JWT authentication in asp.net web api
Branch: master
Clone or download
cizu64 Update README.md
Updated the readme file
Latest commit 19a3b63 Dec 25, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
JWTAuth Update JWTDecoder.cs Dec 25, 2018
LICENSE Initial commit Dec 25, 2018
README.md Update README.md Dec 25, 2018



JWT authentication in asp.net web api

Add the jwt key in the web.config

<add key="jwtKey" value="cXdlcnR5dWlvcGFzZGZnaGprbHp4Y3Zibm0xMjM0NTY=" />

Add the message handler to the request pipeline in the WebApiConfig class

   public static void Register(HttpConfiguration config)
      config.MessageHandlers.Add(new JwtAuthHandler()); //use custom jwt authentication

Create the Login action method in the AccountController class

    public async Task<IHttpActionResult> Login(LoginDto dto)
            //can login with email               
            if (dto.Email != "johndoe@gmail.com" && dto.Password!"johndoe1")
                return Content(HttpStatusCode.BadRequest, new
                    Message = "Invalid credentials",
                    Err_Code = ErrorCode.BadEmailOrPassword,
                    Succeeded = false
            var userDto = new DTO.User
                Email = dto.Email,
                Id = 1,
                UserRoles = string.Join(",", new[]{"Admin","User"});
            object dbUser;
            var token = JwtManager.CreateToken(userDto, out dbUser);
            return Ok(new { token });
        catch (Exception ex)
            return BadRequest();

Getting access to a protected resource

    [Authorize(Roles = "Admin")]
    public IHttpActionResult GetUser(int Id)
       //Get data using some repository pattern with EF
       var user = repo.GetUser(u=>u.Id==Id);
       return Ok(user);

Note, if your not authorized to call the GetUser endpoint, you would see a 403 response from the server. But if you pass the token return after login in, to the request header with the right credentials, 403 would not occur.

You also don't need to worry about token expiration and re-validation, the JwtManager class already has that in place. If the token becomes invalid, it would bounce back to a 403 response meaning authentication is required.