How to use JWT in MVC application for authentication and authorization?

by

In order for MVC to understand anything about your JWT you basically have to tell it 🙂 . First, install the Jwt package from nuget:

Install-Package Microsoft.Owin.Security.Jwt

Then open up your Startup.cs file and add a new funtion that will tell MVC how to consume JWT. At basics your Startup will look something like:

using System.Configuration;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler.Encoder;
using Microsoft.Owin.Security.Jwt;
using Owin;

[assembly: OwinStartupAttribute(typeof(TOMS.Frontend.Startup))]
namespace TOMS.Frontend
{
    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
            ConfigureOAuthTokenConsumption(app);
        }

        private void ConfigureOAuthTokenConsumption(IAppBuilder app)
        {
            var issuer = ConfigurationManager.AppSettings["Issuer"];
            var audienceId = ConfigurationManager.AppSettings["AudienceId"];
            var audienceSecret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["AudienceSecret"]);

            // Api controllers with an [Authorize] attribute will be validated with JWT
            app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                AllowedAudiences = new[] { audienceId },
                IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
                {
                    new SymmetricKeyIssuerSecurityTokenProvider(issuer, audienceSecret) 
                }
            });
        }
    }
}

You will notice that I am placing the issuer, audienceId and audienceSecret in my Web.config file. (Those values should match the ones on your Resource Server). Also, you might want to ensure you have an updated System.IdentityModel.Tokens.Jwt running:

Update-package System.IdentityModel.Tokens.Jwt

With those set, you may decorate your controller Action with the [Authorize] attribute and play ball.

Play ball of course meaning fire your request from your javascript to your protected controller action:

//assuming you placed the token in a sessionStorage variable called tokenKey when it came back from your Authorization Server
    var token = sessionStorage.getItem(tokenKey);
    var headers = {};
    if (token) {
        headers.Authorization = 'Bearer ' + token;
    }

    $.ajax({
        type: 'GET',
        url: 'CONTROLLER/ACTION',
        headers: headers
    }).done(function (data) {
        self.result(data);
    }).fail(showError);

UPDATE
By The way, if you wish to add the values in your web.config file in order to retrieve them as I did above; simply add them under the AppSettings:

<configuration>
 <appSettings>
    <add key="Issuer" value="YOUR_ISSUER" />
    <add key="AudienceId" value="YOUR_AUDIENCEID" />
    <add key="AudienceSecret" value="YOUR_AUDIENCESECRET" />
 </appSettings>
</configuration>

…of course, replacing the “values” with your own

More Related Contents:

  1. How to implement custom authentication in ASP.NET MVC 5
  2. Token Based Authentication in ASP.NET Core (refreshed)
  3. ASP.NET Identity Cookie across subdomains
  4. Simple token based authentication/authorization in asp.net core for Mongodb datastore
  5. Two type of Login – One System Integrate (MVC)
  6. Setting the default JSON serializer in ASP.NET MVC
  7. How to pass IEnumerable list to controller in MVC including checkbox state?
  8. Token based authentication in Web API without any user interface
  9. Simple post to Web Api
  10. Token Based Authentication in ASP.NET Core
  11. Logging request/response messages when using HttpClient
  12. ASP.NET Core 2.0 LDAP Active Directory Authentication
  13. Linq join iquery, how to use defaultifempty
  14. Error making Azure Management Library API call when authenticating with azure active directory
  15. client-side validation in custom validation attribute – asp.net mvc 4
  16. How to put conditional Required Attribute into class property to work with WEB API?
  17. how to generate a unique token which expires after 24 hours?
  18. MVC 5 Dynamic Rows with BeginCollectionItem
  19. Return HTML from ASP.NET Web API
  20. The controller for path was not found or does not implement IController
  21. Using WebSockets with ASP.NET Web API
  22. ASP.NET MVC 4 + Ninject MVC 3 = No parameterless constructor defined for this object
  23. Updating PartialView mvc 4
  24. How to force BundleCollection to flush cached script bundles in MVC4
  25. The HTTP request is unauthorized with client authentication scheme ‘Ntlm’ The authentication header received from the server was ‘NTLM’
  26. The HTTP request is unauthorized with client authentication scheme ‘Negotiate’. The authentication header received from the server was ‘NTLM’
  27. Configure Unity DI for ASP.NET Identity
  28. How to add and get Header values in WebApi
  29. Web API in MVC solution in separate project
  30. MVC4 – Bundling does not work when optimizations are set to true

Leave a Comment