How do you manage JWT authentication in a .NET Core Web API?

Question

How do you manage JWT authentication in a .NET Core Web API, and what steps do you take to secure and validate tokens?

Ck Nitin · Answer

To secure and validate JWT tokens in a .NET Core Web API, you follow a series of steps that ensure the integrity, authenticity, and safety of the token during issue of token, transmission, and validation. Secure Token Issuance When generating a JWT, make sure it includes: Claims : Include roles or permissions. Expiration ( exp ) : Set a short lifetime (e.g., 30–60 minutes). Issuer ( iss ) and Audience ( aud ) : Validate these on both sides. Signing Algorithm : Use strong algorithms like HS256 or RS256 . var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user.Username), new Claim(ClaimTypes.Role, "User") }), Expires = DateTime.UtcNow.AddMinutes(30), Issuer = _configuration["Jwt:Issuer"], Audience = _configuration["Jwt:Audience"], SigningCredentials = new SigningCredentials( new SymmetricSecurityKey(keyBytes), SecurityAlgorithms.HmacSha256Signature) }; Validate Tokens During Authentication Use the built-in JWT Bearer authentication middleware to validate tokens automatically. services.AddAuthentication(options => { options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; }) .AddJwtBearer(options => { options.TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = true, ValidateAudience = true, ValidateLifetime = true, ValidateIssuerSigningKey = true, ValidIssuer = configuration["Jwt:Issuer"], ValidAudience = configuration["Jwt:Audience"], IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["Jwt:Key"])) }; }); This ensures: The token was issued by a trusted party ( ValidateIssuer ) It’s intended for this service ( ValidateAudience ) It hasn’t expired ( ValidateLifetime ) It wasn’t tampered with ( ValidateIssuerSigningKey ) Secure Storage of Signing Keys Never hardcode secrets in source code. Best Practices: Store signing keys in: Environment variables Azure Key Vault AWS Secrets Manager Configuration files outside source control (like appsettings.Production.json ) Rotate keys periodically. "Jwt": { "Key": "YOUR_STRONG_SECRET_KEY_123!@#", "Issuer": "https://your-api.com ", "Audience": "MyWebApp" }

How do you manage JWT authentication in a .NET Core Web API?

Answers (1)