Coding Stephan

JWT: Part 3 – Sign your own

This is part of my JSON Web Token series. This time to show you how to create your own JWTs in dotnet core. Small note, creating your own token server isn’t something I would recommend! If you need your own token (identity/login/openid connect) server, have a look at Identity Server and the Identity server with Identity quickstart.

It is however handy to know how the creation of JWTs works, just for your understanding.

Create a JWT

Each JWT consist of some data in the form of claims about the application and/or the user. You can add all the claims about the user you think you might need. Getting these values from some source is something you need to figure out yourself. Think database, userstore, eg.

using System.Security.Claims;
// .....

var identity = new ClaimsIdentity(new Claim[] {
                    new Claim(ClaimTypes.Name, "user-id-of-user"),
                    new Claim(ClaimTypes.Email, "")

Signing credentials

To create a JWT you’ll need some sort of SigningCredentials, Microsoft defined a few so lets try it out. Check out the JWT Introduction for all the ways of signing a token.

using Microsoft.IdentityModel.Tokens;
// For using certificate authentication
using System.Security.Cryptography.X509Certificates;
// ....

// We will start with the SymmetricSigningCredentials, so that is a shared key.
// This is nice for proof of concept, but you shouldn't use it in production!
var key = Encoding.ASCII.GetBytes("Very long secret, replace with your own! And never store in the code!");
var symmetricSigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature);

// Next the preferred way, signing credentials from a RSA Certificate.
// First load the certificate from somewhere secure. User certificate store or something.
var certificate = new X509Certificate2(); // Replace this line to load it from somewhere secure!
var x509SigningCredentials = new X509SigningCredentials(certificate);

Creating the actual token

We now have the two required ingredients to create a token. The user identity we want to sign and signing credentials. Lets create a token, you’re of course free to choose your own credentials.

using Microsoft.IdentityModel.Tokens;
using System;
using System.IdentityModel.Tokens.Jwt;
// ...

var identity = new ClaimsIdentity();
var x509SigningCredentials = new X509SigningCredentials(certificate); 

var tokenHandler = new JwtSecurityTokenHandler();
var tokenDescriptor = new SecurityTokenDescriptor
    Subject = identity,
    Expires = DateTime.UtcNow.AddSeconds(3600), // 1 hour
    SigningCredentials = x509SigningCredentials
var unsignedToken = tokenHandler.CreateToken(tokenDescriptor);
var token = tokenHandler.WriteToken(unsignedToken);

Your first tokens

Congratulations you just created your first JSON Web Token! In real life applications you should first decide which claims you’re probably going to need on the side where you will be accepting them. Start with as less as possible to keep your token small. You can always add needed claims as you see fit.