DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Please enter at least three characters to search
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Zones

Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Modernize your data layer. Learn how to design cloud-native database architectures to meet the evolving demands of AI and GenAI workkloads.

Secure your stack and shape the future! Help dev teams across the globe navigate their software supply chain security challenges.

Releasing software shouldn't be stressful or risky. Learn how to leverage progressive delivery techniques to ensure safer deployments.

Avoid machine learning mistakes and boost model performance! Discover key ML patterns, anti-patterns, data strategies, and more.

Related

  • GDPR Compliance With .NET: Securing Data the Right Way
  • How to Enhance the Performance of .NET Core Applications for Large Responses
  • Developing Minimal APIs Quickly With Open Source ASP.NET Core
  • Revolutionizing Content Management

Trending

  • Medallion Architecture: Why You Need It and How To Implement It With ClickHouse
  • Top Book Picks for Site Reliability Engineers
  • Event-Driven Architectures: Designing Scalable and Resilient Cloud Solutions
  • A Developer's Guide to Mastering Agentic AI: From Theory to Practice
  1. DZone
  2. Coding
  3. Frameworks
  4. In-Memory Logins in ASP.NET Core with JWT

In-Memory Logins in ASP.NET Core with JWT

See a simple implementation of in-memory logins with JWTs.

By 
Jawad Hasan Shani user avatar
Jawad Hasan Shani
DZone Core CORE ·
Jan. 10, 21 · Tutorial
Likes (3)
Comment
Save
Tweet
Share
11.1K Views

Join the DZone community and get the full member experience.

Join For Free

Introduction

Some line of business (LOB) applications or internal systems have a predefined set of users and corresponding login information. In situations like those, using a database mechanism to store user information is an overhead. Combine this overhead with Microsoft’s heavy-duty implementation of the Identity framework with persisting concerns in the Entity framework, and you have a recipe for a headache. Those frameworks might be useful in certain situations, but here we have a limited scope and, in situations like this, we can, instead, take a lighter approach towards this functionality.

In this post, we will look at a way to implement authentication functionality in an ASP.NET Core Web application. We will go through all the steps and how things are put together to achieve the desired result. The source code is available in this GitHub repository.

Requirements/Considerations

We’ll need: 

  • Some form of a user-store/service where we can store our user’s credentials.
  • A sign-in mechanism, which will also respond with JSON Web Tokens (JWTs).
  • JWT wiring in ASP.NET Core and handling.

I’ve created a .NET Core Web API project using a Visual Studio project template and this comes with a default controller:

The following picture shows data returned by WeatherForecastController:

Protecting the API With JWTs

First, we will need a Nuget package to include JWTs in our ASP.NET Core pipeline:

Next, I’ve updated the startup.cs file to wire-up a JWT:


With these changes in place, I created another method in WeatherForecastController and protected it with the [Authorize] attribute: 

If we try to call this end-point, it will result in a 401 Unauthorized error as shown below:

So, this confirms that our end-point is now protected from unauthorized access.

Let’s continue and see how we can allow certain users access to protected endpoints.

User Entity and UserService Interface

Let's define a User entity and interface for a service called UserService:

Here is our User class. As you can see, it is very basic:

Next, we created an interface named IUserService as shown below:


UserService Implementation

Let’s implement the IUserService interface. As we can recall from the introduction, we need some sort of user-store to store credentials. This service will act as a data-store for our application's users as well:

You can see that I defined a dictionary with _users to store credentials (notice the use of a tuple in the _users dictionary) and I am populating this dictionary via the constructor. Next, let's see how the ValidateCredentials method is implemented:

I think the code is very simple to follow. We are just finding the user in the dictionary, checking the password, and, if everything is ok, returning the result.

Next, we will register UserService with an IoC container in the startup.cs file.

ASP.NET Core UserService Registration

Please see the image below where I am populating UserName with passwords in a dictionary, passing it to UserService, and then registering UserService as singleton:

So, now wherever in our code we need to access the UserService, it will be available via Dependency Injection.

Login, Claims, and Response

So, we have a user-store, a way to validate credentials, and, now, we need a way to allow users to get JWTs by providing their user name and password. Once this token is received, users or client applications can include it as an Authorization Header to access protected endpoints.

This code is mostly infrastructure code, and there are a lot of examples online that utilize a similar mechanism for JWTs. So, we will start by creating a new controller called AuthController:

We are injecting UserService via dependency injection, and we have only one SingIn endpoint, which accepts a SignInModel via HTTP POST.

I have added a few classes to the project. These classes are used as a data-bag to move data around, and we will see how those are being used in a moment:

Let’s see the code for the SignIn method:

Here, we are validating credentials, creating a couple of claims, creating an instance of UserAuth (see class above), and returning it to the caller.

Before we check out the code for TokenUtils.BuildUserAuthObject(), let's see the output of this method. I used Postman to make an HTTP POST to the signin endpoint with UserName and Password:

This call returns bearerToken along with some other data. Now we can use this bearerToken to access restricted endpoints. We just need to add it as an Authorization header in the HTTP request: 

As you can see, this time, data was returned from the protected endpoint. So a bearer token is returned when we make a call with a valid username and password, and then we use that bearer token with other HTTP requests to access protected data.

Token Generation

Now, let’s see how the bearer token is being generated. It is very boiler-plate code, and if something is not clear, feel free to ask in the comments:

Hashing Passwords

Our implementation is finished, but it can be improved. We are currently storing the password in memory and in plain-text. However, if we want, we can store the password hash instead.

I added the Bcrypt.Net-Next nuget package to the solution:


Now in the UserService constructor, use its HashPassword method as shown below:

We also need to update the verify mechanism for the password as shown below:

With these changes in place, we have a hashed password in memory, and it's more secure.

Summary

We saw how we can implement in-memory logins for simple applications. Even small, this is a very secure mechanism utilizing JWTs and BCrypt nuget packages. You can further extend it by connecting it with database persistence or adding more capabilities to the in-memory store, e.g. Registering New Users can be done easily.

You can download the source code from this git repository. If you have some comments or questions, feel free to ask. Till next time, happy coding.

ASP.NET ASP.NET Core JWT (JSON Web Token)

Published at DZone with permission of Jawad Hasan Shani. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

  • GDPR Compliance With .NET: Securing Data the Right Way
  • How to Enhance the Performance of .NET Core Applications for Large Responses
  • Developing Minimal APIs Quickly With Open Source ASP.NET Core
  • Revolutionizing Content Management

Partner Resources

×

Comments
Oops! Something Went Wrong

The likes didn't load as expected. Please refresh the page and try again.

ABOUT US

  • About DZone
  • Support and feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends:

Likes
There are no likes...yet! 👀
Be the first to like this post!
It looks like you're not logged in.
Sign in to see who liked this post!