How to authenticate users of ASP.Net Core website with JWT?

Question

I am wondering, if JWT should be attached to the header of my request manually, how can I use JWT to authenticate the users of my ASP.Net Core website?

In other words, how can I tell my browser to attach the token in the header when sending the request to my server? Let us say the user of my website got this token from one of my website's API.

Or is JWT usable only for WebAPI (where I can manually build the request)?

Answer 1

There are different ways to use JWT tokens. Since JWT is just a token format, it does imply the method used for authentication.

However, JWTs are mainly used for Bearer authentication scheme, which requires adding a custom header to each request. Single page applications (SPAs) that create requests in JavaScript on the client to access API endpoints can do that which is why Bearer+JWT is used a lot in SPAs. SPAs also benefit from the embedded JSON format since they can read expiration dates and other information (claims embedded in the token, ID token contents obtained via OpenID Connect etc.).

For "traditional" server-rendered views and links, using JWTs is hard since they'd have to be set as cookie or made part of the URL (practically impossible because of URL length restrictions). ASP.NET Core 2.0 does not contain any JWT-based cookie logic but it is possible to create a custom implementation using JWTs as cookies. See this GitHub project and related blog post for a sample implementation. Note that the only benefit of using JWTs in cookie authentication is that the server doesn't have to persist cookie information and share cookies across multiple instances.

To sum up the current state:

• Prefer default cookie authentication when you use server-side rendering and links to avoid creating custom cookie implementations.
• Prefer JWT bearer authentication if you have single page applications (SPAs) apps that build requests in javascript/typescript on the client.