Reputation: 5867
I am trying to implement JWT token based authentication in Web API using System.IdentityModel.Tokens.Jwt and Identity.
I am following this
Web.config
<appSettings>
  <add key="issuer" value="http://localhost/" />
  <add key="secret" value="IxrAjDoa2FqElO7IhrSrUJELhUckePEPVpaePlS_Xaw" />
</appSettings>
Though I was able to successfully implement and run the application with authentication, I am not sure what these settings are for. Whatever I give in issuer, the application still works as expected. Can someone please provide some insights on issuer and secret?
I am using Postman to test the token and the API.
Upvotes: 0
Views: 2785
Reputation: 74
On the same site where you followed the tutorial (Create a RESTful API with authentication using Web API and Jwt), he says this about the properties:
Issuer - a unique identifier for the entity that issued the token (not to be confused with Entity Framework’s entities)
Secret - a secret key used to secure the token and prevent tampering
But to try and explain this a little more precisely: the issuer is basically the server or site or whatever that issues the token to the client. And the secret is something that the server (or whatever) knows about. The secret can be used to create a signature that can verify that messages haven't been altered on the way. More on that on jwt.io (JWT Secret):
To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
Hope this helps!
Upvotes: 1
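How the two settings take effect when a token is validated, as an added example that is not from the tutorial or from the answer above: a standard-library Python sketch of HS256 signing and checking, not the System.IdentityModel.Tokens.Jwt API. The secret value, the `sub` and `role` claims and all function names are constructed for illustration; only the issuer value `http://localhost/` comes from the question's Web.config.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed value, not the secret on the page
ISSUER = "http://localhost/"         # issuer value from the question's Web.config

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header_b64: str, payload_b64: str, secret: bytes) -> str:
    # Signature = HMAC-SHA256(secret, "<encoded header>.<encoded payload>")
    msg = f"{header_b64}.{payload_b64}".encode()
    return b64url(hmac.new(secret, msg, hashlib.sha256).digest())

def issue(claims: dict, secret: bytes) -> str:
    header_b64 = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url(json.dumps(claims).encode())
    return f"{header_b64}.{payload_b64}.{sign(header_b64, payload_b64, secret)}"

def validate(token: str, secret: bytes, expected_issuer: str) -> dict:
    try:
        header_b64, payload_b64, signature = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm; never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = sign(header_b64, payload_b64, secret)
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # The issuer matters only because this comparison is made.
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    return claims

def tamper(token: str) -> str:
    # Constructed test input: change a claim but keep the old signature.
    header_b64, payload_b64, signature = token.split(".")
    claims = dict(json.loads(b64url_decode(payload_b64)), role="admin")
    return f"{header_b64}.{b64url(json.dumps(claims).encode())}.{signature}"

def outcome(token: str, secret: bytes = SECRET, issuer: str = ISSUER) -> str:
    try:
        return validate(token, secret, issuer)["sub"]
    except ValueError as exc:
        return str(exc)
```

The secret affects every validation because the signature is recomputed from it, while the issuer has an effect only when the validating side compares the token's `iss` claim with the value it expects.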