
I have created a custom middleware class which validates the JWT token. I am calling this method before app.AddMvc() in the Configure method.

I would like to know what I should add to ConfigureServices to authenticate my web API using JWT. I have added [Authorize] to my controller class.

Do I need to call my middleware class which validates the JWT token first in the Configure method, or should I call app.UseAuthentication()? I am using the following order:

 app.UseAuthentication();
 app.MessageHandlerMiddleware();
 app.UseMvc();

I am new to .NET web API implementation. Could you please help me out?

Minhaj Patel
Girish
  • What's the reason for creating a "custom middleware class" for the JWT validation? Is there a specific reason you can't use the built-in validation process? – Kirk Larkin Aug 21 '18 at 07:46
  • To be frank, I am not sure how to validate it using the built-in validation process! Due to which I have created my own stuff for authentication – Girish Aug 21 '18 at 09:25
  • Have a read through [Securing ASP.NET Core 2.0 Applications with JWTs](https://auth0.com/blog/securing-asp-dot-net-core-2-applications-with-jwts/) and see if it helps. – Kirk Larkin Aug 21 '18 at 11:15
  • Thanks Kirk Larkin. Let me check it – Girish Aug 21 '18 at 12:07

1 Answer


From one of my answers you can see how we pass the JWT token and what the code looks like for classic (non-Core) ASP.NET Web API 2.

There are not many differences; the code for ASP.NET Core looks similar.

The key aspect is that once you add the JWT configuration in Startup, the app handles validation automatically.

services
    .AddAuthentication(options =>
    {
        // Make JWT bearer the scheme used both to authenticate requests
        // and to challenge (401) unauthenticated ones, so plain [Authorize] works.
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(x =>
    {
        // Allows the authority's metadata endpoint to be fetched over plain HTTP.
        // Only acceptable for local development; keep the default (true) in production.
        x.RequireHttpsMetadata = false;
        // Keeps the raw token in the AuthenticationProperties for later retrieval.
        x.SaveToken = true;
        x.TokenValidationParameters = new TokenValidationParameters()
        {
            // Reject tokens whose signature does not verify against IssuerSigningKey.
            ValidateIssuerSigningKey = true,
            // Reject expired (exp) and not-yet-valid (nbf) tokens.
            ValidateLifetime = true,
            IssuerSigningKey = _configuration.GetSymmetricSecurityKey(),
            // Issuer and audience validation are on by default; these are the expected values.
            ValidAudience = _configuration.GetValidAudience(),
            ValidIssuer = _configuration.GetValidIssuer()
        };
    });

(use the above link to see the implementation of the GetSymmetricSecurityKey, GetValidAudience and GetValidIssuer extension methods)

Also a very important part:

services.AddAuthorization(auth =>
{
    // Named policy that only admits requests authenticated via the JWT bearer scheme.
    auth
    .AddPolicy(
        _configuration.GetDefaultPolicy(),
        new AuthorizationPolicyBuilder()
            .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
            .RequireAuthenticatedUser().Build()
    );
});
Alex Herman
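As an added example (not part of the original question or answer), here is a complete ASP.NET Core 2.x Startup that wires up the built-in JwtBearer handler end to end with no custom validation middleware: ConfigureServices registers the scheme, the validation parameters and a default authorization policy, Configure puts UseAuthentication before UseMvc so the principal is populated before [Authorize] runs, and a small helper mints a token that the handler will accept. The configuration keys Jwt:Issuer, Jwt:Audience and Jwt:Key, the SecureController and the IssueToken helper are assumptions made for illustration; the code needs the Microsoft.AspNetCore.Authentication.JwtBearer package.

```csharp
// Added example: full ASP.NET Core 2.x wiring for the built-in JwtBearer handler.
// Assumed configuration keys (appsettings.json): Jwt:Issuer, Jwt:Audience and Jwt:Key
// (a random secret of at least 32 bytes for HS256). These names are hypothetical.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // The same symmetric key the token issuer signs with.
        var signingKey = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes(_configuration["Jwt:Key"]));

        services
            .AddAuthentication(options =>
            {
                // Without a default scheme, [Authorize] has nothing to authenticate with.
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(options =>
            {
                // No Authority is set, so no metadata is fetched; RequireHttpsMetadata
                // is left at its default (true) rather than loosened.
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,   // signature must verify
                    IssuerSigningKey = signingKey,
                    ValidateIssuer = true,             // iss must match
                    ValidIssuer = _configuration["Jwt:Issuer"],
                    ValidateAudience = true,           // aud must match this API
                    ValidAudience = _configuration["Jwt:Audience"],
                    ValidateLifetime = true,           // exp / nbf enforced
                    ClockSkew = TimeSpan.FromSeconds(30) // default is 5 minutes
                };
            });

        // Default policy: every bare [Authorize] requires a user authenticated
        // by the JWT bearer scheme.
        services.AddAuthorization(options =>
        {
            options.DefaultPolicy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
                .RequireAuthenticatedUser()
                .Build();
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Order matters: authentication must run before MVC so HttpContext.User is
        // populated when [Authorize] is evaluated. No custom middleware is needed.
        app.UseAuthentication();
        app.UseMvc();
    }

    // Hypothetical helper that mints a token the handler above accepts. In a real
    // deployment this lives in the identity provider, not in the resource API; it is
    // shown here to make the issuer/audience/expiry contract explicit.
    public static string IssueToken(IConfiguration configuration, string userName)
    {
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["Jwt:Key"]));
        var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: configuration["Jwt:Issuer"],
            audience: configuration["Jwt:Audience"],
            claims: new[] { new Claim(ClaimTypes.Name, userName) },
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: credentials);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

// Hypothetical protected controller: reachable only with a valid bearer token;
// otherwise the challenge scheme returns 401 without any code in the action.
[Authorize]
[Route("api/[controller]")]
public class SecureController : Controller
{
    [HttpGet]
    public IActionResult Get() => Ok(new { user = User.Identity.Name });
}
```

Call the API with an `Authorization: Bearer <token>` header. A missing, expired, tampered or wrong-audience token never reaches the action: the handler rejects it and the challenge scheme answers 401, which is exactly the work the custom middleware in the question was trying to do by hand.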