JWT Token with Cookie Authentication in ASP.NET Core

When we want to secure an ASP.NET Core web application without using ASP.NET Identity, we can use cookie-based authentication. The problem is that if our website also exposes a Web API, cookie authentication alone is a poor fit for securing it: non-browser clients have no login form to post to, an unauthenticated request is answered with a redirect to the login page instead of a 401, and cookie-authenticated endpoints need CSRF protection. To secure a Web API we can use JWT token-based authentication instead. In this blog post I will show how to use JWT token-based authentication for the Web API and cookie-based authentication for user login via the web browser, in the same application. We will use ASP.NET Core 2.0 with Visual Studio 2017.

First, let's create a sample ASP.NET Core 2.0 MVC application. Fire up Visual Studio, create a new project, select ASP.NET Core Web Application and name it JwtWithCookieAuth.

Next select ASP.NET Core 2.0, choose the Web Application (Model-View-Controller) template, and for authentication select No Authentication.

If you open the Solution Explorer you will find project content similar to this:

Run the application and you will get a nice-looking web app.

Sometimes we need to expose data from a web application and also accept data from an outside source, especially a mobile or desktop app. For this we need a RESTful API, so we will create a Web API controller.

Add a new controller under the Controllers folder and name it ValueController.

Replace the content of ValueController with the code below.

This code returns a list of string values. Run the application again and, using Postman, send a GET request to http://localhost:xxxx/api/value (xxxx is the port number); you will see the result.

Now we have a web application with a nice-looking UI and an API for data communication with external sources. But this application is not secure: anyone can browse the website, and anyone can read data by calling the API. To secure it we will add an authentication mechanism.

Add a new controller named AccountController, create a model named LoginViewModel inside the Models folder, and replace their contents with the code below.

We will not use a database, to keep this simple: a hard-coded username and password check stands in for the login. That is only acceptable for a demo; a real application verifies a salted password hash stored per user and never keeps credentials in source code.

Under the Views folder add a new folder named Account, then inside it add a new view file named Login.cshtml, with an empty model and no layout page.

Replace the content of the view with the code below.

Now open _Layout.cshtml and, in the navigation menu, add the content below for a Logout menu item.

If you run the project again and visit http://localhost:xxxx/account/login, you can log in using user@gmail.com as the email and "password" as the password, and log out using the Logout button in the top right corner. But you may notice that login is not enforced anywhere: a user can visit any page without logging in, and Postman can still read the values without any authentication. At this point we will configure the application to use cookie authentication without ASP.NET Identity. The reason we do not use ASP.NET Identity is that we will implement user and role management with our own mechanism; we only want cookie-based authentication enforcement.

Now modify the AccountController code as below.

You may need to add three using statements:

Make the change below to the Login.cshtml page.

Now open Startup.cs and change the ConfigureServices method as below.

Then change the Configure method: add app.UseAuthentication(); before app.UseMvc(...). The post places it before app.UseStaticFiles(), which also works; what matters is that the authentication middleware runs before MVC, otherwise [Authorize] never sees an authenticated principal.

You may need to add two using statements:

Open HomeController and ValueController and add the [Authorize] attribute to each.

This requires the using statement:

Run the application again. This time, if you are not already logged in, the system automatically redirects you to the login page. Without logging in you cannot visit any content of the application, and Postman no longer gets data from ValueController either: because the cookie scheme's challenge is a redirect, Postman receives the login page instead of the values.
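The cookie half of the setup described above (LoginViewModel, AccountController, and the Startup changes), as an added example that is not the post's own listing. It assumes the post's hard-coded demo credentials, a single "User" role, and the default scheme name; cookie hardening options (HttpOnly, Secure, SameSite) and the local-URL check on the return URL are additions a practitioner would want and are not claimed to be in the original sample.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class LoginViewModel
{
    [Required, EmailAddress] public string Email { get; set; }
    [Required, DataType(DataType.Password)] public string Password { get; set; }
    public string ReturnUrl { get; set; }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Cookie is the default scheme, so a bare [Authorize] redirects browsers to the login page.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Account/Login";
                options.LogoutPath = "/Account/Logout";
                options.Cookie.HttpOnly = true;                       // not readable from script
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // only sent over HTTPS
                options.Cookie.SameSite = SameSiteMode.Lax;           // limits cross-site sends
                options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
                options.SlidingExpiration = true;
            });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseStaticFiles();
        app.UseAuthentication(); // must precede UseMvc so [Authorize] sees the principal
        app.UseMvc(routes => routes.MapRoute("default", "{controller=Home}/{action=Index}/{id?}"));
    }
}

public class AccountController : Controller
{
    // Demo credentials from the post. A real app verifies a salted password hash instead.
    private const string DemoEmail = "user@gmail.com";
    private const string DemoPassword = "password";

    [HttpGet, AllowAnonymous]
    public IActionResult Login(string returnUrl = null) =>
        View(new LoginViewModel { ReturnUrl = returnUrl });

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginViewModel model)
    {
        if (!ModelState.IsValid) return View(model);
        if (model.Email != DemoEmail || model.Password != DemoPassword)
        {
            ModelState.AddModelError(string.Empty, "Invalid login attempt.");
            return View(model);
        }

        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, model.Email),
            new Claim(ClaimTypes.Role, "User"), // assumed role name
        };
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      new ClaimsPrincipal(identity));

        // Only follow local return URLs; an absolute one would be an open redirect.
        if (!string.IsNullOrEmpty(model.ReturnUrl) && Url.IsLocalUrl(model.ReturnUrl))
            return Redirect(model.ReturnUrl);
        return RedirectToAction("Index", "Home");
    }

    // The post wires this to a menu link (GET); a form POST with an anti-forgery token
    // would also stop a third-party page from logging the user out.
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return RedirectToAction("Login");
    }
}
```

The Login.cshtml form posts Email, Password and a hidden ReturnUrl back to this action; the [ValidateAntiForgeryToken] attribute requires the form to include @Html.AntiForgeryToken() (the form tag helper emits it automatically).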

So at this point the application is secure, but only for browser-based clients. For the RESTful API, cookie-based authentication is the wrong tool: API clients have no login form, and they need a 401 response rather than a redirect when a request is not authenticated. We need token-based authentication, so now we will configure the application to secure the API with JWT bearer tokens.

Add a new API controller named TokenController and replace its content with the code below.

At this point you need the following using statements:

Open Startup.cs again and modify the ConfigureServices method as follows.

You need to add the following using statement:

Open ValueController and modify the [Authorize] attribute to explicitly tell the application to use JWT bearer authentication for this controller. Without the scheme name it would fall back to the default cookie scheme and keep redirecting API clients to the login page; with it, an unauthenticated request gets a 401 with a WWW-Authenticate: Bearer header.

You may need to add a using statement:

Now from Postman send a POST request to http://localhost:xxxx/api/token/create with the authentication data Email and Password. This returns the token we need to call the RESTful API. Send this request only over HTTPS: the token is a bearer credential, and anyone who captures it can use it until it expires.

Now we will use this token to authenticate against ValueController. Add an Authorization header whose value is the word Bearer, a space, and the token:

This time you will get the expected output, and no one can read data from ValueController without a valid token. The API is now protected, provided the signing key stays secret, token lifetimes are kept short, and all traffic uses HTTPS.
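The JWT half (the Startup change, TokenController, and the scheme-specific [Authorize] on ValueController), as an added example that is not the post's own listing. It assumes configuration keys Jwt:Key, Jwt:Issuer and Jwt:Audience (the names are mine), a JSON request body for /api/token/create, and the same demo credentials; the TokenValidationParameters and the short token lifetime are what a practitioner would set and are not claimed to match the original sample.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Jwt:Key must be at least 128 bits for HS256 (32+ random bytes is better) and should
        // live in user secrets or the environment, not in appsettings.json.
        var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:Key"]));

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme) // browsers
            .AddCookie(options => options.LoginPath = "/Account/Login")
            .AddJwtBearer(options =>                                                // API clients
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = signingKey,
                    ValidateIssuer = true,
                    ValidIssuer = Configuration["Jwt:Issuer"],
                    ValidateAudience = true,
                    ValidAudience = Configuration["Jwt:Audience"],
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(1), // default is 5 minutes
                };
            });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseStaticFiles();
        app.UseAuthentication();
        app.UseMvc(routes => routes.MapRoute("default", "{controller=Home}/{action=Index}/{id?}"));
    }
}

public class TokenRequest
{
    public string Email { get; set; }
    public string Password { get; set; }
}

[Route("api/[controller]")]
public class TokenController : Controller
{
    private readonly IConfiguration _config;
    public TokenController(IConfiguration config) => _config = config;

    // POST /api/token/create with {"email":"user@gmail.com","password":"password"}
    [HttpPost("create"), AllowAnonymous]
    public IActionResult Create([FromBody] TokenRequest request)
    {
        // Demo credentials from the post; a real app verifies a stored password hash.
        if (request == null || request.Email != "user@gmail.com" || request.Password != "password")
            return Unauthorized();

        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"]));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, request.Email),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), // unique token id
            new Claim(ClaimTypes.Role, "User"),                                   // assumed role
        };
        var token = new JwtSecurityToken(
            issuer: _config["Jwt:Issuer"],
            audience: _config["Jwt:Audience"],
            claims: claims,
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddMinutes(30), // short-lived: a leaked bearer token is usable until it expires
            signingCredentials: creds);

        return Ok(new { token = new JwtSecurityTokenHandler().WriteToken(token), expires = token.ValidTo });
    }
}

[Route("api/[controller]")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)] // 401, not a login redirect
public class ValueController : Controller
{
    [HttpGet]
    public IEnumerable<string> Get() => new[] { "value1", "value2" };
}
```

With this in place a GET to /api/value without a header returns 401 with WWW-Authenticate: Bearer, and the same request with Authorization: Bearer <token> returns the values; the browser pages keep using the cookie scheme because it remains the default.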

I have tried to keep the application as simple as possible; this is the basic configuration process. You can find the source code of the sample project here: JwtWithCookieAuth
