❔ New .NET Core Web API app. Guidelines for setting up authentication & authorization?
We're just starting a new Web API app with .NET Core. I don't seem to have any template choices that provide me with authentication via my IDE. I'm finding a lot of different answers for how to set up authentication.
Can someone point me in the right direction to a package/set of packages or whatever the best practice is now? I planned on just storing the data in the app's database and not outsourcing auth.
Thank you!
well, do you have a front end to provide access to your api, like in the form of api tokens?
@henkypenky yes, we will be building that (likely with sveltekit) - just getting the API squared away first
It sounds like .NET 8 promises clearing this up and providing out of the box solutions. Wondering if I should just try that out.
i didn't read about that
so with the prerequisite that your users have an api token already
sorry I should clarify. I imagine using JWTs, not api tokens
e.g. a user registers and can log in... they don't create api tokens and tie them to an app or something. not sure if I was leading you the wrong way
it's fine
thanks for the info
then i will step aside, cause i never worked with JWTs
but good info so far
thanks - i'll keep looking around
what do you need
do you need multiple users
if not, all you need is an API key
oops i did not backread
i'm looking into this myself as well. from what i've seen JWTs are typically used with a separate auth server
i.e. the client app authenticates with the auth server, gets a JWT, and sends that JWT to your API to authenticate to it
if you don't want to rely on an external auth server, you could use basic authentication, where the user just passes their username and password to the API, and then your API application handles everything from there
@schwartzmj
although it looks like ASP.NET doesn't support basic authentication out of the box, so you'd need to find a package https://stackoverflow.com/questions/35296648/basic-authentication-in-asp-net-core
yeah, i mean cookie based or JWT based. i guess i don't really care - it's surprising that .net doesn't come with this baked in
https://github.com/dotnet/aspnetcore/issues/42158#issuecomment-1481742187
https://www.reddit.com/r/dotnet/comments/120wrf9/official_update_on_authentication_for_net_8/
^^ a couple related links
it sounds like the common package that was used was Identity Server but their licensing changed so now there isn't really a community or included package to roll with
yeah, so far I've been using azure AD B2C because that's what work uses so I haven't had to worry about it
and the one API i've built just needs a key
but my personal project is a SPA/API so i'll have to figure out the right way to do it as well
InfoWorld
How to implement JWT authentication in ASP.NET Core 6
It’s easy to secure minimal API endpoints in ASP.NET Core 6 using JSON Web Tokens for authentication and authorization. Just follow these steps.
Not a bad article
If you're implementing your own JWT auth, you will need code to create a JWT. An API endpoint stands between that code and your client. The JWT nuget package referenced in the article will help you do that
Then you need to modify your app startup and insert middlewares to check for the JWT, validate them, and reject or deny requests. Also described in the article
thank you for this. i'll take a look right now
There are plenty of blog posts, tutorials, etc out there. They should all follow the same theme and should be using the same Microsoft supported code / packages
thanks. will look into this post in particular. generally speaking, "rolling your own auth" usually seems like a no-no so i wasn't sure if i was missing something. but if it's just connecting a few MS packages, that sounds reasonable
It's higher risk than most things. You're responsible for password security now
You can delegate JWT creation, sign up, and login to auth providers such as Auth0 for a price
Microsoft "Identity" can also help you there. It's not "roll your own" but you're still responsible for storing hashes of passwords
@.mordeo i may also check out B2C - any thoughts on using that instead?
Ask in #web if you have specific questions along the way. Broader audience
WDYM B2C? Sounds like regular auth
Azure B2C
my understanding is its auth as a service
similar to Auth0 i'd imagine .. from the limited amount i've read of them
anyway, thank you very much for your help! let me know if you have any thoughts or experience with that
I've been using ASP.NET Identity (I believe this is different from Identity Server, which definitely confused me) to handle authentication. It was a little challenging to learn since the documentation is geared towards MVC projects, but you can use the methods in a web api as well
Once I've verified the user's credentials using Identity, I build a JWT based on the user's permissions and return it. Then there's middleware that handles verifying the signature of the JWT is valid, and then each controller / method can use the [Authorize] method to limit access.
I'm super new to using Identity and JWTs in C# too but it seems to work fine.
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.