
Authentication with OAuth2 (Without OpenID Connect) in .NET Core with an Item API


OAuth2 is widely used for authorization in web applications, allowing third-party services to access resources on behalf of a user without exposing their credentials. In this blog, we'll explore how to implement OAuth2 authentication in a .NET Core application, focusing on securing an Item API without using OpenID Connect (OIDC).

What is OAuth2?

OAuth2 is an open standard protocol for authorization, providing a secure way for users to grant third-party applications access to their resources without sharing their credentials. OAuth2 is commonly used for token-based authentication and access control.

Why Use OAuth2 Without OIDC?

While OpenID Connect (OIDC) is often used alongside OAuth2 to add user authentication and identity management, there are cases where you might want to use OAuth2 alone, such as when:

  • You only need to authorize access to resources, not authenticate users.
  • Your application doesn't require the identity information provided by OIDC.

Implementing OAuth2 in a .NET Core Application

Let's walk through the implementation of OAuth2 in a .NET Core application using an Item API as an example.

1. Setting Up an OAuth2 Authorization Server

Before implementing OAuth2 in your .NET Core application, you need an OAuth2 authorization server. This server is responsible for issuing access tokens to clients after they successfully authenticate.

You can use existing services like Auth0, Azure AD, or your own implementation. For this example, we'll assume you're using a third-party OAuth2 provider.

2. Configuring OAuth2 in .NET Core

Once your authorization server is set up, you need to configure your .NET Core application to use OAuth2 for securing your API.

Install the Required Packages

Ensure you have the necessary NuGet package:

dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer

Configure Services in Startup.cs

Next, configure the authentication services in the Startup.cs file:

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        services.AddAuthentication(options =>
        {
            // Incoming requests are authenticated by validating a bearer JWT,
            // and an unauthenticated request is challenged with 401 instead of a login redirect.
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            // The handler downloads the authorization server's discovery document from the
            // Authority and uses its published signing keys to verify token signatures.
            options.Authority = "https://YOUR_OAUTH2_AUTHORITY_URL"; // e.g., https://auth.example.com
            options.Audience = "YOUR_API_AUDIENCE"; // e.g., API identifier or client ID from your OAuth2 provider

            options.TokenValidationParameters = new TokenValidationParameters
            {
                // Reject tokens minted by any other issuer, even if correctly signed.
                ValidateIssuer = true,
                ValidIssuer = "https://YOUR_OAUTH2_AUTHORITY_URL",
                // Reject tokens issued for a different API (the "aud" claim must match).
                ValidateAudience = true,
                ValidAudience = "YOUR_API_AUDIENCE",
                // Reject expired or not-yet-valid tokens ("exp"/"nbf"), allowing the default clock skew.
                ValidateLifetime = true
            };
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();

        app.UseRouting();

        // Order matters: authentication must run before authorization, and both
        // must sit between UseRouting and UseEndpoints so [Authorize] is enforced.
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}

In this configuration:

  • JwtBearerDefaults.AuthenticationScheme is used to specify that the app will authenticate using JWT tokens issued by an OAuth2 authorization server.
  • Authority is the URL of your OAuth2 authorization server.
  • Audience is the identifier of your API that clients must specify when requesting tokens.
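To see what those TokenValidationParameters actually reject, here is an added console example (not part of the original post) that mints test tokens and runs them through the same validation the JwtBearer handler performs. It assumes the System.IdentityModel.Tokens.Jwt package (pulled in by the JwtBearer package) and uses a constructed HS256 key in place of the Authority's published keys; the issuer and audience values are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class TokenValidationDemo
{
    // Constructed HS256 test key. The real API never holds a key like this: AddJwtBearer
    // fetches the Authority's public signing keys from its discovery document instead.
    private static readonly SymmetricSecurityKey Key = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production-0123456789"));
    private static readonly JwtSecurityTokenHandler Handler = new JwtSecurityTokenHandler();

    // Same checks as the TokenValidationParameters in Startup.cs, plus signature verification.
    private static readonly TokenValidationParameters Parameters = new TokenValidationParameters
    {
        ValidateIssuer = true, ValidIssuer = "https://auth.example.com",
        ValidateAudience = true, ValidAudience = "item-api",
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true, IssuerSigningKey = Key,
        ClockSkew = TimeSpan.Zero // default is 5 minutes; zero makes the expired case deterministic
    };

    public static string Mint(string issuer, string audience, DateTime expires)
    {
        var token = new JwtSecurityToken(issuer, audience,
            new[] { new Claim("scope", "items.read") },
            notBefore: expires.AddMinutes(-10), expires: expires,
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return Handler.WriteToken(token);
    }

    // Returns "accepted" or the exception type that explains the rejection.
    public static string Check(string token)
    {
        try { Handler.ValidateToken(token, Parameters, out _); return "accepted"; }
        catch (SecurityTokenException ex) { return "rejected: " + ex.GetType().Name; }
    }

    public static void Main()
    {
        var now = DateTime.UtcNow;
        Console.WriteLine(Check(Mint("https://auth.example.com", "item-api", now.AddMinutes(5))));   // valid token
        Console.WriteLine(Check(Mint("https://auth.example.com", "other-api", now.AddMinutes(5))));  // wrong audience
        Console.WriteLine(Check(Mint("https://idp.other.example", "item-api", now.AddMinutes(5)))); // wrong issuer
        Console.WriteLine(Check(Mint("https://auth.example.com", "item-api", now.AddMinutes(-5))));  // expired
    }
}
```

Only the first token is accepted; the other three are rejected for audience, issuer and lifetime respectively, which is exactly why none of those flags should be turned off on a production API.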

3. Securing the Item API with OAuth2

With OAuth2 configured, you can secure your Item API by adding the [Authorize] attribute to your controller or specific actions.

Securing the Controller

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System.Collections.Generic;
using System.Linq;

namespace ItemApi.Controllers
{
    // Simple model for the example.
    public class Item
    {
        public int Id { get; set; }
        public string Name { get; set; }
        public string Description { get; set; }
    }

    [Route("api/[controller]")]
    [ApiController]
    [Authorize] // every action in this controller requires a valid bearer token
    public class ItemsController : ControllerBase
    {
        // In-memory data for the example; a real API would use a data store.
        private static List<Item> Items = new List<Item>
        {
            new Item { Id = 1, Name = "Item1", Description = "First item" },
            new Item { Id = 2, Name = "Item2", Description = "Second item" },
        };

        [HttpGet]
        public ActionResult<IEnumerable<Item>> GetItems()
        {
            return Ok(Items);
        }

        [HttpGet("{id}")]
        public ActionResult<Item> GetItem(int id)
        {
            var item = Items.FirstOrDefault(i => i.Id == id);
            if (item == null)
            {
                return NotFound();
            }
            return Ok(item);
        }

        // Other CRUD actions...
    }
}

The [Authorize] attribute ensures that only requests with valid access tokens can reach the API. If a request is made without a token or with an invalid token, the response will be a 401 Unauthorized error.
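Because this setup uses OAuth2 for authorization only, the natural next step is to check the scopes the token was granted, not just that it is valid. The following added example (not from the original post) shows scope-based policies for the Item API; the policy names, scope values and the controller body are assumptions for illustration.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

namespace ItemApi
{
    public static class ScopePolicies
    {
        // Policy and scope names are assumptions for this example; use the scope values
        // your authorization server actually issues for the Item API audience.
        public const string ItemsRead = "ItemsRead";
        public const string ItemsWrite = "ItemsWrite";

        // Call from Startup.ConfigureServices after AddAuthentication(...).AddJwtBearer(...).
        public static IServiceCollection AddItemScopePolicies(this IServiceCollection services) =>
            services.AddAuthorization(options =>
            {
                options.AddPolicy(ItemsRead, p => p.RequireAssertion(ctx => HasScope(ctx, "items.read")));
                options.AddPolicy(ItemsWrite, p => p.RequireAssertion(ctx => HasScope(ctx, "items.write")));
            });

        // Servers differ: some emit one "scope" claim per scope, others a single space-delimited
        // claim ("items.read items.write"). RequireClaim("scope", "items.read") matches only an
        // exact claim value, so split before comparing.
        private static bool HasScope(AuthorizationHandlerContext ctx, string required) =>
            ctx.User.FindAll("scope")
               .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
               .Contains(required, StringComparer.Ordinal);
    }

    [Route("api/[controller]")]
    [ApiController]
    [Authorize] // any valid token for this audience passes here; no/invalid token -> 401
    public class ItemsController : ControllerBase
    {
        [HttpGet]
        [Authorize(Policy = ScopePolicies.ItemsRead)] // valid token without items.read -> 403
        public IActionResult GetItems() => Ok(new[] { "Item1", "Item2" });

        [HttpDelete("{id}")]
        [Authorize(Policy = ScopePolicies.ItemsWrite)]
        public IActionResult DeleteItem(int id) => NoContent();
    }
}
```

Note the two distinct failure responses: a missing or invalid token is a 401 from authentication, while a valid token that lacks the required scope is a 403 from authorization, which is worth distinguishing in logs and monitoring.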

4. Testing OAuth2 Authentication

To test the OAuth2 authentication flow:

  1. Obtain an Access Token: Use the OAuth2 authorization server to obtain an access token. This usually involves redirecting the user to the server's login page and then receiving a token in return.
  2. Use the Access Token: Include the access token in the Authorization header when making API requests.

Example request with an access token:

GET /api/items HTTP/1.1
Host: localhost:5001
Authorization: Bearer YOUR_ACCESS_TOKEN

If the token is valid and the configuration is correct, the API will return the requested data. Otherwise, it will return a 401 Unauthorized error.

Conclusion

OAuth2 is a powerful and flexible protocol for securing web APIs. By following the steps outlined in this blog, you can implement OAuth2 authentication in your .NET Core applications, securing your endpoints with token-based access control.

This example demonstrates how to configure OAuth2 in a .NET Core application, secure an Item API, and handle requests with access tokens. Whether you're using a third-party authorization server or your own implementation, OAuth2 provides a robust solution for managing access to your APIs.
