In Web Api / Owin architecture, where are requests to '/token' handled?

I am trying to understand the ASP.NET Web API Individual Accounts authentication and authorization. I have seen several tutorials on the web including this one. In short, when a user agent provides a username and password the API issues a token that the client will use in subsequent calls to the API to identify itself. The user agent receives the token by making a request, typically to: http://example.com/Token. The path appears to be set in the Startup class like so:

TokenEndpointPath = new PathString("/Token")

My problem is, I can't find any controller methods that match that path. How does this work?

Joe asked Apr 22 '14 09:04


1 Answer

When you create a new project with Individual Authentication in ASP.NET, the solution is created with an OAuth provider to handle authentication requests.

If you look at your solution, you should see a Providers folder with a class ApplicationOAuthProvider.

This class implements all the logic for authenticating your members in your website. The configuration is set at Startup to allow you to customize the URL endpoint through the OAuthOptions.

OAuthOptions = new OAuthAuthorizationServerOptions
{
    TokenEndpointPath = new PathString("/Token"),
    Provider = new ApplicationOAuthProvider(PublicClientId),
    AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
    AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
    AllowInsecureHttp = true
};

The TokenEndpointPath property defines the URL which will fire the GrantResourceOwnerCredentials method of the GrantResourceOwnerCredentials.

If you use Fiddler to authenticate and send this kind of body

 grant_type=password&username=testUserName&password=TestPassword

you should end up in the following method:

// Called by the OWIN OAuth middleware for every POST to TokenEndpointPath
// whose body carries grant_type=password.
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

    // Looks the user up and checks the password hash (Entity Framework store by default).
    ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);

    if (user == null)
    {
        // Becomes a 400 response with {"error":"invalid_grant", ...} on the wire.
        context.SetError("invalid_grant", "The user name or password is incorrect.");
        return;
    }

    // One identity for the bearer token, one for the application cookie.
    ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager,
        OAuthDefaults.AuthenticationType);
    ClaimsIdentity cookiesIdentity = await user.GenerateUserIdentityAsync(userManager,
        CookieAuthenticationDefaults.AuthenticationType);

    AuthenticationProperties properties = CreateProperties(user.UserName);
    AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
    // Validated() tells the middleware to serialize the ticket as the access_token.
    context.Validated(ticket);
    context.Request.Context.Authentication.SignIn(cookiesIdentity);
}

where context.UserName and context.Password are set with the data used in the request. After the identity is confirmed (here using Entity Framework and a username/password pair in a database), a bearer token is sent to the caller. This bearer token can then be used to authenticate the other calls.

Regards.

Jeremie Devillard answered Oct 28 '22 17:10
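To make the exchange concrete, here is an added Python model (not code from the question, the answer, or the OWIN middleware itself) of what TokenEndpointPath wires up: it parses the form body shown above, answers with the same invalid_grant error, issues a bearer token with the 14-day lifetime from the options, and checks that token on a later call. The user store, salt, and HMAC-signed token format are constructed stand-ins for ApplicationUserManager and the OWIN data-protection ticket.

```python
import hashlib, hmac, json, time
from urllib.parse import parse_qs

# Constructed stand-ins: the real middleware resolves users through
# ApplicationUserManager and protects tickets with the OWIN data-protection key.
_SALT = b"constructed-salt"
USERS = {"testUserName": hashlib.pbkdf2_hmac("sha256", b"TestPassword", _SALT, 100_000)}
SIGNING_KEY = b"constructed-32-byte-signing-key!"
TOKEN_LIFETIME = 14 * 24 * 3600  # AccessTokenExpireTimeSpan = TimeSpan.FromDays(14)
SIG_LEN = 32                     # length of the HMAC-SHA256 tag appended to the payload

def verify_password(username, password):
    stored = USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    # Hash even for unknown users so timing does not reveal which names exist.
    return stored is not None and hmac.compare_digest(stored, candidate)

def issue_token(username, now):
    payload = json.dumps({"sub": username, "exp": now + TOKEN_LIFETIME}).encode()
    return (payload + hmac.new(SIGNING_KEY, payload, "sha256").digest()).hex()

def token_endpoint(body, now=None):
    """Model of the /Token handler: returns (status, json) as the middleware answers."""
    now = int(time.time()) if now is None else now
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if not verify_password(form.get("username", ""), form.get("password", "")):
        # context.SetError("invalid_grant", ...) becomes this 400 response.
        return 400, {"error": "invalid_grant",
                     "error_description": "The user name or password is incorrect."}
    return 200, {"access_token": issue_token(form["username"], now),
                 "token_type": "bearer", "expires_in": TOKEN_LIFETIME}

def bearer_subject(authorization_header, now=None):
    """Resource side: the user behind 'Authorization: Bearer <token>', or None."""
    now = int(time.time()) if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    if scheme != "Bearer" or len(raw) <= SIG_LEN:
        return None
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    if not hmac.compare_digest(hmac.new(SIGNING_KEY, payload, "sha256").digest(), sig):
        return None
    claims = json.loads(payload)
    return claims["sub"] if claims["exp"] > now else None
```

The model keeps the error shape and lifetime from the page; a real deployment would also serve the endpoint only over HTTPS, since AllowInsecureHttp = true in the options lets the password travel in the clear.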