UserManager

It's because you're using NullValueHandling = NullValueHandling.Ignore. You're telling the serializer to ignore null values. If you remove it from both the JsonProperty attribute for SAPLogisticId and the JsonSerializerSettings it will work as expected.

You can mock classes with Moq. You just need to create a new Mock with valid constructor parameters. In your case:

To find id of already loggedin user you can use this criteria

Check that the DefaultConnection points to the correct database in appsettings.json AND appsettings.Developer.json if that file exists.

I'm also assuming userManager.CreateAsync works correctly and is just part of AspNetCore.Identity.

My next advice would be to not split your models / data access layer across two projects like this. Instead create a Shared Project and reference your other projects from that.

In Visual Studio, this can be done by right clicking the project, selecting add, choose Project Reference and check the projects to reference.

In here you can manage your entire data access layer (DAL), and reference it in any other projects without need to worry about maintaining it in two locations that might be conflicting.

You can't update the database with your users migration if the database migration records do not match up. You'll need to add the users from the existing location, assuming you're using code first due to the AspNetUser table.

TL;DR Add your data access layer (models, dbContext, migrations etc.) to a C# Shared Project and reference this in your MVC and Web API projects to keep consistency and reduce future work on maintenance.

You have to use Swagger authorization
Add this to your startup.cs

There are a number of ways to do this, I personally assign audit info inside the DbContext.SaveChanges() method, but that's a global approach that's out of scope for this post.

At a fundamental level you need to assign the user before you call SaveChanges() so the following code might work in your case:

However, that always returns me response code 401 without any additional information or exception.

That is because you set ValidateIssuer and ValidateAudience true but there is no Issuer and Audience in the generated token.

One way is that you can set Issuer and Audience in code:

JWTs are self-contained, by-value tokens and it is very hard to revoke them, once issued and delivered to the recipient. Because of that, you should use as short expiration time for your tokens as possible - minutes or hours at maximum. You should avoid giving your tokens expiration times in days or months.

Remember that the exp claim, containing the expiration time, is not the only time-based claim that can be used for verification. The nbf claim contains a “not-before” time. The token should be rejected if the current time is before the time in the nbf claim. Another time-based claim is iat - issued at. You can use this claim to reject tokens which you deem too old to be used with your resource server.

When working with time-based claims remember that server times can differ slightly between different machines. You should consider allowing a clock skew when checking the time-based values. This should be values of a few seconds, and we don’t recommend using more than 30 seconds for this purpose, as this would rather indicate problems with the server, rather than a common clock skew.

Regarding security, jWT security largely depends on how the token is implemented and used. Just because the JWT contains a cryptographic signature, it does not automatically mean that it is secure, or you should blindly trust the token.

You can pay attention to the security standards and security levels of cryptography:

JSON Web Token Best Current Practices and RFC 7518 JSON Web Algorithms (JWA)

Certain characters must be escaped in url, and your verification token contains such characters, however you put it as is into your url here: