DEV Community

Cover image for JWT in dotnet core
Arjun Shetty
Arjun Shetty

Posted on

JWT in dotnet core

#jwt #dotnetcore #security #api

One of the ways to secure the API's is using JWT. This is how it works, We will create a controller with an AllowAnonymous action. Make sure you have Authorize attribute over all of your controllers otherwise you have a potential loophole dangling in there.

jwt flow diagram

Here is the Action method

[AllowAnonymous]
[HttpPost]
public IActionResult Login([FromBody]User user)
{
    var authUserToken = _loginService.Login(user.Username, user.Password);

    if (authUserToken == null)
        return BadRequest(new { message = "Username or password is incorrect" });

    return Ok(new { AccessToken = authUserToken });
}
Enter fullscreen mode Exit fullscreen mode

The login service is another entity which actually generates the Web Token using Microsoft.IdentityModel.Tokens

private string GenerateJSONWebToken(User user)
{
    //secret token and the algorithm to use
    var secretToken = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_settings.SecretToken));
    var credentials = new SigningCredentials(secretToken, SecurityAlgorithms.HmacSha256);

    // creating a with one hour validity. 
    var token = new JwtSecurityToken(_settings.TokenIssuer,
    null,
    null,
    expires: DateTime.Now.AddHours(1),
    signingCredentials: credentials);

    return new JwtSecurityTokenHandler().WriteToken(token);
}
Enter fullscreen mode Exit fullscreen mode

To generate token we need to pass a secret string which ideally should be long enough otherwise, it will fail to generate. Here we are creating a token which is valid for 1 hour.

The generated token will be in this format xxxxx.yyyyy.zzzzz which is equivalent to header.payload.signature. You can verify the generated and the signature using jwt.io.

Any request to your API now should send this below header

Authorization:Bearer {{jwt}}

Which will be intercepted by the Authorize attribute and verified.

For Authorize attribute to work, we need to say dotnetcore using ConfigureServices like this in StartUp.cs file

services.AddAuthentication(a =>
{
    a.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    a.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(x =>
{
    x.RequireHttpsMetadata = false;
    x.SaveToken = true;
    x.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(secretToken),
        ValidateIssuer = false,// validate the server that generates the token
        ValidateAudience = false//validate the user who generates token is authorized
    };
});
Enter fullscreen mode Exit fullscreen mode

Photo by ZSun Fu on Unsplash

Top comments (0)

Read next

uendi_hoxha profile image

Dockerfile Best Practices: Writing Efficient and Secure Docker Images

Uendi Hoxha -

sertxudev profile image

Create a self-signed certificate with your own root CA

Sergio Peris -

daviekim13 profile image

The Evolution of File Access Security in Android: Navigating Path Restrictions from Android 1.0 to Android 15

David Njoroge -

neelp03 profile image

10 Common API Development Mistakes and How to Avoid Them

Neel Patel -