Adding JWT Authentication & Authorization in ASP.NET Core

00:00

hello everybody I'm Nick and in this

00:01

video I'm going to show you how you can

00:03

add the Json web token authentication

00:04

and authorization support in your ASP

00:06

core application if you like that with

00:08

content and you want to see more make

00:09

sure you subscribe ring the sub

00:10

notification Bell and for more training

00:12

check out Nick chapsters.com okay so let

00:14

me show what I have here and actually I

00:16

want to point out that I'm not going to

00:17

be explaining what the Json web token is

00:19

or a jot because I already have a video

00:22

on that which you can check in the

00:23

description below but there's also tons

00:25

of other videos going really in depth

00:27

with the topic it is a generic topic

00:29

it's not specific to a Sprint core and I

00:31

want to focus on the implementation

00:32

itself and show you how you can use it

00:34

in a very nice way let me show what I

00:36

have here I have this movies API and

00:38

that's what we're going to be dealing

00:39

with directly in this video and I'm

00:42

going to run it to show you what this

00:44

API can do so API is running I'm going

00:47

to go to postman and we can list all the

00:49

movies in the system now unfortunately

00:51

we don't really have any so what I'm

00:53

going to do is I'm going to create a new

00:54

movie I'm going to create the famous

00:55

comedy Nick the Greek both the way back

00:57

in 2010 so that is now create it in the

01:00

system I can list it in that previous

01:02

endpoint as you can see or I can get it

01:04

using an ID now oh I made a bit of a

01:06

mistake it's actually released in 2023

01:09

and it's also an action movie not just a

01:11

comedy so I can update it and in the end

01:13

I can simply just delete it now this API

01:17

does not have any form of authentication

01:19

authorization I don't need to be someone

01:21

or validate that I am someone to be able

01:24

to call it so my controller looks just

01:25

like this I have an API controller

01:27

attribute around implementing the

01:29

controller base and that's how my

01:31

endpoints look now don't worry that I'm

01:33

using controllers I'm also going to

01:34

cover minimal apis in a second later in

01:37

the video so how do I add Json web token

01:39

support well it all starts with a nuget

01:41

package I'm going to go to nuget

01:42

packages and I'm going to add the

01:45

microsoft.aspoon.authentication dot dot

01:47

Bearer and yes I know it's pronounced

01:49

just for some reason it's a w but

01:52

whatever and configuration thankfully is

01:55

actually pretty simple it could be way

01:57

way worse so the first thing you need to

01:59

do is add actually say Services dot add

02:02

authentication authentication comes

02:04

before authorization and just to quickly

02:06

recap for the avoidance of any doubt

02:08

authentication is the process of

02:09

verifying that someone is who they say

02:12

they are while authorization in the

02:13

process of verifying that someone has

02:15

access to what they say they have access

02:18

to or just saying what they have access

02:19

to so a lot we have these nuget package

02:21

I can use the jot Bearer defaults and I

02:24

can use the default authentication

02:25

scheme here but another approach if you

02:28

want to just update all the defaults is

02:30

to do something like this you can set

02:32

the default indication scheme the

02:33

default challenge scheme and the default

02:35

scheme all at once and now with that

02:37

nuget package we also get this add dot

02:40

Bearer method which adds the support we

02:42

need so in here we're going to configure

02:44

what we want to validate for our jot and

02:46

just to quickly recap what a jot looks

02:48

like here I have a job generated from

02:50

one of my own service we're going to be

02:52

taking a look at that in a second and

02:53

first we have the header which contains

02:55

the type of the token and also the

02:56

algorithm used to generate the signature

02:59

then we have a bunch of standard claims

03:00

and custom ones so Json web token ID is

03:04

a standard one same with subject and all

03:06

of these ones over here and then we have

03:08

a few custom ones email user ID admin

03:11

and trusted member which I created and

03:13

then you have an issue and an audience

03:15

the issuer is who create the token and

03:17

audience is who is this token intended

03:19

for so think of I don't know Google

03:21

authentication creating a token for you

03:23

to use in Google Slides maybe you don't

03:26

have access to Google Docs with that

03:28

thing so that token can only be used in

03:30

Google Slides even though it was

03:31

generated by Google and it is a valid

03:33

token and then in the end both the

03:35

header and the payload are actually

03:37

Basics before URL encoded separate with

03:39

a DOT and then there has to generate the

03:42

signature hashing is not the only

03:44

mechanism by the way to do this you can

03:46

have public key cryptography as well and

03:48

other approaches but this is by far the

03:49

most common so a few things you want to

03:51

validate is the issuer the audience and

03:54

also that the token is not expired on

03:56

top of that we want to validate the

03:57

signature that it is a valid one we can

03:59

validate all lot by configuring the

04:01

token validation parameters value we can

04:03

create a new type over here and what I'm

04:05

going to do before I paste what goes

04:07

here is actually add some settings so

04:10

for the purposes of this video I'm going

04:11

to keep this here however you would not

04:14

store the key here you would store it

04:16

securely in a service specific design to

04:19

store tokens like Azure key Vault or WS

04:22

Secrets manager if you want to know how

04:24

you can do this with AWS secret manager

04:26

I actually have a video on that topic

04:27

but you should never have it in the

04:30

settings like this not only is it not

04:32

secure but if you want to rotate that

04:34

token as the application is running this

04:37

limits you significantly you have to

04:38

redeploy and then you have to keep track

04:40

of multiple Keys it becomes very tricky

04:42

but for this video I'm just gonna leave

04:43

it here just so you can wrap the code

04:45

from the description and use it for your

04:46

own purposes so now with these things

04:48

set I'm gonna just show you all the

04:50

parameters we have to specify here and

04:52

these are sort of the minimum ones you

04:53

need so we have the valid issuer which

04:57

will pass down for configuration valid

04:59

audience or as well then the issue your

05:01

signing key and that is a new symmetric

05:03

key in this case which we get from the

05:05

settings again like I said you really

05:07

want to load this from somewhere that is

05:08

designed to store and load these things

05:10

and then we say that we want to validate

05:12

the issuer the audience the lifetime of

05:15

the token so that it is in effect

05:17

because you can actually future issue

05:20

one but also that it is not expired so

05:22

all of these things have to be specified

05:24

as true and also that you have to

05:26

validate the issue or signing key

05:27

because that's ultimately what makes the

05:29

jot so powerful the fact that it is this

05:32

stateless construct that all you need to

05:34

do is validate the signature and then

05:36

the rest is valid and true because if

05:38

the signature is valid then the rest of

05:40

the thing must be because for the hash

05:42

to be valid the payload and the header

05:44

have to also be valid so this is

05:45

everything we need and then the next

05:47

thing we need is the ad authorization

05:50

call so I'm going to add it as it is

05:52

Bare Bones nothing in it and then I'm

05:54

going to go all the way down to the

05:55

middleware area and after the https

05:58

redirection and before all the map

06:00

controllers I'm going to say use

06:02

authentication and then app.use

06:05

authorization now remember that sequence

06:08

in middleware actually matters so

06:10

authentication happens first

06:11

authorization second then event

06:13

controllers meaning that everything

06:14

above it are not part of authentication

06:17

authorization so be very careful now

06:19

actually in terms of authentication that

06:21

is it obviously if I just leave my

06:23

controller as it is and I go and I run

06:26

it nothing really will happen I will

06:28

still be able to get all my movies in

06:30

the database now I have nothing of

06:31

course but nothing really blocks me from

06:33

getting them but if I now go in the

06:35

controller and I say that authorize the

06:37

users trying to access this controller

06:39

and I try to run it again then I'm going

06:41

to get a 401 unauthorized because

06:43

nothing can authenticate me authorize me

06:45

to see if I can actually use this API so

06:48

how do we pass a Json web token to

06:50

validate that we can actually access it

06:52

well first we create it and I have a

06:55

helper identity API here that knows how

06:57

to create a token it uses the same key

07:00

which again you don't want to store here

07:01

as a constant like Jesus just store it

07:04

somewhere securely and we're going to

07:05

create a token that lasts for eight

07:07

hours this is way too long usually for

07:10

Json web tokens they're way more

07:12

short-lived and then recreated and if

07:14

you want to see a video on refreshing

07:16

tokens leave a comment down below as

07:17

well but then this is the process I can

07:19

follow to generate a Json web token with

07:21

all of my custom claims over here you

07:24

can just grab this and use it for your

07:25

own purposes now in reality you will be

07:27

using something like identity server or

07:30

OCTA or author zero or some service

07:32

dedicated to creating these types of

07:34

things in specific flows but because

07:36

what these Services automatically

07:37

generate is a Json web token we're just

07:39

gonna focus on the implementation side

07:41

of things we're not going to focus on

07:42

the creation side of things so we're

07:44

just going to use this helper service

07:45

I'm just going to run it and go back to

07:48

postman and I'm just going to say that

07:50

hey this is me this is my user id create

07:54

a token and now I have a token to use it

07:56

so I'm going to stop this API and run

07:58

the movies API remember we cannot access

08:01

this because we're not authenticated but

08:03

to say that hey it's Nick can I please

08:05

access this all I'm going to do is go to

08:08

the headers and specify the

08:09

authorization header but it's not just

08:12

pasting the token you actually have to

08:14

say Bearer space and then the token it's

08:17

just the way of passing down a bearer

08:19

token and now if I have that I can go

08:21

ahead and I can get the item so I am

08:23

authenticated and in this case

08:24

authorized as well because we don't

08:25

really check for anything if the

08:27

signature was different if in the end I

08:29

have a zero not an O then I'm going to

08:31

get an unauthorized because the

08:33

signature is invalid if this thing was

08:36

expired then I would get unauthorized as

08:38

well but in this case I have a good

08:39

token so nothing really breaks

08:41

everything just works now let's talk

08:43

about the very important thing what if I

08:44

want my create update and delete to be

08:47

authenticate then authorized but my get

08:49

doesn't really matter I want everyone to

08:51

be able to access it you have two

08:52

approaches here you can either say allow

08:54

Anonymous here and this allow Anonymous

08:56

attribute will override the overarching

08:59

in controller-based Behavior or we can

09:01

just take the authorize from the

09:03

controller and we can paste it on each

09:05

individual thing we want authorize you

09:07

can ultimately choose which one you want

09:09

to use in general having it on a pair

09:12

action basis is actually more used

09:15

mainly because it allows you to specify

09:17

different things on the action itself

09:19

and this is actually where authorization

09:21

comes in or the process of validating

09:23

that someone can do what they claim to

09:25

do for example I want everyone who's

09:27

authenticated to create and update a

09:29

movie but I want only admins or

09:32

administrators to delete a movie how do

09:34

I do that well it's a few ways but the

09:36

simplest one is by using a claim so in

09:39

that Json web talk and if you remember

09:41

what I said in a custom claim is that an

09:44

admin is false now usually when someone

09:46

is not something you wouldn't have it in

09:49

the token you will just not have the

09:51

claim at all the absence of a claim

09:52

means that that user is not something

09:54

but if I just run this API again and I

09:57

regenerate this token and I say that yes

09:59

this is actually an admin then I have a

10:02

token of someone who is an admin and can

10:05

delete on top of create and update now

10:07

how do we Implement that well what we're

10:09

going to do is create an identity holder

10:12

over here and I'm just going to create a

10:13

new class called identity data or

10:16

identity constants or whatever you

10:18

really want to name it now first I'm

10:19

going to add the constant that is the

10:21

claim in my Json web token and also I'm

10:24

going to add a name to a policy in this

10:27

case that is the admin user policy now

10:29

these things are different the claim is

10:31

a Json web token concern the policy is

10:34

an application concern I can Define my

10:36

own policies based on claims or other

10:38

things to create a policy all I'm going

10:40

to do is go all the way up here to add

10:42

authorization and I'm going to say

10:44

authorization options and say options

10:47

dot add policy and I can create my own

10:49

policy using a name so I'm going to say

10:51

identity data equals admin user policy

10:54

name and then what do I want I want a

10:56

policy using this policy Builder that

10:58

requires a claim and the claim I want is

11:01

in identity data dot admin user claim

11:04

name and the value I want for this

11:05

policy is true so now I have my policy

11:08

registered it's not used anywhere by

11:10

default we just have it now in the

11:12

system and we can go ahead and just copy

11:13

this and we can say that you know what

11:15

create an update doesn't really need

11:17

anything I'll go all the way to delete

11:18

over here and say that actually I want

11:20

this policy to be identity data dot

11:23

admin user policy to delete and move in

11:25

the system so I'm going to run this and

11:27

I'm going to use the previous token I

11:29

have that has admin as follows so if I

11:32

try to create a movie using that all

11:34

token the non-admin token then I can and

11:36

I get my movie but if I go to delete

11:39

over here to delete that movie without

11:41

being an admin what I'm going to get is

11:43

403 or Biden not for one unauthorized

11:46

forbidden you're forbidden to make this

11:48

action and that is because I just don't

11:51

match the profile that the policy

11:53

requires me to have which is having the

11:55

claim as true now if I go and I use this

11:58

new token over here which is an admin

12:00

then I can go here replace this send and

12:03

now it is deleted and it no longer

12:05

exists in the system and that is it now

12:07

you can go even deeper and have multiple

12:09

policies and mix and match on different

12:11

things in customer sessions but this is

12:13

the most basic way of making a policy

12:15

however Some people prefer to validate

12:18

based on a single claim without using a

12:21

policy and one of the preferred ways is

12:23

to actually create a custom attribute

12:24

which validates claims what I'm going to

12:27

do is create a new attribute called

12:29

requires claim attribute over here and

12:32

I'm going to have that be an attribute

12:34

used on classes or methods and it's

12:37

going to extend application and

12:39

Implement I authorization filter if you

12:42

needed an async version of this there's

12:44

I async authorization filter we don't

12:47

need async in this case so I'm just

12:48

gonna use this and all you get is an on

12:51

authorization method now this is not

12:53

usable with minimal apis because of how

12:55

the filtering works there however for

12:58

controllers this does work if you want

13:00

to have the equivalent of this in

13:01

minimal ABS you have to use a minimal

13:03

apis endpoint filter and now here all we

13:06

need to pass down is a claims name and

13:08

the claims value that we expect and then

13:10

all we need to say in all authorization

13:11

is hey if this user doesn't have this

13:14

claim with this value then say forbid or

13:17

unauthorized depending on how the flow

13:19

works in your application the reason why

13:21

I say that is because in this example

13:23

over here what we're going to say is

13:25

actually authorize first and then

13:28

requires claim second and all we need

13:31

here is actually the identity data dot

13:34

admin user claim name and the value

13:36

needs to be true and if we do that I'm

13:39

going to put a breakpoint in the

13:40

attribute and then go ahead and debug

13:42

the application and again the same way

13:44

as before I'm going to revert to the all

13:48

token in fact first I'm going to

13:50

generate a movie so the movie is created

13:52

take that ID and then try to delete that

13:54

movie with the valid token and let's see

13:57

what happens oh request comes in here we

13:59

have the context we have everything and

14:01

then the claim name is admin and the

14:02

value we expect is true is that true

14:04

well let's see claims principle over

14:06

here and then we have all the claims and

14:08

one of them is admin true so it will be

14:11

validated so it will have it it will

14:13

step out of it and the action will in

14:16

fact happen okay if we use the old token

14:19

and we try to do the exact same thing

14:20

then we come in here but the user claim

14:22

as you can see in the claims is actually

14:25

false so it's gonna fall in here say

14:27

forbidden and then return 403 Forbidden

14:29

because we are authenticated but not

14:31

authorized that's another way you can

14:33

get clever and have a handy approach in

14:35

claim-based authorization and you can

14:37

take this in any direction you want

14:38

really now if you were to be using

14:40

minimal apis all of those things are

14:42

actually still valid the difference

14:43

would be that yes you can for example

14:46

say map post and let's have a movies

14:49

endpoint over here and return results

14:51

dot OK for example now you can pass down

14:54

and authorized attribute over here and

14:57

all of that will still work or requires

14:59

claim like that is just valid C sharp

15:01

however in minimal apis we actually

15:04

prefer the extension method approach so

15:06

we're going to say require authorization

15:07

and you can create your own extension

15:09

for the claims and everything but you

15:11

can pass down like a policy over here

15:13

you can see all the parameters you can

15:15

pass down multiple policy names as well

15:17

but in this case if I just say identity

15:19

data dot admin user policy name this

15:22

will be the same thing as having the

15:24

attribute with the policy name now the

15:26

last thing you might be interested is

15:27

actually Swagger support because if I

15:30

just go ahead and I run this API as it

15:32

stands I can go in Swagger and even

15:33

though I can see all my endpoints I

15:36

can't see a way to actually authenticate

15:38

with the token so how do I do that well

15:40

it's actually quite simple all I'm going

15:42

to do is create a new directory called

15:43

Swagger and I'm going to bring two files

15:45

in here the first one is called

15:47

configure Swagger option so we're gonna

15:48

contain all the swag related options in

15:51

here and this will need to implement the

15:52

iconfigure options and then have the

15:54

Swagger gen options file in here

15:56

implemented and we have the configure

15:57

method in here and I'm not going to buy

15:59

you with typing all of this but

16:01

ultimately what you need is a security

16:03

definition and we say that this is a

16:05

better token specify that is located in

16:06

the header authorization HTTP jot better

16:09

everything is here same with the ad

16:11

security requirement and really that is

16:13

it from that front and then once you

16:15

have that you actually need to register

16:17

it in the program.cs so all the way up

16:20

here we're gonna go here and register

16:22

the iconfigure options interface with

16:24

its implementation and once that's in

16:26

place all I'm going to do is just run it

16:27

and now if we go back to Swagger as you

16:29

can see I have this authorized button

16:31

which I can click and provide the Json

16:33

web token so I'm gonna go all the way

16:35

back here copy just the token you don't

16:37

need anything else and just paste it

16:38

here authorize and if I go to create a

16:41

movie for example and say tried out

16:43

paste it and then execute no problem it

16:46

all worked it was created if I wasn't if

16:49

I just say padlock and log out and I try

16:51

to do this again I'm going to get a 401

16:53

hey you cannot do this so now we also

16:56

have Swagger support this is it for all

16:58

the basics you can take it in any

16:59

direction you want from this point on I

17:01

do go way more in depth in my rest API

17:03

calls on every single one of those

17:05

Avenues however you are now in the right

17:07

track and you can take it everywhere you

17:09

want from that point well that's all I

17:10

have for you for this video thank you

17:11

very much for watching special thanks to

17:13

my patreons for making videos possible

17:14

if you want to support usually going to

17:16

find the link description down below

17:17

leave a like if you like this video

17:18

subscribe more content like this in the

17:20

Bell as well and I'll see you the next

17:21

video keep coding