I'm trying to work with the OAuth bearer tokens Web API 2 supplies but I don't know how to unencrypt them or get the data out.
What I'd really like to do is either fi
You are correct about the generation of the token. This token is an encrypted or signed string that contains the de-serialized version of all the claims and ticket properties for the signed-in user. If in IIS mode (SystemWeb), the encryption and signing is done via the "decryptionKey" and "validationKey" key values in the machineKey node. If running as a self-host OWIN application, the encryption uses the DPAPI to protect it, and that actually uses the 3DES algorithm.
To decrypt it you need to invoke this code in your API controller action method (not necessary, but useful if you want to see what is inside this encrypted token):
// The raw access token value (without the "Bearer " prefix).
string token = "Your token goes here";
// Unprotect with the same AccessTokenFormat the server used to issue the token;
// returns null when the token cannot be decrypted or its signature does not validate.
Microsoft.Owin.Security.AuthenticationTicket ticket = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(token);
If you need to configure your AuthZ server to issue JWT signed tokens so you can decode them using an online tool such as Google's JWT decoder, then I recommend reading my blog post here about JSON Web Tokens in ASP.NET Web API 2 using OWIN.
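The following is an added example (not code from the question, the answer, or the Katana project) of a diagnostic Web API 2 action that unprotects the bearer token from the incoming Authorization header and returns its claims and ticket properties. It assumes, as the answer does, that `Startup` exposes the bearer middleware options as a public static `OAuthBearerOptions` property; the controller name and route are hypothetical. It also shows the two checks the one-liner above leaves out: `Unprotect` returns `null` for a token issued under a different key, tampered with, or malformed, and it does not enforce expiry, so the action evaluates `ExpiresUtc` itself.

```csharp
using System;
using System.Linq;
using System.Web.Http;
using Microsoft.Owin.Security;

// Hypothetical diagnostic controller. Assumes Startup declares:
//   public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; }
// and assigns it in Configuration() before calling app.UseOAuthBearerAuthentication(...).
[RoutePrefix("api/tokeninfo")]
public class TokenInfoController : ApiController
{
    [HttpGet, Route("")]
    public IHttpActionResult Get()
    {
        // Expect "Authorization: Bearer <token>"; reject any other scheme or an empty value.
        var auth = Request.Headers.Authorization;
        if (auth == null
            || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrWhiteSpace(auth.Parameter))
        {
            return Unauthorized();
        }

        // Unprotect with the same data protector that issued the token. Katana's
        // SecureDataFormat returns null instead of throwing when decryption or
        // signature validation fails, so a null here means "not our token".
        AuthenticationTicket ticket = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(auth.Parameter);
        if (ticket == null || ticket.Identity == null)
        {
            return Unauthorized();
        }

        // Unprotect does not check expiry; the bearer middleware does that separately.
        // When inspecting a ticket outside the middleware pipeline, check it explicitly.
        DateTimeOffset? expires = ticket.Properties.ExpiresUtc;
        bool expired = expires.HasValue && expires.Value < DateTimeOffset.UtcNow;

        return Ok(new
        {
            authenticationType = ticket.Identity.AuthenticationType,
            name = ticket.Identity.Name,
            issuedUtc = ticket.Properties.IssuedUtc,
            expiresUtc = expires,
            expired,
            claims = ticket.Identity.Claims.Select(c => new { c.Type, c.Value }).ToList(),
            // Non-claim ticket properties (e.g. ".issued", ".expires", custom keys).
            properties = ticket.Properties.Dictionary
        });
    }
}
```

Because this action echoes every claim and property the ticket carries, treat it as a development-time aid: keep it behind the same bearer authentication as the rest of the API, or remove it from production builds, so it does not become a convenient way to enumerate what a stolen token grants.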