According to Auth0, JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.
When using JWT, the information in the token is the only thing required to authenticate a user, so our main task here is to validate the information in the token and convert the JWT into an IPrincipal object. According to MSDN, IPrincipal defines the basic functionality of a principal object. What then is a principal object? A principal object represents the security context of the user on whose behalf the code is running, including that user's identity (IIdentity) and any roles to which they belong.
To make this JWT authentication work, we must use a message handler. A message handler is simply a class that receives an HTTP request and returns an HTTP response. Instead of implementing our own message handler, we are going to use an existing NuGet package, JWTAuthForWebAPI.
The structure of a JWT is as follows:
1. Header: JSON, base64url-encoded.
2. Claims: JSON, base64url-encoded.
3. Signature: computed over the encoded Header and Claims and base64url-encoded.
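To make the three-part structure concrete, the following is an added example (not code from the original post or from the JWTAuthForWebAPI project) that builds an HS256 token by hand, then validates one the way a message handler must: split on ".", refuse any algorithm other than the one expected, recompute the HMAC over the exact "header.claims" bytes, and only then read the claims into a ClaimsPrincipal. The key, issuer, audience and user name are constructed demo values; it targets modern .NET (System.Text.Json, CryptographicOperations).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class JwtDemo
{
    // base64url (RFC 7515 section 2): URL-safe alphabet, no '=' padding
    static string ToBase64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4) { case 2: b64 += "=="; break; case 3: b64 += "="; break; }
        return Convert.FromBase64String(b64);
    }

    static byte[] Hmac(byte[] key, string signingInput)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.ASCII.GetBytes(signingInput));
    }

    // Part 1 (header) + part 2 (claims), then part 3 signs "header.claims"
    public static string CreateHs256(byte[] key, string issuer, string audience, string name, DateTime expiresUtc)
    {
        string header = ToBase64Url(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        var claims = new Dictionary<string, object>
        {
            ["iss"] = issuer,
            ["aud"] = audience,
            ["name"] = name,
            ["exp"] = new DateTimeOffset(expiresUtc).ToUnixTimeSeconds()
        };
        string payload = ToBase64Url(JsonSerializer.SerializeToUtf8Bytes(claims));
        return header + "." + payload + "." + ToBase64Url(Hmac(key, header + "." + payload));
    }

    // Validation order matters: alg check, then signature, then claims
    public static ClaimsPrincipal Validate(string jwt, byte[] key, string issuer, string audience, DateTime nowUtc)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new UnauthorizedAccessException("token must be header.claims.signature");

        // Never let the token choose the algorithm; only HS256 with our shared key is acceptable
        using (var header = JsonDocument.Parse(FromBase64Url(parts[0])))
            if (header.RootElement.GetProperty("alg").GetString() != "HS256")
                throw new UnauthorizedAccessException("unexpected alg");

        // Signature over the exact encoded bytes, compared in constant time
        byte[] expected = Hmac(key, parts[0] + "." + parts[1]);
        if (!CryptographicOperations.FixedTimeEquals(expected, FromBase64Url(parts[2])))
            throw new UnauthorizedAccessException("bad signature");

        // Claims are trusted only after the signature check; a missing claim throws and rejects the token
        using (var doc = JsonDocument.Parse(FromBase64Url(parts[1])))
        {
            var root = doc.RootElement;
            if (root.GetProperty("iss").GetString() != issuer) throw new UnauthorizedAccessException("wrong issuer");
            if (root.GetProperty("aud").GetString() != audience) throw new UnauthorizedAccessException("wrong audience");
            long exp = root.GetProperty("exp").GetInt64();
            if (DateTimeOffset.FromUnixTimeSeconds(exp).UtcDateTime <= nowUtc) throw new UnauthorizedAccessException("expired");

            // This is the "JWT to IPrincipal" step: every claim becomes a Claim on a ClaimsIdentity
            var identity = new ClaimsIdentity("JWT");
            foreach (var p in root.EnumerateObject())
                identity.AddClaim(new Claim(p.Name, p.Value.ToString()));
            return new ClaimsPrincipal(identity);
        }
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-real-use"); // constructed value
        var now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        string issuer = "https://issuer.example", audience = "https://api.example";

        string jwt = CreateHs256(key, issuer, audience, "alice", now.AddMinutes(30));
        Console.WriteLine(jwt);

        var principal = Validate(jwt, key, issuer, audience, now);
        Console.WriteLine("authenticated as: " + principal.FindFirst("name")?.Value);

        // Re-encoding the claims part with a different name leaves the old signature behind, so it is rejected
        string[] parts = jwt.Split('.');
        string altered = parts[0] + "." + ToBase64Url(Encoding.UTF8.GetBytes("{\"name\":\"bob\"}")) + "." + parts[2];
        try { Validate(altered, key, issuer, audience, now); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The point of the fixed order is that nothing inside the claims (including the header's own "alg" value) is acted on until the signature has been recomputed with a key the server controls; JWTAuthForWebAPI performs the same checks internally, which is why the rest of this article only has to configure key, issuer and audience.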
Setting up JWTAuthForWebAPI
JWTAuthForWebAPI is a DelegatingHandler that creates a new ClaimsPrincipal from the incoming token and assigns it to the current thread. This DelegatingHandler makes authentication operate at the level of the HTTP message rather than at controllers and actions.
Get JWTAuthForWebAPI from NuGet. Then proceed to add the following to your web.config file.
To generate the needed token you can use System.IdentityModel.Tokens.Jwt from Microsoft, HMACSHA256 with a symmetric key, or any other provider that you desire.
The next step is to add the code that configures the associated message handler.
using System.Web.Http;
using JWTAuthForWebAPI;

// e.g. inside WebApiConfig.Register(HttpConfiguration config)
var tokenBuilder = new SecurityTokenBuilder();
var configReader = new ConfigurationReader(); // reads issuer, audience and symmetric key from web.config
var jwtHandlerSharedKey = new JwtAuthenticationMessageHandler
{
    AllowedAudience = configReader.AllowedAudience,
    Issuer = configReader.Issuer,
    SigningToken = tokenBuilder.CreateFromKey(configReader.SymmetricKey)
};
config.MessageHandlers.Add(jwtHandlerSharedKey); // registers the handler in the Web API message handler collection
At this point our service can accept JSON Web Tokens signed with a particular symmetric key.
Creating a valid JWT
The code listed below will create a valid JWT that can be presented for authentication.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;
using JWTAuthForWebAPI;

// your symmetric key; Convert.FromBase64String below requires valid base64, so replace this
// sample string (which is not valid base64 and would throw FormatException) with your own base64-encoded key
public const string Secret = "95896GREJBA3B06519C8DDDBC80JHI80553";

public static string GetToken(string username, int lifetime = 30)
{
    var symmetricKey = Convert.FromBase64String(Secret);
    var tokenHandler = new JwtSecurityTokenHandler();
    var configReader = new ConfigurationReader(); // same issuer/audience the message handler validates against
    var today = DateTime.UtcNow;
    var tokenDescriptor = new SecurityTokenDescriptor
    {
        Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, username) }),
        Issuer = configReader.Issuer,               // "iss" claim (TokenIssuerName in the 4.x descriptor)
        Audience = configReader.AllowedAudience,    // "aud" claim (AppliesToAddress in the 4.x descriptor)
        Expires = today.AddMinutes(Convert.ToInt32(lifetime)),
        SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(symmetricKey), SecurityAlgorithms.HmacSha256Signature)
    };
    var stoken = tokenHandler.CreateToken(tokenDescriptor);
    var token = tokenHandler.WriteToken(stoken);
    return token;
}
Because the JWT-based handler was configured and added to the ASP.NET Web API message handler collection, the service can now accept JWT authentication.
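The following is an added example (not from the original post or the JWTAuthForWebAPI project) showing what the registered handler gives a controller: a protected action reads the caller from the ClaimsPrincipal the handler installed, and a small client presents the token and reports the status code. It assumes the handler reads the token from an "Authorization: Bearer <token>" header (an assumption about the package), that attribute routing is enabled with config.MapHttpAttributeRoutes(), and that the GetToken helper above exists; the route and base URL are made up.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;

// Requests without a valid token are rejected with 401 before the action body runs,
// because the message handler left the principal unauthenticated and [Authorize] checks it.
[Authorize]
[RoutePrefix("api/me")] // hypothetical route for this example
public class MeController : ApiController
{
    [HttpGet, Route("")]
    public IHttpActionResult WhoAmI()
    {
        // By the time we are here the handler has verified signature, issuer, audience and expiry
        // and replaced the request principal with a ClaimsPrincipal built from the token's claims.
        var principal = User as ClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            return Unauthorized();

        return Ok(new
        {
            name = principal.Identity.Name,                      // ClaimTypes.Name set in GetToken
            claims = principal.Claims.Select(c => new { c.Type, c.Value }).ToList()
        });
    }
}

public static class ApiClient
{
    // Returns the HTTP status code so a caller can see 401 (missing, expired or tampered token)
    // versus 200 (valid token) without parsing the body.
    public static async Task<int> CallWhoAmIAsync(string baseUrl, string token)
    {
        using (var client = new HttpClient { BaseAddress = new Uri(baseUrl) })
        {
            if (token != null)
                client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
            HttpResponseMessage response = await client.GetAsync("api/me");
            return (int)response.StatusCode;
        }
    }
}

// Usage (base URL is hypothetical):
//   int withToken    = await ApiClient.CallWhoAmIAsync("https://localhost:44300/", GetToken("alice", lifetime: 5));
//   int withoutToken = await ApiClient.CallWhoAmIAsync("https://localhost:44300/", null);
```

Keeping the lifetime short in GetToken (the example uses 5 minutes) limits how long a leaked token stays usable, since the handler only checks expiry and has no revocation list.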