- Lab
-
Libraries: If you want this lab, consider one of these libraries.
Guided: Implementing JWT Authorization in ASP.NET Core 10
In this Code Lab, learners will secure an ASP.NET Core 10 application using JWT-based authorization. Through a hands-on guided experience, learners will configure token validation, retrieve and inspect identity claims, and enforce authorization policies to protect application endpoints and resources. This lab focuses on the app-side authorization mechanics that developers use every day in production.
Lab Info
Table of Contents
-
Challenge
Introduction
Lab Introduction
In this Code Lab, you will secure an ASP.NET Core 10 web application using JSON Web Token (JWT) authentication and authorization. The application begins as a partially built MVC application with public pages, protected pages, and API endpoints, but without authentication or access controls.
Throughout the lab, you will progressively configure JWT Bearer authentication, validate tokens, inspect identity claims, and apply authorization policies to protect application resources.
This lab focuses on the application-side security logic commonly used in production APIs and web applications. Rather than relying on an external identity provider, the lab uses pre-generated JWTs so you can focus entirely on how ASP.NET Core validates tokens and makes authorization decisions.
Project Structure
The application is organized into several key components:
Program.cs
This is the main configuration file for the application. It configures services such as authentication and authorization and defines the middleware pipeline. In this lab, you will modify this file to enable JWT Bearer authentication and authorization policies.
Controllers
Controllers handle incoming HTTP requests and determine what response is returned.
The lab includes the following controllers:
HomeControllerContains public pages that do not require authentication.DashboardControllerContains routes protected by [Authorize], meaning users must provide a valid JWT.AccountControllerDisplays claims extracted from validated JWTs so you can inspect the authenticated identity.AdminControllerContains resources restricted by policy-based authorization.LabApiControllerProvides public and protected API endpoints used to test authentication and authorization behavior.Views
Views render the UI for MVC routes. These help visualize whether access is allowed or denied and display JWT claims.
tokens.txtThis file contains pre-generated JWTs used to test the application:
- User token
- Admin token
- Expired token
These tokens simulate different authentication and authorization scenarios.
-
Challenge
Configure JWT Bearer Authentication
In this objective, you will configure ASP.NET Core to validate JWTs using Bearer authentication middleware.
JWT Bearer authentication allows the application to accept tokens in the following format:
Authorization: Bearer
When a token is received, ASP.NET Core validates:
- The token signature
- The issuer
- The audience
- The expiration time
These checks ensure the token was issued by a trusted source and has not been tampered with or expired.
You will configure this in Program.cs using
AddAuthentication()andAddJwtBearer().This establishes the foundation for all later authorization checks.
-
Challenge
Retrieve and Display Identity Claims
Once a JWT is successfully validated, ASP.NET Core extracts claims from the token and associates them with the current user.
Claims are pieces of identity information such as:
- User ID
- Name
- Role
- Department
Examples:
- sub
- name
- role
In this objective, you will inspect the authenticated user’s claims by viewing the Profile page.
The
AccountControllerandProfileview work together to display these claims.Understanding claims is important because authorization policies often rely on them to determine access.
-
Challenge
Protect Routes Using Authorize
In this objective, you will secure application routes using the [Authorize] attribute.
The [Authorize] attribute tells ASP.NET Core that a user must be authenticated before accessing a page or endpoint.
Without a valid JWT:
- Requests are rejected
- The application returns 401 Unauthorized
With a valid JWT:
- Access is granted
- The request proceeds normally
You will apply this to protected pages such as:
- Dashboard
- Profile
This demonstrates how ASP.NET Core distinguishes between public and authenticated resources.
-
Challenge
Implement Policy-Based Authorization
Authentication answers:
“Who is this user?”
Authorization answers:
“What is this user allowed to do?”
In this objective, you will create a custom authorization policy called:
AdminOnly
This policy requires the authenticated user to have the Admin role.
You will configure this policy in Program.cs and apply it to the AdminController.
When a user token with role User accesses the admin route:
- Authentication succeeds
- Authorization fails
- The application returns 403 Forbidden
When an admin token accesses the same route:
- Authentication succeeds
- Authorization succeeds
- Access is granted
This demonstrates role-based access control.
-
Challenge
Lab Conclusion
In this lab, you secured an ASP.NET Core 10 application using JWT authentication and authorization.
You configured JWT Bearer middleware to validate tokens and extract identity claims from authenticated users. You then used those claims to protect pages, routes, and API endpoints.
Specifically, you:
- Configured JWT token validation
- Retrieved and displayed user identity claims
- Protected resources using [Authorize]
- Created a custom authorization policy
- Tested authenticated and unauthorized access scenarios
You also observed the difference between authentication and authorization:
- Authentication verifies identity
- Authorization determines permissions
Finally, you tested how ASP.NET Core responds in real-world security scenarios using HTTP status codes:
- 200 OK
- 401 Unauthorized
- 403 Forbidden
These are core application security concepts used in modern APIs and production web applications.
About the author
Real skill practice before real-world application
Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
Learn by doing
Engage hands-on with the tools and technologies you’re learning. You pick the skill, we provide the credentials and environment.
Follow your guide
All labs have detailed instructions and objectives, guiding you through the learning process and ensuring you understand every step.
Turn time into mastery
On average, you retain 75% more of your learning if you take time to practice. Hands-on labs set you up for success to make those skills stick.