ASP.NET Core Self-created token authentication example
A simple example of how to protect an ASP.NET Core Web API project using simple self-created JWT bearer tokens for local username/password checking. Working against dotnet core 1.0.1 as of 04/12/2016 - see the rc1, beta8 and beta7 branches if you're using older framework versions.
DO NOT USE AS-IS IN PRODUCTION
This example shows the principles required to achieve local token authentication, and the following things should be changed before production usage:
- The random-generated private keys in Startup.cs should be changed and factored out to some sort of secure storage and shared amongst all app servers serving your site. Using the data protection API to ensure the keys are rotated and secured would be perfect, but I've not worked out how to do that yet (please submit a pull request if you get that working!).
- The error handling is very simple and may leak application information to end users, since it returns the exception message.
- The username and password checking using an "if" statement should be replaced with checking against some sort of repository, and identities generated from that.
- Consider whether the token refresh strategy (the TokenController Get action) is appropriate for your application; this StackOverflow question and answer may help you decide what is best.
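As an added example (not code from this repository), this is what the first and third points above might look like once addressed: the signing key is read from configuration instead of being generated at random in Startup.cs, the bearer middleware validates signature, issuer, audience and lifetime, and issued tokens are short-lived. The `Tokens:Key` configuration path, the issuer and audience strings, and the 20-minute lifetime are assumed values, not anything this project defines.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Tokens;

public static class TokenConfig
{
    // Assumed values; in a deployment these would come from configuration too.
    const string Issuer = "ExampleIssuer", Audience = "ExampleAudience";

    // Reads the HMAC secret from configuration ("Tokens:Key" is an assumed path, e.g. fed from
    // user-secrets or an environment variable) so every app server shares one key.
    public static SymmetricSecurityKey SigningKey(IConfiguration config)
    {
        var secret = config["Tokens:Key"];
        if (string.IsNullOrEmpty(secret) || Encoding.UTF8.GetByteCount(secret) < 32)
            throw new InvalidOperationException("Tokens:Key must be set and at least 256 bits long for HS256");
        return new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
    }

    // Settings for the bearer middleware: signature, issuer, audience and lifetime
    // are all validated, with a tighter clock skew than the five-minute default.
    public static TokenValidationParameters ValidationParameters(IConfiguration config) =>
        new TokenValidationParameters
        {
            IssuerSigningKey = SigningKey(config),
            ValidateIssuerSigningKey = true,
            ValidIssuer = Issuer,
            ValidateIssuer = true,
            ValidAudience = Audience,
            ValidateAudience = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1)
        };

    // Issues a short-lived token for an identity the caller has already checked
    // against its user store (the part the README's "if" statement stands in for).
    public static string Issue(ClaimsIdentity identity, IConfiguration config)
    {
        var handler = new JwtSecurityTokenHandler();
        var now = DateTime.UtcNow;
        var token = handler.CreateJwtSecurityToken(
            issuer: Issuer, audience: Audience, subject: identity,
            notBefore: now, expires: now.AddMinutes(20),
            signingCredentials: new SigningCredentials(SigningKey(config), SecurityAlgorithms.HmacSha256));
        return handler.WriteToken(token);
    }
}
```

Pass `ValidationParameters(Configuration)` as the `TokenValidationParameters` of the JWT bearer middleware in Startup so that every server checking a token uses the same key and the same validation rules.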
You can find more information about the principles in my StackOverflow answer here. This strategy is based on this StackOverflow answer to the same question by @mdekrey, updated for ASP.NET Core 1.0.1 and rationalised to be a slightly simpler, complete example.