JWT authentication for ASP NET Web API

Question

I m trying to support JWT bearer token  JSON Web Token  in my web API application and I m getting lost   I see support for  NET Core and for OWIN applications  I m currently hosting my application in IIS   How can I achieve this authentication module in my application  Is there any way I can use the  lt authentication gt  configuration similar to the way I use forms Windows authentication

User · Accepted Answer

I answered this question  How to secure an ASP NET Web API 4 years ago using HMAC  Now  lots of things changed in security  especially that JWT is getting popular  In this answer  I will try to explain how to use JWT in the simplest and basic way that I can  so we won t get lost from jungle of OWIN  Oauth2  ASP NET Identity       If you don t know about JWT tokens  you need to take a look at  https   tools ietf org html rfc7519 Basically  a JWT token looks like this   lt base64-encoded header gt   lt base64-encoded claims gt   lt base64-encoded signature gt   Example   eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 eyJ1bmlxdWVfbmFtZSI6ImN1b25nIiwibmJmIjoxNDc3NTY1NzI0LCJleHAiOjE0Nzc1NjY5MjQsImlhdCI6MTQ3NzU2NTcyNH0 6MzD1VwA5AcOcajkFyKhLYybr3h13iZjDyHm9zysDFQ  A JWT token has three sections   Header  JSON format which is encoded in Base64 Claims  JSON format which is encoded in Base64  Signature  Created and signed based on Header and Claims which is encoded in Base64   If you use the website jwt io with the token above  you can decode the token and see it like below   Technically  JWT uses a signature which is signed from headers and claims with security algorithm specified in the headers  example  HMACSHA256   Therefore  JWT must be transferred over HTTPs if you store any sensitive information in its claims  Now  in order to use JWT authentication  you don t really need an OWIN middleware if you have a legacy Web Api system  The simple concept is how to provide JWT token and how to validate the token when the request comes  That s it  In the demo I ve created  github   to keep the JWT token lightweight  I only store username and expiration time  But this way  you have to re-build new local identity  principal  to add more information like roles  if you want to do role authorization  etc  But  if you want to add more information into JWT  it s up to you  it s very flexible  Instead of using OWIN middleware  you can simply provide a JWT token endpoint by using a controller action  public class TokenController   ApiController          This is naive endpoint for demo  it should use Basic authentication        to provide token or POST request      AllowAnonymous      public string Get string username  string password                if  CheckUser username  password                         return JwtManager GenerateToken username                      throw new HttpResponseException HttpStatusCode Unauthorized              public bool CheckUser string username  string password                   should check in the database         return true           This is a naive action  in production you should use a POST request or a Basic Authentication endpoint to provide the JWT token  How to generate the token based on username  You can use the NuGet package called System IdentityModel Tokens Jwt from Microsoft to generate the token  or even another package if you like  In the demo  I use HMACSHA256 with SymmetricKey       lt summary gt      Use the below code to generate symmetric Secret Key         var hmac   new HMACSHA256            var key   Convert ToBase64String hmac Key        lt  summary gt  private const string Secret    quot db3OIsj BXE9NZDy0t8W3TcNekrF 2d 1sFnWG4HnV8TZY30iTOdtVWJG8abWvB1GlOgJuQZdcF2Luqm hccMw   quot    public static string GenerateToken string username  int expireMinutes   20        var symmetricKey   Convert FromBase64String Secret       var tokenHandler   new JwtSecurityTokenHandler         var now   DateTime UtcNow      var tokenDescriptor   new SecurityTokenDescriptor               Subject   new ClaimsIdentity new                         new Claim ClaimTypes Name  username                       Expires   now AddMinutes Convert ToInt32 expireMinutes                     SigningCredentials   new SigningCredentials              new SymmetricSecurityKey symmetricKey                SecurityAlgorithms HmacSha256Signature              var stoken   tokenHandler CreateToken tokenDescriptor       var token   tokenHandler WriteToken stoken        return token     The endpoint to provide the JWT token is done  How to validate the JWT when the request comes  In the demo  I have built JwtAuthenticationAttribute which inherits from IAuthenticationFilter  more detail about authentication filter in here   With this attribute  you can authenticate any action  you just have to put this attribute on that action  public class ValueController   ApiController        JwtAuthentication      public string Get                 return  quot value quot            You can also use OWIN middleware or DelegateHander if you want to validate all incoming requests for your WebAPI  not specific to Controller or action  Below is the core method from authentication filter  private static bool ValidateToken string token  out string username        username   null       var simplePrinciple   JwtManager GetPrincipal token       var identity   simplePrinciple Identity as ClaimsIdentity       if  identity    null          return false       if   identity IsAuthenticated          return false       var usernameClaim   identity FindFirst ClaimTypes Name       username   usernameClaim  Value       if  string IsNullOrEmpty username          return false          More validate to check whether username exists in system      return true     protected Task lt IPrincipal gt  AuthenticateJwtToken string token        string username       if  ValidateToken token  out username                    based on username to get more information from database             in order to build local identity         var claims   new List lt Claim gt                        new Claim ClaimTypes Name  username                 Add more claims if needed  Roles                          var identity   new ClaimsIdentity claims   quot Jwt quot            IPrincipal user   new ClaimsPrincipal identity            return Task FromResult user              return Task FromResult lt IPrincipal gt  null      The workflow is to use the JWT library  NuGet package above  to validate the JWT token and then return back ClaimsPrincipal  You can perform more validation  like check whether user exists on your system  and add other custom validations if you want  The code to validate JWT token and get principal back  public static ClaimsPrincipal GetPrincipal string token        try               var tokenHandler   new JwtSecurityTokenHandler            var jwtToken   tokenHandler ReadToken token  as JwtSecurityToken           if  jwtToken    null              return null           var symmetricKey   Convert FromBase64String Secret            var validationParameters   new TokenValidationParameters                         RequireExpirationTime   true              ValidateIssuer   false              ValidateAudience   false              IssuerSigningKey   new SymmetricSecurityKey symmetricKey                      SecurityToken securityToken          var principal   tokenHandler ValidateToken token  validationParameters  out securityToken            return principal            catch  Exception                  should write log         return null           If the JWT token is validated and the principal is returned  you should build a new local identity and put more information into it to check role authorization  Remember to add config Filters Add new AuthorizeAttribute      default authorization  at global scope in order to prevent any anonymous request to your resources  You can use Postman to test the demo  Request token  naive as I mentioned above  just for demo   GET http   localhost  port  api token username cuong amp password 1  Put JWT token in the header for authorized request  example  GET http   localhost  port  api value  Authorization  Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 eyJ1bmlxdWVfbmFtZSI6ImN1b25nIiwibmJmIjoxNDc3NTY1MjU4LCJleHAiOjE0Nzc1NjY0NTgsImlhdCI6MTQ3NzU2NTI1OH0 dSwwufd4-gztkLpttZsZ1255oEzpWCJkayR 4yvNL1s  The demo can be found here  https   github com cuongle WebApi Jwt

User · Answer

I think you should use some 3d party server to support the JWT token and there is no out of the box JWT support in WEB API 2  However there is an OWIN project for supporting some format of signed token  not JWT   It works as a reduced OAuth protocol to provide just a simple form of authentication for a web site  You can read more about it e g  here  It s rather long  but most parts are details with controllers and ASP NET Identity that you might not need at all  Most important are  Step 9  Add support for OAuth Bearer Tokens Generation Step 12  Testing the Back-end API  There you can read how to set up endpoint  e g   quot  token quot   that you can access from frontend  and details on the format of the request   Other steps provide details on how to connect that endpoint to the database  etc  and you can chose the parts that you require

User · Answer

In my case the JWT is created by a separate API so ASP NET need only decode and validate it    In contrast to the accepted answer we re using RSA which is a non-symmetric algorithm  so the SymmetricSecurityKey class mentioned above won t work     Here s the result   using Microsoft IdentityModel Protocols  using Microsoft IdentityModel Protocols OpenIdConnect  using Microsoft IdentityModel Tokens  using System  using System IdentityModel Tokens Jwt  using System Threading  using System Threading Tasks       public static async Task lt JwtSecurityToken gt  VerifyAndDecodeJwt string accessToken                try                       var configurationManager   new ConfigurationManager lt OpenIdConnectConfiguration gt     securityApiOrigin   well-known openid-configuration   new OpenIdConnectConfigurationRetriever                 var openIdConfig   await configurationManager GetConfigurationAsync CancellationToken None               var validationParameters   new TokenValidationParameters                                 ValidateLifetime   true                  ValidateAudience   false                  ValidateIssuer   false                  RequireSignedTokens   true                  IssuerSigningKeys   openIdConfig SigningKeys                             new JwtSecurityTokenHandler   ValidateToken accessToken  validationParameters  out var validToken                  threw on invalid  so                return validToken as JwtSecurityToken                    catch  Exception ex                        logger Info ex Message               return null

User · Answer

I ve managed to achieve it with minimal effort  just as simple as with ASP NET Core    For that I use OWIN Startup cs file and Microsoft Owin Security Jwt library   In order for the app to hit Startup cs we need to amend Web config    lt configuration gt     lt appSettings gt       lt add key  owin AutomaticAppStartup  value  true    gt            Here s how Startup cs should look   using MyApp Helpers  using Microsoft IdentityModel Tokens  using Microsoft Owin  using Microsoft Owin Security  using Microsoft Owin Security Jwt  using Owin    assembly  OwinStartup typeof MyApp App Start Startup     namespace MyApp App Start       public class Startup               public void Configuration IAppBuilder app                        app UseJwtBearerAuthentication                  new JwtBearerAuthenticationOptions                                       AuthenticationMode   AuthenticationMode Active                      TokenValidationParameters   new TokenValidationParameters                                                 ValidAudience   ConfigHelper GetAudience                            ValidIssuer   ConfigHelper GetIssuer                            IssuerSigningKey   ConfigHelper GetSymmetricSecurityKey                            ValidateLifetime   true                          ValidateIssuerSigningKey   true                                                               Many of you guys use ASP NET Core nowadays  so as you can see it doesn t differ a lot from what we have there   It really got me perplexed first  I was trying to implement custom providers  etc  But I didn t expect it to be so simple  OWIN just rocks   Just one thing to mention - after I enabled OWIN Startup NSWag library stopped working for me  e g  some of you might want to auto-generate typescript HTTP proxies for Angular app    The solution was also very simple - I replaced NSWag with Swashbuckle and didn t have any further issues     Ok  now sharing ConfigHelper code   public class ConfigHelper       public static string GetIssuer                 string result   System Configuration ConfigurationManager AppSettings  Issuer            return result             public static string GetAudience                 string result   System Configuration ConfigurationManager AppSettings  Audience            return result             public static SigningCredentials GetSigningCredentials                 var result   new SigningCredentials GetSymmetricSecurityKey    SecurityAlgorithms HmacSha256           return result             public static string GetSecurityKey                 string result   System Configuration ConfigurationManager AppSettings  SecurityKey            return result             public static byte   GetSymmetricSecurityKeyAsBytes                 var issuerSigningKey   GetSecurityKey            byte   data   Encoding UTF8 GetBytes issuerSigningKey           return data             public static SymmetricSecurityKey GetSymmetricSecurityKey                 byte   data   GetSymmetricSecurityKeyAsBytes            var result   new SymmetricSecurityKey data           return result             public static string GetCorsOrigins                 string result   System Configuration ConfigurationManager AppSettings  CorsOrigins            return result            Another important aspect - I sent JWT Token via Authorization header  so typescript code looks for me as follows    the code below is generated by NSWag    Injectable   export class TeamsServiceProxy       private http  HttpClient      private baseUrl  string      protected jsonParseReviver    key  string  value  any    gt  any    undefined   undefined       constructor  Inject HttpClient  http  HttpClient   Optional    Inject API BASE URL  baseUrl   string            this http   http          this baseUrl   baseUrl   baseUrl    https   localhost 44384              add input  TeamDto   null   Observable lt boolean gt            let url    this baseUrl     api Teams Add           url    url  replace     amp                    const content    JSON stringify input            let options    any                 body  content               observe   response               responseType   blob               headers  new HttpHeaders                    Content-Type    application json                     Accept    application json                    Authorization    Bearer     localStorage getItem  token                               See headers part -  Authorization    Bearer     localStorage getItem  token

User · Answer

Here s a very minimal and secure implementation of a Claims based Authentication using JWT token in an ASP NET Core Web API   first of all  you need to expose an endpoint that returns a JWT token with claims assigned to a user         lt summary gt              Login provides API to verify user and returns authentication token              API Path   api account login              lt  summary gt               lt param name  paramUser  gt Username and Password lt  param gt               lt returns gt  Token   Token    lt  returns gt           HttpPost  login             AllowAnonymous          public async Task lt IActionResult gt  Login  FromBody  UserRequestVM paramUser  CancellationToken ct                         var result   await UserApplication PasswordSignInAsync paramUser Email  paramUser Password  false  lockoutOnFailure  false                if  result Succeeded                                UserRequestVM request   new UserRequestVM                    request Email   paramUser Email                    ApplicationUser UserDetails   await this GetUserByEmail request                   List lt ApplicationClaim gt  UserClaims   await this ClaimApplication GetListByUser UserDetails                    var Claims   new ClaimsIdentity new Claim                                                                         new Claim JwtRegisteredClaimNames Sub  paramUser Email ToString                                         new Claim UserId  UserDetails UserId ToString                                                            Adding UserClaims to JWT claims                 foreach  var item in UserClaims                                        Claims AddClaim new Claim item ClaimCode  string Empty                                       var tokenHandler   new JwtSecurityTokenHandler                         this information will be retrived from you Configuration                   I have injected Configuration provider service into my controller                 var encryptionkey   Configuration  Jwt Encryptionkey                    var key   Encoding ASCII GetBytes encryptionkey                   var tokenDescriptor   new SecurityTokenDescriptor                                       Issuer   Configuration  Jwt Issuer                        Subject   Claims                      this information will be retrived from you Configuration                   I have injected Configuration provider service into my controller                     Expires   DateTime UtcNow AddMinutes Convert ToDouble Configuration  Jwt ExpiryTimeInMinutes                             algorithm to sign the token                     SigningCredentials   new SigningCredentials new SymmetricSecurityKey key   SecurityAlgorithms HmacSha256Signature                                       var token   tokenHandler CreateToken tokenDescriptor                   var tokenString   tokenHandler WriteToken token                    return Ok new                                       token   tokenString                                                return BadRequest  Wrong Username or password                now you need to Add Authentication to your services in your ConfigureServices inside your startup cs to add JWT authentication as your default authentication service like this    services AddAuthentication x   gt                                x DefaultAuthenticateScheme   JwtBearerDefaults AuthenticationScheme                  x DefaultChallengeScheme   JwtBearerDefaults AuthenticationScheme                               AddJwtBearer cfg   gt                                  cfg RequireHttpsMetadata   false                   cfg SaveToken   true                   cfg TokenValidationParameters   new TokenValidationParameters                                             ValidateIssuerSigningKey   true                       IssuerSigningKey   new SymmetricSecurityKey Encoding UTF8 GetBytes configuration  JWT Encryptionkey                           ValidateAudience   false                       ValidateLifetime   true                       ValidIssuer   configuration  Jwt Issuer                           ValidAudience   Configuration  Jwt Audience                           IssuerSigningKey   new SymmetricSecurityKey Encoding UTF8 GetBytes Configuration  JWT Key                                             now you can add policies to your authorization services like this   services AddAuthorization options   gt                                options AddPolicy  YourPolicyNameHere                                   policy   gt  policy RequireClaim  YourClaimNameHere                       ALTERNATIVELY  You can also  not necessary  populate all of your claims from your database as this will only run once on your application startup and add them to policies like this     services AddAuthorization async options   gt                                var ClaimList   await claimApplication GetList applicationClaim                   foreach  var item in ClaimList                                                                options AddPolicy item ClaimCode  policy   gt  policy RequireClaim item ClaimCode                                                               now you can put the Policy filter on any of the methods that you want to be authorized like this     HttpPost  update             Authorize Policy    ACC UP            public async Task lt IActionResult gt  Update  FromBody  UserRequestVM requestVm  CancellationToken ct              your logic goes here     Hope this helps

[c#] JWT authentication for ASP.NET Web API

How to generate the token based on `username`?

How to validate the JWT when the request comes?

Examples related to c#

Examples related to security

Examples related to asp.net-web-api

Examples related to jwt