JWT Token Based Authorization

Introduction

JWT stands for Json Web Token,It is open standard which means anyone can use it. JWT certified with RFC 7519. It securely transfer information between any two bodies with secret key. Token gets verified on server to allow requested resouce or information. JWT can be send via URL,POST req or HTTP header. 

JWTToken(header.payload.signature) 

 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ

.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

 

Above is token return from server once user authenticate the website successfully, Token is encrypted and uderstand by server only and client will store token in client storage and pass token in http request, server Read token sent from browser and verify the token and authorize requested resource to browser request.  For more details visit https://jwt.io/introduction

 

JWT token divided in 3 parts Header, Payload and Signature

 

1. Header : Json below from header section decides algorithm(HS256) for JWT token.Header is encoded with base64 format                                                                                                                                                   { "alg": "HS256", "typ": "JWT" }
2. Payload: It is json object which contains information of claims. claims are user details or additional data like expiry date of token ,admin etc. It is again encoded with Base64 format to form second part.                                                                                                                                                                        { "sub":"1234567890", "name":"Asif S", "admin":"true" }
3. Signature : It is most important part of Token. It combine base64 header and payload with secret key. Secret key declared on server and it is not visible or decode. Signature is combination of base64 format of header, payload and secret key shown below                                                          HMACSHA256( base64urlEncode(header).base64urlEncode(payload), secret key from server).

 

Client send credentials to authenticate, server authenticate user if valid and return response with token. Client stores the token on browser memory (local storage) and send back token with next http request. Server reads token from incoming http request and validate token if client not modify anyting on token its get verified and allow requested resource or information back.

 

JWT token is not stored on server memory like session Token but token generated on server and return to client once authenticate, now its clients resposibility to pass that token for next http request to access authorized information from server.

  

 Follow below steps to create application. 

1. Create AspNet Core Web Api project using visual studio 2019.

 

 2. Create Model Folder at root directory and create class inside model folder with name ApplicationUser.cs

 

3. Create AccountController.cs under Controllers folder

 

 

 4. Update Startup.cs class 

 

5.Update Appsettings.json file

  

To download sample from Github 

https://github.com/asifin90/TokenBasedAuthorization