{"id":570,"date":"2016-09-23T13:08:32","date_gmt":"2016-09-23T11:08:32","guid":{"rendered":"https:\/\/zaven.co\/blog\/?p=570"},"modified":"2025-04-08T19:55:19","modified_gmt":"2025-04-08T17:55:19","slug":"user-authentication-asp-net-web-api-2-rsa-jwt-tokens-part-4","status":"publish","type":"post","link":"https:\/\/zaven.co\/blog\/user-authentication-asp-net-web-api-2-rsa-jwt-tokens-part-4\/","title":{"rendered":"User Authentication in ASP.NET WEB API 2 with RSA-signed JWT Tokens (part 4)"},"content":{"rendered":"

After creating, signing and verifying the JWT Token<\/a>, we can move on to programming the login controller and testing our application<\/strong>.<\/p>\n

Login controller: MembershipController<\/h2>\n

In this part we\u2019ll create the MembershipController <\/code>with one GET<\/code> method<\/strong>, which will return a JWT token as a compact string after receiving user\u2019s login data.<\/p>\n

Our endpoint URL is:<\/p>\n

\n\/api\/Membership\/Authenticate?username=admin93&password=password<\/code><\/pre>\n
\nusing System;\nusing System.Web.Http;\nusing System.Threading.Tasks;\nusing Zaven.Practices.Auth.JWT.Services.Interfaces;\n...\npublic class MembershipController : ApiController\n    {\n        private readonly IAuthService _authService;\n        \n        public MembershipController(IAuthService authService)\n        {\n            _authService = authService;\n        }\n\n        \/\/ GET: Membership\n        [HttpGet]\n        public async Task Authenticate(String username, String password)\n        {\n            string Token = await _authService.GenerateJwtTokenAsync(username, password);\n            return Token;\n        }\n    }\n<\/code><\/pre>\n
After receiving the token our web app should store it in browser data and place it in the header of every request.<\/p>\n
Authorization: Bearer<\/code><\/p>\n
Exemplary controller: ValuesController<\/h2>\n
To check if the authentication process works, let\u2019s create a simple ApiController ValuesController<\/code>, which methods were applied with filter as a TokenAuthenticate<\/code> attribute.<\/p>\n
\nusing JWTAuth.Filters;\nusing System.Collections.Generic;\nusing System.Web.Http;\n...\n[TokenAuthenticate]\n    public class ValuesController : ApiController\n    {\n\t...\n        \/\/ GET api\/values\/5 \n        public string Get(int id)\n        {\n            return \"You have access to this data:\\n- Very important data number 5\";\n        }\n\t... \n    }\n<\/code><\/pre>\n
TokenAuthentication filter<\/h2>\n
Finally we have to implement the TokenAuthenticate<\/code> filter.<\/p>\n
\nusing System;\nusing System.Net.Http;\nusing System.Net.Http.Headers;\nusing System.Threading;\nusing System.Threading.Tasks;\nusing System.Web.Http.Filters;\nusing Zaven.Practices.Auth.JWT.Services.Interfaces;\n...\npublic class TokenAuthenticate : Attribute, IAuthenticationFilter\n    {\n       \n        public bool AllowMultiple\n        {\n            get\n            {\n                return false;\n            }\n        }\n\n        public async Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)\n        {\n            try\n            {\n                IAuthService _authService = context.ActionContext.ControllerContext.Configuration\n                                  .DependencyResolver.GetService(typeof(IAuthService)) as IAuthService;\n\n                HttpRequestMessage request = context.Request;\n                AuthenticationHeaderValue authorization = request.Headers.Authorization;\n                \n                if (authorization == null)\n                {\n                    context.ErrorResult = new AuthenticationFailureResult(\"Missing autorization header\", request);\n                    return;\n                }\n                if (authorization.Scheme != \"Bearer\")\n                {\n                    context.ErrorResult = new AuthenticationFailureResult(\"Invalid autorization scheme\", request);\n                    return;\n                }                   \n                if (String.IsNullOrEmpty(authorization.Parameter))\n                {\n                    context.ErrorResult = new AuthenticationFailureResult(\"Missing Token\", request);\n                    return;\n                }\n\n                Boolean correctToken = await _authService.ValidateTokenAsync(authorization.Parameter);\n                if(!correctToken)\n                    context.ErrorResult = new AuthenticationFailureResult(\"Invalid Token\", request);                \n            }\n            catch (Exception ex)\n            {\n                context.ErrorResult = new AuthenticationFailureResult(\"Exception: \\n\" + ex.Message, context.Request);\n            }            \n        }\n...\n    }\n<\/code><\/pre>\n
The most interesting is the AuthenticateAsync<\/code> which, in this case, is responsible for reading the token from the HTTP request header and validating it (calling the ValidateTokenAsync()<\/code> from AuthService<\/code>). Depending on the result, the are three outcomes: a positive authentication, moving on to controllers method or sending the response with a 401 code.<\/p>\n
401 response: AuthenticationFailureResult<\/h2>\n
In case the HTTP request header lacks the \u201cAuthorization: Bearer\u201d<\/code> part (or basically any other kind of error), context.ErrorResult<\/code> will filter it out and set the IHttpActionResult<\/code>. This part is responsible for providing error response codes (e.g. 401 if unauthorized) as a type of AuthenticationFailureResult<\/code>. Below, you can see the code in action.<\/p>\n
\nusing System.Net;\nusing System.Net.Http;\nusing System.Threading;\nusing System.Threading.Tasks;\nusing System.Web.Http;\n...\npublic class AuthenticationFailureResult : IHttpActionResult\n    {\n        public string ReasonPhrase { get; private set; }\n        public HttpRequestMessage Request { get; private set; }\n\n        public AuthenticationFailureResult(string reasonPhrase, HttpRequestMessage request)\n        {\n            ReasonPhrase = reasonPhrase;\n            Request = request;\n        }\n\n        public Task ExecuteAsync(CancellationToken cancellationToken)\n        {\n            return Task.FromResult(Execute());\n        }\n\n        private HttpResponseMessage Execute()\n        {\n            HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.Unauthorized);\n            response.RequestMessage = Request;\n            response.ReasonPhrase = ReasonPhrase;\n            return response;\n        }\n    }\n<\/code><\/pre>\n
Application test<\/h3>\n
When running our app in the console, you should see the initial request being sent. In response you should get a JWT token, which is then added to the HTTP headers of any further requests. If the token is accepted, we get access to our protected data.<\/p>\n
\"login<\/p>\n
Summary<\/h3>\n
JWT token is a quick and easy way to authenticate access to server resources.<\/strong> The transmitted data can be signed and thanks to that they\u2019re safe and resistant to man-in-the-middle attacks. RSA signng is fast, it doesn\u2019t slow down your application and the token itself doesn\u2019t have to be stored in the database.<\/p>\n
Check out other tutorials<\/a> on our blog.<\/p>\n
Sources: <\/span><\/p>\n