In this article, I will discuss the creation of a compelling web application utilizing .NET 7.0, all while orchestrating the implementation of the powerful JWT Authentication. I am fully aware of your familiarity with most of these topics, but I aimed to highlight elements that drew my attention throughout the article.
What is JSON Web Token (JWT)?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Although JWTs can be encrypted to also provide secrecy between parties, we will focus on signed tokens. Signed tokens can verify the integrity of the claims contained within it, while encrypted tokens hide those claims from other parties. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.
When should you use JSON Web Tokens?
Here are some scenarios where JSON Web Tokens are useful:
Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.
Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn’t been tampered with.
Why should we use JSON Web Tokens?
Let’s talk about the benefits of JSON Web Tokens (JWT) when compared to Simple Web Tokens (SWT) and Security Assertion Markup Language Tokens (SAML).
As JSON is less verbose than XML, when it is encoded its size is also smaller, making JWT more compact than SAML. This makes JWT a good choice to be passed in HTML and HTTP environments.
Security-wise, SWT can only be symmetrically signed by a shared secret using the HMAC algorithm. However, JWT and SAML tokens can use a public/private key pair in the form of an X.509 certificate for signing. Signing XML with XML Digital Signature without introducing obscure security holes is very difficult when compared to the simplicity of signing JSON.
JSON parsers are common in most programming languages because they map directly to objects. Conversely, XML doesn’t have a natural document-to-object mapping. This makes it easier to work with JWT than SAML assertions. Regarding usage, JWT is used at Internet scale. This highlights the ease of client-side processing of the JSON Web token on multiple platforms, especially mobile.
Within the realm of .NET Core, the tenets of JWT authentication gain prominence as a shield for APIs, empowering users and clients to seamlessly authenticate and attain authorized entry to safeguarded resources. Here’s an overview of JWT authentication in .NET Core:
- Token Generation: JWT tokens are created and signed by the server. The token includes claims (key-value pairs) that provide information about the user, their roles, permissions, and more. The token is typically signed with a secret key or a private key if using asymmetric cryptography.
- Token Structure: These parts are base64 encoded and concatenated with periods. The header typically contains the token type (“typ”: “JWT”) and the signing algorithm used (“alg”: “HS256” for HMAC SHA-256). The payload contains the claims that define user attributes and access rights. A JWT token consists of three parts:
- payload (claims), and
- Token Usage: The token is sent to the client after successful authentication. The client includes the token in the Authorization header of subsequent requests as a Bearer token (“Authorization: Bearer “). The server validates the token’s signature and checks its claims to authorize the user’s access to specific resources.
- Token Validation: The server validates the token using the same secret key or public key used for signing. The server checks the token’s signature, expiration (exp claim), and issuer (iss claim) among other claims. Clock skew may be used to account for differences between server and token creation times.
- Middleware and Libraries: ASP.NET Core provides middleware (Microsoft.AspNetCore.Authentication.JwtBearer) to handle JWT authentication. You configure the middleware with the necessary settings and validations.
- Benefits of JWT: Stateless: No need to store tokens on the server side, making it scalable. Self-contained: All the necessary information is included in the token itself. Widely supported: JWT is a standardized format used across different platforms.
- Security Considerations: Store secrets securely and protect against token leakage. Use HTTPS to encrypt communication. Limit the amount of sensitive information stored in the token. Here’s a high-level example of how JWT authentication is configured in ASP.NET Core:
Within the realm of the API, I am poised to infuse my Authorization Model, injecting a robust layer of control. Notably, for this article, I have introduced a straightforward User Entity. It’s worth acknowledging that in a genuine project, the AspNetUser Authentication entities would naturally come to the fore.