{"id":539,"date":"2016-09-22T16:31:33","date_gmt":"2016-09-22T14:31:33","guid":{"rendered":"https:\/\/zaven.co\/blog\/?p=539"},"modified":"2025-04-08T19:55:19","modified_gmt":"2025-04-08T17:55:19","slug":"user-authentication-web-api-2-jwt-token","status":"publish","type":"post","link":"https:\/\/zaven.co\/blog\/user-authentication-web-api-2-jwt-token\/","title":{"rendered":"User Authentication in ASP.NET WEB API 2 with RSA-signed JWT Tokens (part 2)"},"content":{"rendered":"

In the second part on JWT Tokens we will implement a basic user authentication in a REST app based on ASP.NET WEB API 2.<\/p>\n

In the first part<\/a> we\u2019ve learnt about JWT structure and found out how Tokens are working. In the following examples we will use RSA for signing (an asymmetric coding algorithm) and Unity as a dependency injection container.<\/p>\n

JWT Token example<\/strong><\/h2>\n

To create, sign and validate tokens you can use an existing library provided by Microsoft: System.IdentityModel.Tokens.Jwt<\/code>. You can download it right through NuGet.\"<\/p>\n

\"User

The architecture of our app<\/p><\/div>\n

MembershipProvider<\/h2>\n

In the beginning we create a new class (MembershipProvider<\/code>), which is responsible for downloading claims and validating the user.<\/p>\n

\nusing System.Collections.Generic;\nusing System.Security.Claims;\nusing Zaven.Practices.Auth.JWT.Providers.Interfaces;\n...\npublic class MembershipProvider : IMembershipProvider\n    {\n        public List GetUserClaims(string username)\n        {\n            List claims = new List();\n            claims.Add(new Claim(ClaimTypes.Role, \"Admin\"));\n            claims.Add(new Claim(ClaimTypes.Email, \"admin93@gmail.com\"));\n            return claims; \n        }\n\n        public bool VerifyUserPassword(string username, string password)\n        {\n            if (username == \"admin93\" && password == \"password\")\n                return true;\n            return false;\n        }\n    }\n<\/code><\/pre>\n
RSAKeyProvider<\/h2>\n
RSAKeyProvider<\/code> is responsible for providing the RSA key to encrypt\/decrypt the<\/b> JWT Token<\/strong>. In our example the RSA key is downloaded from a file in our repository, but in a real case scenario it should be kept in a safe place somewhere else.<\/p>\n
using System;\nusing System.IO;\nusing System.Threading.Tasks;\nusing System.Security.Cryptography;\nusing Zaven.Practices.Auth.JWT.Providers.Interfaces;\n...\npublic class RSAKeyProvider : IRSAKeyProvider\n    {\n\n        private string rsaKeyPath;\n\n        public RSAKeyProvider()\n        {\n            rsaKeyPath = AppDomain.CurrentDomain.BaseDirectory + @\"RsaKeys\\RsaUserKey.txt\";\n        }\n\n        public async Task GetPrivateAndPublicKeyAsync()\n        {\n            string result = await ReadPrivateAndPublicKeyAsync();\n            if (string.IsNullOrEmpty(result))\n            {\n                string key = CreatePrivateAndPublicKey();\n                Boolean isInserted = await InsertPrivateAndPublicKeyAsync(key);\n                if (isInserted)\n                    result = key;\n            }\n            return result;\n        }\n\n        private string CreatePrivateAndPublicKey()\n        {\n            RSACryptoServiceProvider myRSA = new RSACryptoServiceProvider(2048);\n            RSAParameters publicKey = myRSA.ExportParameters(true);\n            string publicAndPrivateKey = myRSA.ToXmlString(true);\n            return publicAndPrivateKey;\n        }       \n\n        private async Task InsertPrivateAndPublicKeyAsync(string key)\n        {\n            Boolean result = false;\n            try\n            {\n                using (StreamWriter fileStream = new StreamWriter(rsaKeyPath))\n                {\n                    await fileStream.WriteLineAsync(key);\n                    result = true;\n                }\n            }\n            catch(Exception ex)\n            {\n                Debug.WriteLine(ex.Message);\n                result = false;\n            }\n            return result;            \n        }\n\n        private async Task ReadPrivateAndPublicKeyAsync()\n        {\n            String result = null;\n            try\n            {\n                using (StreamReader fileStream = new StreamReader(rsaKeyPath))\n                {\n                    result = await fileStream.ReadToEndAsync();\n                }\n            }\n            catch(Exception ex)\n            {\n                Debug.WriteLine(ex.Message);\n            }          \n            return result;\n        }\n}\n\n\n<\/code><\/pre>\n
The RSA key is generated in the CreatePrivateAndPublicKey()<\/code> method using the existing RSACryptoServiceProvider class. The ToXmlString(true)<\/code> method generates both public and private, while ToXmlString(false)<\/code> only the public one.<\/p>\n
In the next part<\/a> we\u2019ll move on to AuthService<\/code>. This is the most important element of the application because it\u2019s responsible for creating, signing and verifying the incoming JWT token<\/em>.<\/p>\n
Sources: <\/span><\/p>\n