A brief demonstration of JWT authentication and inter-service communication.

debjordan/Auth_JWT

JWT Authentication APIs in C#

This project implements two REST APIs in C# using ASP.NET Core (.NET 8) for learning about JWT authentication and inter-service communication. API 1 is a protected service that requires a valid JWT token, while API 2 consumes API 1 by generating a JWT token and returning the protected data.

Objective

  • Demonstrate how to configure JWT authentication in an API
  • Show how one API can consume another using JWT tokens
  • Teach basic concepts of inter-API communication with C#

Project Structure

API 1 (Protected Service)

  • Endpoint: GET /protected
  • Function: Returns a JSON message ({"Message": "Access granted! Protected data here."}) if a valid JWT token is provided in the Authorization: Bearer <token> header
  • Technologies:
    • ASP.NET Core with Microsoft.AspNetCore.Authentication.JwtBearer for token validation
    • System.IdentityModel.Tokens.Jwt for JWT handling

API 2 (Consumer)

  • Endpoint: GET /consume
  • Function: Generates a JWT token, makes a request to API 1, and returns the received data or an error
  • Technologies:
    • System.IdentityModel.Tokens.Jwt for token generation
    • HttpClient for communication with API 1

Prerequisites

  • .NET SDK (version 8 or higher)
  • Tools for API testing (e.g., curl, Postman, or a browser)
  • NuGet packages:
    • API 1: Microsoft.AspNetCore.Authentication.JwtBearer, System.IdentityModel.Tokens.Jwt
    • API 2: System.IdentityModel.Tokens.Jwt

Setup

  1. Create projects:

    dotnet new webapi -n Api1
    cd Api1
    dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer
    dotnet add package System.IdentityModel.Tokens.Jwt
    cd ..
    dotnet new webapi -n Api2
    cd Api2
    dotnet add package System.IdentityModel.Tokens.Jwt

  2. Configure API 1:

    • Replace Api1/Program.cs with the provided code (contains JWT authentication configuration)
    • Use the secret key minha_chave_secreta_super_segura_1234567890 (minimum 32 characters for HS256)

  3. Configure API 2:

    • Replace Api2/Program.cs with the provided code (contains JWT generation and API 1 call)
    • Use the same secret key as API 1

How to Run

  1. Start API 1:

    cd Api1
    dotnet run --urls=http://localhost:5000

  2. Start API 2:

    cd Api2
    dotnet run --urls=http://localhost:5001

  3. Test API 2:

    curl http://localhost:5001/consume

    • Expected output:

      {"DataFromApi1":{"Message":"Access granted! Protected data here."}}

  4. Test API 1 directly (optional):

    • curl http://localhost:5000/protected (without token) → 401 Unauthorized error
    • Use Postman with a token generated by API 2 to test

Project Code

API 1 (Program.cs)

  • Configures JWT authentication with symmetric key validation (HS256)
  • Protects the /protected endpoint with [Authorize]
  • Uses a secret key of 256 bits or more

API 2 (Program.cs)

  • Generates a JWT with a user_id claim and a 15-minute expiration
  • Uses HttpClient to call API 1 with the token in the Authorization header
  • Returns the API 1 data or an error
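
The token flow described for the two Program.cs files, shown end to end in one console program. This is an added example, not the repository's own code: it issues an HS256 token the way API 2 is described and validates it with the checks API 1 would hand to JwtBearer. The DEMO_JWT_KEY variable name, the user_id value, the 30-second clock skew, and the disabled issuer/audience checks are assumptions made for the illustration.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Assumption: DEMO_JWT_KEY is a hypothetical variable name; the fallback is the
// README's sample key, suitable for this local demo only.
var secret = Environment.GetEnvironmentVariable("DEMO_JWT_KEY")
             ?? "minha_chave_secreta_super_segura_1234567890";
var keyBytes = Encoding.UTF8.GetBytes(secret);
if (keyBytes.Length < 32)
    throw new InvalidOperationException("HS256 key must be at least 32 bytes (256 bits).");
var key = new SymmetricSecurityKey(keyBytes);
var handler = new JwtSecurityTokenHandler();
var claims = new[] { new Claim("user_id", "123") }; // constructed sample value

// API 2 side: sign a token with a user_id claim and a 15-minute expiration.
string Issue(SecurityKey signingKey) => handler.WriteToken(new JwtSecurityToken(
    claims: claims,
    expires: DateTime.UtcNow.AddMinutes(15),
    signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256)));

// API 1 side: the same checks AddJwtBearer would get via TokenValidationParameters.
var parameters = new TokenValidationParameters
{
    ValidateIssuerSigningKey = true,
    IssuerSigningKey = key,
    ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // accept HS256 only
    ValidateLifetime = true,
    ClockSkew = TimeSpan.FromSeconds(30), // library default is 5 minutes
    ValidateIssuer = false,   // assumption: the README names no issuer
    ValidateAudience = false  // assumption: the README names no audience
};

bool Accepts(string candidate)
{
    try { handler.ValidateToken(candidate, parameters, out _); return true; }
    catch (Exception ex) when (ex is SecurityTokenException or ArgumentException) { return false; }
}

Console.WriteLine($"token signed with shared key accepted: {Accepts(Issue(key))}");

// A token signed with a different key must fail signature validation.
var otherKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(new string('x', 32)));
Console.WriteLine($"token signed with other key accepted:  {Accepts(Issue(otherKey))}");
```

Run it from a console project that references the System.IdentityModel.Tokens.Jwt package listed in the prerequisites.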

Concepts Learned

  • JWT (JSON Web Token):

    • Token generation with claims and expiration
    • Token validation with symmetric keys
    • Using Authorization: Bearer <token> header
  • ASP.NET Core:

    • Authentication configuration with JwtBearer
    • Creating REST APIs with minimal APIs
    • Dependency injection (IHttpClientFactory)
  • Inter-API Communication:

    • Sending HTTP requests with HttpClient
    • Handling responses (success and error)

Troubleshooting

  • "key size must be greater than 256 bits" error:

    • Use a secret key with at least 32 characters (e.g., minha_chave_secreta_super_segura_1234567890)
    • Confirm both APIs use the same key
  • 401 error on /protected:

    • Check if the token is in the correct format (Bearer <token>)
    • Test with Postman for debugging
  • API not responding:

    • Confirm ports 5000 (API 1) and 5001 (API 2) are available
    • Verify projects are running correctly (dotnet run)
