Token Based Authentication using ASP.NET 5 and Identity vs custom user database

1
votes

I've got an existing ASP.NET 4 project consisting of a web api and a Single-page-application which is consuming the api. I've done the jwt implementation like described here http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/ , however to my big disappointment this is not so easy to port over to ASP.NET 5 and MVC 6.. I need to be able to have my own SimpleAuthorizationServerProvider class (or equivalent), since I'm authorizing my users against a local database of mine.

Inside the SimpleauthorizationServerProvider I'm:

  1. looking up the context's username and password in my local users db, returns an error or continues
  2. creating a var identity = new ClaimsIdentity(context.Options.AuthenticationType);
  3. adding claims - eg. identity.AddClaim(new Claim("sub", context.UserName));, also setting roles like eg. identity.AddClaim(new Claim(ClaimTypes.Role, role));
  4. finally, context.Validated(identity);

So I can use [Authorize] or even claims to protect my web api routes.

I've done a lot of googling on this, but I can't seem to find enough info on how to achieve this. As the author of the article linked to above says:

"The authentication/authorization in ASP,NET 5 is really different than this version, until now you can not issue access token, you can just consume them, You need to relay on identity provider for this task. So there is no direct way to upgrade this project to the latest ASP.NET 5 without using external identity provider."

I guess what I'm hoping for is help to figure out how to port that example over to ASP.NET 5, the right way.

2
asp.netasp.net-core-mvc

2 Answers

1
votes

Check out OpenIddict - I think gives you what you need.

This is practically all the configuration I needed:

ConfigureServices:

services.AddIdentity<ApplicationUser, ApplicationRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders()
            .AddOpenIddictCore<Application>(config => config.UseEntityFramework()); //added this line

Configure

app.UseOpenIddictCore(builder =>
{
    // tell openiddict you're wanting to use jwt tokens
    builder.Options.UseJwtTokens();
    // NOTE: for dev consumption only! for live, this is not encouraged!
    builder.Options.AllowInsecureHttp = true;
    builder.Options.ApplicationCanDisplayErrors = true;
});

// use jwt bearer authentication
app.UseJwtBearerAuthentication(options =>
{
    options.AutomaticAuthenticate = true;
    options.AutomaticChallenge = true;
    options.RequireHttpsMetadata = false;
    // these urls must match the value in the payload posted from the client side during login
    options.Audience = "http://localhost:58292/";
    options.Authority = "http://localhost:58292/";
});

There are one or two other minor things, such as your DbContext needs to derive from OpenIddictContext<ApplicationUser, Application, ApplicationRole, string>.

You can see a full length explanation (including links to the github repo) on this blog post: http://capesean.co.za/blog/asp-net-5-jwt-tokens/