ASP.NET Core의 JWT 토큰 클레임

As I said there will be some minor changes, to support the Claims and Roles feature. These changes are not required in your type of scenario but are required for a better understanding of this article. So if your target is to find the actual implementation, you can skip the  AuthenticationService  class.

The  AuthenticationService  now will have an additional  UserRepository  from which the data about the  User  will be retrieved. And the  TokenService  will receive the  User  to generate the  securityToken .

public string Authenticate(UserCredentials userCredentials)
{
    userService.ValidateCredentials(userCredentials);
    User user = userRepository.GetUser(userCredentials.Username);
    var tokenService = new TokenService(user);
    string securityToken = tokenService.GetToken();

    return securityToken;
}

Authenticate  method was explained in the previous two articles and all the code can be found on my GitHub account, there will be a link to it at the end of this article.\
UserRepository  contains a predefined list of users, and the  GetUser  method returns only the  User  with the given username, this logic was on the  UserService .

User  now contains the  Roles  property and the  Claims  method which will build the claims with the  Username  and  Roles . For the sake of this article, we're supposing that the  Roles  will be all the time set, so we'll don't need to worry if this collection will be  null .

public class User
{
    public string Username { get; set; }
    public string Password { get; set; }
    public IEnumerable<string> Roles { get; set; }

    public IEnumerable<Claim> Claims()
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, Username) };
        claims.AddRange(Roles.Select(role => new Claim(ClaimTypes.Role, role)));

        return claims;
    }
}

TokenService  is receiving the  User  from the  AuthenticationService  and uses it to set the Subject (i.e. Payload) of the Token.\
Besides this change, there is only one change that has to be done, on the  GetTokenDescriptor  method, when the  SecurityTokenDescriptor  is created, the subject is initialized with a new  ClaimsIdentity  that gets the user claims.

private SecurityTokenDescriptor GetTokenDescriptor()
{
    var tokenDescriptor = new SecurityTokenDescriptor
    {
        Subject = new ClaimsIdentity(user.Claims()),
        ...
    };

    return tokenDescriptor;
}

Now that the Claims are set, the  UserController  will be the playground for the set claims and roles. In order to accept requests with the created Token, the Controller must have the same Scheme as the Token set on the  AuthorizeAttribute .

[Route("identity/[controller]")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public class UserController : ControllerBase
{
    ...
}

In the  GetName  method, the value of  Name  claim is get for the given Token, which represents the username. The  User  already has predefined methods, like  FindFirstValue  in order to expose its property easily.

[HttpGet("name")]
public IActionResult GetName()
{
    string name = User.FindFirstValue(ClaimTypes.Name);
    return Ok(name);
}

In the response, only the username is returned from the Claim.

And the last method is using the  AuthorizedAttribute  with the  Roles  property to give access only to the users that have the set role, in this case, Admin.

[HttpGet("roles")]
[Authorize(Roles = "Admin")]
public IActionResult GetRoles()
{
    IEnumerable<Claim> roleClaims = User.FindAll(ClaimTypes.Role);
    IEnumerable<string> roles = roleClaims.Select(r => r.Value);
    return Ok(roles);
}

Let's test with john.doe user, that only have the User role.