Authenticated REST API for a mobile app and website on ASP.NET Core

Question

I want to build a REST API, to be hosted on Azure, built from the "ASP.NET Core Web Application (.NET Framework)" template stores the identities in EF.

I want to avoid having Views etc as it clutters the codebase.

It should then be callable as described in this article (TL;DR: header authentication and POST to a /token endpoint and controllers with [Authorize]) https://blogs.msdn.microsoft.com/martinkearn/2015/03/25/securing-and-securely-calling-web-api-and-authorize/

However, I fail to find how to get to the /token endpoint in ASP.NET Core. I'm reading a bunch of stuff on JWT, Bearer, OWin, ..., and that Basic Auth is bad, but am lost on how to proceed.

The API would be used by a website and mobile apps.

What do I need and what steps do I need to take to get a "hello world" up and running?

Also, why am I seemingly the only one with this architecture?

Answer 1

There isn't a token endpoint in ASP.NET Core.

You can build a custom middleware, as explained in this article: ASP.NET Core Token Authentication Guide Or you can use an external package:

• IdentityServer4
• AspNet.Security.OpenIdConnect.Server
• OpenIddict

For the last, I suggest this article: Bearer Token Authentication in ASP.NET Core

If you are interested in an Angular 2 SPA with ASP.NET Core Web API that uses token authentication (through IdentityServer4), give a look at this repository: https://github.com/robisim74/Angular2SPAWebAPI (disclaimer, it's mine).