This is just a simple implementation of JWT authentication to get you started.
- Add the package
Microsoft.AspNetCore.Authentication.JwtBearer
-
You need a secret key, store it using
user-secrets
:
dotnet user-secrets init dotnet user-secrets set "Authentication:JwtSecret" "thisismysecret"
Warning! User secret feature is not intended to be used in production.
-
In your
Program.cs
orStartup.cs
:
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc.Authorization; using Microsoft.IdentityModel.Tokens; using System.Text;
Add the service:
builder.Services .AddAuthentication() .AddJwtBearer("JwtScheme", options => { options.TokenValidationParameters = new TokenValidationParameters { ValidIssuer = "https://localhost:<port>", ValidAudience = "https://localhost:<port>", ValidateIssuer = true, ValidateAudience = true, ValidateLifetime = true, ValidateIssuerSigningKey = true, IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Authentication:JwtSecret"])), }; })
Tell MVC that users should be authenticated and with
JWTScheme
.
builder.Services.AddControllers(options => { options.Filters.Add(new AuthorizeFilter (new AuthorizationPolicyBuilder() .RequireAuthenticatedUser() .AddAuthenticationSchemes("JwtScheme") .Build())); })
Alternatively, you can use
Authorize
attribute for each controller or endpoint, specifying the scheme(s) to be allowed:
[Authorize(AuthenticationSchemes = "JwtScheme")] [ApiController] [Route("api/[controller]")] public class ProductsController : ControllerBase { ... }
In the HTTP Request pipeline, add before mapping controllers:
app.UseAuthentication(); app.UseAuthorization();
-
In your authentication controller:
using Microsoft.IdentityModel.Tokens; using System.IdentityModel.Tokens.Jwt; using System.Security.Claims; using System.Text; . . //inject `IConfiguration` to `_configuration` in the constructor.
In your login method, add
[AllowAnonymous]
attribute. Then:
//validate credentials and get user details here var key = Encoding.ASCII.GetBytes(_configuration["Authentication:JwtSecret"]); var claims = new List<Claim> { new Claim("sub", user.Id), new Claim("name", user.FullName) }; var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(claims), Issuer = "https://localhost:<port>", Audience = "https://localhost:<port>", Expires = DateTime.UtcNow.AddDays(7), SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature), }; var tokenHandler = new JwtSecurityTokenHandler(); var token = tokenHandler.CreateToken(tokenDescriptor); return tokenHandler.WriteToken(token);
The login method will return the token generated.
In your client's HTTP request, add the
Authorize
header with the valueBearer <the token generated>
. You can test it via Postman or any testing program you prefer.
Resource
auth0 - Claims
Infoworld Article - JWT
Microsoft Docs - User Secrets
Top comments (0)