Public bool CheckUser(string username, string password) Throw new HttpResponseException(HttpStatusCode.Unauthorized) Return JwtManager.GenerateToken(username) Public string Get(string username, string password) This is naive endpoint for demo, it should use Basic authentication Instead of using OWIN middleware, you can simply provide a JWT token endpoint by using a controller action: public class TokenController : ApiController But, if you want to add more information into JWT, it's up to you: it's very flexible. But this way, you have to re-build new local identity (principal) to add more information like roles, if you want to do role authorization, etc. In the demo I've created (github), to keep the JWT token lightweight, I only store username and expiration time. The simple concept is how to provide JWT token and how to validate the token when the request comes. Now, in order to use JWT authentication, you don't really need an OWIN middleware if you have a legacy Web Api system. Therefore, JWT must be transferred over HTTPs if you store any sensitive information in its claims. Technically, JWT uses a signature which is signed from headers and claims with security algorithm specified in the headers (example: HMACSHA256). If you use the website jwt.io with the token above, you can decode the token and see it like below:
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |