The authentication and authorization flow

Before we start to delve into the code, I want to present a short overview of the end-to-end authentication and authorization flow the user will have with the web application we are building.

Here is a sequence diagram that shows the entire flow:

I've added a new controller whose responsibility is to deal with all the user account operations, such as registration, login, and so on. The AccountController uses the UserManager and SignInManager classes from the ASP.NET Core identity infrastructure. These classes encapsulate all the sensitive user management operations and create the necessary separation between our code and the IdentityDbContext.
The flow is separated into three parts:

  1. Registration: The user registers with the application using a username (an email address, in our case) and a password. The system validates the details, ensures that the username is not already taken, and stores the information securely.
  2. Login: The user signs in with the username and password. The system validates the credentials and returns a JWT that carries the user's claims.
  3. Authorizing requests: With each request, the user agent (the browser, for example) sends the token in the Authorization header. The system decodes and validates the token, then sets the user in the identity infrastructure. The authorization code runs against the User claims, and if the user is authorized, the request is fulfilled.
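The three steps above, written out as an added example (not the book's own code): an `AccountController` that registers a user through `UserManager`, checks the password through `SignInManager` and issues an HMAC-signed JWT, plus the `AddJwtBearer` configuration that validates that token on every request before `[Authorize]` runs. The request models, the `Jwt:Key`, `Jwt:Issuer` and `Jwt:Audience` configuration keys, and the 30-minute lifetime are assumptions made for this example.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Request bodies for the two anonymous endpoints (assumed shapes, not from the book).
public class RegisterModel { public string Email { get; set; } public string Password { get; set; } }
public class LoginModel { public string Email { get; set; } public string Password { get; set; } }

[ApiController]
[Route("api/[controller]")]
public class AccountController : ControllerBase
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly IConfiguration _config;

    public AccountController(UserManager<IdentityUser> userManager,
                             SignInManager<IdentityUser> signInManager,
                             IConfiguration config)
    {
        _userManager = userManager;
        _signInManager = signInManager;
        _config = config;
    }

    // Step 1: registration. UserManager applies the configured password policy,
    // rejects a duplicate username and persists the password as a hash.
    [HttpPost("register")]
    [AllowAnonymous]
    public async Task<IActionResult> Register([FromBody] RegisterModel model)
    {
        var user = new IdentityUser { UserName = model.Email, Email = model.Email };
        var result = await _userManager.CreateAsync(user, model.Password);
        return result.Succeeded ? Ok() : BadRequest(result.Errors);
    }

    // Step 2: login. The password is checked through SignInManager so that
    // lockout counting applies; on success a JWT carrying the user's claims is returned.
    [HttpPost("login")]
    [AllowAnonymous]
    public async Task<IActionResult> Login([FromBody] LoginModel model)
    {
        var user = await _userManager.FindByNameAsync(model.Email);
        if (user == null) return Unauthorized();              // same response as a bad password

        var check = await _signInManager.CheckPasswordSignInAsync(user, model.Password, lockoutOnFailure: true);
        if (!check.Succeeded) return Unauthorized();

        return Ok(new { token = CreateJwt(user) });
    }

    // Step 3 (the protected side): the bearer middleware has already validated the
    // token and populated User, so [Authorize] alone decides whether this runs.
    [HttpGet("me")]
    [Authorize]
    public IActionResult Me() => Ok(new { name = User.Identity.Name });

    private string CreateJwt(IdentityUser user)
    {
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, user.Id),
            new Claim(JwtRegisteredClaimNames.UniqueName, user.UserName),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
        };
        // Jwt:Key is an assumed configuration entry; it must be a long random secret kept out of source control.
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"]));
        var token = new JwtSecurityToken(
            issuer: _config["Jwt:Issuer"],
            audience: _config["Jwt:Audience"],
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(30),          // short lifetime limits the damage of a leaked token
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

// Step 3 (validation side), called from Startup.ConfigureServices. Every validation
// switch is on, so a token with a wrong issuer, audience, signature or an expired
// lifetime is rejected before the controller is reached.
public static class JwtSetup
{
    public static void AddJwtAuthentication(IServiceCollection services, IConfiguration config)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ValidIssuer = config["Jwt:Issuer"],
                    ValidAudience = config["Jwt:Audience"],
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["Jwt:Key"])),
                    ClockSkew = TimeSpan.Zero   // default allows 5 minutes past expiry; tighten it
                };
            });
    }
}
```

`Login` returns the same `401` whether the username is unknown or the password is wrong, so the endpoint does not reveal which accounts exist, and `lockoutOnFailure: true` lets the Identity lockout policy throttle repeated guesses. The `ClockSkew` override is worth knowing about: without it, a token is still accepted for five minutes after its `exp` claim.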

With the flow in place, we can start to implement the pieces the flow is made of.
