Simple Authentication and Authorisation in ASP.NET Core Web API

Photo by rawpixel on Unsplash
  • Visual Studio Code (my favourite code editor)
  • SQL Server (it was run inside a Docker container because the sample app was built in macOS)
  • EntityFramework Core (a good ORM that came with ASP.NET Core)

How the Simple Authentication and Authorisation Works

With authentication and authorisation implemented, my sample ASP.NET Core Web API app only accepts HTTP request with valid JSON web token (JWT). A database table is used to store the list of approved users.

  1. A client app sends an HTTP request to the sample app which resides in a server to authenticate the user.
  2. The sample app uses the data received to check if there is a matching entry in the database. If there is a matching user in the database, the app will send a message with an OK result and a JSON web token (JWT) back to the client app. The JWT also includes various claims which can be used to determine the user permission to certain endpoints.
  3. After receiving the JWT, the client app will include this token in the header of each subsequent HTTP request to the sample app.

Steps to Implement Authentication

Doesn’t it look easy? It is indeed not difficult to implement the above-mentioned mechanism in a Web API app. The steps I have taken to create this sample app is shown below.

Step 1: Add User table in database

First, we need a database to store the information of permitted users. Here I used EntityFramework Core to add a table called User in my SQL Server database with a couple of simple steps:

  1. Create a domain class User with some properties such as UserName , Password, and Token.
  2. Use the bash commands dotnet ef migrations add [migration name]and dotnet ef database updateto create the table in the database. After the database is created using the migrations, I then seeded the Users table with some entries.

Step 2: Get Secret key and prepare authentication at StartUp class

A secret key is used to encrypt the JWT. It can be stored inside our appsettings.json file. We need to retrieve this value in our application. To achieve this, I made use of the Configuration class. First I created a IdentitySettings domain model with a single propertySecret:

public class IdentitySettings
{
public string Secret { get; set; }
}
"IdentitySettings":{
"Secret":"THIS IS A SECRET KEY"
},
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
...
app.UseAuthentication();
...
}

Step 3: Implementing AuthService

I created a new interface IAuthService and implement it with AuthService:

Step 4: Listen to authentication request in UsersController

Since this sample app follows an MVC architecture pattern, a controller was used to ensure the request was received and directed to appropriate services. In my case, a UserController was used to listen to this request and AuthService was used to get the job done.

[Authorize]
[Route("/api/users")]
public class UsersController : Controller
{
...
[AllowAnonymous]
[HttpPost("auth")]
public IActionResult Authenticate([FromBody] User user)
{
var validUser = authService.Authenticate(user.UserName);
if(validUser == null)
return BadRequest();
return Ok(validUser);
}
}

Step 5: Authorisation and claims

To this stage, the authentication is considered done. Controller or endpoints can now be protected from invalid or unregconised users. Optionally, we could make this app better by adding the customised authorisation. For example, only user with role as admin could work with the DocumentsController. In my sample app, I used claim-based authorisation for HTTP requests:

[Authorize("IsAdmin")]
[Route("api/documents")]
public class DocumentsController : Controller
{
...
}
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthorization(options =>
{
options.AddPolicy("IsAdmin", policy =>
{
policy.RequireClaim(ClaimTypes.Role, "admin");
});
});
}
var tokenDescriptor = new SecurityTokenDescriptor
{
...
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.Role, user.Role)
}
...
}

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Teng Wei Song

Teng Wei Song

My journey as a self-taught developer. Feel free to drop by my online profile at tengweisong.com as well!