JWT authentication and authorization for .net core mvc application

  • Question

  • User1501362304 posted

    Hi,

    I want to create a JWT from a Web API Core application (issuer) and want the .Net Core MVC application consuming this token to be able to implement the login's Remember me functionality.
    So can anyone please tell me how this token should be managed at the MVC application level so that
    1. At the login screen, when Remember me is selected, it should work as Remember me functionality is supposed to work.
    2. At every HTTP request (normal or Ajax) it should get passed automatically in the header as it is supposed to be.

    Also, this JWT can be consumed by the MVC application and other mobile apps (Android and iOS) as audiences, so the Core Web API should be able to validate all those audiences but not others. So please tell me how this can be configured while creating the token in the .Net Core Web API.

    Thanks

    Saturday, September 5, 2020 12:39 PM
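The audience part of the question, as an added example rather than code from the thread or any poster: the Web API lists every client it will accept as a valid audience and stamps each token with the audience of the client that requested it, so a token minted for the Android app is rejected when presented with a different `aud`, and a token for an unknown consumer is never issued. The issuer name, the audience identifiers, the `signingKey` source and the extension-method shape are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class ApiJwt
{
    public const string Issuer = "https://api.example.test";   // assumed issuer name
    // Every consumer allowed to call this API; a token whose "aud" is anything else is rejected.
    public static readonly string[] AllowedAudiences = { "mvc-web", "android-app", "ios-app" };
    // Web API side, called from Startup.ConfigureServices. The caller loads signingKey from a
    // secret store (a SymmetricSecurityKey of at least 32 bytes for HS256), never from source.
    public static void AddApiJwtBearer(this IServiceCollection services, SecurityKey signingKey)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = Issuer,
                    ValidateAudience = true,
                    ValidAudiences = AllowedAudiences,     // MVC app and both mobile apps
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(1),   // library default is 5 minutes
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = signingKey
                };
            });
    }

    // Login endpoint side. The audience comes from the calling client's registration, not
    // from the request body, so one client cannot obtain a token another consumer would accept.
    public static string CreateToken(SecurityKey signingKey, string userId, string clientAudience, IEnumerable<Claim> userClaims)
    {
        if (Array.IndexOf(AllowedAudiences, clientAudience) < 0)
            throw new ArgumentException("Unknown client audience", nameof(clientAudience));
        var claims = new List<Claim>(userClaims) { new Claim(JwtRegisteredClaimNames.Sub, userId) };
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: clientAudience,
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(15),   // short-lived; renew via a refresh token
            signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}
```

Each consumer validates with the same parameters but a single ValidAudience of its own, so the MVC app will not accept a token that was issued to a mobile client.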

All replies

  • User475983607 posted

    This question is asked several times a week; a basic Google search will find it: https://forums.asp.net/t/2170449.aspx?how+to+use+bearer+auth+token+in+asp+net+core+application

    vkagrawal

    1. At login screen when Remember me is selected then it should work as Remember me functionality is supposed to work.

    Depends on the application.  Typically, a browser-based application uses the standard authentication cookie to cache authentication; https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-3.1

    Securing a Web API with a token is a different concept.  The client needs to cache the token.  We have no idea how your code is supposed to work.

    vkagrawal

    2. At every HTTP request (normal or Ajax) it should get passed automatically in the header as it is supposed to be.

    Same as above.  I assume a "Normal" request is a request to an MVC Action.  Typically, cookie authentication is used.  Assuming the AJAX request goes to Web API and you plan to share Web API then your JavaScript application should cache the token.  The design is up to you.  For example, local storage.

    Saturday, September 5, 2020 1:01 PM
  • User-2054057000 posted

    1. At login screen when Remember me is selected then it should work as Remember me functionality is supposed to work.

    You can simply save the token in a cookie and then use it again and again. 
    When the token expires then in that case you will have to make a refresh token request. You can easily make your custom logic for it. 

    Refer - Client Project to making API request by using JWT Token in HTTP request

    Sunday, September 6, 2020 4:56 AM
  • User1501362304 posted

    Hi @yogyogi,

    Thanks for the link. But in general I am trying to do the following and hope you or someone can lead me in the right direction.

    1. Have a .Net Core WEB API
    2. Have a .Net Core MVC Web APP.

    Here in the Web API project I want to implement IdentityServer and generate a JWT so that it can be consumed by multiple applications, be it a .Net Core MVC app or any mobile app, and validation happens at a single app, the Web API in this case. Now I want to know:

    1. Will all authentication/authorization happen at the Web API end?
    2. Should the MVC app work in anonymous mode, as all authentication/authorization would happen at the Web API?
    3. Is there a way to implement authentication/authorization at the MVC app as well, using the JWT which the Web API returned? Is it good practice to do so, or should we leave this to the Web API in this case?
    4. How to show/hide relevant information based on the user's roles/claims in views (not at the controller level), e.g. hiding the Delete User button if the user does not have the "Can Delete" claim?
    5. Will I have to decode the JWT stored locally (cookie/local storage) in order to implement the feature in point 4 above, or are we able to get a context.User.Identity reference even when we are using the JWT returned from the Web API and not generated on the MVC application itself through ASP.Net Identity?

    Please let me know how this can be achieved.

    Monday, September 14, 2020 5:44 PM
  • User475983607 posted

    Here in Web API project I want to implement IdentityServer and generate JWT so that it can be consumed by multiple applications be it .Net Core MVC app or any mobile app and validation happens at single app, WEB API in this case. Now I want to know that

    You really need to take the time to read the IdentityServer4 documentation and go through the quick start guide as it explains all 5 points.

    vkagrawal

    Will all authentication/authorization happen at the Web API end?

    Authorization typically happens on the Web API.  The client sends a bearer token to the Web API service.  The Web API validates the token and either authorizes the request or denies access to the secured resource.  However, you can craft a custom Web API service that returns JWTs.  There is no reason to do so if you plan to use Identity Server.

    vkagrawal

    Should MVC app work in anonymous mode as all authentication/authorization would happen at Web API?

    Identity Server authenticates the user or application depending on the OAuth/OIDC flow(s) you decide to implement.

    vkagrawal

    Is there a way to implement authentication/authorization at MVC app as well using JWT which Web API returned, is it good practice to do so or we should leave this on Web API in this case?

    Typically, Identity Server authenticates the user, not MVC or API.  MVC and API secure code using authorization once the user has authenticated through Identity Server.

    vkagrawal

    How to show/hide relevant information based on user's roles/claims in Views (Not at the controller level) e.g. hiding Delete User button if user does not contain "Can Delete" claim?

    Basic authorization question; https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims?view=aspnetcore-3.1

    vkagrawal

    Will I have to decode JWT stored locally (cookie/local storage) in order to implement feature in point 4 above or we are able to get context.User.Identity reference even when we are using JWT returned from Web API and not generated on MVC application itself through Asp.Net Identity?

    No.  The identity server API and ASP.NET Core APIs do this for you.  Please set aside time to read the docs rather than guessing how this stuff works.

    Monday, September 14, 2020 6:07 PM
  • User1501362304 posted

    You really need to take the time to read the IdentityServer4 documentation and go through the quick start guide as it explains all 5 points.

    I have checked their docs and it seems that I need to use grant_type=password on the MVC application side so that the user is not redirected to the Identity Server UI to log in.

    Will go through rest of the document and see how it goes with my application.

    Thanks

    Tuesday, September 15, 2020 5:19 PM
  • User475983607 posted

    I have checked their docs and it seems that I need to use grant_type=password on the MVC application side so that the user is not redirected to the Identity Server UI to log in.

    An MVC application will use an interactive flow like the implicit grant or hybrid.  The password grant is around for legacy applications and is not recommended for new apps.

    https://docs.identityserver.io/en/dev/quickstarts/2_resource_owner_passwords.html

    The spec generally recommends against using the resource owner password grant besides legacy applications that cannot host a browser. Generally speaking you are typically far better off using one of the interactive OpenID Connect flows when you want to authenticate a user and request access tokens.

    You really should go through the Quick Start guide.

    Tuesday, September 15, 2020 5:36 PM
  • User-474980206 posted

    you have 3 logical tiers

    webapi using jwt tokens (webapi core)
    webapp using cookie & maybe jwt tokens (asp.net core) 
    authentication that supports cookies and jwt tokens (identity server core)

    the authentication can be standalone or merged with the website or the webapi site. 

    Tuesday, September 15, 2020 6:47 PM
  • User1501362304 posted

    webapi using jwt tokens (webapi core)
    webapp using cookie & maybe jwt tokens (asp.net core) 
    authentication that supports cookies and jwt tokens (identity server core)

    Hi Bruce, I actually want to save the JWT generated from (Identity Server or Web API Core) in a cookie and authenticate at the web app level using a custom login form. Is there any working sample of this, or would I need to check through the IdentityServer4 docs? As much as I could check the docs, I did not find a solution for what I've just mentioned above.

    Thanks  

    Sunday, September 27, 2020 3:30 PM
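One way the MVC app can do what this post describes, and what points 4 and 5 earlier in the thread ask about, as an added example rather than code from the thread: the custom login form posts the credentials to the Web API, the app validates the returned JWT with the same issuer/key rules the API uses, and the validated claims are signed into the standard authentication cookie, with IsPersistent carrying the Remember me checkbox. The `IApiLoginClient` interface, the DI-registered `TokenValidationParameters`, the `permission` claim type and the `CanDelete` policy name are assumptions.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Assumed: POSTs the login form's credentials to the Web API; returns the JWT, or null if rejected.
public interface IApiLoginClient { Task<string> LoginAsync(string user, string password); }
public static class MvcAuthSetup
{
    public static void AddMvcCookieAuth(this IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(o =>
            {
                o.ExpireTimeSpan = TimeSpan.FromDays(14);   // lifetime of a persistent ("remember me") cookie
                o.Cookie.HttpOnly = true;                   // page scripts cannot read it
                o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            });
        // Views and [Authorize] refer to the policy name rather than to raw claim names.
        services.AddAuthorization(o =>
            o.AddPolicy("CanDelete", p => p.RequireClaim("permission", "CanDelete")));
    }
}

public class AccountController : Controller
{
    private readonly IApiLoginClient _api;
    private readonly TokenValidationParameters _tvp;   // same issuer/key rules as the API, ValidAudience = "mvc-web"
    public AccountController(IApiLoginClient api, TokenValidationParameters tvp) { _api = api; _tvp = tvp; }
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string user, string password, bool rememberMe)
    {
        string jwt = await _api.LoginAsync(user, password);
        if (jwt == null) return View();   // API rejected the credentials
        ClaimsPrincipal principal;
        try { principal = new JwtSecurityTokenHandler().ValidateToken(jwt, _tvp, out _); }
        catch (SecurityTokenException) { return View(); }   // wrong issuer, audience, key or expired
        // The validated claims become HttpContext.User on later requests; no need to decode the JWT again.
        var props = new AuthenticationProperties { IsPersistent = rememberMe };   // false: session cookie only
        props.StoreTokens(new[] { new AuthenticationToken { Name = "access_token", Value = jwt } });
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal, props);
        return RedirectToAction("Index", "Home");
    }
}
```

In a Razor view, `@if (User.HasClaim("permission", "CanDelete")) { <button>Delete</button> }` reads the claims carried in the cookie, or inject `IAuthorizationService` and check the `CanDelete` policy; server-side calls to the API can fetch the stored token with `HttpContext.GetTokenAsync("access_token")`.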
  • User475983607 posted

    Hi Bruce, I actually want to save the JWT generated from (Identity Server or Web API Core) in a cookie and authenticate at the web app level using a custom login form. Is there any working sample of this, or would I need to check through the IdentityServer4 docs? As much as I could check the docs, I did not find a solution for what I've just mentioned above.

    The first quick start example covers this scenario.  The token is written to the console output.   It seems you are not taking the time to go through the quick starts. https://identityserver4.readthedocs.io/en/latest/quickstarts/1_client_credentials.html

    You can also craft an API that generates and authenticates JWTs.  This information can be found with a simple Google search.  I've provided sample code on this forum several times.  https://forums.asp.net/t/2170449.aspx

    Sunday, September 27, 2020 4:00 PM
  • User1501362304 posted

    The first quick start example covers this scenario.  The token is written to the console output.   It seems you are not taking the time to go through the quick starts. https://identityserver4.readthedocs.io/en/latest/quickstarts/1_client_credentials.html

    mgebhard, you don't need to take the pain if it is hurting you to answer such a common question. .Net Framework and .Net Core keep changing and things become obsolete so often. One takes time to read and understand one thing; by then a new thing comes up with no proper documentation, and examples are always basic and with the default implementation of Identity tables, which one may not be interested in using in his own scenario. Poor documentation, poor and common examples limiting the choice to use Identity tables, and obsoleting things so often are a pain for most developers, which Microsoft should understand.

    Whatever might have been documented in the above link may not fit my scenario; that's why I am asking here, but you keep saying to read that throughout the thread. I will find my way, thanks!

    Sunday, September 27, 2020 4:11 PM
  • User475983607 posted

    mgebhard, you don't need to take the pain if it is hurting you to answer such a common question. .Net Framework and .Net Core keep changing and things become obsolete so often. One takes time to read and understand one thing; by then a new thing comes up with no proper documentation, and examples are always basic and with the default implementation of Identity tables, which one may not be interested in using in his own scenario. Poor documentation, poor and common examples limiting the choice to use Identity tables, and obsoleting things so often are a pain for most developers, which Microsoft should understand.

    I'm not sure how this rant is relevant to the current question or even accurate.  The underlying subject is OAuth/OIDC, which is a well-known protocol.  OAuth/OIDC works the same in .NET as it does in .NET Core.  The key is understanding OAuth/OIDC fundamentals.  The linked documentation explains OAuth/OIDC using framework APIs and IdentityServer4 APIs.  There is one section that shows how to add Identity; most examples use an in-memory user data store.

    Whatever might have been documented in the above link may not fit my scenario; that's why I am asking here, but you keep saying to read that throughout the thread. I will find my way, thanks!

    You have not provided code that illustrates how the documentation does not fit your scenario.  Frankly, the time between your posts indicates you did not take the time to understand the Web API JWT code linked in my previous thread.  Sad really...

    Share your code if you want or need specific assistance.  Explain the expected results and the actual results.  Explain how the code does not meet your expectations.  From there, the community can help fill the holes in your understanding.  Otherwise, it seems like you are not making an effort to learn the fundamentals.

    Sunday, September 27, 2020 5:28 PM