In the second part on JWT Tokens we will implement a basic user authentication in a REST app based on ASP.NET WEB API 2.
In the first part we’ve learnt about JWT structure and found out how Tokens are working. In the following examples we will use RSA for signing (an asymmetric coding algorithm) and Unity as a dependency injection container.
JWT Token example
To create, sign and validate tokens you can use an existing library provided by Microsoft: System.IdentityModel.Tokens.Jwt. You can download it right through NuGet.
The architecture of our app
MembershipProvider
In the beginning we create a new class (MembershipProvider), which is responsible for downloading claims and validating the user.
using System.Collections.Generic;
using System.Security.Claims;
using Zaven.Practices.Auth.JWT.Providers.Interfaces;
...
public class MembershipProvider : IMembershipProvider
{
public List GetUserClaims(string username)
{
List claims = new List();
claims.Add(new Claim(ClaimTypes.Role, "Admin"));
claims.Add(new Claim(ClaimTypes.Email, "admin93@gmail.com"));
return claims;
}
public bool VerifyUserPassword(string username, string password)
{
if (username == "admin93" && password == "password")
return true;
return false;
}
}
RSAKeyProvider
RSAKeyProvider is responsible for providing the RSA key to encrypt/decrypt the JWT Token. In our example the RSA key is downloaded from a file in our repository, but in a real case scenario it should be kept in a safe place somewhere else.
using System;
using System.IO;
using System.Threading.Tasks;
using System.Security.Cryptography;
using Zaven.Practices.Auth.JWT.Providers.Interfaces;
...
public class RSAKeyProvider : IRSAKeyProvider
{
private string rsaKeyPath;
public RSAKeyProvider()
{
rsaKeyPath = AppDomain.CurrentDomain.BaseDirectory + @"RsaKeys\RsaUserKey.txt";
}
public async Task GetPrivateAndPublicKeyAsync()
{
string result = await ReadPrivateAndPublicKeyAsync();
if (string.IsNullOrEmpty(result))
{
string key = CreatePrivateAndPublicKey();
Boolean isInserted = await InsertPrivateAndPublicKeyAsync(key);
if (isInserted)
result = key;
}
return result;
}
private string CreatePrivateAndPublicKey()
{
RSACryptoServiceProvider myRSA = new RSACryptoServiceProvider(2048);
RSAParameters publicKey = myRSA.ExportParameters(true);
string publicAndPrivateKey = myRSA.ToXmlString(true);
return publicAndPrivateKey;
}
private async Task InsertPrivateAndPublicKeyAsync(string key)
{
Boolean result = false;
try
{
using (StreamWriter fileStream = new StreamWriter(rsaKeyPath))
{
await fileStream.WriteLineAsync(key);
result = true;
}
}
catch(Exception ex)
{
Debug.WriteLine(ex.Message);
result = false;
}
return result;
}
private async Task ReadPrivateAndPublicKeyAsync()
{
String result = null;
try
{
using (StreamReader fileStream = new StreamReader(rsaKeyPath))
{
result = await fileStream.ReadToEndAsync();
}
}
catch(Exception ex)
{
Debug.WriteLine(ex.Message);
}
return result;
}
}
The RSA key is generated in the CreatePrivateAndPublicKey() method using the existing RSACryptoServiceProvider class. The ToXmlString(true) method generates both public and private, while ToXmlString(false) only the public one.
In the next part we’ll move on to AuthService. This is the most important element of the application because it’s responsible for creating, signing and verifying the incoming JWT token.
Sources:
Popular posts
From Hype to Hard Hats: Practical Use Cases for AI chatbots in Construction and Proptech.
Remember the multimedia craze in the early 2000s? It was everywhere, but did it truly revolutionize our lives? Probably not. Today, it feels like every piece of software is labeled "AI-powered." It's easy to dismiss AI chatbots in construction as just another tech fad.
Read more
Fears surrounding external support. How to address concerns about outsourcing software development?
Whether you’ve had bad experiences in the past or no experience at all, there will always be fears underlying your decision to outsource software development.
Read more
What do you actually seek from external support? Identify what’s preventing you from completing a project on time and within budget
Let’s make it clear: if the capabilities are there, a project is best delivered internally. Sometimes, however, we are missing certain capabilities that are required to deliver said project in a realistic timeline. These may be related to skills (e.g. technical expertise, domain experience), budget (hiring locally is too expensive) or just capacity (not enough manpower). What are good reasons for outsourcing software development?
Read more
