Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *


  1. hi. great blog! keep it up. In continuation of this topic, I would like to see the implementation of the jwt-token on the Blazor wasm client. What do you think?

  2. Hi, and thanks for this great post.

    I have a problem with RefreshTokens, because this is always null where i use from await _userManager.FindByEmailAsync(tokenRequest.Email);

    Missing some EFCore configuration?

    1. Hi, Thanks for writing.
      FindByEmailAsync, if returns null, I guess there might be no user present with the corresponding email. Please cross-check with your database, if such a user/ email exists. Let me know.

      Thanks and regards.

  3. Hi, Thanks for the clear post, I found them (all) very useful.
    I’ve a question: suppose I need to split up to an authentication api and a resource api, what should I do at the resource api to validate the JWT? Where is the logic part to check the JWT validity?

    Thanks and regards!

    1. Hello Patrick! Hope you are doing good.

      Identity Server can be good choice for your requirement. However, if you want 2 APIs, you just need to make sure that the API Secret Key and the Issuer Params are the same. You would want to validate the JWT in your Resource API, just add the TokenValidationParameters method in the startup class as we normally would do. ‘services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer’ This is responsible for validation.

      Thanks and Regards.

  4. Check out the code in the infrastructure project’s Auth folder to explore the classes responsible for generating and validating JWT and refresh tokens in more detail.

  5. That was such a great one brother , I was just stepping into .net core from .net and this is what I was looking for either , a clean coded architecture too.Much appreciated.

  6. hi. great blog. Let me ask when to delete data in the RefreshToken table, because the data will be very large over time.

  7. Hi, i like this blog and it helped me very much to secure my API with JWT.
    My Question is: What kind of requests must a client do, to be connected all the time the user are logged in?
    In my unterstanding, the client has to ‘request-token’ always before it can request the ‘secured data stuff’.
    Because the JWT is perhaps expired between the requests.
    Is that right?
    It’s my first Web API, so how can i solve this easy in individual clients (mobile app, Web App, …)

  8. The user account gets created Evenif user name is already used but if you use new email or if you use existing email with new user name it shous error but the account si created in the database

    Roles gets created in the new colum in the database insted of overwring the existing one.If you assign admin and chnage back to modertor the user has still got admin access

    I don’t know how refresh token is work my session is ending after 1 minute even after implementing refresh token

  9. This is a really helpful article! Thank you so much.
    Could you add a screenshot for the dbo.RefreshToken table?
    Based on my understanding the table should contain all the properties of RefreshToken class as columns, but does it have UserId column as well?