Setting up JWT Authentication

Environment

• DNN Platform
• Evoq Content
• Evoq Engage

Prerequisites

You need a host/superuser account to be able to perform the steps outlined in this article. Hosts have full permissions to all sites in the DNN instance.  

Process

1. Install the DNN JWT Auth Handler.

   1. Go to Host > Settings (gear icon) > Extensions.
      
      

   2. In the Available Extensions tab, expand the Providers section and search for DNN JWT Auth Handler, then click Install.
      
      

      
      

      • The JWTAuth line is added inside the <messageHandlers/> tag in your web.config file, as shown below: 

        <authServices>
            <messageHandlers>
                <!-- other message handlers -->
                <add name="JWTAuth" type="Dnn.AuthServices.Jwt.Auth.JwtAuthMessageHandler, Dnn.AuthServices.Jwt" enabled="false" defaultInclude="false" forceSSL="true"/>
            </messageHandlers>
        </authServices>

2. (Optional) Enable JWT authentication for all Web API requests.

   1. Access the web.config file.

   2. Search for the newly-added JWTAuth line inside the <messageHandlers/> section.

   3. Change JWTAuth's enabled and defaultInclude attributes to true.

      <add name="JWTAuth" type="Dnn.AuthServices.Jwt.Auth.JwtAuthMessageHandler, Dnn.AuthServices.Jwt" enabled="true" defaultInclude="true" forceSSL="true" />

   
   

   Tip (Developers): To enable JWT authentication for your specific Web API, add the following attribute to the controller class:
   [DnnAuthorize(AuthTypes = "JWT")].
   

3. (Optional) Enable Cross-Origin Resource Sharing (CORS) to allow requests from remote JavaScript clients.

   CORS is only required if the access to the Web API is through a web browser. Native mobile or desktop apps do not require CORS.

   Warning: Enabling CORS allows external sites to access your site, making it vulnerable to XSS attacks.

   1. Access the web.config file.

   2. In your web.config file, add the following access control lines inside the <customHeaders/> section:

      <add name="Access-Control-Allow-Origin" value="*" /> 
      <add name="Access-Control-Allow-Headers" value="accept, accept-language, content-type, accept, authorization, moduleid, tabid, x-dnn-moniker" /> 
      <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, HEAD, OPTIONS" />

4. (Optional) Developers: Enable additional logging for advanced debugging, testing, or troubleshooting.

   1. Access the DotNetNuke.log4net.config file.

   2. In your DotNetNuke.log4net.config file, add the following logger lines after the </root> closing tag:

      <!-- The following is required to troubleshoot provider registration issues. -->
          <logger name="DotNetNuke.Web.Api.Auth">
              <level value="TRACE" />
          </logger>
      <!-- The following is required to troubleshoot failing Web API calls. -->
          <logger name="DotNetNuke.Dnn.AuthServices.Jwt">
              <level value="TRACE" />
          </logger>

Parent Topic

• JWT Authentication

Related Information

• JWT User Credentials
• Server Response with JWT
• JWT Access Token
• JWT Page Request
• JWT Authentication Handler
• Accessing web.config and Other Configuration Files
• IETF RFC 7519 (JSON Web Token)
• DNN Presentation: How Evoq Helps You Build Modern Web Applications
• Introduction to JSON Web Tokens

Back to top