
I have an ASP.NET Core API handling Identity Framework, but I also have another web application using ASP.NET MVC, and I wish to handle sessions/identity using the same API I already have managing identities.

How do I manage JWT in my controllers that I want to mark up with [Authorize], or that require a role that may be retrieved using claims?

I've tried to find examples related to this, but I only get content about the API using a mix-up of MVC Core on the same API using Views.

I would like to give my users a refresh token button (handled perhaps by AJAX?) and a span length of X minutes, for example, before they need to refresh to get a new token.

  • I wouldn't add a button that allows them to refresh it; it sounds insecure, and that should be transparent to the user anyway. You need to issue and use the refresh token to get an access token, and refresh tokens are generally long-lived. In the event it expires, you should fall back to whatever grant type was used to obtain the initial token. Commented Jan 13, 2021 at 19:39
  • But how do I handle this JWT at all in my [Authorize]? How do I know I signed someone into that API if the content is not from that API? I want to add auth to my MVC content using my API. Commented Jan 13, 2021 at 20:13
  • You need to add configuration to the API so it can check the validity of the tokens. Authorize will then just work. In your Startup class you'll have something similar to: services.AddAuthentication(...).AddJwtBearer(...).... Commented Jan 13, 2021 at 20:41

1 Answer

You have put the authentication on the API, so you don't have to consider identity in MVC. I suggest that the API only handle authentication and protected resources, and that MVC only handle interaction with users.

Configure JWT in the API, and use [Authorize] to protect authorized resources in the API. Save the authenticated token in a cookie or session.

About the refresh token, you can extend the expiry time with AJAX.
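As an added illustration (not code from the question or the answer), here is the API-side configuration the answer and the comments refer to: `AddJwtBearer` validating issuer, audience, lifetime and signature, with `[Authorize]` and `[Authorize(Roles = ...)]` reading the role claim. It assumes .NET 6+ minimal hosting, the `Microsoft.AspNetCore.Authentication.JwtBearer` package, and configuration keys `Jwt:Issuer`, `Jwt:Audience` and `Jwt:Key` (all assumed names); the MVC app sends the stored token as an `Authorization: Bearer` header on each call.

```csharp
// Added example, not the original poster's code. Assumed config keys: Jwt:Issuer, Jwt:Audience, Jwt:Key.
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
var jwt = builder.Configuration.GetSection("Jwt"); // key material comes from configuration, never from source

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = jwt["Issuer"],
            ValidateAudience = true,
            ValidAudience = jwt["Audience"],
            ValidateLifetime = true,             // reject tokens past their "exp" claim
            ClockSkew = TimeSpan.FromMinutes(1), // library default is 5 minutes; tighten it
            ValidateIssuerSigningKey = true,
            // HS256 needs a key of at least 32 bytes; the token is signed, not encrypted,
            // so claims are readable by anyone holding the token
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwt["Key"]!)),
            RoleClaimType = ClaimTypes.Role,     // the claim [Authorize(Roles = ...)] checks
        };
    });
builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication(); // must run before UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
public class ReportsController : ControllerBase
{
    // Any token that passes the validation above is accepted here
    [Authorize]
    [HttpGet] public IActionResult List() => Ok(User.Identity!.Name);

    // Only tokens carrying a role claim equal to "Admin" are accepted here
    [Authorize(Roles = "Admin")]
    [HttpDelete("{id}")] public IActionResult Delete(int id) => NoContent();
}
```

A token that fails any of these checks gets a 401 before the action runs, and a valid token without the required role gets a 403, so the controllers themselves never inspect the JWT.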


2 Comments

I appreciate the whole picture; I would not be able to understand without those. This works, thanks a lot. I will provide the code after I finish. By the way, just a question: is this secure and a good practice?
Yes, they are relatively secure, because the token is encrypted with a key. In addition, the expiration time can also be encrypted.
