Skip to content
/ WebApiSecure Public

Secures Web API 2 using JWT (JsonWebToken) or your own implementation

6 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

AtomStar/WebApiSecure

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
.nuget
.nuget
 
 
WebApiSecure
WebApiSecure
 
 
packages
packages
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
WebApiSecure.sln
WebApiSecure.sln
 
 

Repository files navigation

WebApiSecure

Secure your Web API 2 using JWT (Json Web Token) or your own implementation. Basic Authorization is used for the token request and Bearer Authorization using a token for API requests. The project provides a token endpoint against which a user can authorize to get a token. Further requests to the api can then be made with the token. There is a built in authorization handler that validates this token for all requests made - it secures all api endpoints.

WebApiSecure is available via Nuget: install-package WebApiSecure

###Dependency Injection

WebApiSecure makes use of dependency injection using a Unity container which allows you to specify your own implementation for credential validation, token creation and validation. A default implementation using a JWT (Json Web Token) is provided in the form of 3 services:

  1. CredentialService
  2. TokenService
  3. ValidationService

#Getting started

  1. Open Package Manager Console and type: install-package WebApiSecure
  • After installation you will see UnityConfig.cs added below App_Start and a new Services folder with the 3 default implmentation services mentioned above:
  • alt tag
  1. Add reference to System.IdentityModel if needed.
  2. Modify CredentialService.cs
  • Add code to validate credential in the IsValidCredential method
  • Return an IClaim object in GetClaim based on the credentials. Basically, the claims associated with the credential
  • Change the parsing of the authorization header if needed. The default uses Base64 encoding.
  1. Modify TokenService.cs
  • Change the JWT token settings: issuer,audience and lifetime
  • Set your secret symmetric key to be used for signing the token in CreateSigningCredentials()
  1. Modify ValidationService.cs
  • Change the TokenValidationParameters and set your secret symmetric signing key
  1. Wire up the services in UnityConfig.cs
  • Set the allowed route to the token endpoint via parameter injection. This route will be ignored by the AuthHandler, so that users can make a request to the token endpoint.
  • alt tag
  1. Modify WebApiConfig.cs
  • Set the route to the token endpoint. WebApiSecure uses a TokenController that exposes to POST endpoints: PostSecure and Post. PostSecure should be used since it requires a secure SSL connection to submit the client credentials. For testing purposes the unsecure Post may be used.
  • Secure your api by enabling the AuthHandler by adding it as a MessageHandler
  • alt tag

#Test it Fire up Fiddler to test your secured API:

  1. Make a GET request. This should return HTTP status 400 - Bad Request, since no authorization header is present the request fails.
  • alt tag
  1. Make a POST request to the token endpoint to get a token. Set header: Authorization: Basic yourBase64Credentials. Copy the returned token.
  • alt tag
  1. Make a valid GET/POST request. Set header: Authorization: Bearer yourTokenString
  • alt tag

#Roll your own

###Interfaces to implement You can roll your own by implementing the following interfaces and then wiring your classes up in UnityConfig.cs:

  1. IClaim
  2. ITokenBuilder
  3. IValidateToken
  4. IValidateCredential

About

Secures Web API 2 using JWT (JsonWebToken) or your own implementation

Resources

Readme
Activity

Stars

6 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages