By Syed Rizwan

6-securing-api-endpoints-with-oauth-20-and-jwt-in-net-core.html

Securing API Endpoints with OAuth 2.0 and JWT in .NET Core

In today's digital landscape, securing your API endpoints is paramount. With the rise of mobile applications and microservices, the need for robust authentication and authorization mechanisms has never been greater. One of the most effective methods for achieving this is by using OAuth 2.0 combined with JSON Web Tokens (JWT). In this article, we will explore how to implement these technologies in a .NET Core application, providing you with actionable insights, clear code examples, and step-by-step instructions.

Understanding OAuth 2.0 and JWT

What is OAuth 2.0?

OAuth 2.0 is an open standard for access delegation, commonly used as a way to grant websites or applications limited access to user accounts on an HTTP service. It allows third-party applications to obtain limited access to an HTTP service, either on behalf of a resource owner or by allowing the third-party application to obtain access on its own behalf.

What is JWT?

JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature structure or as the plaintext of a JSON Web Encryption structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and optionally encrypted.

Use Cases for OAuth 2.0 and JWT

  • Secure API Access: Protect your APIs by ensuring that only authenticated users can access sensitive data.
  • Single Sign-On (SSO): Allow users to log in once and gain access to multiple services without needing to log in again.
  • Third-Party Integration: Permit third-party applications to access your API securely without sharing user credentials.

Implementing OAuth 2.0 and JWT in .NET Core

Step 1: Setting Up Your Project

Start by creating a new .NET Core Web API project:

dotnet new webapi -n SecureApiExample
cd SecureApiExample

Next, add the necessary NuGet packages for authentication:

dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer

Step 2: Configuring JWT Bearer Authentication

Open Startup.cs and configure the services in the ConfigureServices method:

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = Configuration["Jwt:Issuer"],
            ValidAudience = Configuration["Jwt:Audience"],
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:Key"]))
        };
    });

    services.AddControllers();
}

Step 3: Generating a JWT Token

Create a service class to handle user authentication and token generation. Create a new file named AuthService.cs:

public class AuthService
{
    private readonly IConfiguration _configuration;

    public AuthService(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    public string GenerateToken(string username)
    {
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, username),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString())
        };

        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["Jwt:Key"]));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: _configuration["Jwt:Issuer"],
            audience: _configuration["Jwt:Audience"],
            claims: claims,
            expires: DateTime.Now.AddMinutes(30),
            signingCredentials: creds);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

Step 4: Controller for Authentication

Next, create a controller to handle authentication requests. Create a new file named AuthController.cs:

[ApiController]
[Route("api/[controller]")]
public class AuthController : ControllerBase
{
    private readonly AuthService _authService;

    public AuthController(AuthService authService)
    {
        _authService = authService;
    }

    [HttpPost("login")]
    public IActionResult Login([FromBody] LoginRequest request)
    {
        // Here you would validate the user credentials (e.g., against a database)
        if (request.Username == "test" && request.Password == "password") // Example validation
        {
            var token = _authService.GenerateToken(request.Username);
            return Ok(new { token });
        }

        return Unauthorized();
    }
}

Step 5: Securing API Endpoints

To secure your API endpoints, simply add the [Authorize] attribute to your controller or action methods. For example:

[Authorize]
[ApiController]
[Route("api/[controller]")]
public class SecureDataController : ControllerBase
{
    [HttpGet]
    public IActionResult GetSecureData()
    {
        return Ok("This is secured data.");
    }
}

Step 6: Testing the API

To test your API, you can use tools like Postman or curl. First, send a POST request to the /api/auth/login endpoint with a JSON body containing the username and password:

{
    "username": "test",
    "password": "password"
}

If successful, you will receive a JWT token, which you can then use to access secured endpoints by including it in the Authorization header:

Authorization: Bearer {YourTokenHere}

Troubleshooting Common Issues

  • Invalid Token: Ensure that the token is well-formed and has not expired.
  • Unauthorized Access: Check that the [Authorize] attribute is correctly placed and that the token is included in the request header.
  • Configuration Errors: Verify your appsettings.json for the correct JWT settings, including the issuer, audience, and key.

Conclusion

Securing your API endpoints using OAuth 2.0 and JWT in .NET Core is a powerful way to protect sensitive data and enhance user experience. By following the steps outlined in this article, you can implement a robust authentication mechanism that not only secures your APIs but also provides flexibility for future integrations. Whether you're building a new application or enhancing an existing one, implementing these security measures will ensure that your application is both secure and scalable.

With these actionable insights and clear examples, you are now equipped to secure your API endpoints effectively!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.