Thursday, July 21, 2022

Web API Security: JWT Token.

What is a JWT Token?

JWT stands for JSON Web Token.

Token-based security is commonly used in today's security architectures. There are several token-based techniques, and JWT is one of the most popular. A JWT is used to identify authorized users.

What is the JSON Web Token?

  • Open standard: anywhere, anytime, and anyone can use JWT.
    Secure data transfer between any two parties, any two users, any two servers.
  • Digitally signed: the information can be verified and trusted.
    There is no alteration of data.
  • Compact: a JWT can be sent via a URL, a POST request or an HTTP header.
    Fast transmission makes JWT more usable.
  • Self-contained: the JWT itself holds the user information.
    It avoids querying the database more than once after a user has logged in and been verified.


JWT is useful for:

Authentication

Secure data transfer

JWT Token Structure 

A JWT token contains a Header, a Payload, and a Signature. 

Header

The header names the signing algorithm (for example RSA or HMACSHA256) and the type of token. The standard field names are "alg" and "typ":

{
  "alg": "HS256",
  "typ": "JWT"
}

"alg" is the algorithm, e.g. RS256 (RSA) or HS256 (HMAC-SHA256); "typ" is the type of token.

Payload

The payload contains the user information, i.e. the claims about the logged-in user.

{
  "loginname": "Gajendra",
  "password": "123#"
}

  • It contains claims.
  • Claims are user details or additional information.
  • Claims are only base64url-encoded, not encrypted, so anyone holding the token can read them; secrets such as a password should not be placed in the payload.

Signature

signature = HMACSHA256( base64urlencode(header) + "." + base64urlencode(payload), secret )

token = base64urlencode(header) + "." + base64urlencode(payload) + "." + base64urlencode(signature)

  • The base64url-encoded header and payload are joined with "." and signed with the server's secret.
  • The signature provides the security: without the secret, the header and payload cannot be altered without the signature check failing.
  • The combination of header, payload and signature forms the JWT token.

How Does JWT Work?

Step 1:

The client logs in with his/her credentials.

Step 2:

The server generates a JWT token on the server side.

Step 3:

After token generation, the server returns the token in the response.

Step 4:

Now the client sends a copy of the token with its requests so the token can be validated.

Step 5:

The server checks the JWT token to see whether it is valid or not.

Step 6:

After the token is validated, the server sends a status message to the client.





The server can trust the client because the JWT is signed, and there is no need to call the database to retrieve the information you already stored in the JWT.

To keep them secure, you should always store JWTs inside an httpOnly cookie. This is a special kind of cookie that’s only sent in HTTP requests to the server. It’s never accessible (both for reading or writing) from JavaScript running in the browser.

https://blog.logrocket.com/jwt-authentication-best-practices/





Steps to Implement JWT Authentication in ASP.NET Core

  • Understand the JWT authentication workflow.
  • Create an ASP.NET Core Web API project.
  • Install the NuGet package (JwtBearer).
  • ASP.NET Core JWT appsettings.json configuration.
  • ASP.NET Core Startup.cs: configure services and add JwtBearer.
  • Create the models User and Tokens.
  • Create JWTManagerRepository to authenticate users and generate the JSON Web Token.
  • Create UserController with an Authenticate action method.

https://codepedia.info/jwt-authentication-in-aspnet-core-web-api-token
