Skip to main content

Validating tokens (.NET)

This article contains an example on how to perform validation of JWT tokens in a custom API in .NET. This is just to be seen as a getting-started. Please read current official documentation for up-to-date security perspectives related to methods used.

warning

Don't build your own validation logic unless you absolutely have to and have deep knowledge of security and of the standards used.

For many situations, there will be a built-in way, or approach popular in your community, to handle validation of tokens. The example in this article uses the build-int functionality in .NET, and does not implement its own security validation.

A list of some libraries that can be used can be found on jwt.io/libraries. Refer to the documentation of the specific library selected for more details on JWT tokens, security considerations and how to validate the token.

1. Register and configure the JWT token validation

First, register the JWT token validation and configure the validation parameters.

This example uses functionality built-in to .NET. For which exact parameters to set for your situation, please find and read recommendations on this from trusted sources.

var builder = WebApplication.CreateBuilder(args)
builder.Services.AddAuthentication().AddJwtBearer(options =>
{
options.Audience = "mytenantid:mysystemintegrationname";
options.Authority = myTrustedIssuer;
var p = options.TokenValidationParameters;
p.ValidateAudience = true;
p.ValidateIssuer = true;
p.ValidateIssuerSigningKey = true;
... // set other validation options
// (several others are recommended to be set to have a secure validation, please
// read up on the token validation parameters and determine which settings your
// situation needs)
});
note

The audience name and trusted issuer in the above code is described in the article on Validating Access Tokens.

2. Register authorization policies

The example below register two authorization policies. These can then be reused by using the same policy name when setting up the endpoint.

builder.Services.AddAuthorizationBuilder()
.AddPolicy("MyAdminPolicyName", p =>
{
p.RequireAuthenticatedUser();
p.RequireClaim("mytenantid:mysystemintegrationname", "myadminpermissionname");
})
.AddPolicy("MyUserPolicyName", p =>
{
p.RequireAuthenticatedUser();
p.RequireClaim("mytenantid:mysystemintegrationname", "myuserpermissionname");
});

3. Add the UseAuthentication and UseAuthorization middlewares

Authentication and Authorization is not performed unless the middlewares for this are registered.

var app = builder.Build();

... // other middlewares which should be configured before the authentication/authorization

app.UseAuthentication();
app.UseAuthorization();

... // other middlewares which should be configured after the authentication/authorization

4. Configure your endpoint to use the registered policy

Finally, ensure your policy is executed by adding it on your endpoint (or your endpoint group).

app.MapGet("/my-endpoint", async (ClaimsPrincipal user) =>
{
// Your endpoint logic here. You can use the information in the user parameter to see information from the provided and validated token
}).RequireAuthorization("MyUserPolicyName");