One of the ways to secure the API's is using JWT. This is how it works, We will create a controller with an AllowAnonymous action. Make sure you have Authorize attribute over all of your controllers otherwise you have a potential loophole dangling in there.
Here is the Action method
[AllowAnonymous]
[HttpPost]
public IActionResult Login([FromBody]User user)
{
var authUserToken = _loginService.Login(user.Username, user.Password);
if (authUserToken == null)
return BadRequest(new { message = "Username or password is incorrect" });
return Ok(new { AccessToken = authUserToken });
}
The login service is another entity which actually generates the Web Token using Microsoft.IdentityModel.Tokens
private string GenerateJSONWebToken(User user)
{
//secret token and the algorithm to use
var secretToken = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_settings.SecretToken));
var credentials = new SigningCredentials(secretToken, SecurityAlgorithms.HmacSha256);
// creating a with one hour validity.
var token = new JwtSecurityToken(_settings.TokenIssuer,
null,
null,
expires: DateTime.Now.AddHours(1),
signingCredentials: credentials);
return new JwtSecurityTokenHandler().WriteToken(token);
}
To generate token we need to pass a secret string which ideally should be long enough otherwise, it will fail to generate. Here we are creating a token which is valid for 1 hour.
The generated token will be in this format xxxxx.yyyyy.zzzzz
which is equivalent to header.payload.signature. You can verify the generated and the signature using jwt.io.
Any request to your API now should send this below header
Authorization:Bearer {{jwt}}
Which will be intercepted by the Authorize
attribute and verified.
For Authorize attribute to work, we need to say dotnetcore using ConfigureServices like this in StartUp.cs file
services.AddAuthentication(a =>
{
a.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
a.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(x =>
{
x.RequireHttpsMetadata = false;
x.SaveToken = true;
x.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(secretToken),
ValidateIssuer = false,// validate the server that generates the token
ValidateAudience = false//validate the user who generates token is authorized
};
});
Photo by ZSun Fu on Unsplash
Top comments (0)