Sumit Singh

Reputation: 59

Authentication and Authorization in asp.net core WEB API

I am new to ASP.NET Core and want to implement authentication and authorization in a Web API 2 project. I am a little bit confused about whether to use basic authentication, bearer tokens, JWT tokens or something else. Please suggest which is more preferable. Thanks

Upvotes: 2

Views: 2091

Answers (2)

Rahul Uttarkar

Reputation: 3645

ASP.NET Core 2.0 and above Web API authentication and authorization

Bearer type JWT Token based authentication

[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]

Please implement it as in the following post:

https://fullstackmark.com/post/13/jwt-authentication-with-aspnet-core-2-web-api-angular-5-net-core-identity-and-facebook-login

Upvotes: 0

Matt

Reputation: 13399

Basic auth is, as the name suggests, very basic and not very secure: it uses base64 encoding of the username and password, so you must use HTTPS if you use it, but it is best not to use it at all.

A bearer token is a type of token which effectively gives access to a resource to the "bearer" of the token. Both basic and bearer are used in an HTTP Authorization header.

You can have different formats of bearer tokens, one of which is JWT. JWT is the industry standard, so I recommend you use it, and therefore you'll be using bearer tokens.

This article is a good starting point to look into all this in the context of ASP.NET Core. See also this video series, and this article, which goes into more detail about JWT validation.

Edit

To answer your questions in the comments:

OAuth is a standard for users to delegate permissions to apps or websites to access their resources, for example when you allow some web app to post on your behalf to your Facebook feed. Various tokens are used in this process, and they're very often JWTs. OAuth2 adds authentication via OpenID Connect.

OWIN, on the other hand, is a standard for web servers which decouples IIS and ASP.NET, with the aim of allowing ASP.NET to run on other web servers which implement OWIN, and allowing other frameworks to run on OWIN-compatible servers if those frameworks are OWIN compatible.

Auth0 is an identity platform which can do OAuth and allows you to use JWTs; generally it handles your identity and SSO. IdentityServer is another identity platform with some similar features.

I'd still recommend starting with the articles I linked at the top; don't worry too much about OWIN, and read more about OAuth to determine if you really need it. If you do, I'd recommend IdentityServer.

Upvotes: 2
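The following is an added example, not code from either answer or from the linked posts. It shows what both answers recommend in one runnable ASP.NET Core app: JWT bearer authentication registered with `AddJwtBearer`, strict `TokenValidationParameters` (issuer, audience, signing key, allowed algorithm, lifetime with a small clock skew), a `/token` endpoint that issues a short-lived JWT, and endpoints protected with `[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]` and a role policy. It assumes .NET 8 with the `Microsoft.AspNetCore.Authentication.JwtBearer` NuGet package; the issuer, audience, demo user, password and HS256 secret are all constructed for the example. A real deployment would verify credentials against a user store and would normally validate tokens issued by an identity provider (IdentityServer, Auth0) using its published asymmetric keys rather than a shared symmetric secret.

```csharp
// Added example (not from the original post). Assumes .NET 8 and the
// Microsoft.AspNetCore.Authentication.JwtBearer package. All names, URLs,
// credentials and the signing secret below are constructed for the demo.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Constructed values. In production the key comes from configuration or a
// secret store and is at least 256 bits of random data (HS256 minimum).
const string Issuer = "https://auth.example.test";
const string Audience = "example-api";
var signingKey = new SymmetricSecurityKey(
    Encoding.UTF8.GetBytes("demo-only-secret-replace-with-32-plus-random-bytes"));

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.RequireHttpsMetadata = true;      // never fetch metadata over plain HTTP
        options.MapInboundClaims = false;         // keep raw JWT claim names ("sub", "role")
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = true,              // reject tokens minted for another API
            ValidAudience = Audience,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = signingKey,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // no "none", no alg confusion
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30), // default is 5 minutes; tighten it
            NameClaimType = JwtRegisteredClaimNames.Sub,
            RoleClaimType = "role",
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Issues a bearer token. The credential check here is a hard-coded stand-in
// for a real user store lookup with a proper password hash comparison.
app.MapPost("/token", (LoginRequest login) =>
{
    if (login.Username != "alice" || login.Password != "correct horse battery staple")
        return Results.Unauthorized();

    var now = DateTime.UtcNow;
    var token = new JwtSecurityToken(
        issuer: Issuer,
        audience: Audience,
        claims: new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, login.Username),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            new Claim("role", "reader"),
        },
        notBefore: now,
        expires: now.AddMinutes(15),              // short lifetime limits damage from token theft
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));

    var jwt = new JwtSecurityTokenHandler().WriteToken(token);
    return Results.Ok(new { access_token = jwt, token_type = "Bearer", expires_in = 900 });
});

// Requires a valid JWT sent as "Authorization: Bearer <token>".
app.MapGet("/api/me",
    [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
    (ClaimsPrincipal user) => Results.Ok(new { name = user.Identity?.Name }));

// Authentication alone is not enough for privileged routes; add authorization.
app.MapGet("/api/admin", () => Results.Ok("admin area"))
    .RequireAuthorization(policy => policy
        .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
        .RequireRole("admin"));

app.Run();

record LoginRequest(string Username, string Password);
```

To try it: `POST /token` with `{"username":"alice","password":"correct horse battery staple"}`, then call `GET /api/me` with `Authorization: Bearer <access_token>`; the same token gets 403 on `/api/admin` because it carries the `reader` role, and a token with a tampered payload, wrong audience or past `exp` gets 401. Anyone holding the token can use it (that is what "bearer" means), which is why it is short-lived and only ever sent over HTTPS.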
