By Syed Rizwan

implementing-jwt-authentication-in-a-net-core-api.html

Implementing JWT Authentication in a .NET Core API

In the realm of web development, securing your API is paramount. One of the most effective ways to ensure that only authorized users can access your resources is through authentication mechanisms. JSON Web Tokens (JWT) have emerged as a popular choice for handling authentication in modern web applications. In this article, we will explore how to implement JWT authentication in a .NET Core API, providing you with clear code examples, step-by-step instructions, and actionable insights.

What is JWT?

JWT, or JSON Web Token, is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Components of a JWT

A JWT is composed of three parts:

  1. Header: Contains metadata about the token, typically specifying the type of token and the signing algorithm.
  2. Payload: Contains the claims, which are the statements about an entity (typically, the user) and additional data.
  3. Signature: The header and payload are encoded, and then a signature is created using the specified algorithm and a secret key.

The final JWT is a base64-encoded string that looks like this: xxxxx.yyyyy.zzzzz.

Use Cases for JWT

JWTs are widely used in various scenarios, including:

  • Single Sign-On (SSO): Enabling users to log in once and access multiple applications.
  • Mobile Applications: Providing secure authentication for mobile apps.
  • Microservices: Authenticating users across distributed systems without maintaining session state.

Setting Up Your .NET Core API

To implement JWT authentication in a .NET Core API, follow these steps:

Step 1: Create a New .NET Core Web API Project

Open your terminal or command prompt and run the following command to create a new project:

dotnet new webapi -n JwtAuthDemo
cd JwtAuthDemo

Step 2: Install Necessary Packages

You will need to install the Microsoft.AspNetCore.Authentication.JwtBearer package to handle JWT authentication. Use the following command:

dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer

Step 3: Configure JWT Authentication

Next, you will configure JWT authentication in the Startup.cs file. Here’s how:

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Text;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Configure JWT authentication
        var key = Encoding.ASCII.GetBytes("YourSecretKeyHere"); // Use a secure key
        services.AddAuthentication(x =>
        {
            x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(x =>
        {
            x.RequireHttpsMetadata = false;
            x.SaveToken = true;
            x.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(key),
                ValidateIssuer = false,
                ValidateAudience = false
            };
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseRouting();

        app.UseAuthentication(); // Enable authentication
        app.UseAuthorization();  // Enable authorization

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}

Step 4: Create a Token Generation Method

Next, you’ll need to create a method to generate a JWT. You can create a service class for this purpose.

using Microsoft.IdentityModel.Tokens;
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;

public class TokenService
{
    private readonly string secretKey = "YourSecretKeyHere"; // Use a secure key

    public string GenerateToken(string username)
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, username)
        };

        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secretKey));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

        var token = new JwtSecurityToken(
            issuer: null,
            audience: null,
            claims: claims,
            expires: DateTime.Now.AddMinutes(30),
            signingCredentials: creds);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

Step 5: Create a Login Endpoint

Now, create a controller with a login endpoint that uses the TokenService to generate a token when the user logs in.

using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("[controller]")]
public class AuthController : ControllerBase
{
    private readonly TokenService _tokenService;

    public AuthController(TokenService tokenService)
    {
        _tokenService = tokenService;
    }

    [HttpPost("login")]
    public IActionResult Login([FromBody] UserLoginDto userLogin)
    {
        // Validate the user credentials (this is just a placeholder)
        if (userLogin.Username == "test" && userLogin.Password == "password")
        {
            var token = _tokenService.GenerateToken(userLogin.Username);
            return Ok(new { Token = token });
        }

        return Unauthorized();
    }
}

public class UserLoginDto
{
    public string Username { get; set; }
    public string Password { get; set; }
}

Step 6: Protecting Routes with JWT

To protect your API routes, use the [Authorize] attribute on any controller or action that you want to secure.

[Authorize]
[ApiController]
[Route("[controller]")]
public class ProtectedController : ControllerBase
{
    [HttpGet]
    public IActionResult GetSecret()
    {
        return Ok("This is a protected route.");
    }
}

Testing Your API

  1. Start your API: Run the application using dotnet run.

  2. Obtain a JWT: Use a tool like Postman to send a POST request to /auth/login with the body:

json { "username": "test", "password": "password" }

  1. Access a Protected Route: Use the token received in the login response to access the /protected route by adding an Authorization header with the value Bearer {your_token}.

Conclusion

Implementing JWT authentication in a .NET Core API enhances your application’s security by ensuring that only authorized users can access protected resources. With the step-by-step guide provided, you can easily integrate JWT into your applications. As always, remember to use a strong secret key and follow best practices for securing your API.

By leveraging JWT, you can create a robust authentication mechanism that supports various use cases, from mobile applications to microservices. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.