JWT Authorization ICON in .NET 10 Issue

Marjan 20 Reputation points
2025-12-15T09:30:53.0633333+00:00

(Moved from: Community Center | Discuss the Q&A site | Site suggestion)

I'm implementing JWT authorization in .NET 10, but I noticed that the [Authorize] attribute and the lock icon are missing. Has anyone encountered this issue, or does anyone have a solution?

    // JWT settings from configuration
    IConfigurationSection? jwtSettings = builder.Configuration.GetSection("JwtSettings");
    // Ensure all required JWT settings are present
    string? secretKey = jwtSettings["SecretKey"] ?? throw new InvalidOperationException("JWT SecretKey is missing.");
    string? issuer = jwtSettings["Issuer"] ?? throw new InvalidOperationException("JWT Issuer is missing.");
    string? audience = jwtSettings["Audience"] ?? throw new InvalidOperationException("JWT Audience is missing.");
    builder.Services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = issuer,
            ValidAudience = audience,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secretKey))
        };
    });
    builder.Services.AddSwaggerGen(c =>
    {
        c.SwaggerDoc("v1", new OpenApiInfo { Title = "My API", Version = "v1" });
        c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
        {
            Description = "Enter 'Bearer {token}'",
            Name = "Authorization",
            In = ParameterLocation.Header,
            Type = SecuritySchemeType.ApiKey,
            Scheme = JwtBearerDefaults.AuthenticationScheme
        });
        c.AddSecurityRequirement(document => new OpenApiSecurityRequirement
        {
            [new OpenApiSecuritySchemeReference(JwtBearerDefaults.AuthenticationScheme, document)] = []
        });
    });
    builder.Services.AddAuthorization();
    var app = builder.Build();
    // Configure the HTTP request pipeline.
    if (app.Environment.IsDevelopment())
    {
        app.MapOpenApi();
        // Enable Swagger UI
        app.UseSwaggerUI(options =>
        {
            options.SwaggerEndpoint("/openapi/v1.json", "OX API v1");
            options.RoutePrefix = "swagger";
        });
    }
    app.UseGetIPAddress();
    app.UseHttpsRedirection();
    app.UseAuthentication();
    app.UseAuthorization();

Developer technologies | .NET | Other

2 answers

  1. Q&A Assist
    2025-12-15T09:31:05.8566667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    It seems you are facing an issue with the [Authorize] attribute and the lock icon not appearing in your .NET 10 application while implementing JWT authorization. Here are a few steps you can take to troubleshoot and potentially resolve the issue:

    1. Ensure Proper Configuration: Double-check your JWT settings in the configuration file to ensure that the SecretKey, Issuer, and Audience are correctly set and being read by your application.
    2. Add Authorization Services: Make sure you have added the authorization services in your Startup.cs or Program.cs file using builder.Services.AddAuthorization(); which you have done correctly.
    3. Check Swagger Configuration: In your Swagger configuration, ensure that the security definition and requirements are set up correctly. It looks like you are using AddSecurityDefinition and AddSecurityRequirement, which is good. Make sure the Scheme matches the one you have set in the authentication options.
    4. Use the [Authorize] Attribute: Ensure that you are applying the [Authorize] attribute to your controllers or actions correctly. For example:
         [Authorize]
         public class MyController : ControllerBase
         {
             // Your actions here
         }
      
    5. Check Middleware Order: The order of middleware in the pipeline is crucial. Ensure that app.UseAuthentication(); is called before app.UseAuthorization(); in your Configure method.
    6. Development Environment: If you are in a development environment, ensure that Swagger UI is correctly set up to display the authorization options. You can check the Swagger UI to see if the Bearer token input field appears.

    If you have checked all these points and the issue persists, consider looking into the console or logs for any errors that might give more insight into what is going wrong.



  2. Adiba Khan 1,600 Reputation points Microsoft External Staff
    2025-12-17T07:24:13.3966667+00:00

    Thank you for sharing the details. Based on the screenshots and configurations, the issue where the authorized button is missing in Swagger UI in .NET 10 is not related to JWT authentication itself, but to Swagger/OpenAPI security configuration changes and how Swagger UI detects them.

    Below is the root cause and supported resolution.

    Root cause

    In .NET 9/10 with Swashbuckle.AspNetCore 7.x+, Swagger UI does not show the authorized icon unless all of the following are true:

    • A valid security definition is registered.
    • A matching security requirement references that definition correctly.
    • The security scheme type is correct for JWT.
    • The OpenAPI security scheme reference is configured using Reference, not a custom constructor.
    • APIs are actually marked with [Authorize] or a global authorization requirement.

    In your current configuration:

    • SecuritySchemeType.ApiKey is used (not recommended for JWT bearer).
    • OpenApiSecuritySchemeReference is incorrectly constructed.
    • Swagger cannot link the definition -> requirement -> UI.

    As a result, Swagger UI hides the Authorize icon.

    Supported Fix

    Correct Swagger JWT Configuration for .NET 10

    Replace your Swagger configuration with the following supported pattern:

    builder.Services.AddSwaggerGen(c =>
    {
        c.SwaggerDoc("v1", new OpenApiInfo
        {
            Title = "My API",
            Version = "v1"
        });
        // HTTP bearer scheme; the Reference Id must match the definition name below
        var securityScheme = new OpenApiSecurityScheme
        {
            Name = "Authorization",
            Description = "Enter 'Bearer {token}'",
            In = ParameterLocation.Header,
            Type = SecuritySchemeType.Http,
            Scheme = "bearer",
            BearerFormat = "JWT",
            Reference = new OpenApiReference
            {
                Type = ReferenceType.SecurityScheme,
                Id = "Bearer"
            }
        };
        c.AddSecurityDefinition("Bearer", securityScheme);
        // Global requirement that references the "Bearer" definition
        c.AddSecurityRequirement(new OpenApiSecurityRequirement
        {
            {
                securityScheme,
                Array.Empty<string>()
            }
        });
    });
    

    Required Middleware Order (critical)

    Ensure middleware is configured in this exact order:

    app.UseSwagger();
    app.UseSwaggerUI();
    
    app.UseHttpsRedirection();
    
    app.UseAuthentication();
    app.UseAuthorization();
    

    Incorrect ordering can prevent Swagger from recognizing secured endpoints.

    Ensure APIs are protected

    Swagger only shows the lock icon if at least one endpoint requires authorization.

    Example:

    [Authorize]
    [HttpGet("secure")]
    public IActionResult SecureEndpoint()
    {
    	return Ok("Authorized");
    }
    
    

    For minimal APIs:

    app.MapGet("/secure", () => "Authorized")
        .RequireAuthorization();
    

    Package Versions (Verified)

    Ensure you are using supported packages:

    <PackageReference Include="Swashbuckle.AspNetCore" Version="7.0.0" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.0-preview.*" />
    

    Please let us know if you require any further assistance; we’re happy to help. If you found this information useful, kindly mark this as "Accept Answer".

    0 comments No comments
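
Added example (not part of the question's project or of either answer): the definition -> requirement linkage discussed in the answer above can be checked directly in the OpenAPI JSON that Swagger UI loads. The function name auditBearerSecurity, the finding labels and both sample documents are constructed for illustration, and an OpenAPI 3.x layout (components.securitySchemes plus security arrays) is assumed.

```javascript
// Added example: audits an OpenAPI 3.x document for the definition -> requirement linkage.
const METHODS = ["get", "put", "post", "delete", "patch", "head", "options", "trace"];

function auditBearerSecurity(doc) {
  const findings = [];
  const schemes = (doc.components && doc.components.securitySchemes) || {};
  const names = Object.keys(schemes);
  if (names.length === 0) findings.push("no-security-definition");

  // JWT bearer is expressed as type "http" with scheme "bearer", not as an apiKey header.
  const hasBearer = names.some(
    (n) => schemes[n].type === "http" && String(schemes[n].scheme).toLowerCase() === "bearer"
  );
  if (names.length > 0 && !hasBearer) findings.push("no-http-bearer-scheme");

  const docLevel = doc.security || [];
  const requirements = [...docLevel];
  const unsecured = [];
  for (const [path, item] of Object.entries(doc.paths || {})) {
    for (const method of METHODS) {
      const op = item[method];
      if (!op) continue;
      if (op.security) requirements.push(...op.security);
      // Operation-level security overrides the document-level list; {} means anonymous allowed.
      const effective = op.security !== undefined ? op.security : docLevel;
      const anonymous = effective.length === 0 || effective.some((r) => Object.keys(r).length === 0);
      if (anonymous) unsecured.push(`${method.toUpperCase()} ${path}`);
    }
  }
  if (requirements.length === 0) findings.push("no-security-requirement");
  // Every requirement key must name a scheme that is actually defined.
  for (const key of new Set(requirements.flatMap((r) => Object.keys(r)))) {
    if (!(key in schemes)) findings.push(`dangling-requirement:${key}`);
  }
  return { findings, unsecured };
}

// Constructed sample documents (not captured from the application in the question).
const apiKeyDoc = {
  components: { securitySchemes: { Bearer: { type: "apiKey", name: "Authorization", in: "header" } } },
  security: [{ Bearer: [] }],
  paths: { "/secure": { get: {} } },
};
const bearerDoc = {
  components: { securitySchemes: { Bearer: { type: "http", scheme: "bearer", bearerFormat: "JWT" } } },
  paths: { "/secure": { get: { security: [{ Bearer: [] }] } }, "/health": { get: {} } },
};
console.log(auditBearerSecurity(apiKeyDoc), auditBearerSecurity(bearerDoc));
```

The unsecured list is the part worth reviewing after any Swagger change: it names every operation the document advertises as callable without a token, which should match the endpoints intentionally left anonymous.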
