In this article, I will explain how to create the JWT token and how to Authenticate and Authorize it in very simple steps.
1. Add ASP.Net Core API Application
Open visual studio 2022 click on create new project –> Select ASP.Net Core Web API –> Next
Give desired project and solution name –> Next –> select framework .Net 6.0 –> Create
2. Add Nuget Packages
Add the following packages from nuget package manager.
- Microsoft.AspNetCore.Authentication.JwtBearer
- Microsoft.IdentityModel.Tokens
- System.IdentityModel.Tokens.Jwt
3. Add setting in appsetting.json
Open appsetting.json and add following Key, Issuer and Audience
* To generate the random key use
* For issuer and audience local URL follow the below steps
Project properties –> Debug –> General –> Open Debug Launch Profile UI
Select IIS Express and pick the App URL
1 2 3 4 5 | "Jwt": { "Key": "ACDt1vR3lXToPQ1g3MyN", //Generate random String from https://www.random.org/strings "Issuer": "http://localhost:28747/", //Project Property-> Debug-> IIS-->App URL (you can local host url as well) "Audience": "http://localhost:28747/" }, |
4. Register JWT token for Authentication in Program.cs file
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | using Microsoft.AspNetCore.Authentication.JwtBearer; using Microsoft.IdentityModel.Tokens; using System.Text; var builder = WebApplication.CreateBuilder(args); // Add services to the container. builder.Services.AddControllers(); // Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle builder.Services.AddEndpointsApiExplorer(); builder.Services.AddSwaggerGen(); //JWT Authentication builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options => { options.TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = true, ValidateAudience = true, ValidateLifetime = true, ValidateIssuerSigningKey = true, ValidIssuer = builder.Configuration["Jwt:Issuer"], ValidAudience = builder.Configuration["Jwt:Audience"], IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"])) }; }); var app = builder.Build(); // Configure the HTTP request pipeline. if (app.Environment.IsDevelopment()) { app.UseSwagger(); app.UseSwaggerUI(); } app.UseHttpsRedirection(); app.UseAuthentication(); app.UseAuthorization(); app.MapControllers(); app.Run(); |
5. Create Models (UserLogin, UserModel and UserConstant)
Add a new folder with Models name and create UserLogin, UserModel and UserConstant classes.
1 2 3 4 5 6 7 8 9 | namespace JWTLoginAuthenticationAuthorization.Models { public class UserModel { public string Username { get; set; } public string Password { get; set; } public string Role { get; set; } } } |
1 2 3 4 5 6 7 8 | namespace JWTLoginAuthenticationAuthorization.Models { public class UserLogin { public string Username { get; set; } public string Password { get; set; } } } |
1 2 3 4 5 6 7 8 9 10 11 | namespace JWTLoginAuthenticationAuthorization.Models { // We are not taking data from data base so we get data from constant public class UserConstants { public static List<UserModel> Users = new() { new UserModel(){ Username="naeem",Password="naeem_admin",Role="Admin"} }; } } |
6. Create LoginAPI Controller (Authenticate user and generate token)
Add a new Empty API controller name “LoginController” in controller folder.
Here creates one Post Action method for Login and two methods for Authenticating the user credentials and Generate the token (if user is authenticated).
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 | using JWTLoginAuthenticationAuthorization.Models; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using Microsoft.IdentityModel.Tokens; using System.IdentityModel.Tokens.Jwt; using System.Security.Claims; using System.Text; namespace JWTLoginAuthenticationAuthorization.Controllers { [Route("api/[controller]")] [ApiController] public class LoginController : ControllerBase { private readonly IConfiguration _config; public LoginController(IConfiguration config) { _config = config; } [AllowAnonymous] [HttpPost] public ActionResult Login([FromBody] UserLogin userLogin) { var user = Authenticate(userLogin); if (user != null) { var token = GenerateToken(user); return Ok(token); } return NotFound("user not found"); } // To generate token private string GenerateToken(UserModel user) { var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"])); var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256); var claims = new[] { new Claim(ClaimTypes.NameIdentifier,user.Username), new Claim(ClaimTypes.Role,user.Role) }; var token = new JwtSecurityToken(_config["Jwt:Issuer"], _config["Jwt:Audience"], claims, expires: DateTime.Now.AddMinutes(15), signingCredentials: credentials); return new JwtSecurityTokenHandler().WriteToken(token); } //To authenticate user private UserModel Authenticate(UserLogin userLogin) { var currentUser = UserConstants.Users.FirstOrDefault(x => x.Username.ToLower() == userLogin.Username.ToLower() && x.Password == userLogin.Password); if (currentUser != null) { return currentUser; } return null; } } } |
7. Create User API Controller to authorize user role
Add new empty API controller named “UserController.cs” in controller folder.
Here we will authorize the endpoint on the behalf of role.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 | namespace JWTLoginAuthenticationAuthorization.Controllers { [Route("api/[controller]")] [ApiController] public class UserController : ControllerBase { //For admin Only [HttpGet] [Route("Admins")] [Authorize(Roles = "Admin")] public IActionResult AdminEndPoint() { var currentUser = GetCurrentUser(); return Ok($"Hi you are an {currentUser.Role}"); } private UserModel GetCurrentUser() { var identity = HttpContext.User.Identity as ClaimsIdentity; if (identity != null) { var userClaims = identity.Claims; return new UserModel { Username = userClaims.FirstOrDefault(x => x.Type == ClaimTypes.NameIdentifier)?.Value, Role = userClaims.FirstOrDefault(x => x.Type == ClaimTypes.Role)?.Value }; } return null; } } } |
8. Test the API endpoint in Postman with Token
Run the application and copy the URL domain from the browser.
Now open the Postman, give the URL with correct API route and select post request –> Body –> Json –> give the value of Username and Password
After clicking on send button we will get the JWT token in response.
Now copy this token and add a new Get request in postman and add the JWT token Authorization Tab –> Select Bearer –> Insert token and click on send button to test the authorization with given token.
If the token is not valid token then we will get 401 Error otherwise will get the bolow result.
Summary
So we created the token and did the authentication on the behalf of username and password then check the user authorization.
