AntonioSk
Reputation: 526
Getting 401 Unauthorized with a valid JWT token
I have built an API to register an user or log an user in. If the user login is sucessfull it returns a JWT token which is an hour valid. I have added [Authorize] at the top of the controller I want to get the data from but it keeps returning Unauthorized 401 in Postman even when I added the token to the request. I have tried all solutions people commented on other blogs but nothing worked for me. Could someone help me out or has the same issue?
Startup class:
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new Microsoft.OpenApi.Models.OpenApiInfo { Title = "AuthApi", Version = "v1" });
});
services.AddControllers().AddNewtonsoftJson(options =>
options.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore
);
services.AddCors(c =>
{
c.AddPolicy("def", builder =>
{
builder.WithOrigins("http://localhost:4200").AllowAnyMethod().AllowAnyHeader().AllowCredentials();
});
});
// For Entity Framework
services.AddDbContext<ApplicationDbContext>(options => options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
// For Identity
services.AddIdentity<ApplicationUser, IdentityRole>(o =>
{
// configure identity options
o.Password.RequireDigit = false;
o.Password.RequireLowercase = false;
o.Password.RequireUppercase = false;
o.Password.RequireNonAlphanumeric = false;
o.Password.RequiredLength = 6;
})
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();
// Adding Authentication
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
// Adding Jwt Bearer
.AddJwtBearer(options =>
{
options.SaveToken = true;
options.RequireHttpsMetadata = false;
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = true,
ValidateAudience = true,
ValidAudience = Configuration["JWT:ValidAudience"],
ValidIssuer = Configuration["JWT:ValidIssuer"],
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["JWT:Secret"]))
};
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseSwagger();
app.UseSwaggerUI(c =>
{
c.SwaggerEndpoint("swagger/v1/swagger.json", "LoginAPI v1");
c.RoutePrefix = string.Empty;
});
app.UseCors("def");
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
Controller class I want to retrieve data from:
namespace auth.Controllers
{
[Authorize]
[ApiController]
[Route("[controller]")]
public class WeatherForecastController : ControllerBase
{
private static readonly string[] Summaries = new[]
{
"Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
};
private readonly ILogger<WeatherForecastController> _logger;
public WeatherForecastController(ILogger<WeatherForecastController> logger)
{
_logger = logger;
}
[HttpGet]
public IEnumerable<WeatherForecast> Get()
{
var rng = new Random();
return Enumerable.Range(1, 5).Select(index => new WeatherForecast
{
Date = DateTime.Now.AddDays(index),
TemperatureC = rng.Next(-20, 55),
Summary = Summaries[rng.Next(Summaries.Length)]
})
.ToArray();
}
}
}
My Authentication controller for logging an user in:
[HttpPost]
[Route("login")]
public async Task<IActionResult> Login([FromBody] LoginModel model)
{
// Finds and returns a user, if any, who has the specified user name.
var user = await userManager.FindByNameAsync(model.Username);
// Checks if username was valid to an user and
// returns a flag indicating whether the given password is valid for the specified user.
if (user != null && await userManager.CheckPasswordAsync(user, model.Password))
{
// Gets a list of role names the specified user belongs to.
var userRoles = await userManager.GetRolesAsync(user);
var authClaims = new List<Claim>
{
new Claim(ClaimTypes.Name, user.UserName),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString())
};
// Loop through the user roles
// Add all userRoles as a claim to authClaims
foreach (var userRole in userRoles)
{
authClaims.Add(new Claim(ClaimTypes.Role, userRole));
}
// Generates a key to sign in
var authSigninKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JWT:Secret"]));
// Create the token
var token = new JwtSecurityToken(
issuer: _configuration["JWT:ValidIssuer"],
audience: _configuration["JWT:Audience"],
expires: DateTime.Now.AddHours(3),
claims: authClaims,
signingCredentials: new SigningCredentials(authSigninKey, SecurityAlgorithms.HmacSha256)
);
return Ok(new
{
token = new JwtSecurityTokenHandler().WriteToken(token),
SecurityTokenNoExpirationException = token.ValidTo
});
}
return Unauthorized();
}
Output:
Appsettings.json:
Upvotes: 1
Views: 1316
Answers (1)
BNG016
Reputation: 310
Recap
In my case I was not using any Identity Server Yet I was providing the Host as a ValidIssuer.
It validated the Authority for the algo and keys which returned nothing, this caused the system to throw an unhandled exception.
Solved this By Removing options.Authority from JwtBearerOptions in AddJwtBearer(options => ...).
After that I faced the 401 ERROR, resolved it by removing options.Audience from JwtBearerOptions in AddJwtBearer(options => ...), Also added ValidateLifetime to TokenValidationParameters (which you can see below in part 1)
Code
PART (1) JWT Configuration
in .NET 6 :
builder.services.AddAuthentication(options =>
{
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.RequireHttpsMetadata = false;
options.SaveToken = true;
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuerSigningKey = jwtSettings.ValidateIssuerSigningKey,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSettings.IssuerSigningKey)),
ValidateIssuer = jwtSettings.ValidateIssuer,
ValidIssuer = jwtSettings.ValidIssuer,
ValidateAudience = jwtSettings.ValidateAudience,
ValidAudience = jwtSettings.ValidAudience,
RequireExpirationTime = jwtSettings.RequireExpirationTime,
ValidateLifetime = jwtSettings.RequireExpirationTime,
ClockSkew = TimeSpan.FromDays(1),
};
});
Extra
GET your JWT Settings from Appsettings using Either this Where
"JsonWebTokenKeys"
is the name of section in configuration :
var jwtSettings = new JwtSettings();
Configuration.Bind("JsonWebTokenKeys", jwtSettings);
builder.services.AddSingleton(jwtSettings);
//PART (1) => JWT Configuration goes here
//..
//..
OR this :
services.Configure<JwtSettings>(configuration.GetSection("JsonWebTokenKeys"));
using (ServiceProvider serviceProvider = services.BuildServiceProvider())
{
var jwtSettings = serviceProvider.GetRequiredService<IOptions<JwtSettings>>().Value;
//PART (1) => JWT Configuration goes here
//..
//..
}
Upvotes: 1
Related Questions
- ASP.NET core JWT authentication always throwing 401 unauthorized
- JWT token error 401 Unauthorized in .net core 3.1
- .NET Core JWTBearerAuth returning "Unauthorized"
- Authorize using JWT token still returning unauthorized
- JWT always return unauthorized 401 on .net core api
- Getting 401 Unauthorized with valid access token using identity server 4
- Asp.Net Web Api JWT Authorization With Identity Always Getting 401
- Token based authentication with Jwt fails to authorize
- Jwt token always return 401 .net core 3.1 web api
- Web API giving 401 on JWT