Updated : Jan 10, 2022 in Articles

JWT Authentication using OAuth


  1. What is JWT
  2. Creating the MVC Project using OWIN Authentication
  3. Integrating the JWT Authentication


  • What is JWT?
    • JSON Web Token is a JSON-based open standard for creating access tokens that assert some number of claims.
    • A JSON Web Token (JWT) is a JSON object that is defined in RFC 7519 as a safe way to represent a set of information between two parties. 
    • The token is composed of three parts:
      • Header
      • Payload
      • Signature
    • JWT string format

Creating the MVC application 

  • Create a new project from the ASP.NET MVC template, select ASP.NET Web API, and change the Authentication to “Individual User Accounts”. By default, authentication is set to “None”.
  • If Authentication is set to “None”, we need to install the packages below from NuGet.
    • Install-Package Microsoft.AspNet.WebApi -Version 5.2.2
    • Install-Package Microsoft.AspNet.WebApi.Owin -Version 5.2.2
    • Install-Package Microsoft.Owin.Host.SystemWeb -Version 3.0.0
    • Install-Package Microsoft.Owin.Cors -Version 3.0.0
    • Install-Package Microsoft.Owin.Security.OAuth -Version 3.0.0
    • Add the OWIN Startup file to your project.
  • Now, to work with JWT authentication, we need to install the following package:
    • Install-Package System.IdentityModel.Tokens.Jwt 
    • The above package is responsible for validating, parsing and generating JWT tokens.
  • By default, OWIN authentication uses DPAPI to generate the access token, so we need to change the “access-token-format” to JWT.
    • Build a custom class named “CustomJwtFormat”, which will be responsible for generating a JWT instead of the default access token.
    • “CustomJwtFormat” implements ISecureDataFormat<AuthenticationTicket>.
  • Now add a class named “CustomJwtFormat” to the project.
  • The constructor of this class accepts the “Issuer” of the JWT, which will be our Authorization server. This can be a string or a URI; in our case we’ll fix it to a URI with the value “http://localhost”.
  • Inside “Protect” method we are doing the following:
    • Reading the secret key from the web.config file and Base64-decoding it to a byte array, which will be used to create an HMAC-SHA256 signing key.
    • Preparing the raw data for the JSON Web Token which will be issued to the requester, by providing the issuer, audience, user claims, issue date, expiry date, and the signing key which will sign the JWT payload.
    • Signing key: protects the token from tampering.
  • Lastly we serialize the JSON Web Token to a string and return it to the requester.
  • Now go to Startup.Auth.cs under the App_Start folder and add the following code in the ConfigureAuth method.
  • Now go to “ApplicationOAuthProvider” and change the logic of the “GrantResourceOwnerCredentials” method. By default the credentials are checked against the local db, so we need to change that bit of logic so it connects to our BO or Repositories.
  • We have completed generating the JWT using OAuth. Now we have to validate the JWT.
  • This is the most important step in configuring the Resource server to trust tokens issued by our Authorization server (http://localhost).
  • Now go to Startup.Auth.cs and add the following code in the ConfigureAuth method (above the app.UseOAuthAuthorizationServer(OAuthOptions); call).
  • By providing those values to the JwtBearerAuthentication middleware, this Resource server will be able to consume only JWT tokens issued by the trusted Authorization server and issued for this audience only.
  • Add the secret key to the web.config file. It is a random string generated with RNGCryptoServiceProvider.
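
The “CustomJwtFormat” class and its “Protect” method described in the steps above could look like the sketch below. This is an added example, not the article's original code. It assumes System.IdentityModel.Tokens.Jwt 5.x or later (signing types in Microsoft.IdentityModel.Tokens), and the appSettings keys “JwtAudience” and “JwtSecret” are hypothetical names for the values stored in web.config.

```csharp
// Added example, not the article's original code.
// Assumes System.IdentityModel.Tokens.Jwt 5.x+ (types in Microsoft.IdentityModel.Tokens).
// "JwtAudience" and "JwtSecret" are hypothetical appSettings keys in web.config.
using System;
using System.Configuration;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security;

public class CustomJwtFormat : ISecureDataFormat<AuthenticationTicket>
{
    private readonly string _issuer; // the Authorization server, e.g. "http://localhost"

    public CustomJwtFormat(string issuer) { _issuer = issuer; }

    public string Protect(AuthenticationTicket data)
    {
        if (data == null) throw new ArgumentNullException(nameof(data));

        string audience = ConfigurationManager.AppSettings["JwtAudience"];
        // Base64-decode the shared secret into the HMAC key bytes.
        byte[] key = Convert.FromBase64String(ConfigurationManager.AppSettings["JwtSecret"]);
        // RFC 7518 requires an HS256 key of at least 256 bits.
        if (key.Length < 32)
            throw new InvalidOperationException("JWT secret must be at least 32 bytes.");

        DateTimeOffset? issued = data.Properties.IssuedUtc;
        DateTimeOffset? expires = data.Properties.ExpiresUtc;
        // Refuse to issue a token that never expires.
        if (expires == null)
            throw new InvalidOperationException("Ticket has no expiry.");

        var credentials = new SigningCredentials(
            new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256);

        var token = new JwtSecurityToken(
            _issuer, audience, data.Identity.Claims,
            issued?.UtcDateTime, expires.Value.UtcDateTime, credentials);

        // Serialize to the compact header.payload.signature string.
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Not used on the Authorization server: the JwtBearerAuthentication
    // middleware validates incoming tokens on the Resource server.
    public AuthenticationTicket Unprotect(string protectedText) { throw new NotSupportedException(); }
}
```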


  • Generate the secret key and add it to the web.config file.
  • Add the Authorize attribute to your API controllers and test the APIs.
  • To generate the JWT token:
  • Now add the JWT token to the header of every request.

Latest posts by DuttaluruVijayakumar (see all)