I'm trying to find out which is the right way to secure my web API (I am using SQL as the database).

Step one: the client logs in to the application. The client sends username and password.

ASP.NET checks in the SQL database whether the username and password exist. If they exist, it sends back a token key.

In the next client request, do I send username and password again? Or only the token? Also, how can I retrieve the token from ASP.NET and store it inside my ASP.NET application?

Do I need to create a List collection and add the token inside it? But this way is not thread safe... Is there any other mechanism for storing/retrieving tokens and other data from the ASP.NET application?

ddd

  • Why do you want to invent your own authentication mechanism and not use Identity with bearer tokens, for example? – CodeCaster Nov 29 '18 at 14:04
  • ASP.NET already has built-in authentication/authorization mechanisms. Use them. The framework does much of the work for you, and using industry-standard security. – David Nov 29 '18 at 14:06
  • "In next client's request, do i send again username and password? Or only token?"...you'd send the token. Otherwise what was the point of generating it, do you suppose? But yeah, don't roll your own authentication, use something which already exists and plug it into your app. ASP.NET makes this fairly easy, on the whole. – ADyson Nov 29 '18 at 14:08
  • Ok, thank you for the answers. If the token expires, then what next? Do I need to ask the client to send me username and password again to generate a new token? – ddd Nov 29 '18 at 14:13
  • Yes, or you could use the refresh token pattern, as used by things like Google's APIs via OAuth. But again, unless you're studying this for academic purposes, don't write your own authentication code...you'll just end up making all the same subtle mistakes which the established mechanisms have already found and fixed. – ADyson Nov 29 '18 at 15:05
  • Thank you sir, I have one more question. Are tokens saved in a list somewhere inside my software? And each time I have a GET request that needs authentication, does ASP.NET read from this list? Should I manually add them to a list collection or something? Which token is more suitable for connecting mobile clients to the server, OAuth or JWT? – ddd Nov 30 '18 at 06:41
  • Just send token for next api calls – Geetesh Nov 29 '18 at 14:09
  • Neither is more or less suitable as far as I know. They both implement a similar concept. You can read more detail about them online to know if there are any differences which would be significant for you. Yes you can store the tokens somewhere in your app. How you store them is up to you according to your application logic. Just make sure it's secure though. – ADyson Nov 30 '18 at 10:29

1 Answer

You should use JWT Tokens

Here is a useful link for that.

JWT Authentication for Asp.Net Web Api

E.g., here is how you generate a JWT token:

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

// NuGet packages: System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens

public static class JwtTokenGenerator
{
    // Base64-encoded HMAC key (example value). Load it from protected configuration
    // in a real application; anyone who knows this key can forge valid tokens.
    private const string Secret = "db3OIsj+BXE9NZDy0t8W3TcNekrF+2d/1sFnWG4HnV8TZY30iTOdtVWJG8abWvB1GlOgJuQZdcF2Luqm/hccMw==";

    // Builds a signed JWT that carries the username and expires after expireMinutes.
    public static string GenerateToken(string username, int expireMinutes = 20)
    {
        var symmetricKey = Convert.FromBase64String(Secret);
        var tokenHandler = new JwtSecurityTokenHandler();

        var now = DateTime.UtcNow;
        var tokenDescriptor = new SecurityTokenDescriptor
        {
            // Claims embedded in the token payload
            Subject = new ClaimsIdentity(new[]
            {
                new Claim(ClaimTypes.Name, username)
            }),

            // "exp" claim: the token is rejected by validators after this time
            Expires = now.AddMinutes(expireMinutes),

            // HMAC-SHA256 signature over header and payload using the shared key
            SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(symmetricKey), SecurityAlgorithms.HmacSha256Signature)
        };

        var stoken = tokenHandler.CreateToken(tokenDescriptor);
        var token = tokenHandler.WriteToken(stoken);   // compact "header.payload.signature" string

        return token;
    }
}
Mihir Dave
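The other half of the flow the question asks about, the server checking the token on every later request, as an added example that is not part of the answer above or of the linked article. It assumes the same Microsoft.IdentityModel.Tokens / System.IdentityModel.Tokens.Jwt packages the answer's code uses, the classic ASP.NET Web API 2 filter pipeline (System.Web.Http), and the same Secret; the class names JwtValidator and JwtAuthorizeAttribute are my own. The point it shows is the answer to the "do I keep a list of tokens?" question: nothing is stored server side. The HMAC signature and the exp claim are verified on each request, so validation is stateless and has no thread-safety problem.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Microsoft.IdentityModel.Tokens;

// Validates tokens produced by GenerateToken. No list of issued tokens is kept:
// the signature and expiry are checked on every request (stateless, thread-safe).
public static class JwtValidator
{
    // Must be the same key that signed the token. Example value (assumed to match
    // the generator); in a real deployment load it from protected configuration.
    private const string Secret = "db3OIsj+BXE9NZDy0t8W3TcNekrF+2d/1sFnWG4HnV8TZY30iTOdtVWJG8abWvB1GlOgJuQZdcF2Luqm/hccMw==";

    // Returns the authenticated principal, or null if the token is missing,
    // malformed, tampered with, signed with a different key, or expired.
    public static ClaimsPrincipal ValidateToken(string token)
    {
        if (string.IsNullOrWhiteSpace(token)) return null;

        var handler = new JwtSecurityTokenHandler();
        if (!handler.CanReadToken(token)) return null;

        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Convert.FromBase64String(Secret)),
            ValidateLifetime = true,      // reject tokens past their Expires time
            ClockSkew = TimeSpan.Zero,    // no grace period after expiry (library default is 5 minutes)
            ValidateIssuer = false,       // GenerateToken sets no issuer or audience,
            ValidateAudience = false      // so there is nothing to compare against
        };

        try
        {
            SecurityToken validated;
            var principal = handler.ValidateToken(token, parameters, out validated);

            // Pin the algorithm: accept only HMAC-SHA256 signed tokens, so a token
            // presenting any other "alg" header value is refused.
            var jwt = validated as JwtSecurityToken;
            if (jwt == null) return null;
            var alg = jwt.Header.Alg;
            if (!string.Equals(alg, SecurityAlgorithms.HmacSha256, StringComparison.Ordinal) &&
                !string.Equals(alg, SecurityAlgorithms.HmacSha256Signature, StringComparison.Ordinal))
                return null;

            return principal;
        }
        catch (SecurityTokenException)
        {
            return null;   // bad signature, expired, not yet valid, ...
        }
        catch (ArgumentException)
        {
            return null;   // structurally invalid token
        }
    }
}

// Web API 2 filter: put [JwtAuthorize] on a controller or action. Each request
// carries "Authorization: Bearer <token>"; username and password are not resent.
public class JwtAuthorizeAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var auth = actionContext.Request.Headers.Authorization;
        ClaimsPrincipal principal = null;

        if (auth != null && string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
            principal = JwtValidator.ValidateToken(auth.Parameter);

        if (principal == null)
        {
            // Missing, invalid or expired token: the client must log in again
            // (or redeem a refresh token, if you implement that pattern).
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // Expose the identity to the action (User.Identity.Name comes from the Name claim).
        actionContext.RequestContext.Principal = principal;
        Thread.CurrentPrincipal = principal;
    }
}
```

After login the client keeps the token string and sends it as `Authorization: Bearer <token>` on every call; the server never has to look the token up, because the signature already proves it issued it and the exp claim bounds how long that proof is good for. The only shared state is the key, which is why it must stay out of source control.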