Featured resource
2026 Tech Forecast
2026 Tech Forecast

1,500+ tech insiders, business leaders, and Pluralsight Authors share their predictions on what’s shifting fastest and how to stay ahead.

Download the forecast
  • Lab
    • Libraries: If you want this lab, consider one of these libraries.
Labs

Guided: Implementing JWT Authorization in ASP.NET Core 10

In this Code Lab, learners will secure an ASP.NET Core 10 application using JWT-based authorization. Through a hands-on guided experience, learners will configure token validation, retrieve and inspect identity claims, and enforce authorization policies to protect application endpoints and resources. This lab focuses on the app-side authorization mechanics that developers use every day in production.

Lab platform
Lab Info
Level
Advanced
Last updated
Jul 10, 2026
Duration
1h 0m

Contact sales

By clicking submit, you agree to our Privacy Policy and Terms of Use, and consent to receive marketing emails from Pluralsight.
Table of Contents
  1. Challenge

    Introduction

    Lab Introduction

    In this Code Lab, you will secure an ASP.NET Core 10 web application using JSON Web Token (JWT) authentication and authorization. The application begins as a partially built MVC application with public pages, protected pages, and API endpoints, but without authentication or access controls.

    Throughout the lab, you will progressively configure JWT Bearer authentication, validate tokens, inspect identity claims, and apply authorization policies to protect application resources.

    This lab focuses on the application-side security logic commonly used in production APIs and web applications. Rather than relying on an external identity provider, the lab uses pre-generated JWTs so you can focus entirely on how ASP.NET Core validates tokens and makes authorization decisions.

    Project Structure

    The application is organized into several key components:

    Program.cs

    This is the main configuration file for the application. It configures services such as authentication and authorization and defines the middleware pipeline. In this lab, you will modify this file to enable JWT Bearer authentication and authorization policies.

    Controllers

    Controllers handle incoming HTTP requests and determine what response is returned.

    The lab includes the following controllers:

    HomeController Contains public pages that do not require authentication.

    DashboardController Contains routes protected by [Authorize], meaning users must provide a valid JWT.

    AccountController Displays claims extracted from validated JWTs so you can inspect the authenticated identity.

    AdminController Contains resources restricted by policy-based authorization.

    LabApiController Provides public and protected API endpoints used to test authentication and authorization behavior.

    Views

    Views render the UI for MVC routes. These help visualize whether access is allowed or denied and display JWT claims.

    tokens.txt

    This file contains pre-generated JWTs used to test the application:

    • User token
    • Admin token
    • Expired token

    These tokens simulate different authentication and authorization scenarios.

  2. Challenge

    Configure JWT Bearer Authentication

    In this objective, you will configure ASP.NET Core to validate JWTs using Bearer authentication middleware.

    JWT Bearer authentication allows the application to accept tokens in the following format:

    Authorization: Bearer

    When a token is received, ASP.NET Core validates:

    • The token signature
    • The issuer
    • The audience
    • The expiration time

    These checks ensure the token was issued by a trusted source and has not been tampered with or expired.

    You will configure this in Program.cs using AddAuthentication() and AddJwtBearer().

    This establishes the foundation for all later authorization checks.

  3. Challenge

    Retrieve and Display Identity Claims

    Once a JWT is successfully validated, ASP.NET Core extracts claims from the token and associates them with the current user.

    Claims are pieces of identity information such as:

    • User ID
    • Name
    • Email
    • Role
    • Department

    Examples:

    • sub
    • name
    • email
    • role

    In this objective, you will inspect the authenticated user’s claims by viewing the Profile page.

    The AccountController and Profile view work together to display these claims.

    Understanding claims is important because authorization policies often rely on them to determine access.

  4. Challenge

    Protect Routes Using Authorize

    In this objective, you will secure application routes using the [Authorize] attribute.

    The [Authorize] attribute tells ASP.NET Core that a user must be authenticated before accessing a page or endpoint.

    Without a valid JWT:

    • Requests are rejected
    • The application returns 401 Unauthorized

    With a valid JWT:

    • Access is granted
    • The request proceeds normally

    You will apply this to protected pages such as:

    • Dashboard
    • Profile

    This demonstrates how ASP.NET Core distinguishes between public and authenticated resources.

  5. Challenge

    Implement Policy-Based Authorization

    Authentication answers:

    “Who is this user?”

    Authorization answers:

    “What is this user allowed to do?”

    In this objective, you will create a custom authorization policy called:

    AdminOnly

    This policy requires the authenticated user to have the Admin role.

    You will configure this policy in Program.cs and apply it to the AdminController.

    When a user token with role User accesses the admin route:

    • Authentication succeeds
    • Authorization fails
    • The application returns 403 Forbidden

    When an admin token accesses the same route:

    • Authentication succeeds
    • Authorization succeeds
    • Access is granted

    This demonstrates role-based access control.

  6. Challenge

    Lab Conclusion

    In this lab, you secured an ASP.NET Core 10 application using JWT authentication and authorization.

    You configured JWT Bearer middleware to validate tokens and extract identity claims from authenticated users. You then used those claims to protect pages, routes, and API endpoints.

    Specifically, you:

    • Configured JWT token validation
    • Retrieved and displayed user identity claims
    • Protected resources using [Authorize]
    • Created a custom authorization policy
    • Tested authenticated and unauthorized access scenarios

    You also observed the difference between authentication and authorization:

    • Authentication verifies identity
    • Authorization determines permissions

    Finally, you tested how ASP.NET Core responds in real-world security scenarios using HTTP status codes:

    • 200 OK
    • 401 Unauthorized
    • 403 Forbidden

    These are core application security concepts used in modern APIs and production web applications.

About the author

Shimon Brathwaite is a seven-year cybersecurity professional with extensive experience in Incident Response, Vulnerability Management, Identity and Access Management and Consulting.

Real skill practice before real-world application

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Learn by doing

Engage hands-on with the tools and technologies you’re learning. You pick the skill, we provide the credentials and environment.

Follow your guide

All labs have detailed instructions and objectives, guiding you through the learning process and ensuring you understand every step.

Turn time into mastery

On average, you retain 75% more of your learning if you take time to practice. Hands-on labs set you up for success to make those skills stick.

Get started with Pluralsight