
Authentication with OAuth2 and OpenID Connect (OIDC) in .NET Core with an Item API


Authentication is a critical part of modern web applications, and OAuth2 combined with OpenID Connect (OIDC) provides a robust and secure method for user authentication. In this blog, we'll explore how to implement OAuth2 and OIDC authentication in a .NET Core application, using an Item API as an example.

What is OAuth2?

OAuth2 is an open standard for access delegation, commonly used for token-based authentication. It allows third-party services to exchange credentials for access tokens, which can then be used to access protected resources on behalf of a user.

What is OpenID Connect (OIDC)?

OIDC is an identity layer built on top of OAuth2. It adds authentication by allowing clients to verify the identity of the user based on the authentication performed by an authorization server. OIDC also provides additional information about the user in the form of an ID token.

Why Use OAuth2 and OIDC?

  • Security: OAuth2 and OIDC provide secure mechanisms for authentication and authorization.
  • Standardization: These protocols are widely adopted and supported by many providers (e.g., Google, Microsoft, Facebook).
  • Decoupling: OAuth2 allows separation between the client application and the authentication mechanism, enabling the use of third-party authentication providers.

Implementing OAuth2 and OIDC in a .NET Core Application

Let's implement OAuth2 and OIDC authentication in a .NET Core application using the Item API as an example. We'll use a popular identity provider like Azure Active Directory (AAD) or Auth0, but the concepts apply to other providers as well.

1. Setting Up an Identity Provider

Before we begin coding, you need to register your application with an identity provider that supports OAuth2 and OIDC, such as Azure AD, Google, or Auth0. This process typically involves:

  • Creating an application in the provider's portal.
  • Configuring redirect URIs.
  • Obtaining the client ID and client secret.

2. Configuring Authentication in .NET Core

Once you have your client ID and secret, configure OAuth2 and OIDC in your .NET Core application by adding the required services in the Startup.cs file.

Install the Necessary Packages

First, ensure you have the required NuGet packages:

dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer
dotnet add package Microsoft.IdentityModel.Protocols.OpenIdConnect

Configure Services in Startup.cs

Next, configure the authentication services:

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            // The handler downloads the OIDC discovery document and signing keys from the Authority.
            options.Authority = "https://YOUR_AUTHORITY_URL"; // e.g., https://login.microsoftonline.com/{tenant}
            options.Audience = "YOUR_CLIENT_ID"; // e.g., Client ID from your identity provider

            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                // Must equal the token's iss claim exactly; check the "issuer" value in the
                // provider's discovery document, as it can differ from the Authority URL.
                ValidIssuer = "https://YOUR_AUTHORITY_URL",
                ValidateAudience = true,
                ValidAudience = "YOUR_CLIENT_ID",
                ValidateLifetime = true
            };
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();

        app.UseRouting();

        // Order matters: authentication must run before authorization, and both after routing.
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}

In this configuration:

  • DefaultAuthenticateScheme and DefaultChallengeScheme are set to JwtBearerDefaults.AuthenticationScheme, indicating that the app will use JWT (JSON Web Token) bearer tokens for authentication.
  • Authority points to the identity provider's endpoint, which issues the tokens; the handler retrieves the provider's discovery document and signing keys from it.
  • Audience is set to your application's client ID; a token is accepted only if its aud claim matches this value, so tokens issued for other applications at the same provider are rejected.
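To see which tokens the three validation flags actually reject, here is an added example (not from the original post) that runs the same TokenValidationParameters against tokens minted locally with a constructed HMAC key. It assumes the System.IdentityModel.Tokens.Jwt package; in the running API the JwtBearer handler obtains the provider's real signing keys from the discovery document instead of a hardcoded key.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Added example, not from the original post. It exercises the same TokenValidationParameters
// as Startup.cs with a constructed HMAC key; in the real app the JwtBearer handler fetches the
// provider's signing keys from the Authority's discovery document instead.
public static class TokenValidationDemo
{
    const string Issuer = "https://YOUR_AUTHORITY_URL"; // placeholder from the post
    const string Audience = "YOUR_CLIENT_ID";           // placeholder from the post

    // Constructed key for this demo only (HS256 needs at least 32 bytes).
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-key-at-least-32-bytes-long!!"));

    static readonly TokenValidationParameters Parameters = new TokenValidationParameters
    {
        ValidateIssuer = true, ValidIssuer = Issuer,
        ValidateAudience = true, ValidAudience = Audience,
        ValidateLifetime = true, ClockSkew = TimeSpan.Zero, // library default skew is 5 minutes
        IssuerSigningKey = Key
    };

    // Mints a test token; the caller chooses issuer, audience and expiry so each check can be exercised.
    static string IssueToken(string issuer, string audience, DateTime expires) =>
        new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(
            issuer, audience, new[] { new Claim("sub", "user-123") }, null, expires,
            new SigningCredentials(Key, SecurityAlgorithms.HmacSha256)));

    public static bool Validate(string token)
    {
        try { new JwtSecurityTokenHandler().ValidateToken(token, Parameters, out _); return true; }
        catch (SecurityTokenException ex) { Console.WriteLine($"rejected: {ex.GetType().Name}"); return false; }
    }

    public static void Main()
    {
        var later = DateTime.UtcNow.AddHours(1);
        Validate(IssueToken(Issuer, Audience, later));                            // passes every check
        Validate(IssueToken(Issuer, "some-other-api", later));                    // minted for another API
        Validate(IssueToken("https://other-idp.example", Audience, later));       // minted by another issuer
        Validate(IssueToken(Issuer, Audience, DateTime.UtcNow.AddMinutes(-10)));  // already expired
    }
}
```

The exception type printed for each rejected token is the same one the JwtBearer handler records in its authentication-failed event, which is what you will see in the API's logs when a caller presents a token for the wrong audience or issuer.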

3. Securing the Item API with OAuth2 and OIDC

Now that authentication is configured, we can secure the Item API by adding the [Authorize] attribute to the controller or specific actions.

Securing the Controller

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System.Collections.Generic;
using System.Linq;

namespace ItemApi.Controllers
{
    // Minimal model for the example; the original post does not show its definition.
    public class Item
    {
        public int Id { get; set; }
        public string Name { get; set; }
        public string Description { get; set; }
    }

    [Route("api/[controller]")]
    [ApiController]
    [Authorize] // every action requires an authenticated caller
    public class ItemsController : ControllerBase
    {
        // In-memory sample data in place of a database.
        private static List<Item> Items = new List<Item>
        {
            new Item { Id = 1, Name = "Item1", Description = "First item" },
            new Item { Id = 2, Name = "Item2", Description = "Second item" },
        };

        [HttpGet]
        public ActionResult<IEnumerable<Item>> GetItems()
        {
            return Ok(Items);
        }

        [HttpGet("{id}")]
        public ActionResult<Item> GetItem(int id)
        {
            var item = Items.FirstOrDefault(i => i.Id == id);
            if (item == null)
            {
                return NotFound();
            }
            return Ok(item);
        }

        // Other CRUD actions...
    }
}

The [Authorize] attribute ensures that only authenticated users can access the API. If a user tries to access the API without a valid token, they will receive a 401 Unauthorized response.
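[Authorize] on its own accepts any valid token for this audience, regardless of what the caller was actually granted. The following is an added example, not part of the original post, that layers scope-based policies on top of the bearer authentication above; the "scp" claim name and its space-separated format follow Azure AD tokens and are an assumption to verify against your provider's token reference.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Added example, not from the original post. [Authorize] alone admits any valid token for this
// audience, whatever it is allowed to do; these policies also require a delegated scope.
// The "scp" claim name and its space-separated format follow Azure AD tokens (assumption;
// check your provider's token reference).
public static class ItemPolicies
{
    public const string Read = "Items.Read";
    public const string Write = "Items.Write";

    // Call from Startup.ConfigureServices after AddAuthentication(...).AddJwtBearer(...).
    public static IServiceCollection AddItemPolicies(this IServiceCollection services) =>
        services.AddAuthorization(options =>
        {
            options.AddPolicy(Read, p => p.RequireAssertion(ctx => HasScope(ctx.User, "items.read")));
            options.AddPolicy(Write, p => p.RequireAssertion(ctx => HasScope(ctx.User, "items.write")));
        });

    // "scp" holds all granted scopes in one space-separated string, so RequireClaim("scp", "items.read")
    // would only match a token whose entire scope string is exactly "items.read". The long URI is the
    // claim type the JWT handler maps "scp" to by default.
    public static bool HasScope(ClaimsPrincipal user, string scope)
    {
        var scp = user.FindFirst("scp")?.Value
               ?? user.FindFirst("http://schemas.microsoft.com/identity/claims/scope")?.Value;
        return scp != null && scp.Split(' ', StringSplitOptions.RemoveEmptyEntries).Contains(scope);
    }
}

[Route("api/[controller]")]
[ApiController]
[Authorize(Policy = ItemPolicies.Read)]           // every action needs a token with items.read
public class ItemsController : ControllerBase
{
    [HttpGet]
    public IActionResult GetItems() => Ok(new[] { "Item1", "Item2" });

    [HttpPost]
    [Authorize(Policy = ItemPolicies.Write)]       // writes additionally need items.write
    public IActionResult CreateItem([FromBody] string name) => Created($"api/items/{name}", name);
}
```

A caller whose token is valid but lacks the required scope receives 403 Forbidden rather than 401, so tests and log queries should expect both status codes.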

4. Testing the Authentication Flow

To test the authentication flow, you'll need to:

  1. Obtain an access token from your identity provider. This typically involves redirecting the user to the provider's login page and then receiving an authorization code or token in return.
  2. Use the access token in the Authorization header when making requests to the API.

Here’s an example of using the Authorization header with a bearer token in a request:

GET /api/items HTTP/1.1
Host: localhost:5001
Authorization: Bearer YOUR_ACCESS_TOKEN

If the token is valid and correctly configured, the request will succeed and return the list of items.

Conclusion

Implementing authentication with OAuth2 and OpenID Connect (OIDC) in .NET Core is a powerful way to secure your applications while leveraging the security features provided by modern identity providers. By following the steps in this blog, you can integrate OAuth2 and OIDC into your .NET Core applications, ensuring that only authenticated users have access to your APIs.

The example of the Item API demonstrates how to configure authentication, secure endpoints, and handle tokens in .NET Core. Whether you're building a small API or a large-scale application, OAuth2 and OIDC provide the flexibility and security needed for modern web applications.
