Introduction
Token-based security is commonly used in today’s security architecture. There are several token-based security techniques. JWT is one of the more popular techniques. JWT token is used to identify authorized users.
What is the JWT WEB TOKEN?
- Open Standard: Means anywhere, anytime, and anyone can use JWT.
- Secure data transfer between any two bodies, any two users, any two servers.
- It is digitally signed: Information is verified and trusted.
- There is no alteration of data.
- Compact: because JWT can be sent via URL, post request & HTTP header.
- Fast transmission makes JWT more usable.
- Self Contained: because JWT itself holds user information.
- It avoids querying the database more than once after a user is logged in and has been verified.
JWT is useful for
- Authentication
- Secure data transfer
JWT Token Structure
A JWT token contains a Header, a Payload, and a Signature.
Header
Header contains the algorithms like RSA or HMACSHA256 and the information of the type of Token.
- {
- “alg” : ”” Algorithm like RSA or HMACSHA256
- “Type” : ”” Type of JWT Token
- }
Payload
Payload contains the information of rows, i.e., user credentials.
- {
- “loginname” : ”Gajendra”
- “password”:”123#”
- }
- It contains claims.
- Claims are user details or additional information
Signature
{ base64urlencoded (header) +”.”+ base64urlencoded (payload) +”.”+ secret }
- Combine base64 encoded Header , base64 encoded Payload with secret
- These provide more security.
A combination of all headers, payload and signatures converts into JWT TOKEN.
How Does JWT Work?
Step 1
Client logs in with his/her credentials.
Step 2
Server generates a Jwt token at server side.
Step 3
After token generation, the server returns a token in response.
Step 4
Now, the client sends a copy of the token to validate the token.
Step 5
The server checks JWT token to see if it's valid or not.
Step 6
After the token is validated, the server sends a status message to the client.
![How To Use JWT Authentication With WEB API]()
Working With JWT
Step 1
User Login - User normally logs in with his/her credentials such as User Name and Password.
- [Route("UserLogin")]
- [HttpPost]
- public ResponseVM UserLogin(LoginVM objVM) {
- var objlst = wmsEN.Usp_Login(objVM.UserName, UtilityVM.Encryptdata(objVM.Passward), "").ToList < Usp_Login_Result > ().FirstOrDefault();
- if (objlst.Status == -1) return new ResponseVM {
- Status = "Invalid", Message = "Invalid User."
- };
- if (objlst.Status == 0) return new ResponseVM {
- Status = "Inactive", Message = "User Inactive."
- };
- else return new ResponseVM {
- Status = "Success", Message = TokenManager.GenerateToken(objVM.UserName)
- };
- }
Step 2
Server generates a JWT token.
- private static string Secret = "ERMN05OPLoDvbTTa/QkqLNMI7cPLguaRyHzyg7n5qNBVjQmtBhz4SzYh4NBVCXi3KJHlSXKP+oi2+bXr6CUYTR==";
Create Jwt Token
First you have to add Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt references from NuGet Package Manager.
- public static string GenerateToken(string username) {
- byte[] key = Convert.FromBase64String(Secret);
- SymmetricSecurityKey securityKey = new SymmetricSecurityKey(key);
- SecurityTokenDescriptor descriptor = new SecurityTokenDescriptor {
- Subject = new ClaimsIdentity(new [] {
- new Claim(ClaimTypes.Name, username)
- }),
- Expires = DateTime.UtcNow.AddMinutes(30),
- SigningCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256Signature)
- };
- JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
- JwtSecurityToken token = handler.CreateJwtSecurityToken(descriptor);
- return handler.WriteToken(token);
- }
- public static ClaimsPrincipal GetPrincipal(string token) {
- try {
- JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
- JwtSecurityToken jwtToken = (JwtSecurityToken) tokenHandler.ReadToken(token);
- if (jwtToken == null) return null;
- byte[] key = Convert.FromBase64String(Secret);
- TokenValidationParameters parameters = new TokenValidationParameters() {
- RequireExpirationTime = true,
- ValidateIssuer = false,
- ValidateAudience = false,
- IssuerSigningKey = new SymmetricSecurityKey(key)
- };
- SecurityToken securityToken;
- ClaimsPrincipal principal = tokenHandler.ValidateToken(token, parameters, out securityToken);
- return principal;
- } catch {
- return null;
- }
- }
Step 3
Check for token validation.
- [Route("Validate")]
- [HttpGet]
- public ResponseVM Validate(string token, string username) {
- int UserId = new UserRepository().GetUser(username);
- if (UserId == 0) return new ResponseVM {
- Status = "Invalid", Message = "Invalid User."
- };
- string tokenUsername = TokenManager.ValidateToken(token);
- if (username.Equals(tokenUsername)) {
- return new ResponseVM {
- Status = "Success",
- Message = "OK",
- };
- }
- return new ResponseVM {
- Status = "Invalid", Message = "Invalid Token."
- };
- }
- public static string ValidateToken(string token) {
- string username = null;
- ClaimsPrincipal principal = GetPrincipal(token);
- if (principal == null) return null;
- ClaimsIdentity identity = null;
- try {
- identity = (ClaimsIdentity) principal.Identity;
- } catch (NullReferenceException) {
- return null;
- }
- Claim usernameClaim = identity.FindFirst(ClaimTypes.Name);
- username = usernameClaim.Value;
- return username;
- }
Here is the complete TokenManager class.
- using Microsoft.IdentityModel.Tokens;
- using System;
- using System.Collections.Generic;
- using System.IdentityModel.Tokens.Jwt;
- using System.Linq;
- using System.Security.Claims;
- using System.Web;
-
- namespace WMS.Models.VM
- {
- public class TokenManager
- {
- private static string Secret = "ERMN05OPLoDvbTTa/QkqLNMI7cPLguaRyHzyg7n5qNBVjQmtBhz4SzYh4NBVCXi3KJHlSXKP+oi2+bXr6CUYTR==";
- public static string GenerateToken(string username)
- {
- byte[] key = Convert.FromBase64String(Secret);
- SymmetricSecurityKey securityKey = new SymmetricSecurityKey(key);
- SecurityTokenDescriptor descriptor = new SecurityTokenDescriptor
- {
- Subject = new ClaimsIdentity(new[] {
- new Claim(ClaimTypes.Name, username)}),
- Expires = DateTime.UtcNow.AddMinutes(30),
- SigningCredentials = new SigningCredentials(securityKey,
- SecurityAlgorithms.HmacSha256Signature)
- };
-
- JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
- JwtSecurityToken token = handler.CreateJwtSecurityToken(descriptor);
- return handler.WriteToken(token);
- }
- public static ClaimsPrincipal GetPrincipal(string token)
- {
- try
- {
- JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
- JwtSecurityToken jwtToken = (JwtSecurityToken)tokenHandler.ReadToken(token);
- if (jwtToken == null)
- return null;
- byte[] key = Convert.FromBase64String(Secret);
- TokenValidationParameters parameters = new TokenValidationParameters()
- {
- RequireExpirationTime = true,
- ValidateIssuer = false,
- ValidateAudience = false,
- IssuerSigningKey = new SymmetricSecurityKey(key)
- };
- SecurityToken securityToken;
- ClaimsPrincipal principal = tokenHandler.ValidateToken(token,
- parameters, out securityToken);
- return principal;
- }
- catch
- {
- return null;
- }
- }
- public static string ValidateToken(string token)
- {
- string username = null;
- ClaimsPrincipal principal = GetPrincipal(token);
- if (principal == null)
- return null;
- ClaimsIdentity identity = null;
- try
- {
- identity = (ClaimsIdentity)principal.Identity;
- }
- catch (NullReferenceException)
- {
- return null;
- }
- Claim usernameClaim = identity.FindFirst(ClaimTypes.Name);
- username = usernameClaim.Value;
- return username;
- }
-
- }
- }
Summary
In this article, I have explained the Jwt token authentication and how it works.