DEV Community

Benjamin Mikkelsen for IT Minds

Posted on • Updated on

Getting started with JWT authorization - .NET Core edition

This blog post will teach you how to issue JSON Web Tokens (JWT) from a .NET Core 3.1 Web API – the guide should also be somewhat applicable to .NET Core 2.2.

JWTs makes it possible to securely transmit data between parties – such as a client and a server. A JWT consists of three things:

  1. A header that usually defines the signing algorithm and the token type,
  2. A payload containing claims such as expiration time and custom data such as user UID and user type,
  3. A signature consisting of Base 64 Url encoded header and Base 64 Url encoded payload and a secret key.

A JWT will look something like this:


Which basically translates to the following:

base64urlEncoding(header) + '.' + base64urlEncoding(payload) + '.' + base64urlEncoding(HMAC-SHA256(secret,base64urlEncoding(header) + '.' +base64urlEncoding(payload)))

This JWT is taken from, where you can decode, verify and generate tokens.

For this guide I assume you have already created a basic .NET Core Web API. If you haven't, then use dotnet new webapi in an empty folder.

The code used in the example can be found on GitHub

Installing required NuGet Packages

For this demo you have to add the following NuGet packages to your solution:

  • Microsoft.AspNetCore.Authentication.JwtBearer
  • Microsoft.EntityFrameworkCore.SqlServer

Basic setup of models and Authorize Attribute

I’ll be using EF Core to save information to a database for this demonstration. The relevant information regarding the User model can be seen here:

    public class User
        public Guid Id { get; set; }
        public string UserName { get; set; }
        public string Password { get; set; }
        public UserType Type { get; set; }

    public enum UserType
        Regular = 1,
        Admin = 2,
        SuperUser = 3
Enter fullscreen mode Exit fullscreen mode

In this instance a user can have one of three types. These types will be used to restrict some endpoints - and therefore implement authorization.

To implement these roles in your controllers, you must create a custom AuthorizeAttribute as such:

    public class AuthorizeRolesAttribute : AuthorizeAttribute
        public AuthorizeRolesAttribute(params UserType[] roles) : base()
            Roles = string.Join(",", roles);
Enter fullscreen mode Exit fullscreen mode

Doing this allows you to restrict endpoint to specific user types, simply by using a AuthorizeRoles-tag such as [AuthorizeRoles(UserType.Regular)]

Using EF Core

To use EF Core add the following to appsettings.development.json.

  "ConnectionStrings": {
    "DefaultConnection": "Server=(localdb)\\MSSQLLocalDB;Integrated Security=true;Database=JwtExample"
Enter fullscreen mode Exit fullscreen mode

This defines which database to connect to. Afterwards, implement a DbContext class as such:

    public class JwtExampleContext : DbContext
        public DbSet<User> Users { get; set; }

        public JwtExampleContext(DbContextOptions options) : base(options)

        protected override void OnModelCreating(ModelBuilder builder)
                .HasIndex(x => x.UserName)

            var regularUser = new User { Id = Guid.Parse("54D39F1A-EF2D-4816-B2E8-90991F548BF0"), UserName = "Regular", Password = "RegularPassword", Type = UserType.Regular };
            var adminUser = new User { Id = Guid.Parse("36F72591-1D95-4E4F-877C-261D3386DF94"), UserName = "Admin", Password = "AdminPassword", Type = UserType.Admin };
            var superUser = new User { Id = Guid.Parse("FB270C9A-9479-4BD0-9C86-589F3FA84527"), UserName = "Super", Password = "SuperPassword", Type = UserType.SuperUser };
            builder.Entity<User>().HasData(regularUser, adminUser, superUser);

Enter fullscreen mode Exit fullscreen mode

To connect to the database write the following lines in Startup.cs.

var connectionString = Configuration.GetConnectionString("DefaultConnection");
services.AddDbContext<JwtExampleContext>(options => options.UseSqlServer(connectionString));

Enter fullscreen mode Exit fullscreen mode

Running dotnet ef migrations add Initial will create a migration file. To create and seed the database use dotnet ef database update which will run the migration script. Please note, passwords should never be stored as plain text in a database. This is only for demonstration purposes.

To see how the context is being used, look at UserRepository.cs

Token related setup

First, you must configure your IServiceCollection to add Authentication and JwtBearer. This can be done by adding the following lines to ConfigureServices in Startup.cs file in your .NET Core project:

            var key = Configuration.GetValue<string>("jwt-signing-key");
            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
                options.TokenValidationParameters = new TokenValidationParameters
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ValidIssuer = "http://localhost:5000",
                    ValidAudience = "http://localhost:5000",
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key))
Enter fullscreen mode Exit fullscreen mode

These settings might not necessarily fit your needs and should possibly be adjusted. The key comes from appsettings.development.json. This key is used to sign the token and should always be kept secret.

You also must also call UseAuthentication()and UseAuthorization ()in Configure. These methods should be called after UseRouting() but before UseEndpoints, which should look similar to this:

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
            if (env.IsDevelopment())



            app.UseEndpoints(endpoints =>
Enter fullscreen mode Exit fullscreen mode

Issuing the tokens

I’ve made a LoginController with a single POST endpoint (api/login). This endpoint takes an UserDTO containing username and password. The LoginController calls an AuthenticationService which is responsible for generating tokens. The methods in the AuthenticationService can be seen below:

        public async Task<string> Login(UserDTO user)
            var dbUser = await _repository.GetUser(user.UserName, user.Password);
            var jwt = GenerateJwt(dbUser);
            return jwt;

        private string GenerateJwt(User user)
            var key = _configuration.GetValue<string>("jwt-signing-key");
            var secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key));
            var signinCredentials = new SigningCredentials(secretKey, SecurityAlgorithms.HmacSha256);
            var tokenOptions = new JwtSecurityToken(
                issuer: "http://localhost:5000",
                audience: "http://localhost:5000",
                claims: new List<Claim>
                    new Claim(ClaimTypes.NameIdentifier,user.Id.ToString()),
                    new Claim(ClaimTypes.Role,user.Type.ToString()),
                expires: DateTime.Now.AddHours(24),
                signingCredentials: signinCredentials

            return new JwtSecurityTokenHandler().WriteToken(tokenOptions);

Enter fullscreen mode Exit fullscreen mode

It’s very important that the key, issuer and audience matches the options in Startup.cs. Otherwise your backend will return forbidden for all requests requiring authorization, since it’s validating the signature, issuer and audience.

Calling the endpoint will return something similar to this:


And that’s it! You now know how to issue tokens. However, you might ask: how do I use them?

Using the token

It’s actually fairly simple! First you make a POST call to api/login with your login credentials. This’ll return a token as seen in the previous section. This token needs to be set as a HTTP Header as ‘Authorization: Bearer token’. This header should be present for all calls to the API.
Afterwards, you simply create a new endpoint in a controller. I’ve created a new controller named DataController for this purpose. This controller has four endpoints:

  1. GET api/data - Doesn’t require authorization
  2. GET api/data/user - Available to all user types
  3. GET api/data/admin - Available to admins and superusers
  4. GET api/data/superuser - Available to superusers

All endpoints will return a small greeting and the usertype of the user. The code snippet below shows the implementation for api/data/admin.

        [AuthorizeRoles(UserType.Admin, UserType.SuperUser)]
        public IActionResult GetAdminData()
                var role = User.Claims.First(x => x.Type == ClaimTypes.Role).Value;
                var text = $"Hello from DataController. Only users above admin can access this endpoint. Your role is {role}.";
                return Ok(text);
            catch (Exception)
                return BadRequest();

Enter fullscreen mode Exit fullscreen mode

Calling an endpoint that requires authorization without a valid token will result in HTTP 401 - also known as unauthorized. Calling an endpoint that doesn't match your authorization level will result in HTTP 403 - also known as forbidden.

And that's it! You know now how to implement authorization with JWTs.

But what now?

If you’re interested in the full code for this example, feel free to check out the repository here.

You might need to restore NuGet packages before you can build the project.

If you’re further interested in how JWT works, I highly recommend visiting

Thanks for reading this blog post. I hoped you enjoyed it – feel free to ask any questions.

Top comments (2)

himanshu2454 profile image
Himanshu Chouhan

Any idea, what's the preferred choice for authentication/autherization on enterprise applications ?

I see alot ways floating around if search for similar topics like indentity, jwt, bearer I'm not sure they are all same or not, lol.

bmi profile image
Benjamin Mikkelsen

Hi there, sorry for the late answer!

The enterprise applications I've been working on have primarily been using custom JWTs (like this example), Windows Authentication or Azure Active Directory - depending on the existing infrastructure of the company.

Bearer authentication/authorization can be implemented with JWTs. Some people refer to JWTs as 'JWT Bearer Access Tokens'. Which itself, usually, is an implementation of OAuth 2. JWT is a token format and OAuth 2 is a protocol that defines how tokens should be transferred.

There's no right or wrong when it comes to deciding upon authentication/authorization. It comes down to your specific use case and existing infrastructure :-)