What is JWT
JSON Web Token( JWT) is an open standard used for securely transmitting information between parties as a JSON object. JSON Web Tokens are very useful for various scenarios like authorization purposes or Information exchange using digitally signed key-value pairs. Below is sample JWT token example:
We shall be creating a simple .NET Core service which will create JWT token programmatically for a given set of credentials. However, you can use any project type as needed.
Build the JWT Token
We shall be making use of class JwtSecurityToken for initializing new instances of token-based in parameters like Symmterickey, credentials, and expiry, etc.
Here I shall be making use above class within a .NET Core Controller so that we are able to expose an API endpoint for returning newly generated JWT token to the user.
Let’s define the configuration properties to be used for generating the JWT token. Here below is an example of a configuration we shall be used to generate the JWT.
As above I have defined the properties to be used in class JwtSecurityToken.
- SecretKey– SigningCredentials with Secured algorithm and key that signs the security token.
- Issuer – A valid issuer that will be used to check against the token’s issuer.
- Audience – A valid audience that will be used to check against the token’s audience
- TokenExpiry– Define the lifetime expiry of the token once issued from current date and timestamp
Note: The secret key length should be a minimum of 128 bits i.e (16 bytes)
Below is the basic implementation of the custom BuildToken() method.
The above generic method can be used in any type of application like batch, or console, etc if needed. Lets now complete our Controller method using the above logic.
In the below implementation, I have added additional security on the Controller method to validate the user credentials requesting the new JWT token.
I have used the POST method so that login credentials can be sent before issuing the JWT token.
Below is the method to validate the user requesting new JWT token,
LoginModel class is defined as below,
Now you can use the above token to secure your API to validate the authentication and see if it is working fine.
JWT Authentication example
We shall now cover below aspects of enabling JWT authentication in ASP.NET Core API,
- Install the JWT middleware
- Configure the JWT Bearer scheme
- Securing an API
- Generate JWT Token
- Verifying Secured API Responses HttpStatus(200 and 401)
Enable JWT Authentication scheme
Enabling JWT authentication in ASP.NET Core WebAPI is about registering the JWT Authentication middleware within the request pipeline.
Please note that the JWT middleware component was built into .NET Core 2.2 frameworks previously. But ASP.NET Core 3.0 onwards it needs to be installed through the Nuget package separately.
NuGet Package Manager CLI
Now let’s see step by steps required for enabling JWT bearer scheme by adding the below using namespaces to use the same in the code,
In Startup.cs please update ConfigServices() method to register JWT Authentication scheme and use AddAuthentication() extension methods for setting up authentication services in a ServiceCollection as below.
Here we have set DefaultAuthenticateScheme as JwtBearerDefaults.
You may want to set up the configuration accordingly if supporting multiple authentication scheme in the same API.
TokenValidationParameters are explained as below. This is as per the MSDN definition.
- ValidateIssuerSigningKey – Gets or sets a boolean that controls if validation of the SecurityKey that signed the securityToken is called.
- ValidIssuer – Gets or sets a String that represents a valid issuer that will be used to check against the token’s issuer.
- ValidateIssuer – Gets or sets a value indicating whether the Issuer should be validated. True means Yes validation required.
- ValidAudience – Gets or sets a string that represents a valid audience that will be used to check against the token’s audience.
- ValidateAudience – Gets or sets a boolean to control if the audience will be validated during token validation.
- ValidateLifetime – Gets or sets a boolean to control if the lifetime will be validated during token validation.
The following is the final implementation of the Configure() method.
In the above example, CORS will be needed only if your API needs to be supporting cross-domain calls.
The next step is to enable authentication using [Authorize] attribute as below. [Authorize] attribute can also be applied at the Controller level (if you need to secure all methods within a Controller)
Configure Secretes Key and Token
The configuration file used in applications is as shown below.
The appsetting.json file has specified the values for the issuer, the audience, and the signing key, and these key-value pairs will be accessible through the configuration in ASP.NET Core using Dependency Injection easily. One can supply required values through an Environment variable or YAML or Secrete Storage if any (if the host environment is Cloud etc.)
There is a limitation of the SecretKey length used in the SymmetricSecurityKey before signing and generating the signed credentials. It’s recommended using a 128-bit key, generated with cryptographic algorithms as per RFC2104. For .NET/.NET Core, the key Secret key should be a minimum of 128 bits i.e (16 bytes).
Secured programming is not an afterthought process. It needs to be considered on the day first. It is an integral part of any application development and today in this article we understood how to create/generate JSON Web Token (JWT) token to secure .NET Core applications like WebAPI or other types in a few simple steps. We understood how to use the JWT bearer token to secure ASP .NET Core applications in a few easy steps. We also exposed this functionally as an API/Service so that it can be leveraged by other API or Applications.