DEV Community

Cover image for JWT in dotnet core
Arjun Shetty
Arjun Shetty

Posted on

JWT in dotnet core

#jwt #dotnetcore #security #api

One of the ways to secure the API's is using JWT. This is how it works, We will create a controller with an AllowAnonymous action. Make sure you have Authorize attribute over all of your controllers otherwise you have a potential loophole dangling in there.

jwt flow diagram

Here is the Action method

[AllowAnonymous]
[HttpPost]
public IActionResult Login([FromBody]User user)
{
    var authUserToken = _loginService.Login(user.Username, user.Password);

    if (authUserToken == null)
        return BadRequest(new { message = "Username or password is incorrect" });

    return Ok(new { AccessToken = authUserToken });
}
Enter fullscreen mode Exit fullscreen mode

The login service is another entity which actually generates the Web Token using Microsoft.IdentityModel.Tokens

private string GenerateJSONWebToken(User user)
{
    //secret token and the algorithm to use
    var secretToken = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_settings.SecretToken));
    var credentials = new SigningCredentials(secretToken, SecurityAlgorithms.HmacSha256);

    // creating a with one hour validity. 
    var token = new JwtSecurityToken(_settings.TokenIssuer,
    null,
    null,
    expires: DateTime.Now.AddHours(1),
    signingCredentials: credentials);

    return new JwtSecurityTokenHandler().WriteToken(token);
}
Enter fullscreen mode Exit fullscreen mode

To generate token we need to pass a secret string which ideally should be long enough otherwise, it will fail to generate. Here we are creating a token which is valid for 1 hour.

The generated token will be in this format xxxxx.yyyyy.zzzzz which is equivalent to header.payload.signature. You can verify the generated and the signature using jwt.io.

Any request to your API now should send this below header

Authorization:Bearer {{jwt}}

Which will be intercepted by the Authorize attribute and verified.

For Authorize attribute to work, we need to say dotnetcore using ConfigureServices like this in StartUp.cs file

services.AddAuthentication(a =>
{
    a.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    a.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(x =>
{
    x.RequireHttpsMetadata = false;
    x.SaveToken = true;
    x.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(secretToken),
        ValidateIssuer = false,// validate the server that generates the token
        ValidateAudience = false//validate the user who generates token is authorized
    };
});
Enter fullscreen mode Exit fullscreen mode

Photo by ZSun Fu on Unsplash

Top comments (0)

Read next

websitedevelopmentco profile image

Why we use API in mobile application development?

Algosoft Apps Technologies -

jeanvittory profile image

JWT & Refresh Tokens 🔒

Jean Carlo Vittory Laguna -

craigmcl profile image

The good, the bad and the ugly of the XZ vulnerability (CVE 2024-3094)

Craig McLuckie -

jimmydqv profile image

Protect API Gateway with Amazon Verified Permissions

Jimmy Dahlqvist -