Reputation: 4733
Very basic bearer token authentication and authorization in Web API 2
I have an intranet site, hosted locally within my organisation. The same site also exposes some data through various web services. It's written using ASP.NET MVC 5 and WebAPI 2, and it's .NET 4.5, not Core.
At the moment users can login to the website using Windows Authentication, and once authenticated they can access the APIs. However, I need to also allow access to the APIs using tokens so that they can be interrogated by automated processes, so I've created a page where authenticated users can go and request a token.
It's my intention that this token can be used as a Bearer token, included in the header of HTTP requests to the Web API, to allow access to the APIs. As I understand it, a Bearer token intrinsically represents the User's right to access the data and doesn't require any other information (even a username).
However, I've struggled to find a complete, end-to-end tutorial for authenticating and authorizing the requests. There are questions on this site and Microsoft aritcles which give some great pointers but I feel that they're perhaps hinting at something much too complicated for my requirements. I don't need to return any kind of Identity with Claims or anything like that, and I'm not concerned with OAuth at all.
I'm using Microsoft's Web API framework so it seems reasonable to assume that it should be fairly straightforward to do something as basic as extract and check a token from the request header!
Would somebody be able to outline the components and the process I need to put in place within my application to allow it to extract the Bearer token from the HTTP request, use my own code to check its validity and then support the Authorize attribute on Web API Methods if the token is valid?
Upvotes: 2
Views: 12172
Answers (2)
Reputation: 137
Expanding on Min's answer above:
string token = Request.Headers.Authorization.ToString().Split(' ')[1];
Upvotes: 1
Reputation: 562
Looks like we have the same need, I also just needed a quick bearer token verification to not leave the API completely wide open.
I copied most parts from here and tweaked it so it just checks the Bearer token https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/authentication-filters
Add filter in WebApiConfig.cs
public class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
// Add authentication
config.Filters.Add(new SimpleAuthenticationFilter()):
foo
}
}
SimpleAuthenticationFilter.cs
public class SimpleAuthenticationFilter : IAuthenticationFilter
{
private readonly string _bearerToken = ConfigurationManager.AppSettings["simpleToken"];
public bool AllowMultiple { get; }
public async Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
{
// 1. Look for credentials in the request.
var request = context.Request;
var authorization = request.Headers.Authorization;
// 2. If there are no credentials, do nothing.
if (authorization == null)
{
context.ErrorResult = new AuthenticationFailureResult("Authorization header is 'null''", request);
return;
}
// 3. If there are credentials but the filter does not recognize the
// authentication scheme, do nothing.
if (!authorization.Scheme.Equals("Bearer"))
{
context.ErrorResult = new AuthenticationFailureResult("Authentication type must be 'Bearer'", request);
return;
}
// 4. If there are credentials that the filter understands, try to validate them.
// 5. If the credentials are bad, set the error result.
if (string.IsNullOrEmpty(authorization.Parameter))
{
context.ErrorResult = new AuthenticationFailureResult("Bearer token is null or empty", request);
return;
}
if (!authorization.Parameter.Equals(_bearerToken))
{
context.ErrorResult = new AuthenticationFailureResult("Bearer token invalid", request);
}
}
public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
{
return Task.FromResult(0);
}
}
AuthenticationFailureResponse.cs
public class AuthenticationFailureResult : IHttpActionResult
{
public AuthenticationFailureResult(string reasonPhrase, HttpRequestMessage request)
{
ReasonPhrase = reasonPhrase;
Request = request;
}
private string ReasonPhrase { get; }
private HttpRequestMessage Request { get; }
public Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
{
return Task.FromResult(Execute());
}
private HttpResponseMessage Execute()
{
var response = new HttpResponseMessage(HttpStatusCode.Unauthorized)
{
RequestMessage = Request, ReasonPhrase = ReasonPhrase
};
return response;
}
}
Upvotes: 4
Related Questions
- Using a bearer token for authentication(≠ authorization)
- Web API – authenticate with bearer token
- Token based authentication in ASP.NET Web API 2 not working
- Authentication and Authorization in asp.net core WEB API
- Basic Token authentification and authorization on Web.Api
- Bearer token identity webapi - fine grained security
- Forms authentication to create bearer tokens for Web API?
- Web API Security and Authentication - bearer token
- Bearer Token Authentication with ASP.net API
- Token Based Authorization Web API