Token based authentication in Web API without any user interface

Question

I am developing a REST API in ASP Net Web API  My API will be only accessible via non-browser based clients  I need to implement security for my API so I decided to go with Token based authentication  I have a fair understanding of token based authentication and have read a few tutorials  but they all have some user interface for login  I don t need any UI for login as the login details will be passed by the client through HTTP POST which will be authorized from our database  How can I implement token based authentication in my API  Please note- my API will be accessed in high frequency so I also have to take care of performance  Please let me know if I can explain it any better

User · Answer

ASP Net Web API has Authorization Server build-in already  You can see it inside Startup cs when you create a new ASP Net Web Application with Web API template   OAuthOptions   new OAuthAuthorizationServerOptions       TokenEndpointPath   new PathString   Token        Provider   new ApplicationOAuthProvider PublicClientId       AuthorizeEndpointPath   new PathString   api Account ExternalLogin        AccessTokenExpireTimeSpan   TimeSpan FromDays 14          In production mode set AllowInsecureHttp   false     AllowInsecureHttp   true      All you have to do is to post URL encoded username and password inside query string     Token userName johndoe 40example com amp password 1234 amp grant type password   If you want to know more detail  you can watch  User Registration and Login - Angular Front to Back with Web API by Deborah Kurata

User · Answer

I think there is some confusion about the difference between MVC and Web Api  In short  for MVC you can use a login form and create a session using cookies  For Web Api there is no session  That s why you want to use the token   You do not need a login form  The Token endpoint is all you need  Like Win described you ll send the credentials to the token endpoint where it is handled   Here s some client side C  code to get a token         using System        using System Collections Generic        using System Net        using System Net Http        string token   GetToken  https   localhost  lt port gt     userName  password        static string GetToken string url  string userName  string password            var pairs   new List lt KeyValuePair lt string  string gt  gt                                                new KeyValuePair lt string  string gt    grant type    password                              new KeyValuePair lt string  string gt    username   userName                             new KeyValuePair lt string  string gt     Password   password                                  var content   new FormUrlEncodedContent pairs           ServicePointManager ServerCertificateValidationCallback     sender  cert  chain  sslPolicyErrors    gt  true          using  var client   new HttpClient                  var response   client PostAsync url    Token   content  Result              return response Content ReadAsStringAsync   Result                    In order to use the token add it to the header of the request         using System        using System Collections Generic        using System Net        using System Net Http        var result   CallApi  https   localhost  lt port gt  something   token        static string CallApi string url  string token            ServicePointManager ServerCertificateValidationCallback     sender  cert  chain  sslPolicyErrors    gt  true          using  var client   new HttpClient                  if   string IsNullOrWhiteSpace token                     var t   JsonConvert DeserializeObject lt Token gt  token                    client DefaultRequestHeaders Clear                    client DefaultRequestHeaders Add  Authorization    Bearer     t access token                             var response   client GetAsync url  Result              return response Content ReadAsStringAsync   Result                    Where Token is     using Newtonsoft Json   class Token       public string access token   get  set        public string token type   get  set        public int expires in   get  set        public string userName   get  set         JsonProperty   issued        public string issued   get  set         JsonProperty   expires        public string expires   get  set        Now for the server side   In Startup Auth cs          var oAuthOptions   new OAuthAuthorizationServerOptions                       TokenEndpointPath   new PathString   Token                Provider   new ApplicationOAuthProvider  self                AccessTokenExpireTimeSpan   TimeSpan FromDays 14                  https             AllowInsecureHttp   false                       Enable the application to use bearer tokens to authenticate users         app UseOAuthBearerTokens oAuthOptions     And in ApplicationOAuthProvider cs the code that actually grants or denies access     using Microsoft AspNet Identity Owin    using Microsoft Owin Security    using Microsoft Owin Security OAuth    using System    using System Collections Generic    using System Security Claims    using System Threading Tasks   public class ApplicationOAuthProvider   OAuthAuthorizationServerProvider       private readonly string  publicClientId       public ApplicationOAuthProvider string publicClientId                if  publicClientId    null              throw new ArgumentNullException  publicClientId              publicClientId   publicClientId             public override async Task GrantResourceOwnerCredentials OAuthGrantResourceOwnerCredentialsContext context                var userManager   context OwinContext GetUserManager lt ApplicationUserManager gt              var user   await userManager FindAsync context UserName  context Password           if  user    null                        context SetError  invalid grant    The user name or password is incorrect                 return                     ClaimsIdentity oAuthIdentity   await user GenerateUserIdentityAsync userManager           var propertyDictionary   new Dictionary lt string  string gt       userName   user UserName              var properties   new AuthenticationProperties propertyDictionary            AuthenticationTicket ticket   new AuthenticationTicket oAuthIdentity  properties              Token is validated          context Validated ticket              public override Task TokenEndpoint OAuthTokenEndpointContext context                foreach  KeyValuePair lt string  string gt  property in context Properties Dictionary                        context AdditionalResponseParameters Add property Key  property Value                     return Task FromResult lt object gt  null              public override Task ValidateClientAuthentication OAuthValidateClientAuthenticationContext context                   Resource owner password credentials does not provide a client ID          if  context ClientId    null              context Validated             return Task FromResult lt object gt  null              public override Task ValidateClientRedirectUri OAuthValidateClientRedirectUriContext context                if  context ClientId     publicClientId                        var expectedRootUri   new Uri context Request Uri                     if  expectedRootUri AbsoluteUri    context RedirectUri                  context Validated                      return Task FromResult lt object gt  null              As you can see there is no controller involved in retrieving the token  In fact  you can remove all MVC references if you want a Web Api only  I have simplified the server side code to make it more readable  You can add code to upgrade the security   Make sure you use SSL only  Implement the RequireHttpsAttribute to force this   You can use the Authorize   AllowAnonymous attributes to secure your Web Api  Additionally you can add filters  like RequireHttpsAttribute  to make your Web Api more secure  I hope this helps

[c#] Token based authentication in Web API without any user interface

Examples related to c#

Examples related to .net

Examples related to authentication

Examples related to asp.net-web-api

Examples related to http-token-authentication