Developing token authentication using ASP.NET Core
(Credits :Virtual street art Golinelli )
The following article shows how to developing token authentication using ASP.NET Core.
I have already written about ASP.NET Core here:
- Future of ASP.NET is open source and cross platform;
- Introducing ASP.NET 5 on Ubuntu;
- Querying MongoDB using .NET Core;
Token based authentication overview
Nowadays, Token based authentication is very common on the web and any major API or web applications use tokens.
Token authentication is stateless, secure and designed to be scalable. In fact, it is quickly becoming a de facto standard for modern single-page applications and mobile apps.
The problems with server based authentication
Authentication is the process by which an application confirms user identity. Applications have traditionally persisted identity through session cookies, relying on session IDs stored server-side. A few major problems caused by this technique:
- Scalability: if sessions are stored in memory, this provides problems with scalability;
- CORS: as we want to expand our application to let our data be used across multiple mobile devices, we have to worry about cross-origin resource sharing (CORS);
- CSRF: we will also have protection against cross-site request forgery(CSRF);
- Sessions: Every time a user is authenticated, the server will need to create a record on our server;
How token based authentication works
Token based authentication is stateless. It don’t store any information about our user on the server or in a session.
Here’s the common steps of the token based authentication:
- user requests access by using username / password;
- application provides a signed token to the client;
- client stores that token and sends it along with every request;
- server verifies token and responds with data;
Every single request will require the token. The token should be sent in the HTTP header to keep the idea of stateless HTTP requests.
Implementing Token based authentication using ASP.Net Core
This example shows how to developing token authentication using ASP.NET Core, the following UML schema shows the architecture of project:
Setup the project
Once the project is successfully created, add the following configurations to your
TokenAuthentication section configures some common information about token generation, for example the
SectionKey used by token.
Tokens transmission / validation
There are two ways to transmit the authorization tokens:
- using HTTP Authorization headers (aka Bearer authentication);
- using browser cookies to save the authentication token;
Bearer token validation
Microsoft.AspNetCore.Authentication.JwtBearer package enables you to protect routes by using a JWT Token.
To enable Bearer token authentication, import the following Nuget package
Microsoft.AspNetCore.Authentication.JwtBearer in the project.json:
To initialize the Bearer authentication you need to split your
Startup.cs file and use another partial class, for example
Startup.Auth.cs file initialize the Bearer Authentication using configurations defined in the
appsettings.json file. The
tokenValidationParamaters object will be used also by Cookie validation.
Cookies validation enables the Token transport over browser cookies, to enable the Cookie token authentication you need to add the following package inside the
and create a custom validator for the input token.
To create the new validator add the following
Unprotect method decript and validate information provided by the input token. Call the following method in the
Startup.Auth.cs file, to use the Cookie authentication:
There isn’t native support to Token generation in ASP.NET Core, but it is possible write a custom token generator middleware from scratch.
Firstly, you need to create a class which implement token options :
The middleware class will use
TokenProviderOptions.cs to generate tokens:
TokenProviderMiddleware class implement the
Invoke method to generate tokens by using the
TokenProviderOptions. In order to initialize the middleware, it is necessary modify the
Startup.Auth.cs file and add in the
tokenProviderOptions defines the options of the token generator. The
IdentityResolver is the Task method which will check the identity of users. For demo purposes, the
IdentityResolver is implemented by a simple method called
Now is possible call the
ConfigureAuth method inside the
You can obtain the JWT token by calling the following route
POST and passing the username and password data:
All controllers decorated by the attribute
[Authorize] are protected by the JWT authentication.
n each http call you need to pass the
You need to pass the token in the header request:
UPDATE: The project runs on .NET Core 2.0. The demo code is available on Github.