JWT .NET Core implementation clarification required

Time:02-02

I have 3 very basic questions:

  1. What exactly happens in the WriteToken method in the JWT implementation in .NET Core?
  2. When a user passes the token, how does the .NET Core application know that it has to go to the ValidateCurrentToken method in that specific class (we referenced neither the class name nor the method name in startup.cs or program.cs)?
  3. What if I have multiple implementations of the same method (ValidateCurrentToken)? What happens?

Just to better understand the implementation.

CodePudding user response:

What exactly happens in the WriteToken method in the JWT implementation in .NET Core?

The WriteToken method in the JWT implementation in .NET Core is responsible for writing a JSON Web Token (JWT).

Example:

    using System;
    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Claims;
    using System.Text;
    using Microsoft.IdentityModel.Tokens;

    // Enclosing class for the method (the class name is a placeholder).
    public static class TokenIssuer
    {
        // Builds and signs a JWT for the given identity with an HMAC-SHA256 key.
        public static string WriteToken(ClaimsIdentity identity, string securityKey)
        {
            // The shared secret; the library rejects HMAC keys shorter than 128 bits.
            var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(securityKey));
            var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

            // Header and payload: issuer, audience, the caller's claims and a one-hour lifetime.
            var jwt = new JwtSecurityToken(
                issuer: "issuer",
                audience: "audience",
                claims: identity.Claims,
                expires: DateTime.UtcNow.AddHours(1),
                signingCredentials: signingCredentials
            );

            // Serializes header.payload.signature as a compact, base64url-encoded string.
            return new JwtSecurityTokenHandler().WriteToken(jwt);
        }
    }

When a user passes the token, how does the .NET Core application know that it has to go to the ValidateCurrentToken method in that specific class (we referenced neither the class name nor the method name in startup.cs or program.cs)?

The .NET Core application knows to go to the ValidateCurrentToken method in a specific class because of the configuration and setup of the middleware in the Startup.cs file. When you use JWT in .NET Core, you typically use a middleware component, such as the JwtBearer middleware, to handle the process of validating JWTs in incoming HTTP requests.

In the Startup.cs file, you configure the JwtBearer middleware using the UseJwtBearer method, specifying the options and events that it should use. One of the options you can specify is the TokenValidationParameters, which includes the configuration for validating the JWT, such as the signing key, algorithm, and issuer.

When the middleware receives an incoming request with a JWT in the authorization header, it performs the validation process according to the TokenValidationParameters. If the JWT is not valid, the middleware will return a 401 Unauthorized response. If the JWT is valid, the middleware will populate the HttpContext.User principal with the claims from the JWT and continue to process the request.

The actual validation logic, including the call to the "ValidateCurrentToken" method, is implemented within the JwtBearer middleware component and is not referenced directly in the Startup.cs or Program.cs files.

What if I have multiple implementations of the same method (ValidateCurrentToken)? What happens?

We couldn't do that: the JWT authentication middleware contains the settings for validating the token, so you must specify which token validation method you will use for the authentication middleware.
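To make the middleware configuration the answer describes concrete, here is an added example (not code from the original post): a minimal Program.cs wiring the JwtBearer handler to the same issuer, audience and HMAC-SHA256 key that the WriteToken example above uses. The configuration key `Jwt:SigningKey` and the route names are placeholders chosen for this example.

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholder setting: load the secret from configuration or a secret store, never hard-code it.
var signingKey = builder.Configuration["Jwt:SigningKey"]
                 ?? throw new InvalidOperationException("Jwt:SigningKey is not configured");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // These parameters are all the middleware needs when it sees
        // "Authorization: Bearer <token>"; no class or method of your own is referenced.
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "issuer",                       // must match the issuer WriteToken set
            ValidateAudience = true,
            ValidAudience = "audience",                   // must match the audience WriteToken set
            ValidateLifetime = true,                      // rejects tokens past their "exp" claim
            ClockSkew = TimeSpan.Zero,                    // default tolerance is 5 minutes
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey)),
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 } // accept only HS256 signatures
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();

// Order matters: the authentication middleware must run before authorization.
app.UseAuthentication();
app.UseAuthorization();

// Anonymous endpoint: a present token is still parsed, but a missing or invalid one
// does not fail the request.
app.MapGet("/public", () => "no token needed");

// Protected endpoint: a missing or invalid token produces 401 before this lambda runs;
// a valid one populates HttpContext.User with the token's claims.
app.MapGet("/me", (HttpContext ctx) => ctx.User.Identity?.Name ?? "(no name claim)")
   .RequireAuthorization();

app.Run();
```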
