DEV Community

loading...
Cover image for JWT in dotnet core

JWT in dotnet core

Arjun Shetty
・2 min read

One of the ways to secure the API's is using JWT. This is how it works, We will create a controller with an AllowAnonymous action. Make sure you have Authorize attribute over all of your controllers otherwise you have a potential loophole dangling in there.

jwt flow diagram

Here is the Action method

[AllowAnonymous]
[HttpPost]
public IActionResult Login([FromBody]User user)
{
    var authUserToken = _loginService.Login(user.Username, user.Password);

    if (authUserToken == null)
        return BadRequest(new { message = "Username or password is incorrect" });

    return Ok(new { AccessToken = authUserToken });
}
Enter fullscreen mode Exit fullscreen mode

The login service is another entity which actually generates the Web Token using Microsoft.IdentityModel.Tokens

private string GenerateJSONWebToken(User user)
{
    //secret token and the algorithm to use
    var secretToken = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_settings.SecretToken));
    var credentials = new SigningCredentials(secretToken, SecurityAlgorithms.HmacSha256);

    // creating a with one hour validity. 
    var token = new JwtSecurityToken(_settings.TokenIssuer,
    null,
    null,
    expires: DateTime.Now.AddHours(1),
    signingCredentials: credentials);

    return new JwtSecurityTokenHandler().WriteToken(token);
}
Enter fullscreen mode Exit fullscreen mode

To generate token we need to pass a secret string which ideally should be long enough otherwise, it will fail to generate. Here we are creating a token which is valid for 1 hour.

The generated token will be in this format xxxxx.yyyyy.zzzzz which is equivalent to header.payload.signature. You can verify the generated and the signature using jwt.io.

Any request to your API now should send this below header

Authorization:Bearer {{jwt}}

Which will be intercepted by the Authorize attribute and verified.

For Authorize attribute to work, we need to say dotnetcore using ConfigureServices like this in StartUp.cs file

services.AddAuthentication(a =>
{
    a.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    a.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(x =>
{
    x.RequireHttpsMetadata = false;
    x.SaveToken = true;
    x.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(secretToken),
        ValidateIssuer = false,// validate the server that generates the token
        ValidateAudience = false//validate the user who generates token is authorized
    };
});
Enter fullscreen mode Exit fullscreen mode

Photo by ZSun Fu on Unsplash

Discussion (1)