Securing Webapi using Json Web Token (JWT) in web api c#
Updated to use latest : System.IdentityModel.Tokens.Jwt -Version 5.1.4
Jwt Web Api c# Development Environment:
Visual Studio 2015/2013
.NET Framework 4.5.2
we can use free tool Restlet Client Chrome Plugin or Fiddler to test our webapi its completely up to you.
Nugget Packages used
System.IdentityModel.Tokens.Jwt -Version 5.1.4 -It will help in validating, parsing and generating JWT
tokens; there are other libraries that do this task you are free to choose any package that handle JWT
tokens.
Before you proceed Let’s ask our self some Prerequisite question before start working on web api c#
Prerequisite Knowledge –
Do you know what is a HttpMessageHandler & DelegatingHandler in ASP.NET ? If not then I would highly
recommended reading this post . httpmessagehandler c# example
Do you know basics of jwt web api JWT(Json Web Token)? If not then Visit jwt.io for learning more about
JWT . Chris has also provided good details about JWT info.
Let’s move on to actual work that need to be done. Two basic mechanism for securing WEB API
Using Traditional Cookie based authentication
Using Token Based Authentication – In simple words our goal is to secure data transmission between two
endpoints JWT is a way to achieve.
Json Web Token Consist of Three parts
o Header
o Claim
o Signature
Both of methods have pros and cons and that is out of the scope of this article and either of the methods should be
adopted based on circumstances. we will follow Token Based Authentication. The mechanism is not complex once
we get understanding of workflow. So the key is not to jump on code right away but understand flow of request.
Let’s do it
1. User Enter username and password on mobile/web application and press login.
2. User Credentials are sent to WEB API endpoint.
3. We Intercept HTTP Request and check if the header has JWT token(it will not be there for the first request) if
not then we verify username and password and if credentials are correct, we create a JWT token using the
library and send it is back in the response body.Next time client request protected resource with this token
in a header so for the subsequent request we intercept HTTP request and validate token.
Image below shows flow of information between your browser/mobile and server.
Let’s start coding for our JWT WEB API C#
Create a new project and name your project and solution and select ASP.NET web application
2. Select ASP.NET web API and change Authentication to None.
3. Click on OK to have a initial template of project.
4. Let’s add a Nuget this Latest package that will help to handle task related to jwt web api
System.IdentityModel.Tokens.Jwt
Install-Package System.IdentityModel.Tokens.Jwt -Version 5.1.4
Verifying The jwt web api c# :
5. we will need to add a class at root level that extends from DelegatingHandler and we will override
SendAsync method. Please note the purpose of adding this class is to intercept incoming HTTP Request and Retrieve
and Validate Token.
Untill this point if you don’t know what is purpose of DelegatingHandler is Please read this post before moving
forward. HTTP Message Handler in Web API
I will name this class TokenValidationHandler see code snippet below and follow it carefully. click on Add to add a
new class.
C#
1 using Microsoft.IdentityModel.Tokens;
2 using System;
3 using System.Collections.Generic;
4 using System.IdentityModel.Tokens;
5 using System.IdentityModel.Tokens.Jwt;
6 using System.IO;
7 using System.Linq;
8 using System.Net;
9 using System.Net.Http;
1 using System.Security.Cryptography.X509Certificates;
0 using System.Threading;
1 using System.Threading.Tasks;
1 using System.Web;
1
2 namespace WEBAPI_JWT_Authentication
1 {
3 internal class TokenValidationHandler : DelegatingHandler
1 {
4 private static bool TryRetrieveToken(HttpRequestMessage request, out string token)
1 {
5 token = null;
1 IEnumerable<string> authzHeaders;
6 if (!request.Headers.TryGetValues("Authorization", out authzHeaders) || authzHeaders.Count() > 1)
1 {
7 return false;
1 }
8 var bearerToken = authzHeaders.ElementAt(0);
1 token = bearerToken.StartsWith("Bearer ") ? bearerToken.Substring(7) : bearerToken;
9 return true;
2 }
0
2 protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken
1 cancellationToken)
2 {
2 HttpStatusCode statusCode;
2 string token;
3 //determine whether a jwt exists or not
2 if (!TryRetrieveToken(request, out token))
4 {
2 statusCode = HttpStatusCode.Unauthorized;
5 //allow requests with no token - whether a action method needs an authentication can be set with the claimsauthorization attribute
2 return base.SendAsync(request, cancellationToken);
6 }
2
7 try
2 {
8 const string sec =
2 "401b09eab3c013d4ca54922bb802bec8fd5318192b0a75f201d8b3727429090fb337591abd3e44453b954555b7a0812e1081c39b740
9 293f765eae731f5a65ed1";
3 var now = DateTime.UtcNow;
0 var securityKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(System.Text.Encoding.Default.GetBytes(sec));
3 SecurityToken securityToken;
1 JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
3 TokenValidationParameters validationParameters = new TokenValidationParameters()
2 {
3 ValidAudience = "http://localhost:50191",
3 ValidIssuer = "http://localhost:50191",
3 ValidateLifetime = true,
4 ValidateIssuerSigningKey = true,
3 LifetimeValidator = this.LifetimeValidator,
5 IssuerSigningKey = securityKey
3 };
6 //extract and assign the user of the jwt
3 Thread.CurrentPrincipal = handler.ValidateToken(token, validationParameters, out securityToken);
7 HttpContext.Current.User = handler.ValidateToken(token, validationParameters, out securityToken);
3
8 return base.SendAsync(request, cancellationToken);
3 }
9 catch (SecurityTokenValidationException e)
4 {
0 statusCode = HttpStatusCode.Unauthorized;
4 }
1 catch (Exception ex)
4 {
2 statusCode = HttpStatusCode.InternalServerError;
4 }
3 return Task<HttpResponseMessage>.Factory.StartNew(() => new HttpResponseMessage(statusCode){ });
4 }
4
4 public bool LifetimeValidator(DateTime? notBefore, DateTime? expires, SecurityToken securityToken,
5 TokenValidationParameters validationParameters)
4 {
6 if (expires != null)
4 {
7 if (DateTime.UtcNow < expires) return true;
4 }
8 return false;
4 }
9 }
5 }
we wrote a custom Message Handler, we defined our own class that derived from the DelegatingHandler class and
we override SendAysnc method.
This code will intercept HTTP request and validate the JWT.
Generating the JWT Token Web Api C#:
6. Next thing is we need to create a JWT after verifying the username and password with our database. For this
purpose, I am going to create a controller. Let’s name it LoginController.cs
C#
re turn toke nString;
}
}
}
1 using System;
2 using System.Collections.Generic;
3 using System.IdentityModel.Tokens;
4 using System.IdentityModel.Tokens.Jwt;
5 using System.IO;
6 using System.Net;
7 using System.Net.Http;
8 using System.Security.Claims;
9 using System.Web;
1 using System.Web.Http;
0 using WEBAPI_JWT_Authentication.Models;
1
1
1 namespace WEBAPI_JWT_Authentication.Controllers
2 {
1 public class LoginController : ApiController
3 {
1 [HttpPost]
4 public IHttpActionResult Authenticate([FromBody] LoginRequest login)
1 {
5 var loginResponse = new LoginResponse { };
1 LoginRequest loginrequest = new LoginRequest { };
6 loginrequest.Username = login.Username.ToLower();
1 loginrequest.Password = login.Password;
7
1 IHttpActionResult response;
8 HttpResponseMessage responseMsg = new HttpResponseMessage();
1 bool isUsernamePasswordValid = false;
9
2 if(login != null)
0 isUsernamePasswordValid=loginrequest.Password=="admin" ? true:false;
2 // if credentials are valid
1 if (isUsernamePasswordValid)
2 {
2 string token = createToken(loginrequest.Username);
2 //return the token
3 return Ok<string>(token);
2 }
4 else
2 {
5 // if credentials are not valid send unauthorized status code in response
2 loginResponse.responseMsg.StatusCode = HttpStatusCode.Unauthorized;
6 response = ResponseMessage(loginResponse.responseMsg);
2 return response;
7 }
2 }
8
2 private string createToken(string username)
9 {
3 //Set issued at date
0 DateTime issuedAt = DateTime.UtcNow;
3 //set the time when it expires
1 DateTime expires = DateTime.UtcNow.AddDays(7);
3
2 //http://stackoverflow.com/questions/18223868/how-to-encrypt-jwt-security-token
3 var tokenHandler = new JwtSecurityTokenHandler();
3
3 //create a identity and add claims to the user which we want to log in
4 ClaimsIdentity claimsIdentity = new ClaimsIdentity(new[]
3 {
5 new Claim(ClaimTypes.Name, username)
3 });
6
3 const string sec =
7 "401b09eab3c013d4ca54922bb802bec8fd5318192b0a75f201d8b3727429090fb337591abd3e44453b95455
3 5b7a0812e1081c39b740293f765eae731f5a65ed1";
8 var now = DateTime.UtcNow;
3 var securityKey = new
9 Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(System.Text.Encoding.Default.GetBytes(sec));
4 var signingCredentials = new
0 Microsoft.IdentityModel.Tokens.SigningCredentials(securityKey,Microsoft.IdentityModel.Tokens.SecurityAlg
4 orithms.HmacSha256Signature);
1
4
2 //create the jwt
4 var token =
3 (JwtSecurityToken)
4 tokenHandler.CreateJwtSecurityToken(issuer:"http://localhost:50191",audience:"http://localhos
4 t:50191",
4 subject: claimsIdentity, notBefore: issuedAt, expires: expires, signingCredentials:
5 signingCredentials);
4 var tokenString = tokenHandler.WriteToken(token);
6
4 return tokenString;
7 }
4 }
8 }
4
9
5
0
5
1
5
2
5
3
5
4
5
5
5
6
5
7
5
8
5
9
6
0
6
1
6
2
6
3
6
4
6
5
6
6
6
7
6
8
6
9
7
0
7
1
7
2
7
3
7
4
7
5
7
6
7
7
7
8
7
9
8
0
we have CreateToken method that generates a token and Authenticate method receive an HTTP request and we
validate the username and password and if they are valid we send back the Token.
7. Next step is where we will register Message Handler class. Add following lines in WebApiConfig.cs
config.MessageHandlers.Add(new TokenValidationHandler ());
8 . Securing our controller ; Let’s decorate our Values Controller with Authorize attribute and Run the project press
F5
9 . jwt web api c# Testing
you can use any Rest client tool to make a post call to these endpoints like Postman, fiddler or chrome extension . I
will use this Chrome Restlet Client Chrome Plugin It’s really compact and easy to use.
so here is the work flow
1- Obtaining JWT token for webapi c# : Make a POST call to Authenticate endpoint by providing username/password
to get the token.
2- Using the Token to access secure endpoint of jwt web api C#: we will use token to get access to secure resource
in our case any endpoint in values controller.
As you can see I added the token in the header do notice syntax Bearer token . we accessed our secured resource
using JWT. It is valid for about of time we set when we generated it . if we temper with it unauthorized code is
returned.
Code for JWT Web Api:
Access the code for jwt web api on github repository : JWT Authentication for Asp.Net Web Api