Last post May 29, 2018 07:08 AM by Edward Z
May 24, 2018 11:19 AM|Stanley___|LINK
I have two apps.
1) ASP.NET Core 2.0 MVC App with JWT authentication implemented.
2) ASP.NET Core 2.0 API app.
Now I want to secure the API app without using any 3rd party identity provider. The user logs in to the MVC app with their username and password, gets a JWT token, and then calls the API with this token. How does the API understand this token without registering the API with an Identity Provider?
May 24, 2018 01:25 PM|mgebhard|LINK
My best guess is you are trying to build a custom identity server using JWT and OAuth?
The first step is understanding the OAuth specs. I've read different parts of the spec several times over the last year or so. IMHO, this is the best way to learn the spec.
You'll also want to make sure you understand how JWTs work.
"How does the API understand this token without registering the API with an Identity Provider?"
Commonly, it is the API's responsibility to validate the JWT. JWTs are signed by public/private keys to detect if the payload changed. Once the client has the JWT, there is no need to visit the token service unless refreshing the token. There are other approaches, like storing the token in a DB and giving the client a key to the token. In this design the client must send the key to the token service and the service validates the token.
Frankly, there is no easy answer to this question.
Here is an older OWIN example that you can port to Core relatively easily.
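The API-side validation described in the reply above, sketched for ASP.NET Core 2.0 as an added example that is not part of the original thread or the linked OWIN sample. The configuration keys `Jwt:SigningCertPath`, `Jwt:Issuer` and `Jwt:Audience` are assumed names, and the MVC app is assumed to sign tokens with the private key matching the certificate the API loads.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _config;

    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // Public certificate only (assumed config key). The private key stays
        // with the MVC app that issues tokens, so the API can verify but not mint.
        var signingCert = new X509Certificate2(_config["Jwt:SigningCertPath"]);

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject tokens whose signature does not verify against the issuer's key.
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = new X509SecurityKey(signingCert),
                    // Accept only tokens minted by the MVC app (assumed config key).
                    ValidateIssuer = true,
                    ValidIssuer = _config["Jwt:Issuer"],
                    // Accept only tokens intended for this API (assumed config key).
                    ValidateAudience = true,
                    ValidAudience = _config["Jwt:Audience"],
                    // Enforce exp/nbf; the default skew is 5 minutes.
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(1)
                };
            });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must run before MVC so [Authorize] sees the user
        app.UseMvc();
    }
}
```

With this in place, controllers marked `[Authorize]` accept requests carrying the token in an `Authorization: Bearer` header, and the API never calls back to the issuing app to validate it.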
May 24, 2018 02:39 PM|Stanley___|LINK
Heaps of thanks, AgaveJoe. I will take time to read your answer here, and play with it myself to see if I can work it out. I will come back and add comments at the weekend. Again, thanks.
May 29, 2018 07:08 AM|Edward Z|LINK
Do you have any update about this issue?