1

I'm using custom JWT in my .NET Core project with jose-jwt. (All other auth methods I tried were confusing as hell.) I have everything implemented, but I'm not sure how I can verify the token on each request. Most of the functions in my API will require this auth, so I'd like to register it globally and specify the functions that don't require it (essentially like [AllowAnonymous]). I'd like a 401 to be returned if auth fails.

I don't need code completely written for me, but I'm not sure how to write this and insert it into the pipeline. How can I accomplish this? Am I even going about this the right way?

vaindil
  • 7,536
  • 21
  • 68
  • 127

2 Answers2

2

Validating a JWT is like validating a basic auth request.

Look at https://github.com/blowdart/idunno.Authentication for a middleware implementation.

Kalten
  • 4,092
  • 23
  • 32
  • Is there a problem with this method? He's completely against this in that readme. – vaindil Aug 08 '16 at 22:08
  • 1
    The problem is Basic. In Basic, the token contains the unencrypted password. The JWT token doesn't contains the password but is signed (with symmetric/asymmetric key). You need to edit BasicAuthenticationHandler file to read and validate the JWT. – Kalten Aug 08 '16 at 22:23
  • Oh, okay, I see now. Thank you, I appreciate it! – vaindil Aug 08 '16 at 22:46
  • I'm having a horrible time trying to adapt this for JWT. :/ – vaindil Aug 11 '16 at 03:47
  • 1
    Don't adapt, we give you JWT middleware built in :) Use the JWT Middleware and set the AutomaticAuthenticate and AutomaticChallenge properties, then force authentication on every request as shown in Adem's answer. That will make it run on every request, and populate the current user. – blowdart Aug 12 '16 at 20:46
2

First, you need to use JwtBearerAuthentication middleware in Configure method.

 app.UseJwtBearerAuthentication(new JwtBearerOptions
 {
      Authority = ...,
      Audience = ...
 });

For globally authorize see MVC Core How to force / set global authorization for all actions?

services.AddMvc(config =>
{
    var policy = new AuthorizationPolicyBuilder()
                     .RequireAuthenticatedUser()
                     .Build();
    config.Filters.Add(new AuthorizeFilter(policy));
});
Community
  • 1
  • 1
adem caglin
  • 22,700
  • 10
  • 58
  • 78