ASP.NET Core Web API Tutorial – Part 3

October 17, 2017

In this part of the ASP.NET Core Web API tutorial we briefly explain the Web API security architecture, show how to set up an authentication filter, and implement a Web API authentication filter with the help of an example.

ASP.NET provides a highly customizable framework for authenticating users and authorizing their access. Before going deeper, let us first look at the difference between authentication and authorization:

  • Authentication identifies the user. For example, John logs in and the system asks for his username and password in order to authenticate him. Authentication is therefore the act of verifying that the identity the user claims is valid.
  • Authorization is the act of deciding whether an (already authenticated) user is allowed to perform a certain action; it is the access-control side of the picture. For example, John has permission to read a resource but not to create one, so when John tries to create a resource the system refuses the operation.

How Is Authentication Performed?

Here are the steps that occur when a user is authenticated in ASP.NET Web API:

  • The host verifies the user's credentials (for example, a username and password). If they are valid, the host creates a principal, an instance of IPrincipal, that represents the security context of the request.
  • The principal is then attached to the current thread (Thread.CurrentPrincipal; when hosted in IIS it is also set as HttpContext.Current.User).
  • Later checks read the Identity object associated with that principal. If the user was authenticated, Identity.IsAuthenticated is true; for an anonymous request it is false. Authorization decisions (role checks and so on) are made against this same principal.
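
The same sequence as an added console example, written against the principal types the steps above name (IPrincipal, IIdentity) rather than inside a web host; it is not code from the original post. The Authenticate method, its user name and its password are a constructed stand-in for the host's credential check.

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading;

// Added example, not from the original post. Shows the principal/identity
// objects a Web API host builds during authentication and how later code
// reads them back; runs as a plain console program.
static class PrincipalDemo
{
    // Hypothetical stand-in for the host's credential check. A real host would
    // verify a salted password hash from its user store, not a literal string.
    static IPrincipal Authenticate(string userName, string password)
    {
        // Constructed demo credential only.
        bool valid = userName == "john" && password == "correct horse battery staple";
        if (!valid)
        {
            // Failed login: an identity without a name or authentication type,
            // so Identity.IsAuthenticated is false and there are no roles.
            return new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        }

        // Successful login: a ClaimsIdentity with a non-empty authentication
        // type is reported as authenticated, and role claims drive IsInRole.
        var identity = new ClaimsIdentity("Basic");
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        identity.AddClaim(new Claim(ClaimTypes.Role, "Reader"));
        return new ClaimsPrincipal(identity);
    }

    static void Describe(IPrincipal user, string label)
    {
        Console.WriteLine($"{label}: IsAuthenticated={user.Identity.IsAuthenticated}, " +
                          $"Name='{user.Identity.Name}', Reader={user.IsInRole("Reader")}, " +
                          $"Admin={user.IsInRole("Admin")}");
    }

    static void Main()
    {
        // Step 1: verify credentials and build the principal.
        IPrincipal principal = Authenticate("john", "correct horse battery staple");

        // Step 2: attach it to the current thread. This is what the Web API host
        // does after a successful authentication filter (System.Web hosting also
        // sets HttpContext.Current.User).
        Thread.CurrentPrincipal = principal;

        // Step 3: authorization code reads the identity back from the thread.
        Describe(Thread.CurrentPrincipal, "after valid login");

        // A failed login leaves the request anonymous; [Authorize] would reject it.
        Thread.CurrentPrincipal = Authenticate("john", "wrong password");
        Describe(Thread.CurrentPrincipal, "after failed login");
    }
}
```

The point to take away is that IsAuthenticated and IsInRole say nothing about the credentials themselves; they only report what the code that built the principal put into it, so the authentication filter is the component that has to get the credential check right.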

How to Set Up an Authentication Filter

  • Enable Basic authentication: create an authentication filter called IdentityBasicAuthentication and apply it to the controller.
  • Apply the Authorize attribute to the API controller class so that every action requires an authenticated caller.
  • Alternatively, apply a custom Authorize attribute to the API controller class.
  • Any method of a restricted controller can still be made public by marking it with AllowAnonymous. For example, even though HelloRequestController is restricted, its Get method can be called by an anonymous user, which makes it effectively a public endpoint.
  • Restricted to a list of users: the only allowed users are named in the Users property of the Authorize attribute.
  • Restricted by role: in the same way, a controller (or a single action) can be restricted to specific roles through the Roles property.
  • It is also possible to branch inside a method and run different blocks for different roles by testing User.IsInRole in the method body.
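
A controller that puts the attributes listed above together, as an added example (ASP.NET Web API 2, System.Web.Http) that is not the post's own code; the routes, user names and roles are assumptions. It assumes an authentication filter has already populated User, and that config.MapHttpAttributeRoutes() is called in WebApiConfig so the Route attributes take effect.

```csharp
using System.Net;
using System.Web.Http;

// Added example (ASP.NET Web API 2, System.Web.Http); not the post's own code.
// Routes, user names and roles are assumptions. Assumes an authentication
// filter has already populated User, and that config.MapHttpAttributeRoutes()
// is called in WebApiConfig so the Route attributes take effect.
[Authorize]   // every action needs an authenticated caller unless it opts out
public class HelloRequestController : ApiController
{
    // Opt one action out of the controller-level restriction: anonymous
    // callers reach it, so it is effectively a public endpoint.
    [AllowAnonymous]
    [HttpGet, Route("api/hello")]
    public IHttpActionResult Get()
    {
        return Ok("GET: Hello World!");
    }

    // Allow-list of user names; matched against User.Identity.Name, so the
    // authentication filter must set that name for this to work.
    [Authorize(Users = "alice,bob")]
    [HttpGet, Route("api/hello/private")]
    public IHttpActionResult GetPrivate()
    {
        return Ok("Hello " + User.Identity.Name);
    }

    // Role-based restriction on a single action.
    [Authorize(Roles = "Admin")]
    [HttpPost, Route("api/hello")]
    public IHttpActionResult Post([FromBody] string value)
    {
        return Created("api/hello", value);
    }

    // Different behaviour per role inside one method body. Unlike the
    // attribute, a failed check here can answer 403 instead of 401.
    [HttpDelete, Route("api/hello/{id}")]
    public IHttpActionResult Delete(int id)
    {
        if (User.IsInRole("Admin"))
        {
            return StatusCode(HttpStatusCode.NoContent);       // hard delete
        }
        if (User.IsInRole("Editor"))
        {
            return Ok("item " + id + " marked for deletion");  // soft delete only
        }
        return StatusCode(HttpStatusCode.Forbidden);           // authenticated, not permitted
    }
}
```

Two things worth knowing when testing this: Web API 2's AuthorizeAttribute answers 401 both for an anonymous caller and for an authenticated caller who is not in Users or Roles, so a client cannot tell the two apart from the status code alone; and the Users and Roles lists are only as good as the principal the authentication filter built, so a filter that never sets role claims silently makes every role-restricted action unreachable.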

Implement a Web API Authentication Filter

Here are the steps to implement an authentication filter.

  • Start Visual Studio and create a new ASP.NET Web Application project. Select the Web API template. Under "Add folders and core references for", tick the Web API checkbox.
  • Now create a Web API controller (for example a HelloWorldController with a Get action).
  • Run the application locally.
  • Open a browser and navigate to http://localhost/api/helloworld/. It will show the response text "GET: Hello World!".
  • Then select MVC as the ASP.NET project type.
  • A custom authorization filter must derive from one of the following types:
    • AuthorizeAttribute: the basic authorization attribute; it makes its decision from the current user and that user's roles.
    • AuthorizationFilterAttribute: base class for synchronous authorization logic that is not necessarily based on the current user or role.
    • IAuthorizationFilter: the interface that must be implemented to run asynchronous authorization logic.
  • Authentication, as opposed to authorization, is done by a filter that implements IAuthenticationFilter. Create a class that implements it; in this example we define a filter for Basic authentication.
  • The next step is to implement the two methods of IAuthenticationFilter: AuthenticateAsync, which inspects the request and sets either a principal or an error result on the context, and ChallengeAsync, which adds the WWW-Authenticate challenge to 401 responses.
  • Finally, apply this filter to the API controller class, either as an attribute on the controller or globally through the Web API configuration's filter collection.
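
A Basic authentication filter that carries out these steps, as an added example that is not the post's own code. It targets ASP.NET Web API 2 (System.Web.Http), which is where IAuthenticationFilter, HttpAuthenticationContext and AuthorizationFilterAttribute live; ASP.NET Core has no IAuthenticationFilter and configures authentication through handlers instead. The class name follows the page's IdentityBasicAuthentication; the realm, the in-memory user store and its two credentials are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Added example for ASP.NET Web API 2 (System.Web.Http), not the post's own code.
// Apply as [IdentityBasicAuthentication] together with [Authorize] on a controller.
// The credential store is a constructed in-memory sample; a real service would
// compare against a salted password hash, never a stored plaintext password.
public class IdentityBasicAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    private const string Realm = "example-api";   // assumed realm name
    private static readonly Dictionary<string, string> Users = new Dictionary<string, string>
    {
        ["alice"] = "s3cret-alice",   // constructed demo credentials only
        ["bob"] = "s3cret-bob",
    };

    public bool AllowMultiple => false;

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue authorization = context.Request.Headers.Authorization;
        // No Authorization header, or a scheme we do not handle: leave the request
        // anonymous so another filter may handle it; [Authorize] will answer 401.
        if (authorization == null ||
            !string.Equals(authorization.Scheme, "Basic", StringComparison.OrdinalIgnoreCase))
            return Task.CompletedTask;

        // Basic scheme with missing or wrong credentials: ErrorResult short-circuits
        // the pipeline with a 401 that already carries our challenge.
        IPrincipal principal = ValidateCredentials(authorization.Parameter);
        if (principal == null)
        {
            context.ErrorResult = new UnauthorizedResult(new[] { Challenge() }, context.Request);
            return Task.CompletedTask;
        }
        context.Principal = principal;   // success: the host attaches this to the request
        return Task.CompletedTask;
    }

    // Runs for every response; adds WWW-Authenticate to 401s produced elsewhere
    // (for example by [Authorize]) so clients learn which scheme to use.
    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        context.Result = new AddChallengeOnUnauthorized(context.Result, Challenge());
        return Task.CompletedTask;
    }

    private static AuthenticationHeaderValue Challenge() => new AuthenticationHeaderValue("Basic", "realm=\"" + Realm + "\"");

    // Decodes base64("user:password") and checks it against the store; null on any failure.
    private static IPrincipal ValidateCredentials(string parameter)
    {
        if (string.IsNullOrEmpty(parameter)) return null;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return null; }
        int colon = decoded.IndexOf(':');            // RFC 7617: user-id ":" password
        if (colon < 0) return null;
        string user = decoded.Substring(0, colon);
        string password = decoded.Substring(colon + 1);
        if (!Users.TryGetValue(user, out string expected) || !FixedTimeEquals(expected, password))
            return null;
        var identity = new ClaimsIdentity("Basic");  // non-empty authenticationType => IsAuthenticated
        identity.AddClaim(new Claim(ClaimTypes.Name, user));
        return new ClaimsPrincipal(identity);
    }

    // Compares without early exit so timing does not reveal how many leading bytes matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < Math.Min(x.Length, y.Length); i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }

    // Wraps an action result and appends the challenge header if it turns out to be a 401.
    private sealed class AddChallengeOnUnauthorized : IHttpActionResult
    {
        private readonly IHttpActionResult _inner;
        private readonly AuthenticationHeaderValue _challenge;
        public AddChallengeOnUnauthorized(IHttpActionResult inner, AuthenticationHeaderValue c) { _inner = inner; _challenge = c; }

        public async Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
        {
            HttpResponseMessage response = await _inner.ExecuteAsync(cancellationToken);
            if (response.StatusCode == HttpStatusCode.Unauthorized)
                response.Headers.WwwAuthenticate.Add(_challenge);
            return response;
        }
    }
}
```

Apply it with [IdentityBasicAuthentication] next to [Authorize] on a controller, or register it for every controller with config.Filters.Add(new IdentityBasicAuthenticationAttribute()) in WebApiConfig. Basic authentication only base64-encodes the password, so the API must be served over HTTPS only. The filter deliberately does nothing when no Basic header is present: the request then stays anonymous, [Authorize] produces the 401, and ChallengeAsync attaches the WWW-Authenticate header to it, which is the behaviour a well-formed Basic challenge requires.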

Along with Basic authentication, it is also possible to make any particular method of the controller accessible only to a particular role, for example:


Here every method carries the annotation [Authorize(Roles="Admin")], which makes the method accessible only to a logged-in user whose role is Admin. The role check is only as reliable as the principal the authentication filter established: the attribute simply calls IsInRole on that principal.
