JWT Token Authentication And Authorizations In .Net Core 6.0 Web API
Introduction
In this step-by-step tutorial, I will demonstrate how to use the JWT token in your web API .net core 6.0 project. This tutorial covers the following topics.
How to create a JWT access token
How to authorize any web API endpoint
Before we start you must be knowing the following concepts - Authentication and Authorization. According to Wikipedia,
Authentication - is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity.
Authorization - is the function of specifying access rights/privileges to resources, which is related to general information security and computer security, and to access control in particular.
Step 1. Creating a Web API project
Let's start. First, need to open Visual Studio and create a new Project
Now Select Web API Template.
Then give a name to the solution and select the folder where want to place the solution
Chose .net 6 frameworks and Authentication type as None because we are implementing custom JWT Authentications
Step 2. Install Nuget Packages
Then open Nuget Package manager and install latest version of following packages,
Microsoft.AspNetCore.Authentication.JwtBearer
Microsoft.IdentityModel.JsonWebTokens
System.IdentityModel.Tokens.Jwt
Step 3. Add Model and settings
Add a new folder to your project root directory name as “Models” and a new class named “JwtSettings” and “UserTokens”.
Then we have to add some settings in app settings so we can globally change the token generation settings from appsettings.json without changing any LOC(Line of code).
Note: Please don’t forget to change the local URL of the valid issuer and valid audience.
The next step is to add JWT Helper class that is used to create a Token and Refresh Token and validation of Token.
To add class first create “JwtHelpers” folder in the root project then create a class.
Add code given below,
usingMicrosoft.IdentityModel.Tokens;usingSystem.IdentityModel.Tokens.Jwt;usingSystem.Security.Claims;usingWebApplication.Models;namespaceWebApplication.JwtHelpers {publicstaticclassJwtHelpers {publicstaticIEnumerable < Claim > GetClaims(thisUserTokens userAccounts,Guid Id) {IEnumerable < Claim > claims =newClaim[] {newClaim("Id",userAccounts.Id.ToString()),newClaim(ClaimTypes.Name,userAccounts.UserName),newClaim(ClaimTypes.Email,userAccounts.EmailId),newClaim(ClaimTypes.NameIdentifier,Id.ToString()), new Claim(ClaimTypes.Expiration, DateTime.UtcNow.AddDays(1).ToString("MMM ddd dd yyyy HH:mm:ss tt"))
};return claims; }publicstaticIEnumerable < Claim > GetClaims(thisUserTokens userAccounts,outGuid Id) { Id =Guid.NewGuid();returnGetClaims(userAccounts, Id); }publicstaticUserTokensGenTokenkey(UserTokens model,JwtSettings jwtSettings) {try {var UserToken =newUserTokens();if (model ==null) thrownewArgumentException(nameof(model)); // Get secret keyvar key =System.Text.Encoding.ASCII.GetBytes(jwtSettings.IssuerSigningKey);Guid Id =Guid.Empty;DateTime expireTime =DateTime.UtcNow.AddDays(1);UserToken.Validaty=expireTime.TimeOfDay; var JWToken = new JwtSecurityToken(issuer: jwtSettings.ValidIssuer, audience: jwtSettings.ValidAudience, claims: GetClaims(model, out Id), notBefore: new DateTimeOffset(DateTime.Now).DateTime, expires: new DateTimeOffset(expireTime).DateTime, signingCredentials: new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256));
UserToken.Token=newJwtSecurityTokenHandler().WriteToken(JWToken);UserToken.UserName=model.UserName;UserToken.Id=model.Id;UserToken.GuidId= Id;return UserToken; } catch (Exception) {throw; } } }}
Here GetClaims() Method is used to create return claims list from user token details.
// Get secret keyvar key =System.Text.Encoding.ASCII.GetBytes(jwtSettings.IssuerSigningKey);Guid Id =Guid.Empty;DateTime expireTime =DateTime.UtcNow.AddDays(1);
Now get byte arrays of specified keys in appsettings and here we define expiry of token as one day from the day when token is generated.
var JWToken = new JwtSecurityToken(issuer: jwtSettings.ValidIssuer, audience: jwtSettings.ValidAudience, claims: GetClaims(model, out Id), notBefore: new DateTimeOffset(DateTime.Now).DateTime, expires: new DateTimeOffset(expireTime).DateTime, signingCredentials: new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256));
UserToken.Token=newJwtSecurityTokenHandler().WriteToken(JWToken);
Then we assigned generated security token and access token by using JwtSecurityTokenHandler’s WriteToken() method/ function.
Then we have to do some settings in the program file. We need to inject services to use JWT Token.
In a previous version of .net3.1, we have separated startup files where we have to inject services and use them in your project but the .net6 startup file is no longer exists. So, to inject services let's create a New Class named “AddJWTTokenServicesExtensions” to the separation of concern and without messing off the program.cs first create folder named “Extensions” in your root project. Then create class AddJWTTokenServicesExtensions.
Note Here we need to make these classes static classes because we need to call that method in program.cs.
Add above code to your “AddJWTTokenServicesExtensions.cs” file
Then add the need to call this extension method in the program.cs class.
Add using in the first line of the program.cs
e.g.
usingWebApplication.Extensions;
After builder object creation call method AddJWTTokenServices()
e.g.
usingWebApplication.Extensions;var builder =Microsoft.AspNetCore.Builder.WebApplication.CreateBuilder(args);// Add services to the container.builder.Services.AddJWTTokenServices(builder.Configuration);
your program. cs file to look like below.
Let's move to the next step that is controller implementations.
Add new WebAPI Controller Named “AccountController”
Here we don’t use any database, we just static values to validate a user and generate Access Token and Authenticate and Authorized Web API Controller
In the above Account, the controller created a List of Login Details that are valid users. You can use database records to validate user logins. Next, we created a method to validate login credentials and generate tokens with the help of JWT Hepler.
And to check authorization from swagger replace open program.cs
builder.Services.AddSwaggerGen();
with following code
builder.Services.AddSwaggerGen(options => {options.AddSecurityDefinition("Bearer",newMicrosoft.OpenApi.Models.OpenApiSecurityScheme { Name ="Authorization", Type =Microsoft.OpenApi.Models.SecuritySchemeType.Http, Scheme ="Bearer", BearerFormat ="JWT", In =Microsoft.OpenApi.Models.ParameterLocation.Header, Description ="JWT Authorization header using the Bearer scheme." });options.AddSecurityRequirement(newMicrosoft.OpenApi.Models.OpenApiSecurityRequirement { {newMicrosoft.OpenApi.Models.OpenApiSecurityScheme { Reference =newMicrosoft.OpenApi.Models.OpenApiReference { Type =Microsoft.OpenApi.Models.ReferenceType.SecurityScheme, Id ="Bearer" } },newstring[] {} } });});
To check web api with swagger we need to add authorization security options in swagger, so used AddSecurityDefination() and AddSecurityRequirement() function to add Security options.
After running the application you will get the result of the swagger just shown below:
Let’s try to get Token by specifying username and password.
You will get tokens as shown below.
Without passing the token result will be shown below it will give a 401 error.
To Validate or pass the token in the header click on validate button paste generated token in the textbox click on login. And close the popup dialog.
Then try to get a list of accounts you will get all details.
Summary
In this article, I discussed how we can create a JWT access token. We also saw how we can authorize the WEB API endpoint.