght is lower then 32 or empty

---------

Co-authored-by: Luca Congiu <luca.congiu@microsoft.com>
Co-authored-by: Waldek Mastykarz <waldek@mastykarz.nl>

Author: 3 people

dev-proxy/ApiControllers/ProxyController.cs

@@ -55,6 +55,11 @@ public void StopProxy()
     [HttpPost("createJwtToken")]
     public IActionResult CreateJwtToken([FromBody] JwtOptions jwtOptions)
     {
+        if (jwtOptions.SigningKey != null && jwtOptions.SigningKey.Length < 32)
+        {
+            return BadRequest("The specified signing key is too short. A signing key must be at least 32 characters.");
+        }
+
         var token = JwtTokenGenerator.CreateToken(jwtOptions);
 
         return Ok(new JwtInfo { Token = token });

dev-proxy/CommandHandlers/JwtBinder.cs

@@ -6,8 +6,8 @@
 using System.CommandLine.Binding;
 
 namespace Microsoft.DevProxy.CommandHandlers
-{    
-    public class JwtBinder(Option<string> nameOption, Option<IEnumerable<string>> audiencesOption, Option<string> issuerOption, Option<IEnumerable<string>> rolesOption, Option<IEnumerable<string>> scopesOption, Option<Dictionary<string, string>> claimsOption, Option<double> validForOption) : BinderBase<JwtOptions>
+{
+    public class JwtBinder(Option<string> nameOption, Option<IEnumerable<string>> audiencesOption, Option<string> issuerOption, Option<IEnumerable<string>> rolesOption, Option<IEnumerable<string>> scopesOption, Option<Dictionary<string, string>> claimsOption, Option<double> validForOption, Option<string> signingKeyOption) : BinderBase<JwtOptions>
     {
         private readonly Option<string> _nameOption = nameOption;
         private readonly Option<IEnumerable<string>> _audiencesOption = audiencesOption;
@@ -16,6 +16,7 @@ public class JwtBinder(Option<string> nameOption, Option<IEnumerable<string>> au
         private readonly Option<IEnumerable<string>> _scopesOption = scopesOption;
         private readonly Option<Dictionary<string, string>> _claimsOption = claimsOption;
         private readonly Option<double> _validForOption = validForOption;
+        private readonly Option<string> _signingKeyOption = signingKeyOption;
 
         protected override JwtOptions GetBoundValue(BindingContext bindingContext)
         {
@@ -27,7 +28,8 @@ protected override JwtOptions GetBoundValue(BindingContext bindingContext)
                 Roles = bindingContext.ParseResult.GetValueForOption(_rolesOption),
                 Scopes = bindingContext.ParseResult.GetValueForOption(_scopesOption),
                 Claims = bindingContext.ParseResult.GetValueForOption(_claimsOption),
-                ValidFor = bindingContext.ParseResult.GetValueForOption(_validForOption)
+                ValidFor = bindingContext.ParseResult.GetValueForOption(_validForOption),
+                SigningKey = bindingContext.ParseResult.GetValueForOption(_signingKeyOption)
             };
         }
     }

dev-proxy/Jwt/JwtCreatorOptions.cs

@@ -1,6 +1,8 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
+using System.Security.Cryptography;
+
 namespace Microsoft.DevProxy.Jwt;
 
 internal sealed record JwtCreatorOptions
@@ -14,6 +16,7 @@ internal sealed record JwtCreatorOptions
     public required IEnumerable<string> Roles { get; init; }
     public required IEnumerable<string> Scopes { get; init; }
     public required Dictionary<string, string> Claims { get; init; }
+    public required string SigningKey { get; init; }
 
     public static JwtCreatorOptions Create(JwtOptions options)
     {
@@ -27,7 +30,8 @@ public static JwtCreatorOptions Create(JwtOptions options)
             Scopes = options.Scopes ?? [],
             Claims = options.Claims ?? [],
             NotBefore = DateTime.UtcNow,
-            ExpiresOn = DateTime.UtcNow.AddMinutes(options.ValidFor ?? 60)
+            ExpiresOn = DateTime.UtcNow.AddMinutes(options.ValidFor ?? 60),
+            SigningKey = (string.IsNullOrEmpty(options.SigningKey) ? RandomNumberGenerator.GetHexString(32) : options.SigningKey)
         };
     }
 }

dev-proxy/Jwt/JwtOptions.cs

@@ -12,4 +12,5 @@ public class JwtOptions
     public IEnumerable<string>? Scopes { get; set; }
     public Dictionary<string, string>? Claims { get; set; }
     public double? ValidFor { get; set; }
+    public string? SigningKey { get; set; }
 }

dev-proxy/Jwt/JwtTokenGenerator.cs

@@ -2,7 +2,7 @@
 // Licensed under the MIT License.
 
 using System.IdentityModel.Tokens.Jwt;
-using System.Security.Cryptography;
+using System.Text;
 
 namespace Microsoft.DevProxy.Jwt;
 
@@ -14,7 +14,7 @@ internal static string CreateToken(JwtOptions jwtOptions)
 
         var jwtIssuer = new JwtIssuer(
             options.Issuer,
-            RandomNumberGenerator.GetBytes(32)
+            Encoding.UTF8.GetBytes(options.SigningKey)
         );
 
         var jwtToken = jwtIssuer.CreateSecurityToken(options);

dev-proxy/ProxyHost.cs

@@ -382,14 +382,15 @@ public RootCommand GetRootCommand(ILogger logger)
 
         var jwtClaimsOption = new Option<Dictionary<string, string>>("--claims",
             description: "Claims to add to the token. Specify once for each claim in the format \"name:value\".",
-            parseArgument: result => {
+            parseArgument: result =>
+            {
                 var claims = new Dictionary<string, string>();
                 foreach (var token in result.Tokens)
                 {
                     var claim = token.Value.Split(":");
 
                     if (claim.Length != 2)
-                    {   
+                    {
                         result.ErrorMessage = $"Invalid claim format: '{token.Value}'. Expected format is name:value.";
                         return claims ?? [];
                     }
@@ -416,7 +417,26 @@ public RootCommand GetRootCommand(ILogger logger)
         jwtValidForOption.AddAlias("-v");
         jwtCreateCommand.AddOption(jwtValidForOption);
 
-        jwtCreateCommand.SetHandler( 
+        var jwtSigningKeyOption = new Option<string>("--signing-key", "The signing key to sign the token. Minimum length is 32 characters.");
+        jwtSigningKeyOption.AddAlias("-k");
+        jwtSigningKeyOption.AddValidator(input =>
+        {
+            try
+            {
+                var value = input.GetValueForOption(jwtSigningKeyOption);
+                if (string.IsNullOrWhiteSpace(value) || value.Length < 32)
+                {
+                    input.ErrorMessage = $"Requires option '--{jwtSigningKeyOption.Name}' to be at least 32 characters";
+                }
+            }
+            catch (InvalidOperationException ex)
+            {
+                input.ErrorMessage = ex.Message;
+            }
+        });
+        jwtCreateCommand.AddOption(jwtSigningKeyOption);
+
+        jwtCreateCommand.SetHandler(
             JwtCommandHandler.GetToken,
             new JwtBinder(
                 jwtNameOption,
@@ -425,7 +445,8 @@ public RootCommand GetRootCommand(ILogger logger)
                 jwtRolesOption,
                 jwtScopesOption,
                 jwtClaimsOption,
-                jwtValidForOption
+                jwtValidForOption,
+                jwtSigningKeyOption
             )
         );
         jwtCommand.Add(jwtCreateCommand);