Section 4 of 6

JWT Bearer Authentication

🎯 What You'll Learn

  • What is JWT
  • Setting up JWT authentication
  • Generating JWT tokens
  • Validating JWT tokens
  • Using JWT in APIs

What is JWT?

JWT (JSON Web Token) is a compact, self-contained token for securely transmitting information between parties. It's commonly used for API authentication.

JWT Structure: header.payload.signature
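To make the three parts concrete, here is an added example (not code from the original page) that builds and verifies an HS256 token by hand using only the .NET base class library, then shows that changing the payload while keeping the old signature is rejected. The secret and claims are constructed sample values, and the hand-rolled verifier exists only to expose the mechanics; in the application itself, validation is done by the JwtBearer handler configured in the next section.

```csharp
// Added example (not from the original page): builds and verifies a JWT by hand
// to show what header.payload.signature actually contains. Uses only the .NET
// base class library; the secret and claims below are constructed sample values.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

static class JwtStructureDemo
{
    // base64url (RFC 7515): standard Base64 with '+'->'-', '/'->'_' and no '=' padding
    static string Base64UrlEncode(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] Base64UrlDecode(string s)
    {
        string padded = s.Replace('-', '+').Replace('_', '/');
        padded = padded.PadRight(padded.Length + (4 - padded.Length % 4) % 4, '=');
        return Convert.FromBase64String(padded);
    }

    // signature = HMAC-SHA256(secret, base64url(header) + "." + base64url(payload))
    public static string CreateHs256Token(string payloadJson, byte[] secret)
    {
        string header = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        string payload = Base64UrlEncode(Encoding.UTF8.GetBytes(payloadJson));
        string signingInput = header + "." + payload;
        byte[] sig = HMACSHA256.HashData(secret, Encoding.UTF8.GetBytes(signingInput));
        return signingInput + "." + Base64UrlEncode(sig);
    }

    // True only if the signature matches. The payload is not encrypted, so anyone
    // holding the token can read it; the signature only proves who issued it.
    public static bool VerifyHs256(string token, byte[] secret)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 3) return false;
        try
        {
            // Accept only the algorithm this verifier expects; never let the token's
            // own "alg" header choose how it is verified
            using var header = JsonDocument.Parse(Base64UrlDecode(parts[0]));
            if (!header.RootElement.TryGetProperty("alg", out var alg) || alg.GetString() != "HS256")
                return false;

            byte[] expected = HMACSHA256.HashData(secret, Encoding.UTF8.GetBytes(parts[0] + "." + parts[1]));
            byte[] actual = Base64UrlDecode(parts[2]);
            // Constant-time comparison so a mismatch is not revealed byte by byte
            return CryptographicOperations.FixedTimeEquals(expected, actual);
        }
        catch (Exception e) when (e is FormatException || e is JsonException)
        {
            return false; // malformed base64url or header JSON
        }
    }

    public static void Main()
    {
        // Constructed sample secret; HS256 keys should be at least 32 bytes
        byte[] secret = Encoding.UTF8.GetBytes("constructed-demo-secret-at-least-32-chars!");
        string token = CreateHs256Token("{\"sub\":\"42\",\"role\":\"user\"}", secret);
        Console.WriteLine(token);
        Console.WriteLine("original token valid: " + VerifyHs256(token, secret));

        // Replace the payload but keep the original signature: verification must fail
        string[] parts = token.Split('.');
        string editedPayload = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"sub\":\"42\",\"role\":\"admin\"}"));
        string edited = parts[0] + "." + editedPayload + "." + parts[2];
        Console.WriteLine("edited payload valid:  " + VerifyHs256(edited, secret));
        Console.WriteLine("wrong secret valid:    " + VerifyHs256(token, Encoding.UTF8.GetBytes("some-other-secret-that-is-32-bytes-long!")));
    }
}
```

The point to take from the run: the header and payload are only base64url-encoded, so anything placed in the payload is readable by every party that sees the token, while the signature is what makes the token trustworthy. A verifier should fix the expected algorithm itself rather than read it from the token, and compare signatures in constant time, which is exactly what the library validator used in the next section does for you.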

Setting Up JWT Authentication

1. Install Package

Install NuGet Package Bash
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer

2. Configure JWT

appsettings.json JSON
{
  "Jwt": {
    "Key": "your-secret-key-min-32-characters",
    "Issuer": "InvenTrack",
    "Audience": "InvenTrackUsers"
  }
}

3. Add JWT Authentication

Program.cs C#
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Reject tokens whose iss/aud claims do not match appsettings.json
            ValidateIssuer = true,
            ValidateAudience = true,
            // Reject expired tokens (the handler allows a 5-minute ClockSkew by default)
            ValidateLifetime = true,
            // Reject tokens that were not signed with the configured key
            ValidateIssuerSigningKey = true,
            ValidIssuer = builder.Configuration["Jwt:Issuer"],
            ValidAudience = builder.Configuration["Jwt:Audience"],
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!))
        };
    });

var app = builder.Build();
app.UseAuthentication();   // must be registered before UseAuthorization
app.UseAuthorization();

Generating JWT Tokens

Login Endpoint C#
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// _configuration (IConfiguration) and ValidateUser() are assumed to be members of the
// controller this action belongs to; ValidateUser returns null for bad credentials.
[HttpPost("login")]
public async Task<IActionResult> Login(LoginRequest request)
{
    // Validate credentials
    var user = await ValidateUser(request.Email, request.Password);
    if (user == null)
        return Unauthorized();

    // Create claims: "sub" carries the user id (the JWT handler maps it to
    // ClaimTypes.NameIdentifier when the token comes back), "jti" gives each token a unique id
    var claims = new[]
    {
        new Claim(ClaimTypes.Name, user.Email),
        new Claim(ClaimTypes.Email, user.Email),
        new Claim(JwtRegisteredClaimNames.Sub, user.Id.ToString()),
        new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString())
    };

    // Create token: HS256 requires a key of at least 32 bytes (256 bits)
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["Jwt:Key"]!));
    var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

    var token = new JwtSecurityToken(
        issuer: _configuration["Jwt:Issuer"],
        audience: _configuration["Jwt:Audience"],
        claims: claims,
        expires: DateTime.UtcNow.AddHours(24),
        signingCredentials: creds
    );

    return Ok(new
    {
        token = new JwtSecurityTokenHandler().WriteToken(token),
        expiration = token.ValidTo
    });
}
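The page lists validating tokens as a topic but shows only the validation parameters, so here is an added example (not the page's or the project's code): a console program that issues tokens the way the login endpoint does and runs them through the same TokenValidationParameters with JwtSecurityTokenHandler.ValidateToken, so you can see which check rejects a wrong audience, an expired token and a token signed with a different key. It assumes the System.IdentityModel.Tokens.Jwt package (a dependency of Microsoft.AspNetCore.Authentication.JwtBearer); the issuer and audience are the ones from appsettings.json above, and both secrets are constructed sample values.

```csharp
// Added example (not from the original page): issue tokens as the login endpoint does,
// then validate them outside the ASP.NET pipeline to see which check rejects what.
// Requires the System.IdentityModel.Tokens.Jwt NuGet package. Issuer and audience
// match the appsettings.json above; the secrets are constructed sample values.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

static class JwtValidationDemo
{
    const string Issuer = "InvenTrack";
    const string Audience = "InvenTrackUsers";
    // Sample secret only; the real app reads Jwt:Key from configuration. HS256 needs >= 32 bytes.
    static readonly byte[] Secret = Encoding.UTF8.GetBytes("constructed-demo-secret-at-least-32-chars!");

    // Same settings as the AddJwtBearer configuration, plus ClockSkew = 0 so that a token
    // which expired a minute ago is rejected (the default skew of 5 minutes would accept it)
    static TokenValidationParameters Parameters(byte[] key) => new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = Issuer,
        ValidAudience = Audience,
        IssuerSigningKey = new SymmetricSecurityKey(key),
        ClockSkew = TimeSpan.Zero
    };

    // Mirrors the login endpoint: HS256-signed token with a "sub" claim
    public static string Issue(string userId, string audience, DateTime expires, byte[] key)
    {
        var creds = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, userId) },
            expires: expires,
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Returns "ok, user <id>" if the token is accepted, otherwise the name of the
    // SecurityTokenException subclass that the validator threw
    public static string Check(string token, byte[] key)
    {
        try
        {
            var principal = new JwtSecurityTokenHandler().ValidateToken(token, Parameters(key), out _);
            // "sub" arrives as ClaimTypes.NameIdentifier through the default inbound claim mapping,
            // which is why the controller in the page reads that claim type
            return "ok, user " + principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        }
        catch (SecurityTokenException ex)
        {
            return ex.GetType().Name;
        }
    }

    public static void Main()
    {
        var inOneHour = DateTime.UtcNow.AddHours(1);
        var otherKey = Encoding.UTF8.GetBytes("a-different-secret-that-is-also-32-bytes+"); // sample only

        Console.WriteLine("valid token:     " + Check(Issue("42", Audience, inOneHour, Secret), Secret));
        Console.WriteLine("wrong audience:  " + Check(Issue("42", "OtherApp", inOneHour, Secret), Secret));
        Console.WriteLine("expired:         " + Check(Issue("42", Audience, DateTime.UtcNow.AddMinutes(-1), Secret), Secret));
        Console.WriteLine("wrong key:       " + Check(Issue("42", Audience, inOneHour, otherKey), Secret));
    }
}
```

Two things worth noticing when you run it: the handler refuses to sign with a key shorter than 32 bytes, which is why the placeholder in appsettings.json says "min-32-characters", and lifetime checks are only as strict as ClockSkew allows. In the real application the key should come from configuration that stays out of source control (for development, `dotnet user-secrets`; in deployment, environment variables or a secret store) rather than being committed in appsettings.json.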

Using JWT in API Calls

HTTP Request Header HTTP
GET /api/products
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Protect API Endpoint C#
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize]   // every action needs a valid bearer token; requests without one get 401
[ApiController]
[Route("api/[controller]")]
public class ProductsController : ControllerBase
{
    // Placeholder data so the example compiles; a real controller would query a repository
    private static readonly string[] products = { "Widget", "Gadget" };

    [HttpGet]
    public IActionResult GetProducts()
    {
        // The token's "sub" claim is exposed here as ClaimTypes.NameIdentifier
        // (the JWT handler's default inbound claim mapping)
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        return Ok(products);
    }
}

Key Takeaways

  • JWT: Self-contained token for APIs
  • Structure: header.payload.signature
  • AddJwtBearer(): Configure JWT authentication
  • JwtSecurityToken: Generate tokens
  • Authorization header: Bearer {token}
  • Best for: APIs, SPAs, mobile apps