🔐 Building JWT Authentication in ASP.NET Core (Step-by-Step)

In modern web applications, JWT (JSON Web Token) is a powerful and widely used technique for securing APIs. This guide will walk you through how to implement JWT authentication in an ASP.NET Core MVC project using a practical controller and configuration example.

🧱 Prerequisites

• .NET Core SDK installed
• Visual Studio or VS Code
• Basic understanding of ASP.NET Core
• NuGet packages:

Microsoft.AspNetCore.Authentication.JwtBearer

System.IdentityModel.Tokens.Jwt

🎯 Project Overview

We are building a simple API that:

• Accepts login credentials
• Generates a JWT token if the credentials are correct
• Provides a protected endpoint (TestApi2) accessible only with a valid token

🛠 Step 1: Configure JWT in Startup.cs

🔐 ConfigureServices– JWT Setup

public void ConfigureServices(IServiceCollection services)
{
    string securityKey = "Your256BitSecretKeyWhichNeedsToBe32BytesLong!"; // Must be 32 bytes
    var symmetricSecurityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(securityKey));

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidateAudience = true,
                ValidateIssuerSigningKey = true,
                ValidIssuer = "myshop.com.in",
                ValidAudience = "user",
                IssuerSigningKey = symmetricSecurityKey
            };
        });

    services.Configure<CookiePolicyOptions>(options =>
    {
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}

✅ Key points:

• The securityKey must be 32 bytes when using HMAC SHA-256.
• The token is validated based on Issuer, Audience, and SigningKey.

🔁 Configure– Middleware

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
    }

    app.UseAuthentication(); // 🔐 Add JWT Authentication middleware
    app.UseStaticFiles();
    app.UseCookiePolicy();

    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
    });
}

✅ Important: app.UseAuthentication() must be called before UseMvc().

📦 Step 2: Create JWT Controller

Here’s a breakdown of your TestJWTController.

[HttpPost]
public IActionResult GetToken()
{
    string securityKey = "Your256BitSecretKeyWhichNeedsToBe32BytesLong!";
    var symmetricSecurityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(securityKey));
    var signingCredentials = new SigningCredentials(symmetricSecurityKey, SecurityAlgorithms.HmacSha256);

    var token = new JwtSecurityToken(
        issuer: "myshop.com.in",
        audience: "user",
        expires: DateTime.Now.AddHours(1),
        signingCredentials: signingCredentials
    );

    return Ok(new JwtSecurityTokenHandler().WriteToken(token));
}

🔐 /GetToken Endpoint
This endpoint generates a JWT token signed with your securityKey.
The token is valid for 1 hour.

*🧪 /Login Endpoint (Dummy Authentication)
*

[HttpPost]
public string Login([FromBody] LoginModel login)
{
    if (login.Username == "sabir" && login.Password == "sabir")
    {
        return "Success";
    }
    return "Unauthorized";
}

• Simple login check with hardcoded credentials.
• In a real-world app, validate against a database.

*🔓 /TestApi – Public Endpoint
*

[HttpPost]
public string TestApi()
{
    byte[] key = new byte[16];
    using (var rng = new RNGCryptoServiceProvider())
    {
        rng.GetBytes(key);
    }

    return Convert.ToBase64String(key);
}

• Generates a 128-bit random key.
• This API is accessible without authentication.

*🔐 /TestApi2 – Protected with [Authorize]
*

[HttpPost]
[Authorize]
public string TestApi2()
{
    byte[] key = new byte[16];
    using (var rng = new RNGCryptoServiceProvider())
    {
        rng.GetBytes(key);
    }

    return "Auth" + Convert.ToBase64String(key);
}

You must send a valid JWT token in the Authorization header to access this.

Example:

Authorization: Bearer <your_token_here>

📦 LoginModel Class

Used to bind JSON payload during login:

public class LoginModel
{
    public string Username { get; set; }
    public string Password { get; set; }
}

🧪 Testing the Flow

1. Get Token
POST /TestJWT/GetToken
→ Returns JWT token

2. Access Unprotected API
POST /TestJWT/TestApi
→ Always works

3. Access Protected API
POST /TestJWT/TestApi2 with Header:
Authorization: Bearer
→ Returns response only if token is valid

✅ Final Thoughts

• 🔒 JWT is great for securing APIs in stateless applications.
• 🚫 Do not hardcode credentials or secrets in production.
• 🛡 Always store JWT secret keys in a secure config like Azure Key Vault or AWS Secrets Manager.
• 👨‍💻 Use middleware and services to centralize token handling and validation.