Developing JWT (JSON Web Token) based authentication
Hello,
You are going to see how we can implement a custom authentication mechanism in our system.
The source code contains the necessary projects (Web API, Console Application) in C# using the MVC pattern, so I assume you have basic knowledge of those areas.
Source code is here :
https://github.com/TheMaty/JSONWebToken-Custom-Authorization
I use Visual Studio 2019 in the study.
Solution structure:
- AuthorizationServer project is an ASP.NET Web Application with the Web API template (which is MVC). It accepts requests from the client device carrying a Client Id and Client Secret and generates a Bearer token accordingly.
- BackEndServer project is an ASP.NET Web Application with the Web API template (which is MVC). It accepts the bearer token, validates it, then executes the order that comes in the request body (mostly in JSON format).
- BearerTokenRequestor project is a console application to simulate sending requests and receiving responses (Postman can also be used for that purpose).
- CryptoRandomDataGenerator project is a console application to create the Client Secret value.
PoC:
Suppose that we need to build a mobile application that creates a record in a backend application which resides inside a secure network, or which we do not want to expose to the world.
Note: The mobile client is not in the source code since it was not ready at that moment. I may share it later.
In that situation it is worth considering building our own authentication model.
High Level Design
The flow is very simple:
The client device can only access the Back End node with a valid JWT (Bearer Token), so in order to send a request to the backend application through the Back End node, the client device must first obtain a valid bearer token:
- Mobile Client reaches the Authorization Server with a valid Client Id and Client Secret. The Client Id can be any key but must be stored in the Audience table in the database; I use a GUID there (the SQL statement is in the source code on my GitHub page linked above: Audience_Table_Creation_Script.sql). The Client Secret is cryptographically random data (see the RandomNumberGenerator console application under the solution).
- Authorization Server connects to the database to read the registered device list from the Audience table.
- Authorization Server generates a bearer token valid for a certain duration (you can set the expiration in the Web.config file; AccessTokenExpirationInSeconds is the config parameter).
- Mobile Client sends its request to the Back End node with the bearer token.
- Back End node verifies the received token against the Audience table in the database.
- The order is executed if the bearer token is valid.
- The result is returned in the response.
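The flow above, written out end to end as an added example (this is not code from the project's repository, and it is in Python rather than the project's C# so that it runs stand-alone). It assumes an in-memory stand-in for the Audience table, a constant standing in for the AccessTokenExpirationInSeconds setting, and that the client's secret doubles as the HS256 signing key for that client's tokens; all client ids and secrets in it are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Stand-in for the Web.config value AccessTokenExpirationInSeconds (assumed value).
ACCESS_TOKEN_EXPIRATION_IN_SECONDS = 300


def generate_client_secret(num_bytes: int = 32) -> str:
    """What the CryptoRandomDataGenerator console app does: a CSPRNG-backed secret."""
    return secrets.token_hex(num_bytes)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def issue_token(client_id, client_secret, audience_table, expiration_seconds, now=None):
    """Authorization Server side: check Client Id / Client Secret against the
    Audience table and return an HS256 JWT, or None when the credentials fail."""
    stored_secret = audience_table.get(client_id)
    # Constant-time compare so a wrong secret cannot be found byte by byte.
    if stored_secret is None or not hmac.compare_digest(stored_secret, client_secret):
        return None
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"aud": client_id, "iat": now, "exp": now + expiration_seconds}
    head_b64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{head_b64}.{body_b64}".encode()
    return f"{head_b64}.{body_b64}.{_b64url(_sign(signing_input, stored_secret))}"


def validate_token(token, audience_table, now=None):
    """Back End node side: parse the token, look the audience up in the Audience
    table, verify the HMAC and the expiry. Returns the payload or None."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        payload = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # malformed base64 / JSON / wrong segment count
        return None
    # Never trust the header's alg; accept only the algorithm we issue with.
    if header.get("alg") != "HS256":
        return None
    secret = audience_table.get(payload.get("aud"))
    if secret is None:  # unknown or revoked client
        return None
    expected = _sign(f"{head_b64}.{body_b64}".encode(), secret)
    if not hmac.compare_digest(signature, expected):
        return None
    now = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload


if __name__ == "__main__":
    # Constructed Audience table: one registered device, GUID-style client id.
    audience = {"3f2a9c1e-1111-4222-8333-444455556666": generate_client_secret()}
    client_id, client_secret = next(iter(audience.items()))
    token = issue_token(client_id, client_secret, audience, ACCESS_TOKEN_EXPIRATION_IN_SECONDS)
    print("issued:", token)
    print("backend accepts:", validate_token(token, audience) is not None)
```

The backend decides which secret to verify with from the `aud` claim, so a token signed for one registered device cannot be replayed as another, and removing a row from the Audience table immediately invalidates every outstanding token for that client.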
Special thanks to Andrei:
https://eidand.com/2015/03/28/authorization-system-with-owin-web-api-json-web-tokens/
His article and source code helped and encouraged me a lot to implement custom authentication.
This was originally posted here.