├── .gitignore
├── .vscode
    ├── launch.json
    └── tasks.json
├── HomeController.cs
├── LICENSE
├── Program.cs
├── README.md
├── Startup.cs
├── TokenController.cs
├── Views
    └── Home
    │   └── Index.cshtml
└── WebApiJwtExample.csproj


/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | 
  4 | # User-specific files
  5 | *.suo
  6 | *.user
  7 | *.userosscache
  8 | *.sln.docstates
  9 | 
 10 | # User-specific files (MonoDevelop/Xamarin Studio)
 11 | *.userprefs
 12 | 
 13 | # Build results
 14 | [Dd]ebug/
 15 | [Dd]ebugPublic/
 16 | [Rr]elease/
 17 | [Rr]eleases/
 18 | x64/
 19 | x86/
 20 | build/
 21 | bld/
 22 | [Bb]in/
 23 | [Oo]bj/
 24 | 
 25 | # Visual Studio 2015 cache/options directory
 26 | .vs/
 27 | # Uncomment if you have tasks that create the project's static files in wwwroot
 28 | #wwwroot/
 29 | 
 30 | # MSTest test Results
 31 | [Tt]est[Rr]esult*/
 32 | [Bb]uild[Ll]og.*
 33 | 
 34 | # NUNIT
 35 | *.VisualState.xml
 36 | TestResult.xml
 37 | 
 38 | # Build Results of an ATL Project
 39 | [Dd]ebugPS/
 40 | [Rr]eleasePS/
 41 | dlldata.c
 42 | 
 43 | # DNX
 44 | project.lock.json
 45 | artifacts/
 46 | 
 47 | *_i.c
 48 | *_p.c
 49 | *_i.h
 50 | *.ilk
 51 | *.meta
 52 | *.obj
 53 | *.pch
 54 | *.pdb
 55 | *.pgc
 56 | *.pgd
 57 | *.rsp
 58 | *.sbr
 59 | *.tlb
 60 | *.tli
 61 | *.tlh
 62 | *.tmp
 63 | *.tmp_proj
 64 | *.log
 65 | *.vspscc
 66 | *.vssscc
 67 | .builds
 68 | *.pidb
 69 | *.svclog
 70 | *.scc
 71 | 
 72 | # Chutzpah Test files
 73 | _Chutzpah*
 74 | 
 75 | # Visual C++ cache files
 76 | ipch/
 77 | *.aps
 78 | *.ncb
 79 | *.opendb
 80 | *.opensdf
 81 | *.sdf
 82 | *.cachefile
 83 | 
 84 | # Visual Studio profiler
 85 | *.psess
 86 | *.vsp
 87 | *.vspx
 88 | *.sap
 89 | 
 90 | # TFS 2012 Local Workspace
 91 | $tf/
 92 | 
 93 | # Guidance Automation Toolkit
 94 | *.gpState
 95 | 
 96 | # ReSharper is a .NET coding add-in
 97 | _ReSharper*/
 98 | *.[Rr]e[Ss]harper
 99 | *.DotSettings.user
100 | 
101 | # JustCode is a .NET coding add-in
102 | .JustCode
103 | 
104 | # TeamCity is a build add-in
105 | _TeamCity*
106 | 
107 | # DotCover is a Code Coverage Tool
108 | *.dotCover
109 | 
110 | # NCrunch
111 | _NCrunch_*
112 | .*crunch*.local.xml
113 | nCrunchTemp_*
114 | 
115 | # MightyMoose
116 | *.mm.*
117 | AutoTest.Net/
118 | 
119 | # Web workbench (sass)
120 | .sass-cache/
121 | 
122 | # Installshield output folder
123 | [Ee]xpress/
124 | 
125 | # DocProject is a documentation generator add-in
126 | DocProject/buildhelp/
127 | DocProject/Help/*.HxT
128 | DocProject/Help/*.HxC
129 | DocProject/Help/*.hhc
130 | DocProject/Help/*.hhk
131 | DocProject/Help/*.hhp
132 | DocProject/Help/Html2
133 | DocProject/Help/html
134 | 
135 | # Click-Once directory
136 | publish/
137 | 
138 | # Publish Web Output
139 | *.[Pp]ublish.xml
140 | *.azurePubxml
141 | # TODO: Comment the next line if you want to checkin your web deploy settings
142 | # but database connection strings (with potential passwords) will be unencrypted
143 | *.pubxml
144 | *.publishproj
145 | 
146 | # NuGet Packages
147 | *.nupkg
148 | # The packages folder can be ignored because of Package Restore
149 | **/packages/*
150 | # except build/, which is used as an MSBuild target.
151 | !**/packages/build/
152 | # Uncomment if necessary however generally it will be regenerated when needed
153 | #!**/packages/repositories.config
154 | 
155 | # Microsoft Azure Build Output
156 | csx/
157 | *.build.csdef
158 | 
159 | # Microsoft Azure Emulator
160 | ecf/
161 | rcf/
162 | 
163 | # Microsoft Azure ApplicationInsights config file
164 | ApplicationInsights.config
165 | 
166 | # Windows Store app package directory
167 | AppPackages/
168 | BundleArtifacts/
169 | 
170 | # Visual Studio cache files
171 | # files ending in .cache can be ignored
172 | *.[Cc]ache
173 | # but keep track of directories ending in .cache
174 | !*.[Cc]ache/
175 | 
176 | # Others
177 | ClientBin/
178 | ~$*
179 | *~
180 | *.dbmdl
181 | *.dbproj.schemaview
182 | *.pfx
183 | *.publishsettings
184 | node_modules/
185 | orleans.codegen.cs
186 | 
187 | # RIA/Silverlight projects
188 | Generated_Code/
189 | 
190 | # Backup & report files from converting an old project file
191 | # to a newer Visual Studio version. Backup files are not needed,
192 | # because we have git ;-)
193 | _UpgradeReport_Files/
194 | Backup*/
195 | UpgradeLog*.XML
196 | UpgradeLog*.htm
197 | 
198 | # SQL Server files
199 | *.mdf
200 | *.ldf
201 | 
202 | # Business Intelligence projects
203 | *.rdl.data
204 | *.bim.layout
205 | *.bim_*.settings
206 | 
207 | # Microsoft Fakes
208 | FakesAssemblies/
209 | 
210 | # GhostDoc plugin setting file
211 | *.GhostDoc.xml
212 | 
213 | # Node.js Tools for Visual Studio
214 | .ntvs_analysis.dat
215 | 
216 | # Visual Studio 6 build log
217 | *.plg
218 | 
219 | # Visual Studio 6 workspace options file
220 | *.opt
221 | 
222 | # Visual Studio LightSwitch build output
223 | **/*.HTMLClient/GeneratedArtifacts
224 | **/*.DesktopClient/GeneratedArtifacts
225 | **/*.DesktopClient/ModelManifest.xml
226 | **/*.Server/GeneratedArtifacts
227 | **/*.Server/ModelManifest.xml
228 | _Pvt_Extensions
229 | 
230 | # Paket dependency manager
231 | .paket/paket.exe
232 | 
233 | # FAKE - F# Make
234 | .fake/
235 | 


--------------------------------------------------------------------------------
/.vscode/launch.json:
--------------------------------------------------------------------------------
 1 | {
 2 |    // Use IntelliSense to find out which attributes exist for C# debugging
 3 |    // Use hover for the description of the existing attributes
 4 |    // For further information visit https://github.com/OmniSharp/omnisharp-vscode/blob/master/debugger-launchjson.md
 5 |    "version": "0.2.0",
 6 |    "configurations": [
 7 |         {
 8 |             "name": ".NET Core Launch (web)",
 9 |             "type": "coreclr",
10 |             "request": "launch",
11 |             "preLaunchTask": "build",
12 |             // If you have changed target frameworks, make sure to update the program path.
13 |             "program": "${workspaceRoot}/bin/Debug/netcoreapp2.0/WebApiJwtExample.dll",
14 |             "args": [],
15 |             "cwd": "${workspaceRoot}",
16 |             "stopAtEntry": false,
17 |             "internalConsoleOptions": "openOnSessionStart",
18 |             "launchBrowser": {
19 |                 "enabled": true,
20 |                 "args": "${auto-detect-url}",
21 |                 "windows": {
22 |                     "command": "cmd.exe",
23 |                     "args": "/C start ${auto-detect-url}"
24 |                 },
25 |                 "osx": {
26 |                     "command": "open"
27 |                 },
28 |                 "linux": {
29 |                     "command": "xdg-open"
30 |                 }
31 |             },
32 |             "env": {
33 |                 "ASPNETCORE_ENVIRONMENT": "Development"
34 |             },
35 |             "sourceFileMap": {
36 |                 "/Views": "${workspaceRoot}/Views"
37 |             }
38 |         },
39 |         {
40 |             "name": ".NET Core Attach",
41 |             "type": "coreclr",
42 |             "request": "attach",
43 |             "processId": "${command:pickProcess}"
44 |         }
45 |     ]
46 | }


--------------------------------------------------------------------------------
/.vscode/tasks.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "version": "0.1.0",
 3 |     "command": "dotnet",
 4 |     "isShellCommand": true,
 5 |     "args": [],
 6 |     "tasks": [
 7 |         {
 8 |             "taskName": "build",
 9 |             "args": [
10 |                 "${workspaceRoot}/WebApiJwtExample.csproj"
11 |             ],
12 |             "isBuildCommand": true,
13 |             "problemMatcher": "$msCompile"
14 |         }
15 |     ]
16 | }


--------------------------------------------------------------------------------
/HomeController.cs:
--------------------------------------------------------------------------------
 1 | using Microsoft.AspNetCore.Authorization;
 2 | using Microsoft.AspNetCore.Mvc;
 3 | 
 4 | namespace WebApiJwtExample
 5 | {
 6 |     public class HomeController : Controller
 7 |     {
 8 |         public IActionResult Index()
 9 |         {
10 |             return View();
11 |         }
12 | 
13 |         [Authorize]
14 |         public IActionResult GetUserDetails(){
15 |             return new ObjectResult(new {
16 |                 Username = User.Identity.Name
17 |             });                
18 |         }
19 |     }
20 | }


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2017 Rui Figueiredo
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Program.cs:
--------------------------------------------------------------------------------
 1 | using System;
 2 | using System.Collections.Generic;
 3 | using System.IO;
 4 | using System.Linq;
 5 | using System.Threading.Tasks;
 6 | using Microsoft.AspNetCore;
 7 | using Microsoft.AspNetCore.Hosting;
 8 | using Microsoft.Extensions.Configuration;
 9 | using Microsoft.Extensions.Logging;
10 | 
11 | namespace WebApiJwtExample
12 | {
13 |     public class Program
14 |     {
15 |         public static void Main(string[] args)
16 |         {
17 |             BuildWebHost(args).Run();
18 |         }
19 | 
20 |         public static IWebHost BuildWebHost(string[] args) =>
21 |             WebHost.CreateDefaultBuilder(args)
22 |                 .UseStartup<Startup>()
23 |                 .Build();
24 |     }
25 | }
26 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # WebApiJwtExample
2 | Example of a Web Api built using ASP.NET Core secured with JWT tokens
3 | 
4 | To find out more about using JSON Web Tokens in ASP.NET Core read the [blog post for which this repo is the sample project](http://www.blinkingcaret.com/2017/09/06/secure-web-api-in-asp-net-core/).
5 | 


--------------------------------------------------------------------------------
/Startup.cs:
--------------------------------------------------------------------------------
 1 | using System;
 2 | using System.Collections.Generic;
 3 | using System.Linq;
 4 | using System.Text;
 5 | using System.Threading.Tasks;
 6 | using Microsoft.AspNetCore.Builder;
 7 | using Microsoft.AspNetCore.Hosting;
 8 | using Microsoft.AspNetCore.Http;
 9 | using Microsoft.Extensions.DependencyInjection;
10 | using Microsoft.IdentityModel.Tokens;
11 | 
12 | namespace WebApiJwtExample
13 | {
14 |     public class Startup
15 |     {
16 |         public void ConfigureServices(IServiceCollection services)
17 |         {
18 |             services.AddMvc();
19 |             services.AddAuthentication(options =>
20 |             {
21 |                 options.DefaultAuthenticateScheme = "Jwt";  
22 |                 options.DefaultChallengeScheme = "Jwt";              
23 |             }).AddJwtBearer("Jwt", options =>
24 |             {
25 |                 options.TokenValidationParameters = new TokenValidationParameters
26 |                 {
27 |                     ValidateAudience = false,
28 |                     //ValidAudience = "the audience you want to validate",
29 |                     ValidateIssuer = false,
30 |                     //ValidIssuer = "the isser you want to validate",
31 |                     
32 |                     ValidateIssuerSigningKey = true,
33 |                     IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("the secret that needs to be at least 16 characeters long for HmacSha256")), 
34 |                     
35 |                     ValidateLifetime = true, //validate the expiration and not before values in the token
36 | 
37 |                     ClockSkew = TimeSpan.FromMinutes(5) //5 minute tolerance for the expiration date
38 |                 };
39 |             });
40 |         }
41 | 
42 |         public void Configure(IApplicationBuilder app, IHostingEnvironment env)
43 |         {
44 |             if (env.IsDevelopment())
45 |             {
46 |                 app.UseDeveloperExceptionPage();
47 |             }
48 | 
49 |             app.UseAuthentication();
50 | 
51 |             app.UseMvcWithDefaultRoute();
52 | 
53 |             app.Run(async (context) =>
54 |             {
55 |                 context.Response.StatusCode = 404;
56 |                 await context.Response.WriteAsync("Page not found");
57 |             });
58 |         }
59 |     }
60 | }
61 | 


--------------------------------------------------------------------------------
/TokenController.cs:
--------------------------------------------------------------------------------
 1 | using System;
 2 | using System.IdentityModel.Tokens.Jwt;
 3 | using System.Security.Claims;
 4 | using System.Text;
 5 | using Microsoft.AspNetCore.Mvc;
 6 | using Microsoft.IdentityModel.Tokens;
 7 | 
 8 | namespace WebApiJwtExample
 9 | {
10 |     [Route("/token")]
11 |     public class TokenController : Controller
12 |     {        
13 |         [HttpPost]
14 |         public IActionResult Create(string username, string password)
15 |         {
16 |             if (IsValidUserAndPasswordCombination(username, password))
17 |                 return new ObjectResult(GenerateToken(username));
18 |             return BadRequest();
19 |         }
20 | 
21 |         private bool IsValidUserAndPasswordCombination(string username, string password)
22 |         {
23 |             return !string.IsNullOrEmpty(username) && username == password;
24 |         }
25 | 
26 |         private string GenerateToken(string username)
27 |         {
28 |             var claims = new Claim[]
29 |             {
30 |                 new Claim(ClaimTypes.Name, username),
31 |                 new Claim(JwtRegisteredClaimNames.Nbf, new DateTimeOffset(DateTime.Now).ToUnixTimeSeconds().ToString()),
32 |                 new Claim(JwtRegisteredClaimNames.Exp, new DateTimeOffset(DateTime.Now.AddDays(1)).ToUnixTimeSeconds().ToString()),
33 |             };
34 | 
35 |             var token = new JwtSecurityToken(
36 |                 new JwtHeader(new SigningCredentials(
37 |                     new SymmetricSecurityKey(Encoding.UTF8.GetBytes("the secret that needs to be at least 16 characeters long for HmacSha256")), 
38 |                                              SecurityAlgorithms.HmacSha256)),
39 |                 new JwtPayload(claims));
40 | 
41 |             return new JwtSecurityTokenHandler().WriteToken(token);
42 |         }
43 |     }
44 | }


--------------------------------------------------------------------------------
/Views/Home/Index.cshtml:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html>
  3 |   <head>
  4 |     <meta charset="UTF-8">
  5 |     <title>Web Api JWT Example</title>
  6 |     <script  src="https://code.jquery.com/jquery-3.2.1.min.js"
  7 |       integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4="
  8 |       crossorigin="anonymous"></script>
  9 |       <style>
 10 |           div {
 11 |               margin-top: 50px;
 12 |           }
 13 |       </style>
 14 |   </head>
 15 |   <body>
 16 |       <h1>Example of using JWT to secure a Web Api using ASP.NET Core 2.0</h1>
 17 |       <div style="margin: 50px auto; width:600px;">
 18 |           <div id="btLoginContainer">
 19 |             <input type="text" name="username" id="username" placeholder="Username"/>
 20 |             <input type="password" name="password" id="password" placeholder="Password"/>
 21 |             <button id="btLogin">Login</button><br>   
 22 |             <label>(Use the same password as the username to sign in)</label>                     
 23 |           </div>
 24 |           <div id="btLogoutContainer">
 25 |               <button id="btLogout">Logout</button>
 26 |           </div>
 27 |           <div>
 28 |             <label>Action that requires the user to be authenticated: </label><button id="btGetUserDetails">Get User Details</button>
 29 |           </div>          
 30 | 
 31 |       </div>
 32 |       <div style="margin: 50px; background: lightgray" id="responseContainer">
 33 |           
 34 |       </div>
 35 |       
 36 |       <script>
 37 |           function handleError(xhr, textStatus, errorThrown){              
 38 |               if (xhr.status == 401)
 39 |                 $('#responseContainer').html("Unauthorized request"); 
 40 |               else{
 41 |                 var message = "<p>Status code: " + xhr.status + "</p>";
 42 |                 message += "<pre>" + xhr.responseText + "</pre>";
 43 |                 $('#responseContainer').html(message);
 44 |               }
 45 |           }
 46 | 
 47 |           function isUserLoggedIn(){
 48 |               return localStorage.getItem("token") !== null;
 49 |           }        
 50 | 
 51 |           function getSavedToken() {
 52 |               return localStorage.getItem("token");
 53 |           }
 54 | 
 55 |           $.ajaxSetup({
 56 |               beforeSend: function(xhr) {
 57 |                   if (isUserLoggedIn()) {
 58 |                       xhr.setRequestHeader('Authorization', 'Bearer ' + getSavedToken());                      
 59 |                   }
 60 |               }
 61 |           });
 62 | 
 63 |           $(function(){
 64 |               $('#btLogin').click(function() {
 65 |                   $.post("/token", $.param({username: $('#username').val(), password: $('#password').val()})).done(function(token){
 66 |                       localStorage.setItem("token", token);
 67 |                       $('#btLoginContainer').hide();
 68 |                       $('#btLogoutContainer').show();
 69 |                       var message = "<p>Token received and saved in local storage under the key 'token'</p>";
 70 |                       message += "<p>Token Value: </p><p style='word-wrap:break-word'>" + token + "</p>";
 71 |                       $('#responseContainer').html(message);                                            
 72 |                   }).fail(handleError);
 73 |               });
 74 | 
 75 |               $('#btLogout').click(function(){
 76 |                   localStorage.removeItem("token");     
 77 |                   $('#btLogoutContainer').hide();
 78 |                   $('#btLoginContainer').show();
 79 |                   $('#responseContainer').html("<p>Token deleted from local storage</p>");                  
 80 |               });
 81 | 
 82 | 
 83 |               $('#btGetUserDetails').click(function(){
 84 |                   $.get("/home/getuserdetails").done(function(userDetails){ 
 85 |                       $('#responseContainer').html("<pre>" + JSON.stringify(userDetails) + "</pre>");                        
 86 |                   }).fail(handleError);
 87 |               });
 88 | 
 89 | 
 90 |               if (isUserLoggedIn()){ 
 91 |                   $('#btLoginContainer').hide();
 92 |                   $('#btLogoutContainer').show();
 93 |               }else {
 94 |                   $('#btLoginContainer').show();
 95 |                   $('#btLogoutContainer').hide();                  
 96 |               }
 97 |           });
 98 |       </script>
 99 |   </body>
100 | </html>
101 | 


--------------------------------------------------------------------------------
/WebApiJwtExample.csproj:
--------------------------------------------------------------------------------
 1 | <Project Sdk="Microsoft.NET.Sdk.Web">
 2 |   <PropertyGroup>
 3 |     <TargetFramework>netcoreapp2.0</TargetFramework>
 4 |   </PropertyGroup>
 5 |   <ItemGroup>
 6 |     <Folder Include="wwwroot\" />
 7 |   </ItemGroup>
 8 |   <ItemGroup>
 9 |     <PackageReference Include="Microsoft.AspNetCore.All" Version="2.0.0" />
10 |     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="2.0.0" />
11 |     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.1.4" />
12 |   </ItemGroup>
13 | </Project>


--------------------------------------------------------------------------------