Originally posted on https://samueleresca.net
Developing token authentication using ASP.NET Core
The following article shows how to develop token authentication using ASP.NET Core.
I have already written about ASP.NET Core here:
- Future of ASP.NET is open source and cross platform;
- Introducing ASP.NET 5 on Ubuntu;
- Querying MongoDB using .NET Core;
Token based authentication overview
Nowadays, token-based authentication is very common on the web, and any major API or web application uses tokens.
Token authentication is stateless, secure and designed to be scalable. In fact, it is quickly becoming a de facto standard for modern single-page applications and mobile apps.
The problems with server based authentication
Authentication is the process by which an application confirms user identity. Applications have traditionally persisted identity through session cookies, relying on session IDs stored server-side. This technique causes a few major problems:
- Scalability: if sessions are stored in memory, this causes problems with scalability;
- CORS: as we want to expand our application to let our data be used across multiple mobile devices, we have to worry about cross-origin resource sharing (CORS);
- CSRF: we also have to protect against cross-site request forgery (CSRF);
- Sessions: every time a user is authenticated, the server needs to create a session record for that user;
How token based authentication works
Token based authentication is stateless. It doesn't store any information about our user on the server or in a session.
Here are the common steps of token based authentication:
- the user requests access by using a username / password;
- the application provides a signed token to the client;
- the client stores that token and sends it along with every request;
- the server verifies the token and responds with data;
Every single request will require the token. The token should be sent in an HTTP header to keep the idea of stateless HTTP requests.
Implementing Token based authentication using ASP.NET Core
This example shows how to develop token authentication using ASP.NET Core; the following UML schema shows the architecture of the project:
Setup the project
Once the project is successfully created, add the following configurations to your
The TokenAuthentication section configures some common information about token generation, for example the SectionKey used by the token.
Tokens transmission / validation
There are two ways to transmit the authorization tokens:
- using HTTP Authorization headers (aka Bearer authentication);
- using browser cookies to save the authentication token;
Bearer token validation
The Microsoft.AspNetCore.Authentication.JwtBearer package enables you to protect routes by using a JWT token.
To enable Bearer token authentication, import the following NuGet package, Microsoft.AspNetCore.Authentication.JwtBearer, in the project.json:
To initialize the Bearer authentication you need to split your Startup.cs file and use another partial class, for example Startup.Auth.cs. The Startup.Auth.cs file initializes the Bearer authentication using the configuration defined in the appsettings.json file. The tokenValidationParameters object will also be used by the Cookie validation.
Cookie validation enables token transport over browser cookies. To enable the Cookie token authentication you need to add the following package inside the
and create a custom validator for the input token.
To create the new validator, add the following
The Unprotect method decrypts and validates the information carried by the input token. Call the following method in the Startup.Auth.cs file to use the Cookie authentication:
There is no native support for token generation in ASP.NET Core, but it is possible to write a custom token generator middleware from scratch.
First, you need to create a class which implements the token options:
The middleware class will use TokenProviderOptions.cs to generate tokens:
The TokenProviderMiddleware class implements the Invoke method, which generates tokens by using the TokenProviderOptions. In order to initialize the middleware, it is necessary to modify the Startup.Auth.cs file and add, in the
tokenProviderOptions defines the options of the token generator. The IdentityResolver is the Task method which checks the identity of users. For demo purposes, the IdentityResolver is implemented by a simple method called
Now it is possible to call the ConfigureAuth method inside the
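To make the two pieces above concrete, here is an added example (not the article's or the demo project's code) of a hypothetical TokenSecurity helper: it builds the token validation parameters that both Bearer and Cookie validation share, and issues a signed JWT the way the middleware's Invoke method would once the IdentityResolver has confirmed the credentials. Issuer, audience and secret are placeholders standing in for the TokenAuthentication section of appsettings.json.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper (not the article's TokenProviderMiddleware): shared
// validation parameters plus token issuance with a bounded lifetime.
public static class TokenSecurity
{
    // Placeholder values; in the project they come from the TokenAuthentication
    // section of appsettings.json. The key must be a long random secret.
    public const string Issuer = "ExampleIssuer";
    public const string Audience = "ExampleAudience";
    public const string SecretKey = "REPLACE_WITH_A_RANDOM_SECRET_OF_AT_LEAST_32_BYTES";
    private static readonly SymmetricSecurityKey SigningKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SecretKey));

    // Used by both the Bearer options and the cookie token validator.
    public static TokenValidationParameters ValidationParameters => new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,   // reject tokens not signed with our key
        IssuerSigningKey = SigningKey,
        ValidateIssuer = true,
        ValidIssuer = Issuer,
        ValidateAudience = true,
        ValidAudience = Audience,
        ValidateLifetime = true,           // reject expired tokens
        ClockSkew = TimeSpan.Zero          // the 5-minute default would extend token life
    };

    // Called only after the IdentityResolver has confirmed the user's credentials.
    public static string GenerateToken(ClaimsIdentity identity, TimeSpan lifetime)
    {
        var now = DateTime.UtcNow;
        var claims = new List<Claim>(identity.Claims)
        {
            new Claim(JwtRegisteredClaimNames.Sub, identity.Name),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), // unique id
            new Claim(JwtRegisteredClaimNames.Iat,
                      new DateTimeOffset(now).ToUnixTimeSeconds().ToString(),
                      ClaimValueTypes.Integer64)
        };
        var jwt = new JwtSecurityToken(
            issuer: Issuer, audience: Audience, claims: claims,
            notBefore: now, expires: now.Add(lifetime),
            signingCredentials: new SigningCredentials(SigningKey, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }
}
```

Pass TokenSecurity.ValidationParameters wherever the article's tokenValidationParameters object is used, so a token rejected by the Bearer handler is rejected by the cookie validator for the same reasons.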
You can obtain the JWT token by calling the following route with POST and passing the username and password data:
All controllers decorated with the [Authorize] attribute are protected by the JWT authentication.
In each HTTP call you need to pass the
The demo code is available on GitHub.