CALL US
EMAIL US
MENU

Home
ABOUT US
JOBS
OUR SERVICES
OUR SERVICES
CREATIVE & TECHNOLOGY CONSULTANCY DIGITAL Design & DEVELOPMENTImmersive XR Development
CASE STUDIES
INTERNATIONAL TOWERS
DIGITAL ECOSYSTEMCRAVEABLEVIVID 2019 TUMBALONG
LIGHTSNeurotechnologyBox Office VRThe White Rabbit GalleryLatham ARScale Heli Pilot
NEWS & BLOGCONTACT US
SHORTCUTS
DIGITAL
DISCOVERY
PROCESS
DIGITAL TRANSFORMATION
FOR YOUR BUSINESS
3D SCAN YOUR PROPERTY / BUSINESS
QUALITY ASSURANCE SERVICES
© 42 INTERACTIVE PTY LTD
black navigational close icon
HOW CAN WE HELP YOU?

July 22, 2019

Json Web Token (JWT) Authentication. A How to Guide

Home » Blog »
Json Web Token (JWT) Authentication. A How to Guide
A young boy wearing a white VR headset

Web API is a common thing to implement these days. It gives flexibility and great separation between presentation and business logic layers.

When we are implementing mobile applications or Single Page Applications (SPA) we will need to use Web API. One of the challenges of implementing Web API is security. This is because it is globally accessible through the internet, and so we will need a way to secure it.

If we are using ASP.NET Core there are a couple ways to secure our Web Api, we can use Identity Server with the Oauth2 protocol and the other is using Json Web Token(JWT) Authentication

Often when we are implementing Web API we just need a simple authentication scheme using username and password, and after the authentication passes, token identification can be used. JWT is an open standard for case like this, the concept is simple and ASP.NET Core has an Identity Model and JWT middleware that will help us to implement this simply and quickly.

In this article, I would like to share my way of implementing JWT Authorization that we are using in one of our projects at 42 Interactive. It’s a SPA Project and we are using Vue.js on the front-end and Web API with ASP.NET Core 2.2 on the back-end so it needs to be secured.

Configure Authentication

After theASP.NET Core Api project has been created we will need to configure our authentication. Firstly, we need to configure some settings in app settings.json that we will use later on.

As a note, when using HmacSha256 the keys encoded length should be more than 128 bits otherwise the token generation will fail. That said, it is recommended to use long complex keys to prevent a potential brute force attack.

Next, we need to setup our authentication by declaring the JWT service to the application pipeline. We do this in the ConfigureServices method of the application startup class (startup.cs).

With that piece of code we are saying:

  1. authorize by default using the JWTscheme,
  2. we want to validate the Issuer, Audience, Lifetime and Signing key,
  3. the ValidIssuer is from our config,
  4. the ValidAudience is from our config, and
  5. the key is a Symmetric Security Keybase on the value in our config

So every time and authorization validation request is needed the token will be validated basedon the above criteria.

ASP.NETCore has a well known Identity model used as a standard. Facilitating best practise, we also want to use it in our implementation, so we can define the configuration like this:

Since we are using only WebApi we will need AddIdentityCore<TUser> and not AddIdentity<TUser,TRole> . Using the later extended method will cause problems for us because of the extra settings relevant to websites and their routing.

That’s it! We have now added authentication middleware to our application pipeline, next we need to create a mechanism to add users.

New User Registration

In the project, we are using Entity Framework (EF) code first as the database ORM(Object Relational Mapping). I won’t explain much about EF code first, basically we have a DbContext and use it to add a new user to our IdentityDatabase and if you haven’t used this library we highly recommend you look it up.(https://docs.microsoft.com/en-us/ef/ef6/modeling/code-first/workflows/new-database).

Next we need to create a new controller. Let us call it AccountController, and use someDependency Injection (DI) magic from .Net Core to match objects to our variables via constructor injection:

Now we can create a register method to add a new user to our custom Identity User table and another non-Identity table

Now we are done with the register method, for simplicity we called a basic database operation using DBContext. Ensure this method is free from authorization. Otherwise, we will get a ‘401 Unauthorized http’ exception.

We can now register users so lets move on to authenticating them and issuing their identity tokens.

Validate User and Issuing JWT

And it all comes down to this section when implementing JWT, we will need to validate our user and then issue the JWT. We will do this in the AccountController, lets create a Login method to validate our user

The logic is very simple because of the help ASP.NET Core Identity provides, we just needto check the password is correct and then generate the JWT. Upon success we can use the following method to generate the JWT.

There arecouple of common algorithms for signing JWTs such as HMAC + SHA256(HmacSha256),RS256, or ES256. The simplest one is HmacSHA256 because it only uses a secretwithout any need of private and public keys. If you want to know more aboutthis signing algorithm, you can visit this reference: “Brute Forcing HS256 is Possible: TheImportance of Using Strong Keys in Signing JWTs

Here wedefine the key that we need and the issuer to generate the token, along withthe use of HmacSha256 encryption for [SM11] [os12] the credential. It will give us a random token every time login requesthappens.

In this process the user just needs to send their username and password once, then a token is returned, after that the client side uses the token for every request. The token will be validated using the token and its expiry time to avoid hijacking used by an undesired person.

Usage and Testing of JWT Authentication

I will use Postman for testing, this tool will allow us to send and receive API requests with an easy intuative UI.

When creating the Web API project there is a ValueController class that is generated by default from the project template. Let’s use this controller for some testing] . We can decorate this controller with Authorize attribute and try to access it, it should return an Unauthorized HTTP code (401).

Now, we want to access it using a token from our implemented solution. First things first, we need to register a new user:

Then after the user has been created we can try to login.

The login will return a token, and this token can be use to call the API endpoint in ValueController that previously returned 401-Unathorized. Lets call it again and define the Authorization Header the value is “bearer ” + the token we received

As you can see in the screenshot above, the API can be accessed now and that’s the end of our small beginning of JWT Authentication journey.[

Conclusion

A JWT Implementation in ASP.NET Core is a very straight forward and simple authentication method to implement. We can Integrate it with ASP.NET identity model without much difficulty. Using JWT we also avoid sending sensitive information like a password again and again.

So if we just need a simple Authentication paradigm when implementing SPA or a Mobile Application we can just use JWT Authentication. It will save time because its less complex than other methods and it’s readily available by .net core.

What’s Next

In this article, we created a simple authorization process to secure our API. This method needs the user to be Authenticated, but very often we will need to do more complex Authorization the API can only be accessed if the user is manager, or the API can only be accessed if the age of a user is more than 18. We can use Claim based authorization for these use cases by storing this information in a certain section of the token then call on it later. For more information about claim and how to use it, please visit this reference.

PREVIOUS STORY

loading

NEXT STORY

loading

Building a Voice Assistant Mobile App with React Native and ChatGPT Integration
Developing a Simple E-commerce Mobile App with Flutter & GetX using the MVVM Pattern
The Power of Internet of Things and Hyperconnectivity!
Software Quality Metrics: Measuring and Improving Quality Assurance [QA] Efforts
Unveiling the Female FIFA Village Exhibition through Matterport Scanning
The Evolution of Test Management: Tools & Techniques
The Impact of 5G Technology on Digital Experience
42 Interactive Insights: Solutions for Small Businesses in Tech and Web Development
When My Role Was Temporarily Handed Over to an Avatar
Essential Tips That Will Transform Your Virtual Productivity
Quality Assurance in XR
Reflecting on 2023 and Looking forward to 2024
How Creative and Technology Partnerships are Driving Global Innovation
42 Little Known Facts About Creative Technology
Discover the Secrets of Risk Management in Quality Assurance
Exploring The Beauty: A Voyage Inside the White Rabbit Gallery
360° Scans: Igniting a Booking Revolution for Hotels/Villas
Leveraging The Potential of Cloud Computing: Exploring the Advantages of Cloud-based Solutions
Enhancing Customer Experience and Safety - Red Rooster Pickup Options
Enhancing Customer Experience and Streamlining Design with Augmented Reality [AR]: The Case of Latham Australia
Streamlining Success: 42 Interactive's Seamless Salesforce Integration for Craveable Brands
Exploring the Future of Office Design: Matterport Scan Transforms Visualisation at International Tower in Sydney
Mastering the Testing Superpower: Exploratory Testing's Role
The Potential of Native Mobile Apps: Increase User Engagement with a Single Click
Streamlining Business Processes with Digital Transformation
Unveiling the Game-Changing Secret: How Automation Revolutionises QA Forever!
QA Perspective for Red Rooster Brand Merge Website
Bringing Hope and Smiles to These Brave Little Warriors
The International Towers - Mobile Access Pass
Cracking the Code: The Ultimate Guide to Overcoming Mobile App Testing Nightmares for Digital Companies!
Craveable Brands' Successful Website Merger for Red Rooster
Digitising a High Rise Commercial Building's Access Permit
10 Benefits of Using Virtual Tours in Your Market Development Strategy
International Towers' Hubspot CMS Development and Integration
Changing the Business World with VR :  Where will Virtual Reality take us
Unlocking Success: How Digital Transformation Propels Businesses into the Digital Age
Innovate Pain Clinic - Drug Free and Surgery Free Chronic Pain Management
Box Office VR - Theatre Performance Anywhere Anytime
AWS Migration Done Right: Waterfield & 42 Interactive Study
Full Body Tracking Using Webcams
Beyond Boundaries: Exploring White Rabbit Gallery Virtually
Why Work with a Creative and Technology Partner?
Choosing the Right QA as a Service: Best Practices
Testing Troubles: Common QA Errors and How to Avoid Them
Quality Assurance [QA] and Testing for Web App Development
Digital Platforms for Business
Transforming the Customer Journey: Digital Innovation and CX
The Art of Brand Strategy: Crafting a Winning Marketing Plan
Quality Assurance: A Key Player in Cyber Security Defense
Digital Transformation Acceleration
Digital Transformation - Efforts and Strategies in a Digital Company
Accelerate Time-to-Market: Benefits of QA as a Service
Exploring the Boundaries: The Evolution of Virtual Reality
Sitecore and Its Benefits
The Joy of Playgrounds: Essential for Child Development
Merry Christmas 2022 and Happy New Year 2023
Decoding UX and UI: Understanding the Differences in Design
Digital Marketing Tips for Small Businesses
Lessons in Leadership: Insights from a Japanese Tea Ceremony
How to Find Unlimited Content Ideas for Social Media
Mastering Search: How Algolia API Optimizes User Engagement
Achieving Excellence: Essential Tips for Managing Your Digital Team
Digital Deepthought Process
Secrets to Success: Small Business Marketing Skills
VR Made Easy: A Beginner's Handbook and Top Headset Picks
Promote and Prosper: Key Strategies for Mobile App Success
The Significance of Page Titles and Meta Descriptions for SEO
Have An Interactive Play With Our 5 Year Anniversary Model
Interactive Immersion of Commercial Property
42 Interactive 5th Anniversary
Optimizing for Success: The Technical SEO Audit Blueprint
42 interactive - Past Projects, Client and Partner Highlights
How does a search engine work?
Content Management Systems (CMS)
Boosting Business Online Using SEO
Creating Innovative Products and Services
Keyword Cannibalisation and How to Fix It
Using VR to Manage Chronic Pain
Beyond the Stage: Enter a New Dimension with Box Office VR
3 Tech Trends You Should Use for Your Business in 2022
Design with Confidence: Explore Top UI/UX Prototyping Tools
Quick and Effective QA Testing as a Service Techniques
Driving Business Growth: The Power of Digital Transformation
Beyond Reality: Embracing the Potential of the Metaverse
Beyond Photography: Crafting Engaging Property Virtual Tours
3d property scanner|matterport 3d camera|matterport 3d tour|matterport 3d virtual tour|matterport camera|matterport pro2|matterport virtual tour
Everything You Need to Know About Good Branding And Design Process
Crafting Immersive Experiences: How Are VR Headsets Made?
The Use of Digital Twins in Aged Care Services
Building Blocks of Effective Software Testing Strategies
Emerging Trends: AR & VR's Lightning-fast Development
The Power Duo: Creativity and Innovation in Digital Agencies
The Value of Quality Assurance in Software Development
Maximize Data Potential: Embracing the Benefits of Power BI
Why Is Blogging Crucial to Your Brand?
The Advantages Of Utilising A CRM For Your Business
How Is Augmented Reality Utilised In Healthcare Sector?
Contactless Technologies: Why Your Business Needs Them?
The Advantages Of Contactless Delivery for Business
From Frames to Rankings: Boosting SEO with Quality Videos
Online Business Through E-commerce