How to use JWT (JSON Web Tokens) in C# AspNetCore sites?

I am trying to put together a website that uses JWT for login. My problem is that I don't understand how the website is supposed to use JWT.

The idea is to split my monolithic architecture into:

  • IdentityServer for JWT authentication and issuance.
  • An ApplicationServer API that has endpoints protected by JWT-based roles.
  • External applications and websites that request JWTs from the IdentityServer and use them to access data on the ApplicationServer.

This will allow me to use one IdentityServer for many projects and possibly develop an interface for third-party developers, and allow me to focus on the details of the application's API.

I have an IdentityServer. It can accept a username / password, validate it, and issue an access token and a refresh token. Super. The access token is short-lived and unsecured and is periodically renewed. The goal is to keep this on the client side, either in the application or in the webpage. The refresh token is longer-lived and is designed for safe storage. On the website, it will be stored on the server side, and in the application it is stored in secure storage for the duration of the session.

I have a foreground website wrapper with some test actions. The user must be authenticated to access them, where authentication means having a valid access token.

  • When the user first requests an action, they don't have a token.
  • The front-end webserver should redirect them to the login page and ask for credentials (username and password).
  • The web server forwards the credentials to the IdentityServer, which should return access and refresh tokens to the web server if the credentials are valid.
  • The web server will cache the refresh token and send the access token back to the web page.
  • The client side web page will then cache the access token and send it with each subsequent page request.
  • The web server will decode the access token, possibly update it if necessary, and send pages with the updated access token.
  • The conversation (session) ends when a request comes in with an outdated access token and enough time has passed for the refresh token to expire and the user is redirected to the login page.

I am a bit lost on how to get the access token back to the webpage.

Also, I don't understand how a webpage can automatically attach a token to every request if there is one, or how a webpage can respond to a 401 call if it doesn't.

Is a cookie the only way to attach data to an HTTP conversation and have it persisted on the client side during navigation?

Are JWTs purely for Single Page Apps (SPAs), where the page is loaded once and all subsequent data is fetched by Ajax (where I can set the header without issue)?

Alternatively, can web pages be written so that they always populate the authorization header with an access token, if one exists?

I realize I might have gotten myself tangled up in this; any help would be appreciated.

1 answer


You should read the Auth0 documentation for the Resource Owner Password Grant: https://auth0.com/docs/api-auth/grant/password

I would keep the refresh token and access token on the client.

My approach would be:

  • The client knows it does not have an access token -> it shows the login button.
  • Login button -> redirect to the authentication server's login page. The redirect includes state / code and a callback URL.
  • The client receives the callback from the user's login and handles it.
  • The client stores the access token and the refresh token (if provided) in local storage.
  • It then passes the access token with each request to the API it wants to access.
  • The API checks that the access token is valid for it, authorizes the request, and completes it. The API doesn't know about refresh tokens.

Hope it helps
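The question asks how a page can attach a token to every request and react to a 401, and the answer outlines the client-side flow. The wrapper below is an added example (not code from the question, the answer, or any library) of that browser side: it reads the cached access token, sends it as a Bearer header, and on a 401 tries one refresh before reporting that the user must log in again. The refresh endpoint URL and its JSON shape (`{refresh_token}` in, `{access_token, refresh_token}` out) are assumptions; `fetchImpl` and `storage` are injected so the same logic runs with `window.fetch`/`localStorage` in a browser or with stubs in Node.

```javascript
// Added example: browser-side fetch wrapper for the flow described in the answer.
// Assumed (not from the page): a refresh endpoint that takes {refresh_token} and
// returns {access_token, refresh_token}. fetchImpl and storage are injected so the
// same logic runs with window.fetch/localStorage or with stubs in a Node test.
function createAuthClient({ fetchImpl, storage, refreshUrl }) {
  const ACCESS = "access_token", REFRESH = "refresh_token";

  function setTokens(accessToken, refreshToken) {
    storage.setItem(ACCESS, accessToken);
    if (refreshToken) storage.setItem(REFRESH, refreshToken);
  }
  function clearTokens() {
    storage.removeItem(ACCESS);
    storage.removeItem(REFRESH);
  }
  // Copy the caller's init and add the Authorization header if we hold a token.
  function withBearer(init) {
    const token = storage.getItem(ACCESS);
    const headers = { ...(init.headers || {}) };
    if (token) headers["Authorization"] = `Bearer ${token}`;
    return { ...init, headers };
  }
  // Exchange the refresh token for a new pair; false means the user must log in again.
  async function tryRefresh() {
    const refreshToken = storage.getItem(REFRESH);
    if (!refreshToken) return false;
    const res = await fetchImpl(refreshUrl, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ refresh_token: refreshToken }),
    });
    if (!res.ok) { clearTokens(); return false; }
    const body = await res.json();
    setTokens(body.access_token, body.refresh_token);
    return true;
  }
  // Drop-in for fetch: attaches the token, and on 401 refreshes once and retries.
  // needsLogin tells the page to send the user to the login screen.
  async function authFetch(url, init = {}) {
    let res = await fetchImpl(url, withBearer(init));
    if (res.status !== 401) return { response: res, needsLogin: false };
    if (!(await tryRefresh())) return { response: res, needsLogin: true };
    res = await fetchImpl(url, withBearer(init));
    return { response: res, needsLogin: res.status === 401 };
  }
  return { authFetch, setTokens, clearTokens };
}
```

Whether the refresh token belongs in browser storage (as the answer suggests) or only on the web server (as the question plans) is a design choice; the wrapper works the same way either side holds it, as long as `tryRefresh` talks to whichever endpoint performs the refresh.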
