{"id":533,"date":"2016-09-22T16:19:10","date_gmt":"2016-09-22T14:19:10","guid":{"rendered":"https:\/\/zaven.co\/blog\/?p=533"},"modified":"2025-04-08T19:55:19","modified_gmt":"2025-04-08T17:55:19","slug":"user-authentication-asp-net-web-api-jwt-tokens","status":"publish","type":"post","link":"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/","title":{"rendered":"User Authentication in ASP.NET WEB API 2 with RSA-signed JWT Tokens (part 1)"},"content":{"rendered":"<p>Are you working on a web or mobile app and looking for <strong>the easiest solution for safe user authorization<\/strong>? If so, you can use a <strong>JSON Web Token<\/strong>. Keep on reading to find out how it works and see examples of <em>user authentication in an ASP.NET WEB API 2 application<\/em>.<!--more--><\/p>\n<p>When programming a web app, we need to take great care of its security. <strong>We want to make sure access to its resources is available only to authorized users<\/strong>. If our app is based on a REST interface, it relies on HTTP, which is a stateless protocol. Therefore, the identifier which authorizes access must be included in every request that is sent to the server. That is the perfect scenario for using a token.<\/p>\n<p>A token can be a random character string, can include some kind of information about the user, can be encoded and can have a limited validity period. <strong>A JSON Web Token stores specific user data, e.g. id, roles, access rights<\/strong>. This makes it possible both to verify and to identify a specific user.<\/p>\n<h2>JSON Web Token structure<\/h2>\n<p><strong>JSON Web Token (JWT) is an open standard (RFC 7519) which defines a compact way to send information in JSON format.<\/strong> The data can be signed with an RSA or HMAC algorithm so that the receiver can verify its origin and integrity.<\/p>\n<p>JWT\u2019s short and concise structure makes sending tokens quick and convenient: we can place one in an HTTP header or in a URL. 
At the same time the token structure itself lets us verify a user.<\/p>\n<p><strong>The main task of a JWT token is user authentication<\/strong>. It works as follows: after every successful login, the user receives a unique token, which is placed in the HTTP header of each subsequent request and validated by the server every time. A signed token lets the server trust the claims it carries; note that a signed token is not encrypted, so its payload can be read by anyone who holds it and should not contain secrets.<\/p>\n<p>A JSON Web Token consists of three parts:<\/p>\n<ul>\n<li>Header<\/li>\n<li>Payload<\/li>\n<li>Signature<\/li>\n<\/ul>\n<p>Each part is Base64Url-encoded and the three are joined with dots (e.g. <code>xxxxx.yyyyy.zzzzz<\/code>).<\/p>\n<h3>Header<\/h3>\n<p>The header is composed of two values: the signing algorithm (e.g. HMAC SHA256 or RSA) and the token type (JWT).<\/p>\n<pre><code class=\"language-json\">{\n  \"alg\": \"HS256\",\n  \"typ\": \"JWT\"\n}<\/code><\/pre>\n<h3>Payload<\/h3>\n<p><strong>The payload holds claims, which are mostly statements about the user.<\/strong> We distinguish three types of claims:<\/p>\n<ul>\n<li><strong>Reserved claims<\/strong>: predefined claims that are optional but recommended because they are useful to the receiver, e.g. iss (issuer), exp (expiration time), aud (audience).<\/li>\n<li><strong>Public claims:<\/strong> claims defined by those who use JWTs. To prevent collisions they should be registered in the IANA JSON Web Token Claims Registry or be given a collision-resistant name.<\/li>\n<li><strong>Private claims:<\/strong> custom claims that are neither reserved nor public, agreed between the two parties that exchange the token.<\/li>\n<\/ul>\n<p>For example:<\/p>\n<pre><code class=\"language-json\">{\n  \"sub\": \"1234567890\",\n  \"name\": \"John Doe\",\n  \"admin\": true\n}<\/code><\/pre>\n<h3>Signature<\/h3>\n<p><strong>Before creating the signature, you have to Base64Url-encode the header and the payload.<\/strong><\/p>\n<p>We also need a key to sign the data. 
Here\u2019s how the signature is computed using HMAC SHA256 (pseudocode):<\/p>\n<pre><code class=\"language-csharp\">HMACSHA256(\n  base64UrlEncode(header) + \".\" +\n  base64UrlEncode(payload),\n  secret)<\/code><\/pre>\n<p>The signature lets the receiver verify who issued the token and check that its contents have not been modified in the meantime.<\/p>\n<h2>Putting it all together<\/h2>\n<p>Base64Url-encoding all three parts of the token and joining them with dots gives a compact message, which we can easily send in an HTTP header or in a URL. As you can see, it\u2019s very short compared with other solutions of this kind.<\/p>\n<pre><code class=\"language-http\" style=\"white-space: pre-wrap; word-wrap: break-word;\">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ<\/code><\/pre>\n<p>On <a href=\"https:\/\/jwt.io\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">the official JWT website<\/a> you can test your tokens (i.e. generate, decode and verify them).<\/p>\n<h2>Sending JWT tokens<\/h2>\n<p>When the user wants to access protected data, the request has to include the token as the identifier. <em>The JWT token is usually placed in the HTTP Authorization header using the Bearer scheme<\/em>, like this:<\/p>\n<p><code>Authorization: Bearer &lt;token&gt;<\/code><\/p>\n<p>Authorization is stateless: the server does not keep any session state for a logged-in user. The claims are encoded into the token only once, when the user logs in; with each request the server validates the token and unambiguously identifies the user from those claims. 
This significantly speeds up the authentication process.<\/p>\n<div id=\"attachment_536\" style=\"width: 740px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-536\" class=\"size-medium wp-image-536\" src=\"https:\/\/zaven.co\/blog\/wp-content\/uploads\/2016\/09\/proces2.-730x409.png\" alt=\"web api 2 jwt authentication\"   srcset=\"https:\/\/zaven.co\/blog\/wp-content\/uploads\/2016\/09\/proces2.-730x409.png 730w, https:\/\/zaven.co\/blog\/wp-content\/uploads\/2016\/09\/proces2..png 1334w\" sizes=\"auto, (max-width: 730px) 100vw, 730px\" \/><p id=\"caption-attachment-536\" class=\"wp-caption-text\">The JWT Token authentication process (source: jwt.io)<\/p><\/div>\n<p>Now that we\u2019re familiar with the basic JSON Web Token structure, its usage and delivery, we can move on to the next steps. In the next part of the article I will describe basic user authentication in ASP.NET WEB API 2 with <a href=\"https:\/\/zaven.co\/blog\/user-authentication-web-api-2-jwt-token\/\">RSA-signed JWT Tokens<\/a>.<\/p>\n<p><span style=\"color: #808080;\">Sources: <\/span><\/p>\n<ul>\n<li><a href=\"https:\/\/jwt.io\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Official JWT website<\/a><\/li>\n<li><a href=\"http:\/\/dotnetcodes.com\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">.NET Codes website<\/a><\/li>\n<li><a href=\"https:\/\/msdn.microsoft.com\/pl-pl\/default.aspx\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Microsoft Developer Network<\/a><\/li>\n<li><a href=\"http:\/\/www.asp.net\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">The ASP.NET Site<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Are you working on a web or mobile app and looking for the easiest solution for a safe user authorization? If so, you can use JSON Web Token. 
Keep on reading to find out how it works and see examples of a user authentication in an ASP.NET WEB API 2 application.<\/p>\n","protected":false},"author":12,"featured_media":578,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56,57,5],"tags":[48,47,40,8,49,41],"class_list":["post-533","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android-development","category-ios-development","category-tutorials","tag-json-tokens","tag-jwt","tag-mobile-app","tag-tutorial","tag-user-authentication","tag-web-app"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.8.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>ASP.NET Web Api 2 JWT User Authentication | Zaven Blog<\/title>\n<meta name=\"description\" content=\"Are you working on a web or mobile app and looking for the easiest solution for a safe user authorization? If so, you can use JWT Token. Check it out!\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ASP.NET Web Api 2 JWT User Authentication | Zaven Blog\" \/>\n<meta property=\"og:description\" content=\"Are you working on a web or mobile app and looking for the easiest solution for a safe user authorization? If so, you can use JWT Token. 
Check it out!\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/\" \/>\n<meta property=\"og:site_name\" content=\"Zaven Blog\" \/>\n<meta property=\"article:published_time\" content=\"2016-09-22T14:19:10+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-04-08T17:55:19+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/zaven.co\/blog\/wp-content\/uploads\/2016\/09\/Depositphotos_63185489_original.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"4480\" \/>\n\t<meta property=\"og:image:height\" content=\"3054\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Micha\u0142 Zawadzki\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Micha\u0142 Zawadzki\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/\",\"url\":\"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/\",\"name\":\"ASP.NET Web Api 2 JWT User Authentication | Zaven 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/zaven.co\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/zaven.co\/blog\/wp-content\/uploads\/2016\/09\/Depositphotos_63185489_original.jpg\",\"datePublished\":\"2016-09-22T14:19:10+00:00\",\"dateModified\":\"2025-04-08T17:55:19+00:00\",\"author\":{\"@id\":\"https:\/\/zaven.co\/blog\/#\/schema\/person\/7398fa7d171618b07d568aea38f1d17f\"},\"description\":\"Are you working on a web or mobile app and looking for the easiest solution for a safe user authorization? If so, you can use JWT Token. Check it out!\",\"breadcrumb\":{\"@id\":\"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/#primaryimage\",\"url\":\"https:\/\/zaven.co\/blog\/wp-content\/uploads\/2016\/09\/Depositphotos_63185489_original.jpg\",\"contentUrl\":\"https:\/\/zaven.co\/blog\/wp-content\/uploads\/2016\/09\/Depositphotos_63185489_original.jpg\",\"width\":4480,\"height\":3054,\"caption\":\"User Authentication in ASP.NET WEB API 2 with RSA-encrypted JWT Tokens\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/zaven.co\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"User Authentication in ASP.NET WEB API 2 with RSA-signed JWT Tokens (part 
1)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/zaven.co\/blog\/#website\",\"url\":\"https:\/\/zaven.co\/blog\/\",\"name\":\"Zaven Blog\",\"description\":\"Software development blog. Generative AI, web &amp; mobile applications.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/zaven.co\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/zaven.co\/blog\/#\/schema\/person\/7398fa7d171618b07d568aea38f1d17f\",\"name\":\"Micha\u0142 Zawadzki\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/zaven.co\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ca67b3acf11d373f6677081d08548407?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ca67b3acf11d373f6677081d08548407?s=96&d=mm&r=g\",\"caption\":\"Micha\u0142 Zawadzki\"},\"description\":\"Micha\u0142 is at the Back-end site of our software team, specializing in .NET web apps. Apart from being an excellent table tennis player, he\u2019s very much into sci-fi literature and computer games.\",\"sameAs\":[\"https:\/\/pl.linkedin.com\/in\/micha\u0142-zawadzki-003428126\"],\"url\":\"https:\/\/zaven.co\/blog\/author\/michal\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"ASP.NET Web Api 2 JWT User Authentication | Zaven Blog","description":"Are you working on a web or mobile app and looking for the easiest solution for a safe user authorization? If so, you can use JWT Token. 
Check it out!","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/","og_locale":"en_US","og_type":"article","og_title":"ASP.NET Web Api 2 JWT User Authentication | Zaven Blog","og_description":"Are you working on a web or mobile app and looking for the easiest solution for a safe user authorization? If so, you can use JWT Token. Check it out!","og_url":"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/","og_site_name":"Zaven Blog","article_published_time":"2016-09-22T14:19:10+00:00","article_modified_time":"2025-04-08T17:55:19+00:00","og_image":[{"width":4480,"height":3054,"url":"https:\/\/zaven.co\/blog\/wp-content\/uploads\/2016\/09\/Depositphotos_63185489_original.jpg","type":"image\/jpeg"}],"author":"Micha\u0142 Zawadzki","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Micha\u0142 Zawadzki","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/","url":"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/","name":"ASP.NET Web Api 2 JWT User Authentication | Zaven Blog","isPartOf":{"@id":"https:\/\/zaven.co\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/#primaryimage"},"image":{"@id":"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/#primaryimage"},"thumbnailUrl":"https:\/\/zaven.co\/blog\/wp-content\/uploads\/2016\/09\/Depositphotos_63185489_original.jpg","datePublished":"2016-09-22T14:19:10+00:00","dateModified":"2025-04-08T17:55:19+00:00","author":{"@id":"https:\/\/zaven.co\/blog\/#\/schema\/person\/7398fa7d171618b07d568aea38f1d17f"},"description":"Are you working on a web or mobile app and looking for the easiest solution for a safe user authorization? If so, you can use JWT Token. 
Check it out!","breadcrumb":{"@id":"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/#primaryimage","url":"https:\/\/zaven.co\/blog\/wp-content\/uploads\/2016\/09\/Depositphotos_63185489_original.jpg","contentUrl":"https:\/\/zaven.co\/blog\/wp-content\/uploads\/2016\/09\/Depositphotos_63185489_original.jpg","width":4480,"height":3054,"caption":"User Authentication in ASP.NET WEB API 2 with RSA-encrypted JWT Tokens"},{"@type":"BreadcrumbList","@id":"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-jwt-tokens\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zaven.co\/blog\/"},{"@type":"ListItem","position":2,"name":"User Authentication in ASP.NET WEB API 2 with RSA-signed JWT Tokens (part 1)"}]},{"@type":"WebSite","@id":"https:\/\/zaven.co\/blog\/#website","url":"https:\/\/zaven.co\/blog\/","name":"Zaven Blog","description":"Software development blog. 
Generative AI, web &amp; mobile applications.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zaven.co\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/zaven.co\/blog\/#\/schema\/person\/7398fa7d171618b07d568aea38f1d17f","name":"Micha\u0142 Zawadzki","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zaven.co\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/ca67b3acf11d373f6677081d08548407?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ca67b3acf11d373f6677081d08548407?s=96&d=mm&r=g","caption":"Micha\u0142 Zawadzki"},"description":"Micha\u0142 is at the Back-end site of our software team, specializing in .NET web apps. Apart from being an excellent table tennis player, he\u2019s very much into sci-fi literature and computer 
games.","sameAs":["https:\/\/pl.linkedin.com\/in\/micha\u0142-zawadzki-003428126"],"url":"https:\/\/zaven.co\/blog\/author\/michal\/"}]}},"_links":{"self":[{"href":"https:\/\/zaven.co\/blog\/wp-json\/wp\/v2\/posts\/533","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zaven.co\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zaven.co\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zaven.co\/blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/zaven.co\/blog\/wp-json\/wp\/v2\/comments?post=533"}],"version-history":[{"count":22,"href":"https:\/\/zaven.co\/blog\/wp-json\/wp\/v2\/posts\/533\/revisions"}],"predecessor-version":[{"id":69781,"href":"https:\/\/zaven.co\/blog\/wp-json\/wp\/v2\/posts\/533\/revisions\/69781"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zaven.co\/blog\/wp-json\/wp\/v2\/media\/578"}],"wp:attachment":[{"href":"https:\/\/zaven.co\/blog\/wp-json\/wp\/v2\/media?parent=533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zaven.co\/blog\/wp-json\/wp\/v2\/categories?post=533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zaven.co\/blog\/wp-json\/wp\/v2\/tags?post=533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}