{"id":560,"date":"2016-09-23T12:42:26","date_gmt":"2016-09-23T10:42:26","guid":{"rendered":"https:\/\/zaven.co\/blog\/?p=560"},"modified":"2025-04-08T19:55:19","modified_gmt":"2025-04-08T17:55:19","slug":"user-authentication-asp-net-web-api-2-rsa-jwt-tokens-part-3","status":"publish","type":"post","link":"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-2-rsa-jwt-tokens-part-3\/","title":{"rendered":"User Authentication in ASP.NET WEB API 2 with RSA-signed JWT Tokens (part 3)"},"content":{"rendered":"

By now we should understand the structure and process of how JWT Tokens<\/a> works. Today in our example of user authentication in ASP.NET API 2 we will deal with AuthService<\/strong>, which is responsible for creating, signing and verifying JWT tokens.<\/p>\n

In the previous part we covered MembershipProvider<\/code> (which downloads claims and validates the user) and RSAKeyProvider<\/code> (which provides the RSA key<\/a> to encrypt\/decrypt our JWT token).<\/p>\n

AuthService<\/h2>\n

AuthService<\/code>is the most important element of our application<\/strong>. It\u2019s responsible for creating JWT tokens as well as for signing and verifying an incoming ones<\/em>. It has two methods (GenerateJwtToken()<\/code> and ValidateToken()<\/code>) and it uses both MembershipProvider<\/code> (login validation, downloading claims) and RSAKeyProvider<\/code> (for providing the signing key).<\/p>\n

\nusing System;\nusing System.Collections.Generic;\nusing System.IdentityModel.Tokens.Jwt;\nusing System.Security.Claims;\nusing System.Security.Cryptography;\nusing System.Threading.Tasks;\nusing Zaven.Practices.Auth.JWT.Providers.Interfaces;\nusing Zaven.Practices.Auth.JWT.Services.Interfaces;\nusing Microsoft.IdentityModel.Tokens;\n\n...\npublic class AuthService : IAuthService\n    {\n\t...\n        private readonly IMembershipProvider _membershipProvider;\n        private readonly IRSAKeyProvider _rsaProvider;\n\n        public AuthService(IMembershipProvider membershipProvider, IRSAKeyProvider rsaProvider)\n        {\n            _membershipProvider = membershipProvider;\n            _rsaProvider = rsaProvider;\n        }\n\t\u2026\n}\n<\/code><\/pre>\n
Generating the JWT Token<\/h2>\n
Here is one of the two main AuthService<\/code> methods:<\/p>\n
\npublic async Task GenerateJwtTokenAsync(string username, string password)\n        {\n            if (!_membershipProvider.VerifyUserPassword(username, password))\n                return \"Wrong access\";\n\n            List claims = _membershipProvider.GetUserClaims(username);\n\n            string publicAndPrivateKey = await _rsaProvider.GetPrivateAndPublicKeyAsync();\n            if(publicAndPrivateKey == null)\n                return \"RSA key error\";\n\n            RSACryptoServiceProvider publicAndPrivate = new RSACryptoServiceProvider();            \n            publicAndPrivate.FromXmlString(publicAndPrivateKey);\n\n            JwtSecurityToken jwtToken = new JwtSecurityToken\n            (\n                issuer: \"http:\/\/issuer.com\",\n                audience: \"http:\/\/mysite.com\",\n                claims: claims,\n                signingCredentials: new SigningCredentials(new RsaSecurityKey(publicAndPrivate), SecurityAlgorithms.RsaSha256Signature),\n                expires: DateTime.Now.AddDays(30)\n            );\n\n            JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();\n            string tokenString = tokenHandler.WriteToken(jwtToken);\n\n            return tokenString;\n        }\n<\/code><\/pre>\n
VerifyUserPassword()<\/code> (part of MembershipProvider<\/code>) valides data provided by the user. If he doesn\u2019t exist, a feedback message gets send. If the user exists, his claims are downloaded to be placed in the token later.<\/p>\n
Next, we create the RSA key, which is delivered through RSAKeyProvider<\/code> by the GetPrivateAndPublicKey()<\/code> method. In this example, the key is being kept in a regular file. Note: in real-case scenarios keys should be kept in a safe place!<\/p>\n
The object of the initiated RSACryptoServiceProvider<\/code> class is a previously created key (publicAndPrivateKey<\/code>).<\/p>\n
\nRSACryptoServiceProvider publicAndPrivate = new RSACryptoServiceProvider();            \npublicAndPrivate.FromXmlString(publicAndPrivateKey);\n<\/code><\/pre>\n
When we have all data, we can create the JWT token (in JSON format) as an object of JwtSecurityToken<\/code> class with following properties:<\/p>\n