Last post Sep 23, 2016 03:39 PM by BrockAllen
Sep 22, 2016 03:55 PM|behrooz66|LINK
I would like to implement individual user accounts authentication using local database for my .Net Core web api app, having the following capabilities:
- Generating access tokens
- Generating refresh tokens
- providing roll-based authorization
- enabling social logins
- local database storage.
Any tutorial or help on this?
Sep 22, 2016 03:59 PM|maherjendoubi|LINK
I recommand this workshop https://github.com/blowdart/AspNetAuthorizationWorkshop
Sep 22, 2016 04:01 PM|Dmitry Sikorsky|LINK
Why you want to generate access and refresh tokens? Could you describe that. You can use existing Identity provider to work with users (authorization, storing, managing roles and claims, social logins etc.) or implement custom one. Please provide more information
about what you are going to develop.
Sep 22, 2016 04:07 PM|BrockAllen|LINK
This is what Microsoft is recommending for ASP.NET Core if you need your own token server:
Sep 22, 2016 04:34 PM|behrooz66|LINK
Thanks for the suggestion, but as far as I had a glance, this provides Cookies authentication which is not what I would ideally want. I would like to have token authentication as it is a much more suitable choice when you want to have web api on server side
and a totally disjoint client side application.
Is that something that is provided in the workshop you provided?
Sep 22, 2016 04:39 PM|behrooz66|LINK
Well, currently the .net Core Web API option in visual studio does not provide an authentication for individual users. (It does provide Cookies based authentication but that is not something I would want. I need token based authentication as I want to have
a totally disjoint client side application).
Access tokens are provided in exchange of a user's username & password (or social logins) and refresh tokens are used to extend the life time of the access tokens without asking the user to sign in again. When you want to develop a completely separate client
side application to connect to your Web APIs on the server side, token based authentication (sending bearer tokens in the HTTP header) is the proper solution.
that sort of answer your question?
Sep 22, 2016 04:40 PM|behrooz66|LINK
Yes that has been my first stop. However, the documentation on that project is unfortunately very poor and skips most of the details. I know the concepts but I am stuck in the implementation.
Sep 22, 2016 04:47 PM|Dmitry Sikorsky|LINK
API. Now it is clear. I had tasks like this and I used custom solutions and it was not too complicated. What kind of help do you need?
Sep 22, 2016 04:52 PM|maherjendoubi|LINK
There are some samples here https://github.com/blowdart/AspNetAuthorization-Samples/tree/master/src
where you can find authorization about API : https://github.com/blowdart/AspNetAuthorization-Samples/blob/master/src/AspNetAuthorization/Controllers/AccountController.cs
Sep 22, 2016 04:54 PM|maherjendoubi|LINK
And for token authentification here is an interesting blog post https://stormpath.com/blog/token-authentication-asp-net-core
Sep 22, 2016 04:58 PM|behrooz66|LINK
Well I would actually need suggestions on a custom solution that achieves all of the items I mentioned in my original post, with possibly some help or documentation on how to implement them.
Thanks in advance
Thanks Buddy :)
Sep 22, 2016 05:57 PM|behrooz66|LINK
I would need suggestions on a custom solution that achieves all of the items I mentioned in my original post, with possibly some help or documentation on how to implement them.
Sep 22, 2016 06:32 PM|Dmitry Sikorsky|LINK
I still don't understand what is the level of the help you need, so I will start from the top level tasks.
1. You need to have such models as User, Role, UserRole, Token. Also you will need RefreshToken, Credential etc. It is later.
2. So, when somebody needs to use your API he needs to make a call to some authorize method and put login and password there (socials - later).
3. If the login and password are valid your controller should generate Token (for example, Guid Id and UserId), save it to the db and return to user. If login and password are not valid return error description.
4. That's all. After user has the token he can make any other API call passing that token as one of the parameters. You API receives the token, gets the Token object from the database, gets the UserId from that token object and has the user that sent the
request. If token not found or user not found (deleted) send the error.
To use social everything is the same, except of the way of obtaining token. You need to navigate user to social login first (using browser). Social login will post code to some your URL and by that code you will get the social network token. After that,
using that token you make request to the social network and receive the user information, like UserId in the social network. That's all you need. You can fully trust that userid because you have received it from server side, so you just look for the local
user which has Credential of type Facebook and UserId = received user id from facebook for example. If you found, generate and return Token for that user.
Please tell me what I should describe more detailed.
Sep 23, 2016 03:19 PM|bruce (sqlwork.com)|LINK
one minor variation is to use a JWT token instead of the database. the login method would return a JWT token which has the userid in it. you could also include roles (if supporting real time changes to roles is not required).
this seems to be a reasonable article on using JWT
Sep 23, 2016 03:39 PM|BrockAllen|LINK
If you decide to build your own token service, be sure to read the thread model on such a thing: