The latest articles on DEV Community by Dor Danai (@karnafun). https://dev.to/karnafun https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3597343%2Feba2c378-2a91-44d6-815a-76caa4e16755.png https://dev.to/karnafun en Dor Danai Sun, 09 Nov 2025 12:04:19 +0000 https://dev.to/karnafun/building-a-secure-stripe-checkout-integration-with-aspnet-core-and-webhook-handling-ga3 https://dev.to/karnafun/building-a-secure-stripe-checkout-integration-with-aspnet-core-and-webhook-handling-ga3 <h2> Intro </h2> <p>This demo shows how to integrate Stripe Checkout with ASP.NET Core. We handle the complete payment flow including session creation, webhook processing, and race condition management between client callbacks and server notifications.</p> <p>Why this matters: Stripe webhooks and client callbacks can arrive in any order. Your system needs to handle this race condition safely. This demo shows atomic state transitions and proper webhook verification for production-grade payment processing.</p> <p><em>(This demo simplifies some production implementations, explained in detail at the end.)</em></p> <h2> Project / Setup Overview </h2> <p>The project contains a single ASP.NET Core application running on <code>https://localhost:5001</code>.</p> <p>Folder Structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>stripe-checkout-aspnet-demo/ ├── Controllers/ │ ├── CheckoutController.cs # Creates Stripe sessions │ ├── CallbackController.cs # Handles success redirect │ └── WebhookController.cs # Processes Stripe webhooks ├── Services/ │ ├── ProductService.cs # Maps products to Stripe prices │ └── OrderService.cs # Business logic for orders ├── Repositories/ │ └── OrderRepository.cs # Order state management ├── Contracts/ │ ├── Enums.cs # OrderStatus enum │ └── CreateCheckoutSessionRequest.cs └── wwwroot/ └── checkout.html # Test checkout form </code></pre> </div> <p><strong>Endpoints:</strong></p> <ul> <li> <code>POST /api/checkout/create-session</code> – Creates Stripe Checkout session, registers order as Pending</li> <li> <code>GET /success</code> – Client redirect handler, updates order to Confirmed</li> <li> <code>POST /stripe-webhook</code> – Stripe server notification, finalizes order as Fulfilled</li> </ul> <p><strong>Order States:</strong></p> <ul> <li> <strong>Pending</strong> – Initial state after session creation</li> <li> <strong>Confirmed</strong> – Set when user returns from Stripe</li> <li> <strong>Fulfilled</strong> – Set by webhook, may skip Confirmed if webhook arrives first</li> <li> <strong>Failed</strong> – Reserved for unexpected database errors (should not occur in this demo)</li> </ul> <h2> How It Works </h2> <h3> Session Creation </h3> <p>The frontend calls <code>/api/checkout/create-session</code> with <code>ItemId</code> and <code>Quantity</code>. The backend maps the item to a Stripe Price ID on the server side. This prevents price tampering since clients never see the actual price.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">CreateCheckoutSessionRequest</span> <span class="p">{</span> <span class="p">[</span><span class="nf">Required</span><span class="p">(</span><span class="n">ErrorMessage</span> <span class="p">=</span> <span class="s">"Item ID must be provided."</span><span class="p">)]</span> <span class="k">public</span> <span class="n">required</span> <span class="kt">string</span> <span class="n">ItemId</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="p">[</span><span class="nf">Range</span><span class="p">(</span><span class="m">1</span><span class="p">,</span> <span class="m">100</span><span class="p">,</span> <span class="n">ErrorMessage</span> <span class="p">=</span> <span class="s">"Quantity must be between 1 and 100."</span><span class="p">)]</span> <span class="k">public</span> <span class="kt">long</span> <span class="n">Quantity</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The server registers the order as Pending and creates a Stripe session. The session URL redirects users to Stripe's hosted checkout page.</p> <h3> Payment Process </h3> <p>After payment, Stripe performs two actions:</p> <ul> <li>Redirects the browser to <code>/success</code> </li> <li>Sends a webhook to <code>/stripe-webhook</code> </li> </ul> <p>These can arrive in any order. The webhook might arrive before the redirect, or vice versa.</p> <h3> Race Condition Handling </h3> <p>Both endpoints attempt to update order state. The <code>OrderRepository</code> uses <code>ConcurrentDictionary.TryUpdate</code> for atomic transitions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="kt">bool</span> <span class="nf">TryUpdateStatus</span><span class="p">(</span><span class="kt">string</span> <span class="n">orderId</span><span class="p">,</span> <span class="n">OrderStatus</span> <span class="n">currentStatus</span><span class="p">,</span> <span class="n">OrderStatus</span> <span class="n">newStatus</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">_orderStatuses</span><span class="p">.</span><span class="nf">TryUpdate</span><span class="p">(</span><span class="n">orderId</span><span class="p">,</span> <span class="n">newStatus</span><span class="p">,</span> <span class="n">currentStatus</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The <code>/success</code> endpoint tries: Pending → Confirmed</p> <p>The webhook tries two transitions:</p> <ol> <li>Pending → Fulfilled (if webhook arrives first)</li> <li>Confirmed → Fulfilled (if redirect arrived first) </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="kt">bool</span> <span class="nf">TryFulfillOrder</span><span class="p">(</span><span class="kt">string</span> <span class="n">orderId</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Try to transition from PENDING -&gt; FULFILLED</span> <span class="k">if</span> <span class="p">(</span><span class="n">_orderRepository</span><span class="p">.</span><span class="nf">TryUpdateStatus</span><span class="p">(</span><span class="n">orderId</span><span class="p">,</span> <span class="n">OrderStatus</span><span class="p">.</span><span class="n">Pending</span><span class="p">,</span> <span class="n">OrderStatus</span><span class="p">.</span><span class="n">Fulfilled</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="k">true</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// If that failed, try to transition from CONFIRMED -&gt; FULFILLED</span> <span class="k">if</span> <span class="p">(</span><span class="n">_orderRepository</span><span class="p">.</span><span class="nf">TryUpdateStatus</span><span class="p">(</span><span class="n">orderId</span><span class="p">,</span> <span class="n">OrderStatus</span><span class="p">.</span><span class="n">Confirmed</span><span class="p">,</span> <span class="n">OrderStatus</span><span class="p">.</span><span class="n">Fulfilled</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="k">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="k">false</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Whichever arrives first locks in the state. The second arrival safely fails the transition and logs appropriately.</p> <h3> Webhook Verification </h3> <p>The webhook controller verifies Stripe's signature before processing events. This prevents unauthorized webhook calls.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="p">[</span><span class="n">HttpPost</span><span class="p">]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">Index</span><span class="p">()</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">json</span> <span class="p">=</span> <span class="k">await</span> <span class="k">new</span> <span class="nf">StreamReader</span><span class="p">(</span><span class="n">HttpContext</span><span class="p">.</span><span class="n">Request</span><span class="p">.</span><span class="n">Body</span><span class="p">).</span><span class="nf">ReadToEndAsync</span><span class="p">();</span> <span class="kt">var</span> <span class="n">stripeEvent</span> <span class="p">=</span> <span class="n">EventUtility</span><span class="p">.</span><span class="nf">ConstructEvent</span><span class="p">(</span> <span class="n">json</span><span class="p">,</span> <span class="n">Request</span><span class="p">.</span><span class="n">Headers</span><span class="p">[</span><span class="s">"Stripe-Signature"</span><span class="p">],</span> <span class="n">_webhookSecret</span> <span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">stripeEvent</span><span class="p">.</span><span class="n">Type</span> <span class="p">==</span> <span class="s">"checkout.session.completed"</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">session</span> <span class="p">=</span> <span class="n">stripeEvent</span><span class="p">.</span><span class="n">Data</span><span class="p">.</span><span class="n">Object</span> <span class="k">as</span> <span class="n">Session</span><span class="p">;</span> <span class="kt">string</span> <span class="n">orderId</span> <span class="p">=</span> <span class="n">session</span><span class="p">.</span><span class="n">Metadata</span><span class="p">.</span><span class="nf">GetValueOrDefault</span><span class="p">(</span><span class="s">"internal_order_id"</span><span class="p">,</span> <span class="s">"Unknown"</span><span class="p">);</span> <span class="kt">bool</span> <span class="n">fulfilled</span> <span class="p">=</span> <span class="n">_orderService</span><span class="p">.</span><span class="nf">TryFulfillOrder</span><span class="p">(</span><span class="n">orderId</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">fulfilled</span><span class="p">)</span> <span class="p">{</span> <span class="n">_logger</span><span class="p">.</span><span class="nf">LogInformation</span><span class="p">(</span><span class="s">"Order {OrderId} fulfilled successfully."</span><span class="p">,</span> <span class="n">orderId</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">_logger</span><span class="p">.</span><span class="nf">LogWarning</span><span class="p">(</span><span class="s">"Order {OrderId} fulfillment skipped (already fulfilled)."</span><span class="p">,</span> <span class="n">orderId</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h3> Dependency Injection </h3> <p>Services and repositories are registered in <code>Program.cs</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="c1">// Register services and repositories</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="n">AddSingleton</span><span class="p">&lt;</span><span class="n">OrderRepository</span><span class="p">&gt;();</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="n">AddScoped</span><span class="p">&lt;</span><span class="n">OrderService</span><span class="p">&gt;();</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="n">AddSingleton</span><span class="p">&lt;</span><span class="n">ProductService</span><span class="p">&gt;();</span> </code></pre> </div> <p>Note: <code>OrderRepository</code> uses Singleton lifetime because the in-memory dictionary must be shared across requests. In production with a real database, use Scoped lifetime to match DbContext lifecycle.</p> <h2> Demo / Usage </h2> <h3> Step 1: Configure Stripe Keys </h3> <p>Add your Stripe keys to <code>appsettings.json</code> or use .NET Secret Manager:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"Stripe"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"SecretKey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sk_test_..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"WebhookSecret"</span><span class="p">:</span><span class="w"> </span><span class="s2">"whsec_..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Get your webhook signing secret using Stripe CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>stripe listen <span class="nt">--forward-to</span> https://localhost:5001/stripe-webhook </code></pre> </div> <p>The output shows your webhook secret:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; Ready! You are using Stripe API Version [2025-10-29.clover]. Your webhook signing secret is whsec_... (^C to quit) </code></pre> </div> <p>Copy the <code>whsec_</code> value to your configuration.</p> <p>Learn more: <a href="https://stripe.com/docs/stripe-cli/webhooks" rel="noopener noreferrer">Listening to webhooks with Stripe CLI</a></p> <h3> Step 2: Define Product Mapping </h3> <p>In <code>ProductService.cs</code>, map your internal product IDs to Stripe Price IDs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">private</span> <span class="k">readonly</span> <span class="n">Dictionary</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">,</span> <span class="kt">string</span><span class="p">&gt;</span> <span class="n">SecurePriceMap</span> <span class="p">=</span> <span class="k">new</span><span class="p">()</span> <span class="p">{</span> <span class="p">{</span> <span class="s">"premium_product_demo"</span><span class="p">,</span> <span class="s">"price_1ABC..."</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p><strong>Important:</strong> Stripe Price IDs are account-specific. Create your own products and prices in the Stripe Dashboard, then use those Price IDs here.</p> <h3> Step 3: Run the Project </h3> <p>Start the application and navigate to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://localhost:5001/checkout.html </code></pre> </div> <p>Click <strong>Proceed to Checkout</strong>. You'll be redirected to Stripe's hosted checkout page.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faq591u4wu0rwctgy548u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faq591u4wu0rwctgy548u.png" alt="Checkout Button" width="456" height="61"></a></p> <h3> Step 4: Complete Payment </h3> <p>Use Stripe's test card number: <code>4242 4242 4242 4242</code></p> <ul> <li>Any future expiry date</li> <li>Any 3-digit CVC</li> <li>Any ZIP code</li> </ul> <p>After payment, observe the console output showing state transitions:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foxk8rn2c9qqezip251ut.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foxk8rn2c9qqezip251ut.png" alt="Console Log" width="800" height="156"></a></p> <p>The Stripe CLI also shows webhook delivery:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs5a4c562eptq2d056wpb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs5a4c562eptq2d056wpb.png" alt="Stripe Webhook" width="800" height="219"></a><br> You'll be redirected to <code>/success</code> with a JSON response showing the final order state.</p> <h2> Next Steps / Extensions </h2> <ul> <li>Replace <code>OrderRepository</code> in-memory storage with Entity Framework Core or Dapper backed by SQL Server or PostgreSQL.</li> <li>Implement retry logic for webhook processing using Polly or similar libraries.</li> <li>Track processed Stripe Event IDs in the database to ensure idempotency.</li> <li>Replace console logging with Serilog or another production logger.</li> <li>Add customer email notifications using SendGrid or similar services.</li> <li>Implement comprehensive error handling and monitoring with Application Insights or Sentry.</li> <li>Add unit tests for order state transitions and webhook handling.</li> </ul> <h2> Production Notes / Limitations </h2> <p><strong>In-Memory Storage:</strong> <code>OrderRepository</code> uses <code>ConcurrentDictionary</code> to simulate database persistence. This data disappears when the application restarts. Production systems need Entity Framework Core, Dapper, or another data access layer backed by a real database.</p> <p><strong>Singleton Lifetime:</strong> <code>OrderRepository</code> is registered as Singleton because the in-memory dictionary must be shared across all requests. With a real database, use Scoped lifetime to match DbContext lifecycle and ensure proper transaction boundaries.</p> <p><strong>Idempotency:</strong> Production systems must track processed Stripe Event IDs to prevent duplicate fulfillment. Stripe may send the same webhook multiple times. Store event IDs in your database and skip already-processed events.</p> <p><strong>Security:</strong> Always verify webhook signatures using <code>EventUtility.ConstructEvent</code>. Never process webhooks without signature verification. Use HTTPS for webhook endpoints in production.</p> <p><strong>Error Handling:</strong> Implement comprehensive logging for all state transitions. Monitor webhook processing failures and set up alerts. Implement retry logic for transient failures.</p> <p><strong>Testing:</strong> Stripe provides test mode for development. Use different API keys for test and production environments. Never expose secret keys in client-side code or public repositories.</p> <p>This demo serves as an educational foundation rather than production-ready code. It demonstrates proper architectural patterns and race condition handling, but requires additional hardening for production use.</p> <h2> TL;DR </h2> <p>Stripe Checkout integration with ASP.NET Core showing proper webhook handling and race condition management. The demo uses atomic state transitions to handle asynchronous payment flows safely. Webhooks and client callbacks can arrive in any order, and the system handles both scenarios correctly.</p> <p>GitHub Repository: <a href="https://github.com/karnafun/stripe-checkout-aspnet-demo" rel="noopener noreferrer">https://github.com/karnafun/stripe-checkout-aspnet-demo</a></p> <p>Looking for help integrating payment systems or building secure APIs? <a href="https://www.fiverr.com/s/NNKV0VG" rel="noopener noreferrer">Hire me</a></p> <p>Backend engineer &amp; API integrator. Building secure, scalable APIs with .NET.</p> dotnet csharp stripe webhooks Dor Danai Thu, 06 Nov 2025 18:45:42 +0000 https://dev.to/karnafun/building-an-oauth2-protected-api-with-c-identityserver-and-aspnet-core-23g2 https://dev.to/karnafun/building-an-oauth2-protected-api-with-c-identityserver-and-aspnet-core-23g2 <h2> Intro </h2> <p>This demo demonstrates protecting an ASP.NET Core API with OAuth2 and JWT tokens. We use Duende IdentityServer as the authorization server. The API validates tokens and allows only authenticated requests.</p> <p><strong>Why this matters:</strong> OAuth2 is the standard for securing APIs. Understanding token-based authentication helps you build production-ready applications. This setup shows the complete flow from token request to protected endpoint access.</p> <h2> Project / Setup Overview </h2> <p>The solution contains two projects:</p> <ol> <li> <strong>IdentityServer</strong> – Issues OAuth2 tokens</li> <li> <strong>ApiDemo</strong> – Protected API that validates JWT tokens</li> </ol> <p><strong>Folder Structure:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CSharp-API-OAuth2-Demo/ ├── IdentityServer/ │ ├── Config.cs # Client, scope, and resource definitions │ ├── Users.cs # Test user credentials │ ├── Program.cs # IdentityServer setup │ └── wwwroot/ │ └── test-token.html # Token request form └── ApiDemo/ ├── Controllers/ │ └── UsersController.cs # Protected endpoint ├── Configuration/ │ └── IdentityServerOptions.cs # Strongly-typed config └── Program.cs # API with JWT validation </code></pre> </div> <p><strong>Endpoints:</strong></p> <ul> <li> <code>POST /connect/token</code> (IdentityServer) – Request access token</li> <li> <code>GET /Users</code> (ApiDemo) – Protected endpoint requiring a valid token</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1z886rvx7qfjtpq4jbz2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1z886rvx7qfjtpq4jbz2.png" alt="Visual Studio solution showing IdentityServer (authorization server) and ApiDemo (protected API) projects side by side" width="345" height="68"></a></p> <h2> How It Works </h2> <h3> IdentityServer Configuration </h3> <p>IdentityServer defines clients, scopes, and resources. Clients represent applications that request tokens. Scopes define what the token allows. Resources are the APIs being protected.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">static</span> <span class="n">IEnumerable</span><span class="p">&lt;</span><span class="n">Client</span><span class="p">&gt;</span> <span class="n">Clients</span> <span class="p">=&gt;</span> <span class="k">new</span> <span class="n">List</span><span class="p">&lt;</span><span class="n">Client</span><span class="p">&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="n">Client</span> <span class="p">{</span> <span class="n">ClientId</span> <span class="p">=</span> <span class="s">"demo-client"</span><span class="p">,</span> <span class="n">AllowedGrantTypes</span> <span class="p">=</span> <span class="n">GrantTypes</span><span class="p">.</span><span class="n">ResourceOwnerPassword</span><span class="p">,</span> <span class="n">ClientSecrets</span> <span class="p">=</span> <span class="p">{</span> <span class="k">new</span> <span class="nf">Secret</span><span class="p">(</span><span class="s">"demo-secret"</span><span class="p">.</span><span class="nf">Sha256</span><span class="p">())</span> <span class="p">},</span> <span class="n">AllowedScopes</span> <span class="p">=</span> <span class="p">{</span> <span class="s">"api.read"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p><strong>Note:</strong> Resource Owner Password grant is simple for demos. It allows direct username/password exchange for tokens. Production systems should use Authorization Code with PKCE for better security.</p> <p>The API resource defines the audience that tokens are issued for:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">new</span> <span class="nf">ApiResource</span><span class="p">(</span><span class="s">"api-demo"</span><span class="p">,</span> <span class="s">"API Demo"</span><span class="p">)</span> <span class="p">{</span> <span class="n">Scopes</span> <span class="p">=</span> <span class="p">{</span> <span class="s">"api.read"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> API Token Validation </h3> <p>The API validates incoming JWT tokens using the <code>JwtBearer</code> authentication scheme. It checks the token signature against IdentityServer's public key and validates the audience to ensure the token was issued for this API.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddAuthentication</span><span class="p">(</span><span class="s">"Bearer"</span><span class="p">)</span> <span class="p">.</span><span class="nf">AddJwtBearer</span><span class="p">(</span><span class="s">"Bearer"</span><span class="p">,</span> <span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="n">Authority</span> <span class="p">=</span> <span class="n">authority</span><span class="p">;</span> <span class="c1">// IdentityServer URL</span> <span class="n">options</span><span class="p">.</span><span class="n">TokenValidationParameters</span> <span class="p">=</span> <span class="k">new</span> <span class="n">TokenValidationParameters</span> <span class="p">{</span> <span class="n">ValidateAudience</span> <span class="p">=</span> <span class="k">true</span><span class="p">,</span> <span class="n">ValidAudience</span> <span class="p">=</span> <span class="s">"api-demo"</span> <span class="p">};</span> <span class="p">});</span> </code></pre> </div> <p><strong>Configuration validation:</strong> The Authority URL comes from <code>appsettings.json</code>. Validation at startup ensures required settings are present:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="n">AddOptions</span><span class="p">&lt;</span><span class="n">IdentityServerOptions</span><span class="p">&gt;()</span> <span class="p">.</span><span class="nf">Bind</span><span class="p">(</span><span class="n">builder</span><span class="p">.</span><span class="n">Configuration</span><span class="p">.</span><span class="nf">GetSection</span><span class="p">(</span><span class="s">"IdentityServer"</span><span class="p">))</span> <span class="p">.</span><span class="nf">ValidateDataAnnotations</span><span class="p">()</span> <span class="p">.</span><span class="nf">Validate</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">!</span><span class="kt">string</span><span class="p">.</span><span class="nf">IsNullOrWhiteSpace</span><span class="p">(</span><span class="n">options</span><span class="p">.</span><span class="n">Authority</span><span class="p">),</span> <span class="s">"IdentityServer:Authority configuration value is required."</span><span class="p">)</span> <span class="p">.</span><span class="nf">ValidateOnStart</span><span class="p">();</span> </code></pre> </div> <h3> Protected Endpoint </h3> <p>Controllers use the <code>[Authorize]</code> attribute to require authentication:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="p">[</span><span class="n">HttpGet</span><span class="p">]</span> <span class="p">[</span><span class="n">Authorize</span><span class="p">]</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">Get</span><span class="p">()</span> <span class="p">=&gt;</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">new</span> <span class="n">List</span><span class="p">&lt;</span><span class="kt">object</span><span class="p">&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="p">{</span> <span class="n">Name</span> <span class="p">=</span> <span class="s">"Demo User"</span><span class="p">,</span> <span class="n">Role</span> <span class="p">=</span> <span class="s">"Admin"</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <ul> <li>Without a valid token: <strong>401 Unauthorized</strong> </li> <li>With a valid token: returns user data</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fog1mktwusuqvudbe2ids.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fog1mktwusuqvudbe2ids.png" alt="Token request form showing username, password, client credentials, and scope fields" width="475" height="699"></a></p> <h2> Demo / Usage </h2> <h3> Step 1: Start Both Projects </h3> <p>Run IdentityServer on <code>https://localhost:5001</code> and ApiDemo on <code>https://localhost:5002</code>. Both projects enforce HTTPS redirection.</p> <h3> Step 2: Request a Token </h3> <p>Navigate to <code>https://localhost:5001/test-token.html</code>. The form is pre-filled with demo credentials:</p> <ul> <li> <strong>Username:</strong> <code>demo</code> </li> <li> <strong>Password:</strong> <code>password</code> </li> <li> <strong>Client ID:</strong> <code>demo-client</code> </li> <li> <strong>Client Secret:</strong> <code>demo-secret</code> </li> <li> <strong>Scope:</strong> <code>api.read</code> </li> </ul> <p>Click <strong>Get Token</strong>. The response contains an <code>access_token</code> field. Copy this token.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3xko42vj4arti9gi7h81.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3xko42vj4arti9gi7h81.png" alt="Token response showing JSON with raw `access_token` endraw field" width="800" height="136"></a></p> <h3> Step 3: Call the Protected API </h3> <p>Use the token in the Authorization header. <strong>Format:</strong> <code>Bearer &lt;your-token&gt;</code></p> <p><strong>Using Swagger:</strong></p> <ol> <li>Open <code>https://localhost:5002/swagger</code> </li> <li>Click <strong>Authorize</strong> </li> <li>Enter <code>Bearer &lt;your-token&gt;</code> </li> <li>Click <strong>Authorize</strong> </li> <li>Call the <code>GET /Users</code> endpoint</li> </ol> <p><strong>Using curl:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-H</span> <span class="s2">"Authorization: Bearer &lt;your-token&gt;"</span> <span class="se">\</span> https://localhost:5002/Users </code></pre> </div> <p><strong>Expected response:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Demo User"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Admin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p><strong>Without token:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://localhost:5002/Users <span class="c"># Returns 401 Unauthorized</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faxcq5s1rxpv9q6d7kzvv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faxcq5s1rxpv9q6d7kzvv.png" alt="Swagger UI showing authorized request with successful response" width="800" height="456"></a></p> <p><strong>Error handling:</strong> The HTML form shows clear notifications for errors, including network failures and invalid credentials. Clipboard copy operations also handle browser restrictions.</p> <h2> Next Steps / Extensions </h2> <ol> <li> <strong>Replace Resource Owner Password grant</strong> – Use Authorization Code with PKCE for web apps, or Client Credentials for service-to-service. </li> <li> <strong>Store users in a database</strong> – Replace test users with ASP.NET Core Identity. </li> <li> <strong>Store clients dynamically</strong> – Use <code>IClientStore</code> for database-driven client management. </li> <li> <strong>Add refresh tokens</strong> – Implement token refresh flow for longer sessions. </li> <li> <strong>Add role-based authorization</strong> – Enforce roles using claims: <code>[Authorize(Roles = "Admin")]</code>. </li> <li> <strong>Environment-specific configuration</strong> – Use <code>appsettings.Production.json</code> and secure secrets in Azure Key Vault or similar. </li> <li> <strong>Add CORS</strong> – Configure for APIs used by web apps from different origins.</li> </ol> <p><strong>Learning resources:</strong></p> <ul> <li> <a href="https://docs.duendesoftware.com/identityserver" rel="noopener noreferrer">Duende IdentityServer Documentation</a> </li> <li> <a href="https://oauth.net/2/" rel="noopener noreferrer">OAuth 2.0 Specification</a> </li> <li> <a href="https://jwt.io/" rel="noopener noreferrer">JWT.io</a> – Decode and inspect JWT tokens</li> </ul> <h2> TL;DR </h2> <p>IdentityServer issues JWT tokens. The API validates them to protect endpoints using <code>[Authorize]</code>. Configuration validation ensures required settings are present. Extend this with database-backed users, different grant types, and production-ready security practices.</p> <p><strong>GitHub Repository:</strong> [<a href="https://github.com/karnafun/identityserver-oauth2-demo" rel="noopener noreferrer">https://github.com/karnafun/identityserver-oauth2-demo</a>] </p> <p>Looking for help building secure APIs? <a href="https://www.fiverr.com/s/NNKV0VG" rel="noopener noreferrer">Hire me</a> </p> <p><em>Backend engineer &amp; API integrator. Building secure, scalable APIs with .NET.</em></p> dotnet security csharp api