Now a days, all the functionalities available in your business applications are required to be available everywhere. Everybody wants the application to be available at their finger tips. Your customers can use your applications on any device including (but not limited to) mobile, iPad, laptop.
In order to make your applications work on variety of devices, applications generally designed to use APIs which can cater the required functionalities to web applications, desktop applications or mobile applications. Most of the times these APIs are using JWT Bearer Token Authentication.
That’s why I thought it would be nice idea to compile the required steps in a blog post. In this article we will use ASP .NET Core identity to validation users and then create the JWT tokens. For the sake of keeping it simple, we will not discuss about refresh tokens in this article..
JWT stands for JSON Web Token.
Every JWT token has three parts separated by dots, which are as below.
- Header, which contains two fields – first one is signing
algorithmused for signing the token and second one is
typewhich is JWT.
- Payload, contains claims which are required by your application
- Signature, to create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
Every part is then Base64 URL encoded, and separated by dots to form the JWT.
Signature is used to make sure that the token was not changed along the way.
The output is three Base64-URL strings separated by dots that can be easily passed in HTML and HTTP environments, while being more compact when compared to XML-based standards such as SAML.
If you want to play with JWT and put these concepts into practice, you can use jwt.io Debugger to decode, verify, and generate JWTs.
The Demo Solution
NuGet package references
You will need to add the package reference to NuGet package Microsoft.AspNetCore.Authentication.JwtBearer.
As you can see, we have enabled validation for issuer, audience and issuer signing key. Below is small explanation of properties which we have sent in TokenValidationParameters.
- Issuer, is the principal that has issued JWT. If token has different issuer than expected, the validation will fail and caller will receive 401 unauthorized.
- Audience, is the recipient that JWT is intended for. If token contains different audience than expected, the validation will fail and caller will receive 401 unauthorized.
- Signing Key, is the key you use for signing the token.
- ClockSkew, has been set to TimeSpan.Zero. The this represents the time duration after expiry of token, for which the token should be considered valid. I wanted to immediately invalidate the token after expiry time, so I set it to TimeSpan.Zero.
The Authentication middleware is added in
Startup.Configure by calling the UseAuthentication extension method on the app’s
The call of
UseAuthentication registers the middleware which uses the previously registered authentication schemes. Ideally, you should call
UseAuthentication before any middleware that depends on users being authenticated.
When using endpoint routing, the call to
UseAuthentication must go:
UseRouting, so that route information is available for authentication decisions.
UseEndpoints, so that users are authenticated before accessing the endpoints.
As you can see, the AuthController code is simple. It has 3 APIs – User Registration, Login and Logout.
In User Registration API, it creates a new identity under the AspNetCore identity database.
The Login API validates user credentials. After successful validation, it creates the token for the user. For demo purpose, we have added only two claims, but you can add more claims as per requirement of your application’s design. You can also create authorization policies to allow user access to some API only if he has specific claim.
The Logout method is pretty empty. Huh.. why ?
How does logout happen ?
I am assuming all of you have a driving license. Every driving license has expiry date. Whenever authority wants to check your driving license, it checks the expiry date and which type of vehicles are allowed to drive using that license.
So if the authority who issued driving license, wants to invalidate someone’s license which has expiry date after years, how will they do this ?
There is no way for them to immediately invalidate the license. They can probably maintain a list of prematurely invalidated driving license. Then next time authority asks you driving license, they will check if this license is not in the invalidated list.
Are you with me so far ?
This description above is perfectly analogous with JWT. Once a user has JWT, there is no way for you to invalidate the token immediately.
So, how will you logout user ?
You can keep the expiry time to be very short. You can also use refresh tokens to refresh the JWT tokens.
The above approach will not immediately logout user. For immediate logout, you can maintain a cache of invalidated tokens on your server. So every-time a request comes, you can check the cache to see if this token was already invalidated.
Download Completed Solution
You can find the completed solution at this place in my GitHub repository.
Test with Postman
The solution has a JSON file which you can import in postman and it will give you requests for user registration, login, get weather forecast and logout APIs. If you execute them in this order, you should be able to see that all APIs are working.
After calling Login endpoint, you will get a token if login is successful. You will have to use this token while calling weather forecast API.
Under Headers, add new header with name Authorization and in its value add Bearer token-value where token-value is the actual token you copied from the output of login API.
Just for testing purpose, if you call get weather forecast before login, you should see 401 unauthorized response. Also, in case, if the token is expired, the get weather forecast will return 401 unauthorized.
I hope you enjoyed this article. Let me know your thoughts.