A secure implementation of JSON Web Tokens (JWT) in C#

Maurits de Ruiter · Published in The Startup · 5 min read · Nov 24, 2019


I updated this article on May 3rd with a better way to deal with refresh tokens and to accommodate an update of the JWT package.

This week I was improving the backend of an app of our company. It used basic authentication to authenticate users against the database. Because we were implementing multifactor authentication, it needed to be improved. At the same time the server response wasn’t that fast.

I figured JSON Web Tokens would solve that problem, while simultaneously solving a minor security concern with basic authentication. While all traffic is done over SSL, the password is still sent over the network, risking a MITM attack. Then I searched for a way to implement this securely, and while I found some helpful guides, they didn’t satisfy everything.

For those who don’t know, JSON Web Tokens are used to transfer data between two parties. This data is not encrypted, only encoded, so don’t put sensitive information in your JWT! The token is signed by the server, so anyone else who changes the data will fail signature verification.

There is one major caveat: if this token somehow ends up in the hands of an attacker, that attacker has access to everything the user has. The token can only be invalidated by changing the signing secret, which invalidates all tokens at once. That’s not something we…
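Added example (in Python rather than the article's C#, and not code from the article): a minimal HS256 sign-and-verify routine showing the two properties just described, that anyone holding the token can read its claims without the secret, and that an edited payload, a rotated secret, or an expired `exp` all fail verification. The secret and claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    # Compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def read_claims_unverified(token: str) -> dict:
    # No secret needed: the payload is encoded, not encrypted
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, secret: bytes, now=None):
    # Returns the claims only if the signature matches and the token is unexpired
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # pin the algorithm; never trust the header's choice
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" in claims and (int(time.time()) if now is None else now) >= claims["exp"]:
        return None
    return claims

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed sample value

def demo() -> dict:
    token = sign_jwt({"sub": "alice", "role": "user", "exp": 2_000_000_000}, SECRET)
    h, _, s = token.split(".")
    # Same header and signature, but the payload was edited after issuance
    edited = f"{h}.{_b64url(json.dumps({'sub': 'alice', 'role': 'admin'}).encode())}.{s}"
    return {
        "readable_without_secret": read_claims_unverified(token)["role"],
        "valid": verify_jwt(token, SECRET) is not None,
        "edited_payload_rejected": verify_jwt(edited, SECRET) is None,
        "rotated_secret_rejects_all": verify_jwt(token, b"rotated-secret") is None,
        "expired_rejected": verify_jwt(token, SECRET, now=2_000_000_000) is None,
    }
```

The last two checks are the caveat in practice: rotating the secret invalidates every outstanding token, so a short `exp` is the only per-token limit on a stolen token's lifetime.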
