JSON Web Token (JWT) is a common authentication method in modern web development In this article, we will explore How to implement JWT Authentication and Authorization in ASP.NET Core application.
Create an Asp.NET Core Web API Project
Assuming you have Visual Studio 2019 or Visual Studio 2022 installed, follow these steps to create a new ASP.NET Core Project
- Open the visual studio (IDE).
- Click on the “Create new project” option.
- Choose “ASP.NET Core Web API” from the list of available templates.
- Click the Next button.
- The configure a new project, specify the name and location of your project.
- Click the “Next” button.
- Then select .Net Core as the runtime and choose the version from the dropdown list at the top.
- Make sure to uncheck the checkboxes for “Enable Docker Support” and “Configure for HTTPS” since we won’t be using authentication.
- Click the “Create” button
Install the JwtBearer NuGet Package
Add the “Microsoft.AspNetCore.Authentication.JwtBearer” NuGet package to your project.
- Select the project Solution in the Explorer window
- Right-click and select “Manage NuGet Packages”
- In the NuGet Package Manager window, search for the “Microsoft.AspNetCore.Authentication.JwtBearer”
- Click on the Install button.
Another way to install the package “Microsoft.AspNetCore.Authentication.JwtBearer” via Package Manager Console
PM> Install-Package Microsoft.AspNetCore.Authentication.JwtBearer
Specify a Secret Key in the appsettings.json file
Add the following information in the appettings.json file.
"JWT": {
"key": "YouSecreteKeyforAuthenticationtovalidateApplication",
"Issuer": "reactconf.org",
"Audience": "reactconf.org"
},Configure JWT authentication in the Program.cs file
using dotNet8CRUDWebAPI.Services;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Text;
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
builder.Services.AddAuthentication(option =>
{
option.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
option.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
option.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(opt =>
{
opt.TokenValidationParameters = new TokenValidationParameters
{
ValidIssuer = builder.Configuration["Jwt:Issuer"],
ValidAudience= builder.Configuration["Jwt:Audience"],
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"])),
ValidateIssuer=true,
ValidateAudience=true,
ValidateLifetime=false,
ValidateIssuerSigningKey=true
};
});
builder.Services.AddControllers();
builder.Services.AddSingleton<IDepartment,DepartmentServices>();
var app = builder.Build();
// Configure the HTTP request pipeline.
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
Create a User Model in ASP.NET Core
For storing the login credentials of the users, we need to create a class named Login in the Model folder.
namespace dotNet8CRUDWebAPI.Model
{
public class Login
{
public string username { get; set; }
public string password { get; set; }
}
}
Generate JWT Tokens
We are Creating another controller named “TokenGenerate” to generate and validate the JWT. Create action method “Post”, this method generated token in response to an initial request to the API, then use it for authorization in all subsequent requests.
using dotNet8CRUDWebAPI.Model;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity.Data;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
namespace dotNet8CRUDWebAPI.Controllers
{
[Route("api/[controller]")]
[ApiController]
public class TokenGenerateController : ControllerBase
{
private readonly IConfiguration _configuration;
//private SymmetricSecurityKey _key;
public TokenGenerateController(IConfiguration configuration)
{
_configuration = configuration;
}
[HttpPost]
public IActionResult Post(Login loginRequest)
{
if (loginRequest.username == "Admin" || loginRequest.password == "Passw0rd")
{
var issuer = _configuration["Jwt:Issuer"];
var audience = _configuration["Jwt:Audience"];
var _key = Encoding.ASCII.GetBytes(_configuration["Jwt:Key"]);
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new[]
{
new Claim("Id",Guid.NewGuid().ToString()),
new Claim(JwtRegisteredClaimNames.Sub, loginRequest.username),
new Claim(JwtRegisteredClaimNames.Email, loginRequest.username),
new Claim(JwtRegisteredClaimNames.Jti,Guid.NewGuid().ToString())
}),
Expires = DateTime.UtcNow.AddMinutes(10),
Issuer = issuer,
Audience = audience,
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(_key), SecurityAlgorithms.HmacSha256Signature)
};
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateToken(tokenDescriptor);
var jwttoken = tokenHandler.WriteToken(token);
var stringToken = tokenHandler.WriteToken(token);
return Ok(stringToken);
}
return Ok("Unauthorized");
}
}
}Handling Authorization Checks
To handle authorization checks, you can use the [Authorize] attribute on controller and actions method.
namespace dotNet8CRUDWebAPI.Controllers
{
[Authorize]
[Route("api/[controller]")]
[ApiController]
public class DepartmentController : ControllerBase
{
private readonly IDepartment _department;
public DepartmentController(IDepartment department)
{
_department = department;
}
[HttpGet]
public IActionResult Get([FromQuery] bool? isActive=null)
{
return Ok(_department.GetAllList(isActive));
}
}
}Now simply run the application or press F5 to run
Generate Token
Authorization Checks
