Skip to main content

Custom - Token Based Authentication in Web API

Authentication is a vital process in system programming. Authentication means verifying the user who is accessing the system. Today we are using modern devices that have different types of Apps or software and sometimes we directly access the website from browser. To access this application, we probably need to pass our credentials and these systems verify it. If you are valid user then it will allow accessing the system otherwise not.
We have available different types of authentication in .Net programming like Windows Authentication, Forms Authentication, Claim Based Authentication, Token Based Authentication etc. Today we will discuss about Token Based Authentication in detail.
Token Based Authentication is not very different from other authentication mechanism but yes, it is more secure, more reliable and makes your system loosely coupled. It will be a better choice to create REST API using token-based authentication, if your API reached to broad range of devices like mobiles, tablets and traditional desktops.
In token-based authentication, you pass your credentials [user name and password], which go to authentication server. Server verifies your credentials and if it is a valid user then it will return a signed token to client system, which has expiration time. Client can store this token to locally using any mechanism like local storage, session storage etc and if client makes any other call to server for data then it does not need to pass its credentials every time. Client can directly pass token to server, which will be validated by server and if token is valid then you will able to access your data.

Using the code

In this demonstration, we will use Web API as a service and Angular JS as a client. So, let me create dummy database “Test” and two tables “Users” and “Employee” respectively. Users table will store the user related information like name, username and password. Employee table is basically for dummy data. You can use following SQL scripts to generate this database and tables.

SQL
CREATE DATABASE TEST 
GO 
 
USE TEST 
GO 
 
CREATE TABLE Users(Id INT IDENTITY(1,1PRIMARY KEYName varchar(255NOT NULLUserName varchar(50), Password varchar(50)) 
INSERT INTO [TEST].[dbo].[Users](NameUserNamePasswordVALUES('Sachin''sachin''sachin123'); 
 
CREATE TABLE Employees(Id INT IDENTITY(1,1PRIMARY KEYName varchar(255NOT NULLAddress varchar(500))  
INSERT INTO Employees (NameAddressVALUES('John Right''England'INSERT INTO Employees (NameAddressVALUES('Chris Roy''France'INSERT INTO Employees (NameAddressVALUES('Anand Mahajan''Canada'INSERT INTO Employees (NameAddressVALUES('Prince Singh''India')

Move to next and create a service that will implement token-based authentication. So, going to create a Web API project and for client application we will use Angular JS from where we will pass user credentials.
To create Web API project, first open Visual Studio 2015 and go to File menu and select New and then Project. It will open a New Project windows, select Web from Installed Template and then from right pane, choose “Asp.Net Web Application”. Provide the name like “EmployeeService” and click to OK.
Next windows will provide you options to choose web application template. Here you need to choose Web API with No Authentication and click to OK. Therefore, your application is ready to run.
Before moving next, to implement token-based authentication, we have to add following packages as a references from NuGet Package Manager. So, just right click on references in solution and select Manage NuGet Packages. It will open a NuGet Package Manager windows, you can search these packages one by one from search box in Browse tab. Once these packages are able to find out in NuGet click to Install. After Installtion, these packages will be available in references.
  1. Microsoft.Owin
  2. Microsoft.Owin.Host.SystemWeb
  3. Microsoft.Owin.Security.OAuth
  4. Microsoft.Owin.Security
  5. Microsoft.AspNet.Identity.Owin
In this demonstration, we will not use Global.asax file. So, first, delete the Global.asax from solution and add new class “Startup.cs” at the same location of Global.asax file and add following code.

C#
using EmployeeService.Provider; 
using Microsoft.Owin; 
using Microsoft.Owin.Security.OAuth; 
using Owin; 
using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Web; 
using System.Web.Http; 
 
[assembly: OwinStartup(typeof(EmployeeService.Startup))] 
namespace EmployeeService 
{     
    public class Startup 
    { 
        public void ConfigureAuth(IAppBuilder app) 
        { 
            
            var OAuthOptions = new OAuthAuthorizationServerOptions 
            { 
                AllowInsecureHttp = true, 
                TokenEndpointPath = new PathString("/token"), 
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20), 
                Provider = new SimpleAuthorizationServerProvider() 
            }; 
 
            app.UseOAuthBearerTokens(OAuthOptions); 
            app.UseOAuthAuthorizationServer(OAuthOptions); 
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); 
 
            HttpConfiguration config = new HttpConfiguration(); 
            WebApiConfig.Register(config); 
        } 
 
        public void Configuration(IAppBuilder app) 
        { 
            ConfigureAuth(app); 
            GlobalConfiguration.Configure(WebApiConfig.Register); 
        } 
    } 
} 
 
In the above code, you can see, we are using OWIN [Open Web Interface for .Net] that is an interface between your web server and web application. So, it works as a middle ware in applications, which process your incoming request and validate it. Here we are using SimpleAuthorizationServerProvider, which is nothing but a class which validate user based on their credentials. You can find this class code at the last.
Now it’s time to create a model where we can perform database operation like fetching the user information based on credentials and employees data. We can use here different ways to get data like Repository pattern with Unit of work or Dapper. But we want to make this example simple and keep the main focus on Token Based Authentication only. So, right click on solution and Click to Add and then New Item and choose Ado.Net Entity Model.


    This link code helpful for me
    Ref: https://code.msdn.microsoft.com/Token-Based-Authentication-6db2acc9



     using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.OAuth;
    using System.Collections.Generic;
    using System.Linq;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using System.Web.Http.Cors;

     namespace EmployeeService.Provider
    {
        [EnableCors(origins: "*", headers: "*", methods: "*")]
        public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
        {
            public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
            {
                context.Validated(); // 
            }

             public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
            {
                var identity = new ClaimsIdentity(context.Options.AuthenticationType);
                context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });

                 using (var db = new TESTEntities())
                {
                    if (db != null)
                    {
                        var empl = db.Employees.ToList();
                        var user = db.Users.ToList();
                        if (user != null)
                        {
                            if (!string.IsNullOrEmpty(user.Where(u => u.UserName == context.UserName && u.Password == context.Password).FirstOrDefault().Name))
                            {
                                identity.AddClaim(new Claim("Age", "16"));

                                 var props = new AuthenticationProperties(new Dictionary<string, string>
                                {
                                    {
                                        "userdisplayname", context.UserName
                                    },
                                    {
                                         "role", "admin"
                                    }
                                 });

                                 var ticket = new AuthenticationTicket(identity, props);
                                context.Validated(ticket);                           
                            }
                            else
                            {
                                context.SetError("invalid_grant", "Provided username and password is incorrect");
                                context.Rejected();
                            }
                        }
                    }
                    else
                    {
                        context.SetError("invalid_grant", "Provided username and password is incorrect");
                        context.Rejected();
                    }
                    return;
                }
            }
        }
    }

     using System.Collections.Generic;
    using System.Linq;
    using System.Web.Http;

     namespace EmployeeService.Controllers
    {
        public class EmployeeController : ApiController
        {
            [HttpGet]
            [Authorize]        
            public List<Employee> GetEmployees()
            {
                using (var db = new TESTEntities())
                {
                    var employees = db.Employees.ToList();
                    return employees;
                }
            }
        }
    }

    using EmployeeService.Provider;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.OAuth;
    using Owin;
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Http;

     [assembly: OwinStartup(typeof(EmployeeService.Startup))]
    namespace EmployeeService
    {    
        public class Startup
        {
            public void ConfigureAuth(IAppBuilder app)
            {
               
                var OAuthOptions = new OAuthAuthorizationServerOptions
                {
                    AllowInsecureHttp = true,
                    TokenEndpointPath = new PathString("/token"),
                    AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
                    Provider = new SimpleAuthorizationServerProvider()
                };

                 app.UseOAuthBearerTokens(OAuthOptions);
                app.UseOAuthAuthorizationServer(OAuthOptions);
                app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

                 HttpConfiguration config = new HttpConfiguration();
                WebApiConfig.Register(config);
            }

             public void Configuration(IAppBuilder app)
            {
                ConfigureAuth(app);
                GlobalConfiguration.Configure(WebApiConfig.Register);
            }
        }
    }


    Labels:

    Comments

    Post a Comment

    Popular posts from this blog

    Tip/Trick: Fix Common SEO Problems Using the URL Rewrite Extension

    Search engine optimization (SEO) is important for any publically facing web-site.  A large % of traffic to sites now comes directly from search engines, and improving your site’s search relevancy will lead to more users visiting your site from search engine queries.  This can directly or indirectly increase the money you make through your site. This blog post covers how you can use the free Microsoft  URL Rewrite Extension  to fix a bunch of common SEO problems that your site might have.  It takes less than 15 minutes (and no code changes) to apply 4 simple  URL Rewrite  rules to your site, and in doing so cause search engines to drive more visitors and traffic to your site.  The techniques below work equally well with both ASP.NET Web Forms and ASP.NET MVC based sites.  They also works with all versions of ASP.NET (and even work with non-ASP.NET content). [In addition to blogging, I am also now using Twitter for quick updates and to sh...
    Post a Comment
    Read more

    ASP.NET MVC - Set custom IIdentity or IPrincipal

    Here's how I do it. I decided to use IPrincipal instead of IIdentity because it means I don't have to implement both IIdentity and IPrincipal. Create the interface interface ICustomPrincipal : IPrincipal { int UserId { get ; set ; } string FirstName { get ; set ; } string LastName { get ; set ; } } CustomPrincipal public class CustomPrincipal : ICustomPrincipal { public IIdentity Identity { get ; private set ; } public bool IsInRole ( string role ) { return false ; } public CustomPrincipal ( string email ) { this . Identity = new GenericIdentity ( email ); } public int UserId { get ; set ; } public string FirstName { get ; set ; } public string LastName { get ; set ; } } CustomPrincipalSerializeModel - for serializing custom information into userdata field in FormsAuthenticationTicket object. public class CustomPrincipalSerializeMode...
    8 comments
    Read more

    linq orderby multiple columns dynamically

    So, it's been a while, but I thought I take moment and do my annual blog post ;). I've been playing around with  ASP.NET MVC  and the Linq stuff for  NHibernate  recently. I was in need of an OrderBy extension method that could take a SQL-Like OrderBy string and sort a IQueryable<> or IEnumerable<> collection. I wrote up an implementation that worked, but I just wasn't satisfied with its internals (quite a bit of reflection to get the correct type to construct a LambdaExpression, etc) At any rate, I couldn't leave well enough alone, and, after a bit of Googling, I ran across this  StackOverflow  answer about Dynamic LINQ OrderBy . The extension method wasn't exactly what I was looking for, but that ApplyOrder method is slick, and solved the portion of my implementation that was bothering me. So, I though I would post up my version in case anybody finds it useful. It handles the following inputs: list.OrderBy( "SomeProperty" ); list.Ord...
    2 comments
    Read more