how to implement JWT token using .net core 8 web api

Question

how to implement JWT token using .net core 8 web api

coder rock 436

I am new to jwt token generation and as well as .NET core 8 web Api, so now i am building nurse recruitment portal backend implementation from scratch so below I have written code for jwt token generation and i want to check its correct way of implement from scratch. Can you suggest for build backend application according industry standards

appsetting.json

User's image

I have created Data folder name and inside created dbcontext file like this Data/ApplicationDbContext.cs

User's image

User's image Below is my jwt token generation code if user is exist then returning token of this location Controller/Usercontroller.cs

using coreapidotnet8.Models;

using coreapidotnet8.Services.Users;

using Microsoft.AspNetCore.Mvc;

using Microsoft.IdentityModel.Tokens;

using System.IdentityModel.Tokens.Jwt;

using System.Security.Claims;

using System.Text;

namespace coreapidotnet8.Controllers

{

[ApiController]

[Route("[controller]")]

public class UserController : ControllerBase

{

    private readonly IUserRepository _userRepository;

    public UserController(IUserRepository userRepository)

    {

        _userRepository = userRepository;

    }

    [HttpGet("GetallLoginDetails")]

    public async Task<ActionResult<List<LoginDetails>>> GetallLoginDetails()

    {

        //return await _context.LoginDetails.ToListAsync();

        var logins = await _userRepository.GetAllLoginDetailsAsync();

        return Ok(logins);

    }

    [HttpGet("GetLoginDetailsById")]

    public async Task<ActionResult<LoginDetails>> GetLoginDetailsById(string? Username, string? Password)

    {

        //return await _context.LoginDetails.ToListAsync();  GetLoginDetailsById

        var logins = await _userRepository.GetLoginDetailsById(Username, Password);

        if (logins == null || logins.Count == 0)

            return BadRequest("User is not valid");

            var token = GenerateJwtToken();

        return Ok(token);

    }



    private string GenerateJwtToken()

    {

        var tokenHandler = new JwtSecurityTokenHandler();

        var key = Encoding.ASCII.GetBytes("xxxxxxxassaaaaaaasdddxxxxxxxxxxxxxxxx");

        var tokenDescriptor = new SecurityTokenDescriptor

        {

            Subject = new ClaimsIdentity(new[] { new Claim("id", "testuser"), new Claim(ClaimTypes.Role, "Admin") }),

            Issuer = "https://localhost:7054",

            Audience = "https://localhost:7054",

            Expires = DateTime.UtcNow.AddDays(7),

            SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)

        };

        var token = tokenHandler.CreateToken(tokenDescriptor);

        return tokenHandler.WriteToken(token);

    }

    [HttpPost("authenticate")]

    public async Task<IActionResult> Authenticate()

    {

        //Here you could pass user to generatejwttoeknmethod to generate the token based on the user

        var token = GenerateJwtToken();

        if (token == null)

            return BadRequest(new { message = "Username or password is incorrect" });

        return Ok(token);

    }

    public async Task<IActionResult> Register()

    {

        return Ok();

    }

}

}

AgaveJoe 30,036 Reputation points

2025-04-13T11:34:30.8233333+00:00

The demo code you've provided is a very basic outline. There is not enough information to evaluate whether you are on the right path or not.

What kinds of clients will be accessing your Web API? For example, are they web applications, mobile apps, desktop applications, other services, or a combination of these?

Where are your Web API and client applications located relative to each other? Are they all within the same network (on-premise)? Are you building a cloud-based application? Is it a multi-tiered architecture, and if so, are the tiers logical or physically separate?
coder rock 436 Reputation points

2025-04-14T09:41:11.4766667+00:00

come to your first point already informed you that I am new to .NET core 8 web Api, I have taken above code by googled so that what I posted the code going to correct way from scratch if you provide code that will be helpful. my code is working returning token but i am trying to build application according to industry standard.

actually, I am building nurse recruitment portal that is based on web application using angular technology front

application will host in same network.

Are you building a cloud-based application? what i am doing with my existing project we are deploying manual code into AWS folder copy and paste(after build of web api project then copying dll file and pasting into AWS folder manually same for Angular also). I dont have much aware of Cloud.

In my carrier i have worked with repository pattern and factory pattern (these architects use in asp.net MVC application). Thats why asking for asp.net core what should I have to used? multi-tiered architecture? I don't know about multi-tiered architecture, but I have used folder structure like below.

Accepted answer

1 additional answer

Your answer

AgaveJoe 30,036 Reputation points

2025-04-13T11:34:30.8233333+00:00

The demo code you've provided is a very basic outline. There is not enough information to evaluate whether you are on the right path or not.

What kinds of clients will be accessing your Web API? For example, are they web applications, mobile apps, desktop applications, other services, or a combination of these?

Where are your Web API and client applications located relative to each other? Are they all within the same network (on-premise)? Are you building a cloud-based application? Is it a multi-tiered architecture, and if so, are the tiers logical or physically separate?
coder rock 436 Reputation points

2025-04-14T09:41:11.4766667+00:00

come to your first point already informed you that I am new to .NET core 8 web Api, I have taken above code by googled so that what I posted the code going to correct way from scratch if you provide code that will be helpful. my code is working returning token but i am trying to build application according to industry standard.

actually, I am building nurse recruitment portal that is based on web application using angular technology front

application will host in same network.

Are you building a cloud-based application? what i am doing with my existing project we are deploying manual code into AWS folder copy and paste(after build of web api project then copying dll file and pasting into AWS folder manually same for Angular also). I dont have much aware of Cloud.

In my carrier i have worked with repository pattern and factory pattern (these architects use in asp.net MVC application). Thats why asking for asp.net core what should I have to used? multi-tiered architecture? I don't know about multi-tiered architecture, but I have used folder structure like below.

Answer 1

Please try the followings:

(1) Create Web API project with Authentication type: None.

enter image description here

(2) Install NuGet package Microsoft.AspNetCore.Authentication.JwtBearer.

enter image description here

(3) Register JWT authentication scheme in Program.cs.

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Text;

namespace WebApi
{
    public class Program
    {
        public static void Main(string[] args)
        {
            var builder = WebApplication.CreateBuilder(args);

            // Register JWT authentication scheme
            builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateIssuer = true,
                        ValidateAudience = true,
                        ValidateLifetime = true,
                        ValidateIssuerSigningKey = true,
                        ValidIssuer = builder.Configuration["Jwt:Issuer"],
                        ValidAudience = builder.Configuration["Jwt:Issuer"],
                        IssuerSigningKey = new SymmetricSecurityKey(
                            Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!))
                    };
                });

            // other code (omitted)
        }
    }
}

(4) Add Key and Issuer to appsettings.json

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "Jwt": {
    "Key": "veryVerySecretKeyWhichMustBeLongerThan32",
    "Issuer": "https://localhost:44362"
  }
}

(5) Add API which verifies username and password sent from user and returns JWT.

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Text;

namespace WebApi.Controllers
{
    [Route("api/[controller]")]
    [ApiController]
    public class TokenController : ControllerBase
    {
        private readonly IConfiguration _config;

        public TokenController(IConfiguration config)
        {
            _config = config;
        }

        [AllowAnonymous]
        [HttpPost]
        public IActionResult CreateToken([FromBody] LoginModel login)
        {
            string? id = login.Username;
            string? pw = login.Password;
            IActionResult response = Unauthorized();

            if (!string.IsNullOrEmpty(id) && !string.IsNullOrEmpty(pw))
            {
                if (VerifyUser(id, pw))
                {
                    var tokenString = BuildToken();
                    response = Ok(new { token = tokenString });
                }
            }

            return response;
        }

        private bool VerifyUser(string id, string pw)
        {
            // verify id and password sent from user (code omitted)            
            // simply return true in this sample
            return true;
        }

        private string BuildToken()
        {
            var key = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(_config["Jwt:Key"]!));

            var creds = new SigningCredentials(
                key, SecurityAlgorithms.HmacSha256);

            var token = new JwtSecurityToken(
                issuer: _config["Jwt:Issuer"],
                audience: _config["Jwt:Issuer"],
                claims: null,
                notBefore: null,
                expires: DateTime.Now.AddMinutes(30),
                signingCredentials: creds);

            return new JwtSecurityTokenHandler().WriteToken(token);
        }

        public class LoginModel
        {
            public string? Username { get; set; }
            public string? Password { get; set; }
        }
    }
}

coder rock 436 Reputation points

2025-04-14T09:49:34.9733333+00:00

my code is working and generating token if username and password is correct. Can you suggest why i have to use your code and also suggest which architech pattern i should used? In above comment mentioned points clearly. As you told I am build from sctrach this web Api code 8 application.
SurferOnWww 4,391 Reputation points

2025-04-14T10:21:55.32+00:00

What is your issue?

You questioned;

how to implement JWT token using .net core 8 web api

To respond above I gave you my answer.

If you want to go on your way without listening opinion form others you are not supposed to ask question here.
coder rock 436 Reputation points

2025-04-14T11:13:15.9033333+00:00

just i am asking its correct what i have build? what i have share folder structure into the root according to industry standard?
SurferOnWww 4,391 Reputation points

2025-04-14T14:45:19.6966667+00:00

If you think what you are doing is correct, it is correct for you in your world. Nobody knows your world. Therefore, you are not supposed to ask question here as long as you stick with your world.
coder rock 436 Reputation points

2025-04-14T14:58:47.2366667+00:00

yes bro you are correct, but experience person will give more suggestion as above comment answer talking about multi-tiered architecture but event, I am listening first time.
SurferOnWww 4,391 Reputation points

2025-04-15T00:53:38.3433333+00:00

but experience person will give more suggestion

Why don't you compare your code with my code? You will be able to find the differences such as store of key and issuer, use of JwtSecurityToken class, coding style and others. The differences will definitely give you "suggestion."

Answer 2

Bruce (SqlWork.com) 75,051

other than key management (keys in source code is high risk), your code is valid if the JWT issuer and validator are the same site. if at some point two sites are involved (say single sign on), then you have a security risk with using symmetric key for the JWT. you should switch to asymmetric keys.

the most difficult part is securing the signing keys. you probably need some secrets store.

Share via

how to implement JWT token using .net core 8 web api

1 additional answer

Your answer