Integrating with .NET API
This guide explains how to implement JWT authentication in your .NET API using AuthAction’s JWKS (JSON Web Key Set) endpoint. You’ll learn how to secure your API endpoints using JWT tokens issued by AuthAction.
Example Repository: For a complete working example, check out our example repository.
Prerequisites
Before you begin, ensure you have:
- .NET 8.0 SDK or later: Download from dotnet.microsoft.com
- AuthAction Account: You’ll need your AuthAction tenant domain and API identifier
Configuration
1. Install Required Packages

Add the following NuGet packages to your project:

```shell
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer
dotnet add package Microsoft.IdentityModel.Protocols.OpenIdConnect
```
2. Configure AuthAction Settings
Add the following configuration to your appsettings.json:

```json
{
  "Auth": {
    "Authority": "https://your-authaction-tenant-domain/",
    "Audience": "your-authaction-api-identifier"
  }
}
```

Replace:
- your-authaction-tenant-domain with your AuthAction tenant domain
- your-authaction-api-identifier with your API identifier
3. Configure JWT Authentication
In your Program.cs, add the following configuration:

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Authority is the issuer; the middleware discovers the JWKS from it
        // and fetches the signing keys automatically.
        options.Authority = builder.Configuration["Auth:Authority"];
        options.Audience = builder.Configuration["Auth:Audience"];
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true
        };
    });

builder.Services.AddAuthorization();

// ... other service configurations ...

var app = builder.Build();

// Authentication must run before authorization in the request pipeline.
app.UseAuthentication();
app.UseAuthorization();
```
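The snippet above relies on the middleware's defaults for which signing algorithms are accepted and gives no server-side visibility into why a token was rejected. The following is an added example, not code from this guide or from AuthAction: a complete Program.cs that pins the signing algorithm to RS256, refuses to fetch discovery metadata over plain HTTP, logs the reason for each failed validation, and exposes the `/protected` endpoint that the testing section calls. It assumes the same `Auth:Authority` and `Auth:Audience` settings, the default implicit usings of the ASP.NET Core Web SDK, and that AuthAction's discovery document advertises the issuer value (the middleware fills `ValidIssuer` from it when `Authority` is set).

```csharp
// Added example (not from the original guide): hardened Program.cs.
// Assumes "Auth:Authority" and "Auth:Audience" exist in appsettings.json.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Fail fast at startup rather than accepting every token because the
// audience or authority happens to be empty.
var authority = builder.Configuration["Auth:Authority"]
    ?? throw new InvalidOperationException("Auth:Authority is not configured");
var audience = builder.Configuration["Auth:Audience"]
    ?? throw new InvalidOperationException("Auth:Audience is not configured");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The JWKS is discovered via {Authority}/.well-known/openid-configuration;
        // keys are cached and refreshed when an unknown "kid" is seen.
        options.Authority = authority;
        options.Audience = audience;
        // Never fetch the discovery document or JWKS over plain HTTP.
        options.RequireHttpsMetadata = true;
        // Keep JWT claim names (e.g. "sub") instead of remapping them to
        // legacy ClaimTypes URIs.
        options.MapInboundClaims = false;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            // ValidIssuer is taken from the discovery document when Authority
            // is set; set it explicitly only if you know the exact "iss"
            // string (note the trailing slash).
            ValidateAudience = true,
            ValidAudience = audience,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            // Accept only the algorithm AuthAction signs with; a token whose
            // header names any other algorithm is rejected outright.
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
            // Default is 5 minutes; tighten it if your clocks are reliable.
            ClockSkew = TimeSpan.FromSeconds(30),
        };

        options.Events = new JwtBearerEvents
        {
            // Record why a token failed server-side. The client still only
            // receives a generic 401 with a WWW-Authenticate header.
            OnAuthenticationFailed = ctx =>
            {
                var logger = ctx.HttpContext.RequestServices
                    .GetRequiredService<ILogger<Program>>();
                logger.LogWarning(ctx.Exception,
                    "JWT rejected for {Path}: {Reason}",
                    ctx.HttpContext.Request.Path, ctx.Exception.GetType().Name);
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();

app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// Minimal-API endpoint matching the "curl ... /protected" call used for testing.
app.MapGet("/protected", (HttpContext ctx) => new
{
    message = "authenticated",
    subject = ctx.User.FindFirst("sub")?.Value,
}).RequireAuthorization();

app.MapControllers();
app.Run();
```

Pinning `ValidAlgorithms` is the setting that directly backs the "signed with RS256" check listed under Common Issues: with it in place, a token that reaches the handler with a different `alg` is refused before any key lookup happens, and the `OnAuthenticationFailed` log line tells you which validation exception was raised.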
1. Protect Your Endpoints
Add the [Authorize] attribute to your controllers or actions that require authentication:

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("[controller]")]
public class WeatherForecastController : ControllerBase
{
    [Authorize]
    [HttpGet]
    public IEnumerable<WeatherForecast> Get()
    {
        // Your protected endpoint logic
    }
}
```
2. Testing the API
To test your protected endpoints, you’ll need to:

- Obtain an Access Token

  Use the client credentials flow to get a token:

  ```shell
  curl --request POST \
    --url https://your-authaction-tenant-domain/oauth2/m2m/token \
    --header 'content-type: application/json' \
    --data '{"client_id": "your-authaction-m2m-app-clientid","client_secret": "your-authaction-m2m-app-client-secret","audience": "your-authaction-api-identifier","grant_type": "client_credentials"}'
  ```

- Call Protected Endpoints

  Use the token to access protected endpoints:

  ```shell
  curl --request GET \
    --url http://localhost:5287/protected \
    --header 'Authorization: Bearer YOUR_ACCESS_TOKEN'
  ```
Security Features
The implementation includes:
- JWT token validation using AuthAction’s JWKS endpoint (signing keys are discovered from the Authority and cached by the middleware)
- RS256 algorithm for token signing
- Automatic token validation and expiration checking
- Secure configuration management
- HTTPS support in production
Common Issues
Invalid Token Errors
- Ensure your token is signed with the RS256 algorithm
- Verify the token contains the correct issuer and audience claims
- Check that Authority and Audience are correctly set in configuration
Public Key Fetching Errors
- Verify your application can reach AuthAction’s JWKS endpoint
- The JWKS URI should be: https://your-authaction-tenant-domain/.well-known/jwks.json
Unauthorized Access
If requests to protected endpoints fail, check:
- The JWT token is included in the Authorization header
- The token is valid and not expired
- The token’s audience matches your API identifier
- The token’s issuer matches your AuthAction domain
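The checks in the three troubleshooting lists above (algorithm, issuer, audience, expiry) can be run against a token offline before involving the middleware. The following is an added diagnostic, not part of this guide or of AuthAction's code: it decodes a JWT's header and claims without verifying the signature and reports every expectation that is not met. It is for understanding a 401, not a replacement for the middleware's validation, which still verifies the signature against the JWKS. `TokenDiagnostics`, `Inspect` and `BuildSampleToken` are names chosen here; the sample token is constructed in code with a placeholder signature and would never validate.

```csharp
// Added example (not from the original guide): offline JWT shape check.
// Relies on Microsoft.IdentityModel.JsonWebTokens, pulled in transitively by
// the JwtBearer package.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public static class TokenDiagnostics
{
    // Returns one finding per failed expectation. An empty list means the
    // token's header and claims match the API's configuration; the signature
    // is NOT checked here, only by the authentication middleware.
    public static List<string> Inspect(string token, string expectedIssuer, string expectedAudience)
    {
        var findings = new List<string>();
        JsonWebToken jwt;
        try
        {
            jwt = new JsonWebToken(token);
        }
        catch (Exception ex)
        {
            findings.Add($"Token is not a well-formed JWT: {ex.Message}");
            return findings;
        }

        if (jwt.Alg != SecurityAlgorithms.RsaSha256)
            findings.Add($"alg is '{jwt.Alg}', expected RS256");
        if (string.IsNullOrEmpty(jwt.Kid))
            findings.Add("header has no kid, so no JWKS key can be selected");
        if (!IssuersMatch(jwt.Issuer, expectedIssuer))
            findings.Add($"iss is '{jwt.Issuer}', expected '{expectedIssuer}'");
        if (!jwt.Audiences.Contains(expectedAudience))
            findings.Add($"aud [{string.Join(", ", jwt.Audiences)}] does not contain '{expectedAudience}'");
        if (jwt.ValidTo < DateTime.UtcNow)
            findings.Add($"token expired at {jwt.ValidTo:O} (UTC)");

        return findings;
    }

    // Authority is usually written with a trailing slash; tolerate that
    // difference so a correct issuer is not reported as a mismatch.
    private static bool IssuersMatch(string actual, string expected) =>
        string.Equals(actual.TrimEnd('/'), expected.TrimEnd('/'), StringComparison.Ordinal);

    // Constructs a sample token for demonstration only: RS256 header, the
    // given claims, and a placeholder signature segment that will not verify.
    public static string BuildSampleToken(string issuer, string audience, DateTimeOffset expires)
    {
        string header = Base64UrlEncoder.Encode(
            JsonSerializer.Serialize(new { alg = "RS256", typ = "JWT", kid = "example-kid" }));
        string payload = Base64UrlEncoder.Encode(JsonSerializer.Serialize(new
        {
            iss = issuer,
            aud = audience,
            sub = "client@clients",
            exp = expires.ToUnixTimeSeconds(),
        }));
        string signature = Base64UrlEncoder.Encode("placeholder-signature");
        return $"{header}.{payload}.{signature}";
    }
}

// Usage (e.g. from a throwaway console project or a unit test):
//   var issuer = "https://your-authaction-tenant-domain/";
//   var good = TokenDiagnostics.BuildSampleToken(issuer, "your-authaction-api-identifier",
//                  DateTimeOffset.UtcNow.AddMinutes(5));
//   TokenDiagnostics.Inspect(good, issuer, "your-authaction-api-identifier");   // empty list
//   var stale = TokenDiagnostics.BuildSampleToken(issuer, "other-api",
//                  DateTimeOffset.UtcNow.AddMinutes(-5));
//   TokenDiagnostics.Inspect(stale, issuer, "your-authaction-api-identifier");  // aud and exp findings
```

When a real token from the client credentials call comes back with an empty finding list but the API still returns 401, the remaining causes are the ones this check cannot see: the signature does not verify against the keys at the JWKS URI, the Authorization header is missing or malformed, or the API cannot reach the JWKS endpoint at all.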