How to use bearer tokens with MVC 6 API?

I am working through some MVC 6 and ASP.NET 5 samples, and I am having trouble finding any decent documentation on using bearer tokens to protect the API. I can make such samples work with VS 2013 and MVC 5, but I can't transfer them to VS 2015 and MVC 6. Does anyone know any good examples of implementing bearer tokens in MVC 6 to protect the API?

+5
3 answers

To authenticate a request using bearer tokens, you can pull in the package Microsoft.AspNet.Security.OAuthBearer. You can then add the OAuthBearerAuthenticationMiddleware middleware to the pipeline using the UseOAuthBearerAuthentication extension method.

Example:

    public void Configure(IApplicationBuilder app)
    {
        // ...
        app.UseOAuthBearerAuthentication(options =>
        {
            // Audience: the identifier this API expects in the token's "aud" claim.
            options.Audience = "Replace-With-Real-Audience-Info";
            // Authority: the issuer whose signing keys are used to validate the token.
            options.Authority = "Replace-With-Real-Authority-Info";
        });
    }

Also, see the WebApp-WebAPI-OpenIdConnect-AspNet5 sample.

+2
source

Asp.Net Core does not have middleware that generates the bearer token. You can create your own custom solution or implement some community-based approaches, for example

+2
source

I implemented a single-page application with token-based authentication using MVC 6, OpenId and the Aurelia front-end framework. In Startup.cs, the Configure method looks like this:

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        app.UseIISPlatformHandler();

        // Add a new middleware validating access tokens.
        app.UseJwtBearerAuthentication(options =>
        {
            // Automatic authentication must be enabled
            // for SignalR to receive the access token.
            options.AutomaticAuthenticate = true;

            // Automatically disable the HTTPS requirement for development scenarios.
            options.RequireHttpsMetadata = !env.IsDevelopment();

            // Note: the audience must correspond to the address of the SignalR server.
            options.Audience = clientUri;

            // Note: the authority must match the address of the identity server.
            options.Authority = serverUri;
        });

        // Add a new middleware issuing access tokens.
        app.UseOpenIdConnectServer(options =>
        {
            options.Provider = new AuthenticationProvider();
        });

        app.UseIISPlatformHandler(options => options.AuthenticationDescriptions.Clear());

        app.UseStaticFiles();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }

The authentication provider is defined as follows:

    public class AuthenticationProvider : OpenIdConnectServerProvider
    {
        public override Task ValidateClientAuthentication(ValidateClientAuthenticationContext context)
        {
            if (context.ClientId == "AureliaNetAuthApp")
            {
                // Note: the context is marked as skipped instead of validated because the client
                // is not trusted (JavaScript applications cannot keep their credentials secret).
                context.Skipped();
            }
            else
            {
                // If the client_id doesn't correspond to the
                // intended identifier, reject the request.
                context.Rejected();
            }

            return Task.FromResult(0);
        }

        public override Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context)
        {
            // Demo user hard-coded for the sample; a real application would look the
            // user up in its identity store and compare a password hash instead.
            var user = new { Id = "users-123", Email = "alex@123.com", Password = "AureliaNetAuth" };

            if (context.UserName != user.Email || context.Password != user.Password)
            {
                context.Rejected("Invalid username or password.");
                return Task.FromResult(0);
            }

            var identity = new ClaimsIdentity(OpenIdConnectDefaults.AuthenticationScheme);

            // The third argument lists the destinations (id_token and/or access token)
            // the claim is copied into.
            identity.AddClaim(ClaimTypes.NameIdentifier, user.Id, "id_token token");
            identity.AddClaim(ClaimTypes.Name, user.Email, "id_token token");

            context.Validated(new ClaimsPrincipal(identity));
            return Task.FromResult(0);
        }
    }

This defines the token endpoint, which can be reached at the URL /connect/token.

So, to request a token from the client side, here is the JavaScript code taken from AuthService in authSvc.js:

    login(username, password) {
        var baseUrl = yourBaseUrl;

        // Form-encode every value so a username or password containing
        // '&', '=' or '+' cannot break or alter the request body.
        var data = "client_id=" + encodeURIComponent(yourAppClientId)
            + "&grant_type=password"
            + "&username=" + encodeURIComponent(username)
            + "&password=" + encodeURIComponent(password)
            + "&resource=" + encodeURIComponent(baseUrl);

        return this.http.fetch(baseUrl + 'connect/token', {
            method: 'post',
            // The token endpoint expects a form-encoded body.
            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
            body: data
        });
    }

The full source can be seen here:

https://github.com/alexandre-spieser/AureliaAspNetCoreAuth

Hope this helps,

Best

Alex

0
source

Source: https://habr.com/ru/post/1213361/
