CODEWITHSUNDEEP
oauth-2.0jwtasp.net-core-webapiidentityserver4openid-connect
Michał Szymański
Michał Szymański

Reputation: 354

How to make secure authentication for .NET Core Web API?

I am developing an app with .NET Core Web API, Entity Framework and React. I've been reading a lot recently about possible authentication techniques for my API and I've discovered that plain JWT is not entirely secure, so at first I decided to use OpenID Connect with IdentityServer 4. I understand the idea behind OAuth 2.0 and OpenID Connect is to hide user credentials during login process and to involve external authentication provider in issuing an access token, but I don't want to rely on such services because not everyone have an account on Facebook etc. I consider this as an optional way to login. I want to give users an ability to sign in with just login and password. So what is the best (secure) way to accomplish this in modern web apps?

Having project 1 as Client App, project 2 as API Resources and project 3 as Authorization Service (IdentityServer4), I consider following scenarios:

  1. A user is able to create an account on Authorization Service which is responsible for issuing a token required to get access to API Resources through Client App. Authorization Service is registered as authorization provider only for my Client App.

  2. Get authorization token from Authorization Service using resource owner password grant - this one is not recommended by the specs but in my case since user must provide credentials to Authorization Service anyway and I will be hosting every project I can't see any problem.

  3. Don't bother with OAuth and implement authorization mechanism using ASP.NET Core Identity + bearer token authentication.

Any ideas or recommendations highly apprecieated.

Upvotes: 1

Views: 751

Answers (1)

Adrian Brand
Adrian Brand

Reputation: 21628

I use the JwtBearer package, wire it up in your Startup.cs Configure method like

                .UseJwtBearerAuthentication(new JwtBearerOptions
                {
                    AutomaticAuthenticate = true,
                    AutomaticChallenge = true,
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration["AppSettings:AuthConfig:SecretKey"])),
                        ValidateIssuer = true,
                        ValidIssuer = Configuration["AppSettings:AuthConfig:Issuer"],

                        ValidateAudience = true,
                        ValidAudience = Configuration["AppSettings:AuthConfig:Audience"],

                        ValidateLifetime = true,
                    }
                })

and my login action on my User controller looks like

        [HttpPost]
        public string Post([FromBody]LoginRequest request)
        {
            var contact = dbContext.Contacts.Where(c => c.Active && c.Email == request.Email).Select(c => new { c.Id, c.PasswordHash }).SingleOrDefault();

            if (contact == null || !Security.PasswordHash.ValidatePassword(request.Password, contact.PasswordHash))
            {
                return string.Empty;
            }

            var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(appSettings.AuthConfig.SecretKey));

            var now = DateTime.UtcNow;

            var claims = new Claim[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, contact.Id.ToString()),
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
                new Claim(JwtRegisteredClaimNames.Iat, DateTimeOffset.Now.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64)
            };

            var jwt = new JwtSecurityToken(
                issuer: appSettings.AuthConfig.Issuer,
                audience: appSettings.AuthConfig.Audience,
                claims: claims,
                notBefore: now,
                expires: now.AddDays(30),
                signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));

            jwt.Payload.Add("roles", dbContext.ContactRoles.Where(cr => cr.ContactId == contact.Id).Select(ur => ur.Role.Name).ToArray());

            return new JwtSecurityTokenHandler().WriteToken(jwt);
        }

I use a JWT package for Angular on the client, there may be something similar for React.

Upvotes: 1

Related Questions