Search code examples
.net-coreasp.net-apicontroller

Core 2.0 API Auth with JWT returns unauthorized


I'm trying to add Token Authentication with JWT to my .Net Core 2.0 app. I have a simple controller that returns a list of users for testing.

[Authorize]
[Route("api/[controller]")]
public class UsersController : Controller
{
    ...

    [HttpGet]
    [Route("api/Users/GetUsers")]
    public IEnumerable<ApplicationUser> GetUsers()
    {
        return _userManager.Users;
    }


}

I have an API Controller for Token security. It has a login method which returns a Token string result.

    [HttpPost(nameof(Login))]
    public async Task<IActionResult> Login([FromBody] LoginResource resource)
    {
        if (resource == null)
            return BadRequest("Login resource must be asssigned");

        var user = await _userManager.FindByEmailAsync(resource.Email);

        if (user == null || (!(await _signInManager.PasswordSignInAsync(user, resource.Password, false, false)).Succeeded))
            return BadRequest("Invalid credentials");

        string result = GenerateToken(user.UserName, resource.Email);

        // Token is created, we can sign out
        await _signInManager.SignOutAsync();

        return Ok(result);
    }

    private string GenerateToken(string username, string email)
    {
        var claims = new Claim[]
        {
            new Claim(ClaimTypes.Name, username),
            new Claim(ClaimTypes.Email, email),
            new Claim(JwtRegisteredClaimNames.Nbf, new DateTimeOffset(DateTime.Now).ToUnixTimeSeconds().ToString()),
            new Claim(JwtRegisteredClaimNames.Exp, new DateTimeOffset(DateTime.Now.AddDays(1)).ToUnixTimeSeconds().ToString()),
        };

        var token = new JwtSecurityToken(
            new JwtHeader(new SigningCredentials(
                new SymmetricSecurityKey(Encoding.UTF8.GetBytes("the secret that needs to be at least 16 characeters long for HmacSha256")),
                                         SecurityAlgorithms.HmacSha256)),
            new JwtPayload(claims));

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

I have a small console app just for testing the API. When I attempt to Get the Users using the jwt. I receive an immediate "unauthorized". If I remove the "[Authorize]" from the users Controller... success. It appears that my header Authorization is not recognized, but not sure why.

    private static async Task<String> GetUsers(String jwt)
    {
        var url = "https://localhost:44300/";
        var apiUrl = $"/api/Users/";

        using (var client = new HttpClient() { BaseAddress = new Uri(url) })
        {
            client.BaseAddress = new Uri(url);
            client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
            client.DefaultRequestHeaders.Add("Authorization", $"Bearer {jwt}");

            using (var response = await client.GetAsync(apiUrl))
            {
                if (response.StatusCode == System.Net.HttpStatusCode.OK)
                    return await response.Content.ReadAsStringAsync();

                else return null;
            }
        }
    }

I'm basing my attempts on the article here ... some of which might be slightly out of date.

Update - Excerpt of Startup.cs

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = "Jwt";
            options.DefaultChallengeScheme = "Jwt";
        }).AddJwtBearer("Jwt", options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateAudience = false,
                //ValidAudience = "the audience you want to validate",
                ValidateIssuer = false,
                //ValidIssuer = "the isser you want to validate",

                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("the secret that needs to be at least 16 characeters long for HmacSha256")),

                ValidateLifetime = true, //validate the expiration and not before values in the token

                ClockSkew = TimeSpan.FromMinutes(5) //5 minute tolerance for the expiration date
            };
        });

Configure...

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseBrowserLink();
            app.UseDeveloperExceptionPage();
            app.UseDatabaseErrorPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
        }

        app.UseStaticFiles();

        app.UseAuthentication();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });

        //app.UseJwtBearerAuthentication(
        //    new Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerOptions
        //    );


    }

Solution:

This line was escaping the token therefore causing it to be invalid when passed in the next request:

var result = await response.Content.ReadAsStringAsync();

Replaced with:

var result = await response.Content.ReadAsAsync<string>();

Note: To use this ext method I had to "install-package Microsoft.AspNet.WebApi.Client"


Solution

  • I used JWT authentication in my one of project. I would like to show my implementation, maybe this will help you. But probably you forget to add UseAuthentication(); into configure method in startup class.

    startup.cs

        public void Configure(IApplicationBuilder app)
        {
            app.UseAuthentication();
            app.UseMvc();
        }
    
        public void ConfigureServices(IServiceCollection services)
        {
            var appSettings = Configuration.GetSection("AppSettings");
    
            services.AddAuthentication(options =>
                                       {
                                           options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                                           options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
                                       }
                                      )
                    .AddJwtBearer(options =>
                    {
                        options.TokenValidationParameters = new TokenValidationParameters
                        {
                            ValidateAudience = true,
                            ValidAudience = appSettings["JwtAudience"],
                            ValidateIssuer = true,
                            ValidIssuer = appSettings["JwtIssuer"],
                            ValidateLifetime = true,
                            ValidateIssuerSigningKey = true,
                            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(appSettings["JwtSigningKey"]))
                        };
                    });
        }
    

    generateToken method

        private string GenerateToken(string email)
        {
            SecurityKey securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_appSettings.Value.JwtSigningKey));
    
            var token = new JwtSecurityToken(
                                             issuer: _appSettings.Value.JwtIssuer,
                                             audience: _appSettings.Value.JwtAudience,
                                             claims: new[]
                                             {
                                                 new Claim(JwtRegisteredClaimNames.UniqueName, email),
                                                 new Claim(JwtRegisteredClaimNames.Email, email),
                                                 new Claim(JwtRegisteredClaimNames.NameId, Guid.NewGuid().ToString())
                                             },
                                             expires: DateTime.Now.AddMinutes(_appSettings.Value.JwtExpireMinute),
                                             signingCredentials: new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256)
                                            );
    
            return new JwtSecurityTokenHandler().WriteToken(token);
        }