SECURING WEBAPI USING JSON WEB TOKEN (JWT) IN WEB API C#

ref site : http://www.decatechlabs.com/secure-webapi-using-jwt

Step 1 :

Step 2 :

Step 3 :

Step 4 :

Now replace all code with below code

using Microsoft.IdentityModel.Tokens;

using System;

using System.Collections.Generic;

using System.IdentityModel.Tokens;

using System.IdentityModel.Tokens.Jwt;

using System.IO;

using System.Linq;

using System.Net;

using System.Net.Http;

using System.Security.Cryptography.X509Certificates;

using System.Threading;

using System.Threading.Tasks;

using System.Web;

namespace WEBAPI_JWT_Authentication

{

    internal class TokenValidationHandler : DelegatingHandler

    {

        private static bool TryRetrieveToken(HttpRequestMessage request, out string token)

        {

            token = null;

            IEnumerable<string> authzHeaders;

            if (!request.Headers.TryGetValues("Authorization", out authzHeaders) || authzHeaders.Count() > 1)

            {

                return false;

            }

            var bearerToken = authzHeaders.ElementAt(0);

            token = bearerToken.StartsWith("Bearer ") ? bearerToken.Substring(7) : bearerToken;

            return true;

        }

        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)

        {

            HttpStatusCode statusCode;

            string token;

                        //determine whether a jwt exists or not

            if (!TryRetrieveToken(request, out token))

            {

                statusCode = HttpStatusCode.Unauthorized;

                //allow requests with no token - whether a action method needs an authentication can be set with the claimsauthorization attribute

                return base.SendAsync(request, cancellationToken);

            }

            try

            {

                const string sec = "401b09eab3c013d4ca54922bb802bec8fd5318192b0a75f201d8b3727429090fb337591abd3e44453b954555b7a0812e1081c39b740293f765eae731f5a65ed1";

                var now = DateTime.UtcNow;

                var securityKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(System.Text.Encoding.Default.GetBytes(sec));                

                SecurityToken securityToken;

                JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();

                TokenValidationParameters validationParameters = new TokenValidationParameters()

                {

                    ValidAudience = "http://localhost:50191",

                    ValidIssuer = "http://localhost:50191",

                    ValidateLifetime = true,

                    ValidateIssuerSigningKey = true,

                    LifetimeValidator = this.LifetimeValidator,                    

                    IssuerSigningKey = securityKey                

                };

                //extract and assign the user of the jwt

                Thread.CurrentPrincipal = handler.ValidateToken(token, validationParameters, out securityToken);

                HttpContext.Current.User = handler.ValidateToken(token, validationParameters, out securityToken);

                return base.SendAsync(request, cancellationToken);

            }

            catch (SecurityTokenValidationException e)

            {

                statusCode = HttpStatusCode.Unauthorized;

            }

            catch (Exception ex)

            {

                statusCode = HttpStatusCode.InternalServerError;

            }

            return Task<HttpResponseMessage>.Factory.StartNew(() => new HttpResponseMessage(statusCode){ });

        }

        public bool LifetimeValidator(DateTime? notBefore, DateTime? expires, SecurityToken securityToken, TokenValidationParameters validationParameters)

        {

            if (expires != null)

            {

                if (DateTime.UtcNow < expires) return true;

            }

            return false;

        }

        

    }

}

And now you have to add following name spaces

1 using System.Net.Http;
2 using System.Threading.Tasks;
3 using System.Net;
4 using System.Threading;

And Install System.IdentityModel.Tokens.Jwt from nuget

after install upper package add following name space

1 using Microsoft.IdentityModel.Tokens;
2 using System.IdentityModel.Tokens.Jwt;

Step 5 :

Now add Login Controller and write below code in it.

using System; using System.Collections.Generic; using System.IdentityModel.Tokens; using System.IdentityModel.Tokens.Jwt; using System.IO; using System.Net; using System.Net.Http; using System.Security.Claims; using System.Web; using System.Web.Http; using WEBAPI_JWT_Authentication.Models; namespace WEBAPI_JWT_Authentication.Controllers {     public class LoginController : ApiController     {         [HttpPost]         public IHttpActionResult Authenticate([FromBody] LoginRequest login)         {             var loginResponse = new LoginResponse { };             LoginRequest loginrequest = new LoginRequest { };             loginrequest.Username = login.Username.ToLower();             loginrequest.Password = login.Password;             IHttpActionResult response;             HttpResponseMessage responseMsg = new HttpResponseMessage();             bool isUsernamePasswordValid = false;                   if(login != null)             isUsernamePasswordValid=loginrequest.Password=="admin" ? true:false;             // if credentials are valid             if (isUsernamePasswordValid)             {                 string token = createToken(loginrequest.Username);                 //return the token                 return Ok<string>(token);             }             else             {                 // if credentials are not valid send unauthorized status code in response                 loginResponse.responseMsg.StatusCode = HttpStatusCode.Unauthorized;                 response = ResponseMessage(loginResponse.responseMsg);                 return response;             }         }         private string createToken(string username)         {             //Set issued at date             DateTime issuedAt = DateTime.UtcNow;             //set the time when it expires             DateTime expires = DateTime.UtcNow.AddDays(7);             //http://stackoverflow.com/questions/18223868/how-to-encrypt-jwt-security-token             var tokenHandler = new JwtSecurityTokenHandler();                        //create a identity and add claims to the user which we want to log in             ClaimsIdentity claimsIdentity = new ClaimsIdentity(new[]             {                 new Claim(ClaimTypes.Name, username)                             });             const string sec = "401b09eab3c013d4ca54922bb802bec8fd5318192b0a75f201d8b3727429090fb337591abd3e44453b954555b7a0812e1081c39b740293f765eae731f5a65ed1";             var now = DateTime.UtcNow;             var securityKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(System.Text.Encoding.Default.GetBytes(sec));             var signingCredentials = new Microsoft.IdentityModel.Tokens.SigningCredentials(securityKey,Microsoft.IdentityModel.Tokens.SecurityAlgorithms.HmacSha256Signature);             //create the jwt             var token =                 (JwtSecurityToken)                     tokenHandler.CreateJwtSecurityToken(issuer:"http://localhost:50191",audience:"http://localhost:50191",                         subject: claimsIdentity, notBefore: issuedAt, expires: expires, signingCredentials: signingCredentials);             var tokenString = tokenHandler.WriteToken(token);             return tokenString;         }     } }

Step 6 :

Now Add following lines in WebApiConfig.cs 

config.MessageHandlers.Add(new TokenValidationHandler());



Step 7 :

Let’s decorate our Values Controller with Authorize attribute and Run the project press F5