DEV Community: Oliver Rivett-Carnac The latest articles on DEV Community by Oliver Rivett-Carnac (@oliverrc). https://dev.to/oliverrc https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F359404%2Ff060c0d3-612e-44ed-b9c2-108bd0cd12de.jpg DEV Community: Oliver Rivett-Carnac https://dev.to/oliverrc en Secure AspNetCore .NET 6 API with Auth0 - Works with SwaggerUI Oliver Rivett-Carnac Tue, 21 Jun 2022 18:14:47 +0000 https://dev.to/oliverrc/secure-aspnetcore-net-6-api-with-auth0-works-with-swaggerui-1f5e https://dev.to/oliverrc/secure-aspnetcore-net-6-api-with-auth0-works-with-swaggerui-1f5e <p>I am not going into great detail into the inner workings of JWT authentication in AspNetCore. </p> <p>But to get started we need to add a Nuget package that validates JWT tokens for us which is what Auth0 will return on successful login.</p> <p>Change your working directory to the project where you want to add the authentication. Then run the following.</p> <p><code>dotnet add Microsoft.AspNetCore.Authentication.JwtBearer</code></p> <p>Next we will head over to our Program.cs file where we will add the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddAuthentication</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="n">DefaultAuthenticateScheme</span> <span class="p">=</span> <span class="n">JwtBearerDefaults</span><span class="p">.</span><span class="n">AuthenticationScheme</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">DefaultChallengeScheme</span> <span class="p">=</span> <span class="n">JwtBearerDefaults</span><span class="p">.</span><span class="n">AuthenticationScheme</span><span class="p">;</span> <span class="p">})</span> <span class="p">.</span><span class="nf">AddJwtBearer</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="n">Authority</span> <span class="p">=</span> <span class="s">"https://&lt;auth0-domain&gt;/"</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">Audience</span> <span class="p">=</span> <span class="s">"https://&lt;auth0-domain&gt;/userinfo"</span><span class="p">;</span> <span class="c1">// or "&lt;your audience&gt;"</span> <span class="p">});</span> </code></pre> </div> <p>As an illustration I've kept it simple but I advise using AspNetCore's configuration system to store the values.</p> <p>Essentially, this is going to configure the AspNetCore pipeline to look for an a JWT in the <code>Authorization</code> header arriving who's value is <code>Bearer &lt;auth0 access token jwt&gt;</code>. The library we added is going to validate the JWT from Auth0 against our configuration.</p> <p>Next we need to add two additional calls.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">UseAuthentication</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthorization</span><span class="p">();</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="c1">// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddEndpointsApiExplorer</span><span class="p">();</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddSwaggerGen</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="nf">AddSecurityDefinition</span><span class="p">(</span><span class="s">"Auth0"</span><span class="p">,</span> <span class="k">new</span> <span class="nf">OpenApiSecurityScheme</span><span class="p">()</span> <span class="p">{</span> <span class="n">Type</span> <span class="p">=</span> <span class="n">SecuritySchemeType</span><span class="p">.</span><span class="n">OAuth2</span><span class="p">,</span> <span class="n">Flows</span> <span class="p">=</span> <span class="k">new</span> <span class="n">OpenApiOAuthFlows</span> <span class="p">{</span> <span class="n">AuthorizationCode</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">OpenApiOAuthFlow</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// you need to set the urls as they are specific to Auth0</span> <span class="n">AuthorizationUrl</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">Uri</span><span class="p">(</span><span class="s">"https://&lt;auth0-domain&gt;/authorize"</span><span class="p">),</span> <span class="n">TokenUrl</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">Uri</span><span class="p">(</span><span class="s">"https://&lt;auth0-domain&gt;/oauth/token"</span><span class="p">),</span> <span class="n">Scopes</span> <span class="p">=</span> <span class="k">new</span> <span class="n">Dictionary</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">,</span> <span class="kt">string</span><span class="p">&gt;</span> <span class="p">{</span> <span class="p">{</span><span class="s">"openid"</span><span class="p">,</span> <span class="s">"openid"</span><span class="p">},</span> <span class="p">{</span><span class="s">"email"</span><span class="p">,</span> <span class="s">"email"</span><span class="p">},</span> <span class="p">{</span><span class="s">"profile"</span><span class="p">,</span> <span class="s">"profile"</span><span class="p">},</span> <span class="c1">// any additional custom scopes you want</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// optional if you are not using [Authorize] attributes</span> <span class="n">options</span><span class="p">.</span><span class="n">OperationFilter</span><span class="p">&lt;</span><span class="n">SecurityRequirementsOperationFilter</span><span class="p">&gt;();</span> <span class="p">});</span> </code></pre> </div> <p>The operation filter is only required if you are using global authorization policies. For example: <code>app.MapControllers().RequireAuthorization(...)</code> I've included the class code at the end.</p> <p>This next part is largely optional as I've described in the comments below. There are some additional values you can tweak on Swagger UI. </p> <p>Do watch out for the <code>audience</code> with Auth0. I spent many hours wondering why I was not getting back the right access token, until I saw this:</p> <blockquote> <p>In addition, if you have chosen to allow users to log in through an Identity Provider (IdP), such as Facebook, the IdP will issue its own access token to allow your application to call the IDP's API. For example, if your user authenticates using Facebook, the access token issued by Facebook can be used to call the Facebook Graph API. These tokens are controlled by the IdP and can be issued in any format. See Identity Provider Access Tokens for details. - <a href="https://auth0.com/docs/secure/tokens/access-tokens">Auth0 - Access Tokens</a><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="c1">// optional: only want to have Swagger UI available in Development </span> <span class="k">if</span> <span class="p">(</span><span class="n">app</span><span class="p">.</span><span class="n">Environment</span><span class="p">.</span><span class="nf">IsDevelopment</span><span class="p">())</span> <span class="p">{</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseSwagger</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseSwaggerUI</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="c1">// optional: just prefills the Swagger UI input boxes, if left off you must supply these values. Would make sense to get these from configuration and better yet user-secrets </span> <span class="n">options</span><span class="p">.</span><span class="nf">OAuthClientId</span><span class="p">(</span><span class="s">"&lt;auth0 client id&gt;"</span><span class="p">);</span> <span class="n">options</span><span class="p">.</span><span class="nf">OAuthClientSecret</span><span class="p">(</span><span class="s">"&lt;auth0 client secret&gt;"</span><span class="p">);</span> <span class="c1">// optional &amp; gotcha: but if you are using Auth0 with a Social Connection you MUST supply an audience otherwise you will get back the underlying identity providers access token, NOT Auth0's</span> <span class="n">options</span><span class="p">.</span><span class="nf">OAuthAdditionalQueryStringParams</span><span class="p">(</span><span class="k">new</span> <span class="n">Dictionary</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">,</span> <span class="kt">string</span><span class="p">&gt;</span> <span class="p">{</span> <span class="p">{</span><span class="s">"audience"</span><span class="p">,</span> <span class="s">"&lt;your audience&gt;"</span><span class="p">}</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Now that everything is setup from a code perspective you can run you API and navigate to <code>/swagger/</code>. Now you should see an Authorize button.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--DAjW8X5y--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bmy1g31qa3j6clofz3rs.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--DAjW8X5y--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bmy1g31qa3j6clofz3rs.png" alt="Swagger UI Authorize" width="176" height="62"></a></p> <p>You will need to configure Auth0 with the SwaggerUI callback url e.g <code>https://&lt;your api url&gt;/swagger/oauth2-redirect.html</code></p> <p>The final <code>Program.cs</code> file should look something like this:<br> <a href="https://gist.github.com/OliverRC/650436fbae77371a55b84c646c35ba3a">https://gist.github.com/OliverRC/650436fbae77371a55b84c646c35ba3a</a></p> <h2> Credit </h2> <p>A huge shout out to his article which inspired most of what I've written about here: </p> <p><a href="https://dotnetcoretutorials.com/2021/02/14/using-auth0-with-an-asp-net-core-api-part-3-swagger/">https://dotnetcoretutorials.com/2021/02/14/using-auth0-with-an-asp-net-core-api-part-3-swagger/</a></p> <h2> Addendum - SecurityRequirementsOperationFilter </h2> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">SecurityRequirementsOperationFilter</span> <span class="p">:</span> <span class="n">IOperationFilter</span> <span class="p">{</span> <span class="c1">/// &lt;summary&gt;</span> <span class="c1">/// Applies the this filter on swagger documentation generation.</span> <span class="c1">/// &lt;/summary&gt;</span> <span class="c1">/// &lt;param name="operation"&gt;&lt;/param&gt;</span> <span class="c1">/// &lt;param name="context"&gt;&lt;/param&gt;</span> <span class="k">public</span> <span class="k">void</span> <span class="nf">Apply</span><span class="p">(</span><span class="n">OpenApiOperation</span> <span class="n">operation</span><span class="p">,</span> <span class="n">OperationFilterContext</span> <span class="n">context</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// then check if there is a method-level 'AllowAnonymous', as this overrides any controller-level 'Authorize'</span> <span class="kt">var</span> <span class="n">anonControllerScope</span> <span class="p">=</span> <span class="n">context</span> <span class="p">.</span><span class="n">MethodInfo</span> <span class="p">.</span><span class="n">DeclaringType</span><span class="p">?.</span><span class="nf">GetCustomAttributes</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="p">.</span><span class="n">OfType</span><span class="p">&lt;</span><span class="n">AllowAnonymousAttribute</span><span class="p">&gt;();</span> <span class="kt">var</span> <span class="n">anonMethodScope</span> <span class="p">=</span> <span class="n">context</span> <span class="p">.</span><span class="n">MethodInfo</span> <span class="p">.</span><span class="nf">GetCustomAttributes</span><span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="p">.</span><span class="n">OfType</span><span class="p">&lt;</span><span class="n">AllowAnonymousAttribute</span><span class="p">&gt;();</span> <span class="c1">// only add authorization specification information if there is at least one 'Authorize' in the chain and NO method-level 'AllowAnonymous'</span> <span class="k">if</span> <span class="p">(</span><span class="n">anonMethodScope</span><span class="p">.</span><span class="nf">Any</span><span class="p">())</span> <span class="k">return</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="n">anonControllerScope</span> <span class="p">!=</span> <span class="k">null</span> <span class="p">&amp;&amp;</span> <span class="n">anonControllerScope</span><span class="p">.</span><span class="nf">Any</span><span class="p">())</span> <span class="k">return</span><span class="p">;</span> <span class="c1">// add generic message if the controller methods dont already specify the response type</span> <span class="k">if</span> <span class="p">(!</span><span class="n">operation</span><span class="p">.</span><span class="n">Responses</span><span class="p">.</span><span class="nf">ContainsKey</span><span class="p">(</span><span class="s">"401"</span><span class="p">))</span> <span class="n">operation</span><span class="p">.</span><span class="n">Responses</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"401"</span><span class="p">,</span> <span class="k">new</span> <span class="n">OpenApiResponse</span> <span class="p">{</span> <span class="n">Description</span> <span class="p">=</span> <span class="s">"If Authorization header is not present, the value is empty or value is not a valid jwt bearer token"</span> <span class="p">});</span> <span class="k">if</span> <span class="p">(!</span><span class="n">operation</span><span class="p">.</span><span class="n">Responses</span><span class="p">.</span><span class="nf">ContainsKey</span><span class="p">(</span><span class="s">"403"</span><span class="p">))</span> <span class="n">operation</span><span class="p">.</span><span class="n">Responses</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"403"</span><span class="p">,</span> <span class="k">new</span> <span class="n">OpenApiResponse</span> <span class="p">{</span> <span class="n">Description</span> <span class="p">=</span> <span class="s">"If user is not authorized to perform requested action"</span> <span class="p">});</span> <span class="kt">var</span> <span class="n">jwtAuthScheme</span> <span class="p">=</span> <span class="k">new</span> <span class="n">OpenApiSecurityScheme</span> <span class="p">{</span> <span class="n">Reference</span> <span class="p">=</span> <span class="k">new</span> <span class="n">OpenApiReference</span> <span class="p">{</span> <span class="n">Type</span> <span class="p">=</span> <span class="n">ReferenceType</span><span class="p">.</span><span class="n">SecurityScheme</span><span class="p">,</span> <span class="n">Id</span> <span class="p">=</span> <span class="s">"Auth0"</span> <span class="p">}</span> <span class="p">};</span> <span class="n">operation</span><span class="p">.</span><span class="n">Security</span> <span class="p">=</span> <span class="k">new</span> <span class="n">List</span><span class="p">&lt;</span><span class="n">OpenApiSecurityRequirement</span><span class="p">&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="n">OpenApiSecurityRequirement</span> <span class="p">{</span> <span class="p">[</span> <span class="n">jwtAuthScheme</span> <span class="p">]</span> <span class="p">=</span> <span class="k">new</span> <span class="n">List</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;()</span> <span class="p">}</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> net6 auth0 swagger aspnetcore Validating non-nullable property in Body as Required - AspNetCore 3.1 Oliver Rivett-Carnac Wed, 10 Jun 2020 14:16:02 +0000 https://dev.to/oliverrc/validating-non-nullable-property-in-body-as-required-aspnetcore-3-1-1ken https://dev.to/oliverrc/validating-non-nullable-property-in-body-as-required-aspnetcore-3-1-1ken <div class="ltag__stackexchange--container"> <div class="ltag__stackexchange--title-container"> <div class="ltag__stackexchange--title"> <div class="ltag__stackexchange--header"> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--7Gn-iPj_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev.to/assets/stackoverflow-logo-b42691ae545e4810b105ee957979a853a696085e67e43ee14c5699cf3e890fb4.svg" alt=""> <a href="https://stackoverflow.com/questions/62279845/validating-non-nullable-property-in-body-as-required-aspnetcore-3-1" rel="noopener noreferrer"> Validating non-nullable property in Body as Required - AspNetCore 3.1 </a> </div> <div class="ltag__stackexchange--post-metadata"> <span>Jun 9 '20</span> <span>Comments: 2</span> <span>Answers: 1</span> </div> </div> <a class="ltag__stackexchange--score-container" href="https://stackoverflow.com/questions/62279845/validating-non-nullable-property-in-body-as-required-aspnetcore-3-1" rel="noopener noreferrer"> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Y9mJpuJP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev.to/assets/stackexchange-arrow-up-eff2e2849e67d156181d258e38802c0b57fa011f74164a7f97675ca3b6ab756b.svg" alt=""> <div class="ltag__stackexchange--score-number"> 8 </div> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--wif5Zq3z--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev.to/assets/stackexchange-arrow-down-4349fac0dd932d284fab7e4dd9846f19a3710558efde0d2dfd05897f3eeb9aba.svg" alt=""> </a> </div> <div class="ltag__stackexchange--body"> <p>I am trying to validate that if a property / field is completely left off on a request that the ModelState is invalid and a BadRequest is sent back to the client, however I am struggling with handling of non-nullable types in request bodies.</p> <h3>Works for nullable types</h3> <pre><code>[Required] public</code></pre>… </div> <div class="ltag__stackexchange--btn--container"> <a href="https://stackoverflow.com/questions/62279845/validating-non-nullable-property-in-body-as-required-aspnetcore-3-1" class="ltag__stackexchange--btn" rel="noopener noreferrer">Open Full Question</a> </div> </div> aspnetcore dotnet dotnetcore netcore31