Token Based Authentication in ASP.NET Core

by

Update for .Net Core 3.1:

David Fowler (architect for the ASP .NET Core team) has put together an incredibly simple set of task applications, including a simple application demonstrating JWT. I’ll be incorporating his updates and simplistic style to this post soon.

Updated for .Net Core 2:

Previous versions of this answer used RSA; it’s really not necessary if your same code that is generating the tokens is also verifying the tokens. However, if you’re distributing the responsibility, you probably still want to do this using an instance of Microsoft.IdentityModel.Tokens.RsaSecurityKey.

  1. Create a few constants that we’ll be using later; here’s what I did:

    const string TokenAudience = "Myself";
const string TokenIssuer = "MyProject";

  2. Add this to your Startup.cs’s ConfigureServices. We’ll use dependency injection later to access these settings. I’m assuming that your authenticationConfiguration is a ConfigurationSection or Configuration object such that you can have a different config for debug and production. Make sure you store your key securely! It can be any string.

    var keySecret = authenticationConfiguration["JwtSigningKey"];
var symmetricKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(keySecret));

services.AddTransient(_ => new JwtSignInHandler(symmetricKey));

services.AddAuthentication(options =>
{
    // This causes the default authentication scheme to be JWT.
    // Without this, the Authorization header is not checked and
    // you'll get no results. However, this also means that if
    // you're already using cookies in your app, they won't be 
    // checked by default.
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
})
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters.ValidateIssuerSigningKey = true;
        options.TokenValidationParameters.IssuerSigningKey = symmetricKey;
        options.TokenValidationParameters.ValidAudience = JwtSignInHandler.TokenAudience;
        options.TokenValidationParameters.ValidIssuer = JwtSignInHandler.TokenIssuer;
    });

    I’ve seen other answers change other settings, such as ClockSkew; the defaults are set such that it should work for distributed environments whose clocks aren’t exactly in sync. These are the only settings you need to change.

  3. Set up Authentication. You should have this line before any middleware that requires your User info, such as app.UseMvc().

    app.UseAuthentication();

    Note that this will not cause your token to be emitted with the SignInManager or anything else. You will need to provide your own mechanism for outputting your JWT – see below.

  4. You may want to specify an AuthorizationPolicy. This will allow you to specify controllers and actions that only allow Bearer tokens as authentication using [Authorize("Bearer")].

    services.AddAuthorization(auth =>
{
    auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
        .AddAuthenticationTypes(JwtBearerDefaults.AuthenticationType)
        .RequireAuthenticatedUser().Build());
});

  5. Here comes the tricky part: building the token.

    class JwtSignInHandler
{
    public const string TokenAudience = "Myself";
    public const string TokenIssuer = "MyProject";
    private readonly SymmetricSecurityKey key;

    public JwtSignInHandler(SymmetricSecurityKey symmetricKey)
    {
        this.key = symmetricKey;
    }

    public string BuildJwt(ClaimsPrincipal principal)
    {
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

        var token = new JwtSecurityToken(
            issuer: TokenIssuer,
            audience: TokenAudience,
            claims: principal.Claims,
            expires: DateTime.Now.AddMinutes(20),
            signingCredentials: creds
        );

        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

    Then, in your controller where you want your token, something like the following:

    [HttpPost]
public string AnonymousSignIn([FromServices] JwtSignInHandler tokenFactory)
{
    var principal = new System.Security.Claims.ClaimsPrincipal(new[]
    {
        new System.Security.Claims.ClaimsIdentity(new[]
        {
            new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Name, "Demo User")
        })
    });
    return tokenFactory.BuildJwt(principal);
}

    Here, I’m assuming you already have a principal. If you are using Identity, you can use IUserClaimsPrincipalFactory<> to transform your User into a ClaimsPrincipal.

  6. To test it: Get a token, put it into the form at jwt.io. The instructions I provided above also allow you to use the secret from your config to validate the signature!

  7. If you were rendering this in a partial view on your HTML page in combination with the bearer-only authentication in .Net 4.5, you can now use a ViewComponent to do the same. It’s mostly the same as the Controller Action code above.

More Related Contents:

  1. Token Based Authentication in ASP.NET Core (refreshed)
  2. Simple JWT authentication in ASP.NET Core 1.0 Web API
  3. How to read request body in an asp.net core webapi controller?
  4. Token based authentication in Web API without any user interface
  5. ASP.NET Core 2.0 authentication middleware
  6. ASP.NET Core 2.0 LDAP Active Directory Authentication
  7. .NET Core Identity Server 4 Authentication VS Identity Authentication
  8. Custom Authentication in ASP.Net-Core
  9. ASP.NET Core 2.0 disable automatic challenge
  10. How to to return an image with Web API Get method
  11. ASP.NET Core disable authentication in development environment
  12. TempData null in asp.net core
  13. ASP.NET Core API only returning first result of list
  14. Error handling (Sending ex.Message to the client)
  15. Simple token based authentication/authorization in asp.net core for Mongodb datastore
  16. ASP.NET Core Web API Authentication
  17. How to read AppSettings values from a .json file in ASP.NET Core
  18. Access the current HttpContext in ASP.NET Core
  19. Return file in ASP.Net Core Web API
  20. How to set ASPNETCORE_ENVIRONMENT to be considered for publishing an ASP.NET Core application
  21. Dynamically access table in EF Core 2.0
  22. How to create roles in ASP.NET Core and assign them to users?
  23. Multiple Controller Types with same Route prefix ASP.NET Web Api
  24. .Net Core 3.0 JsonSerializer populate existing object
  25. Asp.net WEB API – What problems could arise if I use POST instead of PUT and DELETE?
  26. In-memory database doesn’t save data
  27. System.Text.Json: Deserialize JSON with automatic casting
  28. How to map fallback in ASP .NET Core Web API so that Blazor WASM app only intercepts requests that are not to the API
  29. What Nuget packages must be referenced by an ASP.NET Core 6 application parts project
  30. What is the difference between DependencyResolver.SetResolver and HttpConfiguration.DependencyResolver in WebAPI

Leave a Comment