authenticationjwtasp.net-core-identityasp.net-core-8
Authorize not working in API with ASP.NET Core Identity and JWT Token
I need emergency nelp ... I'm using ASP.NET Core 8.0 and this is my Program.cs:
builder.Services.AddControllers();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
builder.Services.AddDbContext<Context>
(optn => optn.UseSqlServer(builder.Configuration.GetConnectionString("SqlServer")));
builder.Services.AddIdentity<UserIdentityCustom,IdentityRole>(opt =>
{
opt.User.RequireUniqueEmail = true; //eror
opt.Lockout.DefaultLockoutTimeSpan = new TimeSpan(100, 1, 1, 1);
opt.SignIn.RequireConfirmedPhoneNumber = false;
opt.SignIn.RequireConfirmedEmail = false;
})
.AddEntityFrameworkStores<Context>()
.AddDefaultTokenProviders();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(option =>
{
option.SaveToken = true;
option.TokenValidationParameters = new TokenValidationParameters
{
RequireExpirationTime = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey
(Encoding.UTF8.GetBytes(builder.Configuration["JWT:IssuerSigningKey"]))
};
});
var app = builder.Build();
app.UseSwagger();
app.UseSwaggerUI();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
This is my controller and action method (have [Authorize]):
[ApiController]
[Route("[controller]")]
public class UploadController : ControllerBase
{
[Authorize]
[HttpPost("[action]")]
public IActionResult Uploadtest()
{
return Ok("Uploaded !");
}
}
The JWT token will be created by this action method:
public async Task<IActionResult> Login([FromBody] UsersLoginModel model)
{
if (ModelState.IsValid)
{
ResultIdentity = True; //ResultIdentity = Check By UserMannager
if (ResultIdentity.Succeeded == true)
{
var key = _config["JWT:IssuerSigningKey"];
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key));
var tokenObject = new JwtSecurityToken(
claims: new List<Claim>() {new Claim("id", model.Username)},
expires: DateTime.Now.AddMinutes(10),
signingCredentials: new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256));
var ResultJwt = new JwtSecurityTokenHandler().WriteToken(tokenObject);
if (ResultJwt == null)
return Unauthorized();
return Ok(ResultJwt);
}
}
return Unauthorized();
}
The response is always an error HTTP 404 or HTTP 302 (I tested in TalentApiTester - Swagger - Postman...)
What is the problem? I tried for 5 hours...
This is my test :
Solution
I add "Issuer","Audience" in Jwt, have a try to modify the code like below:
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(option =>
{
option.SaveToken = true;
option.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidIssuer = builder.Configuration["Jwt:Issuer"],
ValidAudience = builder.Configuration["Jwt:Audience"],
RequireExpirationTime = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey
(Encoding.UTF8.GetBytes(builder.Configuration["JWT:IssuerSigningKey"]))
};
});
Then modify like below :
public async Task<IActionResult> Login([FromBody] UsersLoginModel model) {
if (ModelState.IsValid)
{
ResultIdentity = True; //ResultIdentity = Check By UserMannager
if (ResultIdentity.Succeeded == true)
{
var issuer = _config["Jwt:Issuer"];
var audience = _config["Jwt:Audience"];
var key = _config["JWT:IssuerSigningKey"];
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key));
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new[]
{ new Claim("id", model.Username)
}),
Expires= DateTime.Now.AddMinutes(10),
Issuer = issuer,
Audience = audience,
SigningCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256)
};
var tokenObject = new JwtSecurityTokenHandler().CreateToken(tokenDescriptor);
var ResultJwt = new JwtSecurityTokenHandler().WriteToken(tokenObject);
if (ResultJwt == null) return Unauthorized();
return Ok(ResultJwt);
}
}
return Unauthorized();
}
result:
- What If Session Expires While User Is Still On The Website
- Remix run: Authentication succeeds on validation failures
- WMS service basic authentication
- How to manage user claims?
- How to get the popup menu to select user certificate in Tomcat 10 server?
- Enable password and unix_socket authentication for MariaDB root user?
- How to consume from an eventsource API requiring auth headers?
- How to display an Error message when logging in fails in Reactjs
- Notify navbar of authenticated status when logged in (Angular)
- Proper way to store a token retrieved client-side in nextjs 13 "App Router" version?
- Signout and login not working in auth.js in Next14 with middleware and server actions
- Laravel: Auth::user()->id trying to get a property of a non-object
- 404 page not found when running firebase deploy
- .NET 8 Blazor Server - role authorization with Windows Authentication
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- Symfony2: How to change Entity Manager just before doing login_check
- JWT signature verification failing
- SMAppService register() - How to detect launch at startup/login vs regular launch?
- AppwriteException: User (role: guest) missing scope (account), not able to get account after creating a session
- authMiddleware doesn't exist after installing clerk
- Stop request in CookieAuthenticationEvents.OnValidatePrincipal after response body has been written to
- Blazor Hosted WebAssembly with Keycloak and Basic Authentication Issue
- How to change the app name for Firebase authentication (what the user sees)
- How do I restrict Apache/SVN access to specific users (LDAP/file-based authentication)?
- Unexpected authorization behaviour in a Blazor Web App with .NET 8
- MongoDB: Understand createUser and db admin
- Update react context without refreshing page on state update
- What is the standard/modern way to use CAC/PIV card authentication in Java/Tomcat web applications?
- Keycloak retrieve custom attributes to KeycloakPrincipal
- Secure Google Cloud Functions http trigger with auth