DEV Community: Benjamin Mikkelsen The latest articles on DEV Community by Benjamin Mikkelsen (@bmi). https://dev.to/bmi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F456357%2Fa28008e7-dac3-4c89-9efe-a49e5cddc7fa.jpg DEV Community: Benjamin Mikkelsen https://dev.to/bmi en Getting started with JWT authorization - .NET Core edition Benjamin Mikkelsen Fri, 11 Sep 2020 07:57:04 +0000 https://dev.to/itminds/getting-started-with-jwt-authorization-net-core-edition-20ae https://dev.to/itminds/getting-started-with-jwt-authorization-net-core-edition-20ae <p>This blog post will teach you how to issue JSON Web Tokens (JWT) from a .NET Core 3.1 Web API – the guide should also be somewhat applicable to .NET Core 2.2. </p> <p>JWTs makes it possible to securely transmit data between parties – such as a client and a server. A JWT consists of three things:</p> <ol> <li>A header that usually defines the signing algorithm and the token type,</li> <li>A payload containing claims such as expiration time and custom data such as user UID and user type,</li> <li>A signature consisting of Base 64 Url encoded header and Base 64 Url encoded payload and a secret key.</li> </ol> <p>A JWT will look something like this: </p> <p><code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c</code></p> <p>Which basically translates to the following:</p> <p><code>base64urlEncoding(header) + '.' + base64urlEncoding(payload) + '.' + base64urlEncoding(HMAC-SHA256(secret,base64urlEncoding(header) + '.' +base64urlEncoding(payload)))</code></p> <p>This JWT is taken from <a href="https://jwt.io/">https://jwt.io/</a>, where you can decode, verify and generate tokens.</p> <p>For this guide I assume you have already created a basic .NET Core Web API. If you haven't, then use <code>dotnet new webapi</code> in an empty folder.</p> <p>The code used in the example can be found <a href="https://github.com/Drsela/JSON-Web-Token-NET-Core-Example">on GitHub</a></p> <h1> Installing required NuGet Packages </h1> <p>For this demo you have to add the following NuGet packages to your solution:</p> <ul> <li>Microsoft.AspNetCore.Authentication.JwtBearer</li> <li>Microsoft.EntityFrameworkCore.SqlServer</li> </ul> <h1> Basic setup of models and Authorize Attribute </h1> <p>I’ll be using EF Core to save information to a database for this demonstration. The relevant information regarding the User model can be seen here:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="k">public</span> <span class="k">class</span> <span class="nc">User</span> <span class="p">{</span> <span class="p">[</span><span class="n">Key</span><span class="p">]</span> <span class="k">public</span> <span class="n">Guid</span> <span class="n">Id</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">UserName</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">Password</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="n">UserType</span> <span class="n">Type</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">public</span> <span class="k">enum</span> <span class="n">UserType</span> <span class="p">{</span> <span class="n">Regular</span> <span class="p">=</span> <span class="m">1</span><span class="p">,</span> <span class="n">Admin</span> <span class="p">=</span> <span class="m">2</span><span class="p">,</span> <span class="n">SuperUser</span> <span class="p">=</span> <span class="m">3</span> <span class="p">}</span> </code></pre> </div> <p>In this instance a user can have one of three types. These types will be used to restrict some endpoints - and therefore implement authorization. </p> <p>To implement these roles in your controllers, you must create a custom <strong>AuthorizeAttribute</strong> as such:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="k">public</span> <span class="k">class</span> <span class="nc">AuthorizeRolesAttribute</span> <span class="p">:</span> <span class="n">AuthorizeAttribute</span> <span class="p">{</span> <span class="k">public</span> <span class="nf">AuthorizeRolesAttribute</span><span class="p">(</span><span class="k">params</span> <span class="n">UserType</span><span class="p">[]</span> <span class="n">roles</span><span class="p">)</span> <span class="p">:</span> <span class="k">base</span><span class="p">()</span> <span class="p">{</span> <span class="n">Roles</span> <span class="p">=</span> <span class="kt">string</span><span class="p">.</span><span class="nf">Join</span><span class="p">(</span><span class="s">","</span><span class="p">,</span> <span class="n">roles</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Doing this allows you to restrict endpoint to specific user types, simply by using a <strong>AuthorizeRoles</strong>-tag such as <code>[AuthorizeRoles(UserType.Regular)]</code></p> <h1> Using EF Core </h1> <p>To use EF Core add the following to <strong>appsettings.development.json</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="nl">"ConnectionStrings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"DefaultConnection"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Server=(localdb)</span><span class="se">\\</span><span class="s2">MSSQLLocalDB;Integrated Security=true;Database=JwtExample"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This defines which database to connect to. Afterwards, implement a DbContext class as such:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="k">public</span> <span class="k">class</span> <span class="nc">JwtExampleContext</span> <span class="p">:</span> <span class="n">DbContext</span> <span class="p">{</span> <span class="k">public</span> <span class="n">DbSet</span><span class="p">&lt;</span><span class="n">User</span><span class="p">&gt;</span> <span class="n">Users</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="nf">JwtExampleContext</span><span class="p">(</span><span class="n">DbContextOptions</span> <span class="n">options</span><span class="p">)</span> <span class="p">:</span> <span class="k">base</span><span class="p">(</span><span class="n">options</span><span class="p">)</span> <span class="p">{</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">override</span> <span class="k">void</span> <span class="nf">OnModelCreating</span><span class="p">(</span><span class="n">ModelBuilder</span> <span class="n">builder</span><span class="p">)</span> <span class="p">{</span> <span class="n">builder</span><span class="p">.</span><span class="n">Entity</span><span class="p">&lt;</span><span class="n">User</span><span class="p">&gt;()</span> <span class="p">.</span><span class="nf">HasIndex</span><span class="p">(</span><span class="n">x</span> <span class="p">=&gt;</span> <span class="n">x</span><span class="p">.</span><span class="n">UserName</span><span class="p">)</span> <span class="p">.</span><span class="nf">IsUnique</span><span class="p">();</span> <span class="kt">var</span> <span class="n">regularUser</span> <span class="p">=</span> <span class="k">new</span> <span class="n">User</span> <span class="p">{</span> <span class="n">Id</span> <span class="p">=</span> <span class="n">Guid</span><span class="p">.</span><span class="nf">Parse</span><span class="p">(</span><span class="s">"54D39F1A-EF2D-4816-B2E8-90991F548BF0"</span><span class="p">),</span> <span class="n">UserName</span> <span class="p">=</span> <span class="s">"Regular"</span><span class="p">,</span> <span class="n">Password</span> <span class="p">=</span> <span class="s">"RegularPassword"</span><span class="p">,</span> <span class="n">Type</span> <span class="p">=</span> <span class="n">UserType</span><span class="p">.</span><span class="n">Regular</span> <span class="p">};</span> <span class="kt">var</span> <span class="n">adminUser</span> <span class="p">=</span> <span class="k">new</span> <span class="n">User</span> <span class="p">{</span> <span class="n">Id</span> <span class="p">=</span> <span class="n">Guid</span><span class="p">.</span><span class="nf">Parse</span><span class="p">(</span><span class="s">"36F72591-1D95-4E4F-877C-261D3386DF94"</span><span class="p">),</span> <span class="n">UserName</span> <span class="p">=</span> <span class="s">"Admin"</span><span class="p">,</span> <span class="n">Password</span> <span class="p">=</span> <span class="s">"AdminPassword"</span><span class="p">,</span> <span class="n">Type</span> <span class="p">=</span> <span class="n">UserType</span><span class="p">.</span><span class="n">Admin</span> <span class="p">};</span> <span class="kt">var</span> <span class="n">superUser</span> <span class="p">=</span> <span class="k">new</span> <span class="n">User</span> <span class="p">{</span> <span class="n">Id</span> <span class="p">=</span> <span class="n">Guid</span><span class="p">.</span><span class="nf">Parse</span><span class="p">(</span><span class="s">"FB270C9A-9479-4BD0-9C86-589F3FA84527"</span><span class="p">),</span> <span class="n">UserName</span> <span class="p">=</span> <span class="s">"Super"</span><span class="p">,</span> <span class="n">Password</span> <span class="p">=</span> <span class="s">"SuperPassword"</span><span class="p">,</span> <span class="n">Type</span> <span class="p">=</span> <span class="n">UserType</span><span class="p">.</span><span class="n">SuperUser</span> <span class="p">};</span> <span class="n">builder</span><span class="p">.</span><span class="n">Entity</span><span class="p">&lt;</span><span class="n">User</span><span class="p">&gt;().</span><span class="nf">HasData</span><span class="p">(</span><span class="n">regularUser</span><span class="p">,</span> <span class="n">adminUser</span><span class="p">,</span> <span class="n">superUser</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>To connect to the database write the following lines in <strong>Startup.cs</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">connectionString</span> <span class="p">=</span> <span class="n">Configuration</span><span class="p">.</span><span class="nf">GetConnectionString</span><span class="p">(</span><span class="s">"DefaultConnection"</span><span class="p">);</span> <span class="n">services</span><span class="p">.</span><span class="n">AddDbContext</span><span class="p">&lt;</span><span class="n">JwtExampleContext</span><span class="p">&gt;(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="n">options</span><span class="p">.</span><span class="nf">UseSqlServer</span><span class="p">(</span><span class="n">connectionString</span><span class="p">));</span> </code></pre> </div> <p>Running <code>dotnet ef migrations add Initial</code> will create a migration file. To create and seed the database use <code>dotnet ef database update</code> which will run the migration script. Please note, passwords should never be stored as plain text in a database. This is only for demonstration purposes.</p> <p>To see how the context is being used, look at <strong>UserRepository.cs</strong></p> <h1> Token related setup </h1> <p>First, you must configure your <code>IServiceCollection</code> to add Authentication and JwtBearer. This can be done by adding the following lines to <code>ConfigureServices</code> in <strong>Startup.cs</strong> file in your .NET Core project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="kt">var</span> <span class="n">key</span> <span class="p">=</span> <span class="n">Configuration</span><span class="p">.</span><span class="n">GetValue</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;(</span><span class="s">"jwt-signing-key"</span><span class="p">);</span> <span class="n">services</span><span class="p">.</span><span class="nf">AddAuthentication</span><span class="p">(</span><span class="n">JwtBearerDefaults</span><span class="p">.</span><span class="n">AuthenticationScheme</span><span class="p">).</span><span class="nf">AddJwtBearer</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="n">TokenValidationParameters</span> <span class="p">=</span> <span class="k">new</span> <span class="n">TokenValidationParameters</span> <span class="p">{</span> <span class="n">ValidateIssuer</span> <span class="p">=</span> <span class="k">true</span><span class="p">,</span> <span class="n">ValidateAudience</span> <span class="p">=</span> <span class="k">true</span><span class="p">,</span> <span class="n">ValidateLifetime</span> <span class="p">=</span> <span class="k">true</span><span class="p">,</span> <span class="n">ValidateIssuerSigningKey</span> <span class="p">=</span> <span class="k">true</span><span class="p">,</span> <span class="n">ValidIssuer</span> <span class="p">=</span> <span class="s">"http://localhost:5000"</span><span class="p">,</span> <span class="n">ValidAudience</span> <span class="p">=</span> <span class="s">"http://localhost:5000"</span><span class="p">,</span> <span class="n">IssuerSigningKey</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">SymmetricSecurityKey</span><span class="p">(</span><span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="n">key</span><span class="p">))</span> <span class="p">};</span> <span class="p">});</span> </code></pre> </div> <p>These settings might not necessarily fit your needs and should possibly be adjusted. The <strong>key</strong> comes from <strong>appsettings.development.json</strong>. This key is used to sign the token and should always be kept secret. </p> <p>You also must also call <code>UseAuthentication()</code>and <code>UseAuthorization ()</code>in <code>Configure</code>. These methods should be called after <code>UseRouting()</code> but before <code>UseEndpoints</code>, which should look similar to this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="k">public</span> <span class="k">void</span> <span class="nf">Configure</span><span class="p">(</span><span class="n">IApplicationBuilder</span> <span class="n">app</span><span class="p">,</span> <span class="n">IWebHostEnvironment</span> <span class="n">env</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">env</span><span class="p">.</span><span class="nf">IsDevelopment</span><span class="p">())</span> <span class="p">{</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseDeveloperExceptionPage</span><span class="p">();</span> <span class="p">}</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseHttpsRedirection</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseRouting</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthentication</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthorization</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseEndpoints</span><span class="p">(</span><span class="n">endpoints</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">endpoints</span><span class="p">.</span><span class="nf">MapControllers</span><span class="p">();</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h1> Issuing the tokens </h1> <p>I’ve made a LoginController with a single POST endpoint (api/login). This endpoint takes an UserDTO containing username and password. The LoginController calls an AuthenticationService which is responsible for generating tokens. The methods in the AuthenticationService can be seen below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;</span> <span class="nf">Login</span><span class="p">(</span><span class="n">UserDTO</span> <span class="n">user</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">dbUser</span> <span class="p">=</span> <span class="k">await</span> <span class="n">_repository</span><span class="p">.</span><span class="nf">GetUser</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="n">UserName</span><span class="p">,</span> <span class="n">user</span><span class="p">.</span><span class="n">Password</span><span class="p">);</span> <span class="kt">var</span> <span class="n">jwt</span> <span class="p">=</span> <span class="nf">GenerateJwt</span><span class="p">(</span><span class="n">dbUser</span><span class="p">);</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="kt">string</span> <span class="nf">GenerateJwt</span><span class="p">(</span><span class="n">User</span> <span class="n">user</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">key</span> <span class="p">=</span> <span class="n">_configuration</span><span class="p">.</span><span class="n">GetValue</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;(</span><span class="s">"jwt-signing-key"</span><span class="p">);</span> <span class="kt">var</span> <span class="n">secretKey</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">SymmetricSecurityKey</span><span class="p">(</span><span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="n">key</span><span class="p">));</span> <span class="kt">var</span> <span class="n">signinCredentials</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">SigningCredentials</span><span class="p">(</span><span class="n">secretKey</span><span class="p">,</span> <span class="n">SecurityAlgorithms</span><span class="p">.</span><span class="n">HmacSha256</span><span class="p">);</span> <span class="kt">var</span> <span class="n">tokenOptions</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">JwtSecurityToken</span><span class="p">(</span> <span class="n">issuer</span><span class="p">:</span> <span class="s">"http://localhost:5000"</span><span class="p">,</span> <span class="n">audience</span><span class="p">:</span> <span class="s">"http://localhost:5000"</span><span class="p">,</span> <span class="n">claims</span><span class="p">:</span> <span class="k">new</span> <span class="n">List</span><span class="p">&lt;</span><span class="n">Claim</span><span class="p">&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">ClaimTypes</span><span class="p">.</span><span class="n">NameIdentifier</span><span class="p">,</span><span class="n">user</span><span class="p">.</span><span class="n">Id</span><span class="p">.</span><span class="nf">ToString</span><span class="p">()),</span> <span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">ClaimTypes</span><span class="p">.</span><span class="n">Role</span><span class="p">,</span><span class="n">user</span><span class="p">.</span><span class="n">Type</span><span class="p">.</span><span class="nf">ToString</span><span class="p">()),</span> <span class="p">},</span> <span class="n">expires</span><span class="p">:</span> <span class="n">DateTime</span><span class="p">.</span><span class="n">Now</span><span class="p">.</span><span class="nf">AddHours</span><span class="p">(</span><span class="m">24</span><span class="p">),</span> <span class="n">signingCredentials</span><span class="p">:</span> <span class="n">signinCredentials</span> <span class="p">);</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">JwtSecurityTokenHandler</span><span class="p">().</span><span class="nf">WriteToken</span><span class="p">(</span><span class="n">tokenOptions</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>It’s very important that the key, issuer and audience matches the options in <strong>Startup.cs</strong>. Otherwise your backend will return forbidden for all requests requiring authorization, since it’s validating the signature, issuer and audience.</p> <p>Calling the endpoint will return something similar to this:</p> <p><code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6IjM2ZjcyNTkxLTFkOTUtNGU0Zi04NzdjLTI2MWQzMzg2ZGY5NCIsImh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd3MvMjAwOC8wNi9pZGVudGl0eS9jbGFpbXMvcm9sZSI6IkFkbWluIiwiZXhwIjoxNTk4MTk2NzY2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjUwMDAiLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjUwMDAifQ.x1vksHo5O-Fd8IXCUvEXfxcjToJXc7V7jMS7jqp0h5A</code> </p> <p>And that’s it! You now know how to issue tokens. However, you might ask: how do I use them?</p> <h1> Using the token </h1> <p>It’s actually fairly simple! First you make a POST call to api/login with your login credentials. This’ll return a token as seen in the previous section. This token needs to be set as a HTTP Header as ‘Authorization: Bearer <code>token</code>’. This header should be present for all calls to the API. <br> Afterwards, you simply create a new endpoint in a controller. I’ve created a new controller named DataController for this purpose. This controller has four endpoints:</p> <ol> <li>GET api/data - Doesn’t require authorization</li> <li>GET api/data/user - Available to all user types</li> <li>GET api/data/admin - Available to admins and superusers</li> <li>GET api/data/superuser - Available to superusers</li> </ol> <p>All endpoints will return a small greeting and the usertype of the user. The code snippet below shows the implementation for api/data/admin.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="p">[</span><span class="nf">AuthorizeRoles</span><span class="p">(</span><span class="n">UserType</span><span class="p">.</span><span class="n">Admin</span><span class="p">,</span> <span class="n">UserType</span><span class="p">.</span><span class="n">SuperUser</span><span class="p">)]</span> <span class="p">[</span><span class="n">HttpGet</span><span class="p">]</span> <span class="p">[</span><span class="nf">Route</span><span class="p">(</span><span class="s">"admin"</span><span class="p">)]</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">GetAdminData</span><span class="p">()</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">role</span> <span class="p">=</span> <span class="n">User</span><span class="p">.</span><span class="n">Claims</span><span class="p">.</span><span class="nf">First</span><span class="p">(</span><span class="n">x</span> <span class="p">=&gt;</span> <span class="n">x</span><span class="p">.</span><span class="n">Type</span> <span class="p">==</span> <span class="n">ClaimTypes</span><span class="p">.</span><span class="n">Role</span><span class="p">).</span><span class="n">Value</span><span class="p">;</span> <span class="kt">var</span> <span class="n">text</span> <span class="p">=</span> <span class="s">$"Hello from DataController. Only users above admin can access this endpoint. Your role is </span><span class="p">{</span><span class="n">role</span><span class="p">}</span><span class="s">."</span><span class="p">;</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">text</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="n">Exception</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">BadRequest</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Calling an endpoint that requires authorization without a valid token will result in HTTP 401 - also known as unauthorized. Calling an endpoint that doesn't match your authorization level will result in HTTP 403 - also known as forbidden. </p> <p>And that's it! You know now how to implement authorization with JWTs.</p> <h1> But what now? </h1> <p>If you’re interested in the full code for this example, feel free to check out the repository <a href="https://github.com/Drsela/JSON-Web-Token-NET-Core-Example">here</a>.</p> <p>You might need to restore NuGet packages before you can build the project.</p> <p>If you’re further interested in how JWT works, I highly recommend visiting <a href="https://jwt.io/">https://jwt.io/</a>. </p> <p>Thanks for reading this blog post. I hoped you enjoyed it – feel free to ask any questions.</p> netcore jwt authorization api