1. Resource request samples

   Sample requests to test whether authorization and authentication are working. Done in `SampleController`.

2. Authentication with credentials

   API - `POST /token/Issue`

   `ITokenIssuer` is the abstraction for issuing tokens. `IdentityTokenIssuer` implements `ITokenIssuer` and uses .NET Core Identity to verify the user credentials.

3. Authentication with refresh token

   See 2. Verification of the refresh token is done by database lookup.

4. Renew access token

   Renew and issue are done with the same workflow. See 2.

5. Access token generation

   `ITokenBuilder` is the abstraction for creating tokens and is implemented by `JwtTokenBuilder`. The output is a `Token` object that contains both the JWT access token and a crypto-random refresh token.

   Configs for generating tokens are in `ITokenConfig`. A sample configuration is provided by `SampleTokenConfig`. We can have an implementation which reads the config from a configuration file or maybe a database.

6. Refresh token generation

   See 5.

   The refresh tokens are stored in the `RefreshToken` table. An entity model class with the same name is there.

7. Encoding/Decoding

   Encoding/decoding of JWT is done using `System.IdentityModel.Tokens.Jwt`. I created a static `CryptoRandomGenerator` class which is used to generate the crypto-random refresh token.

   `SampleTokenConfig` uses a symmetric key. You can just replace it with an asymmetric key if you want. An asymmetric key should be used if your business service API is deployed separately from the Authentication API.

   Note: I just noticed that there is no abstraction for just creating the refresh token. You need to have a separate implementation of `ITokenBuilder` and have to reimplement JWT building too.
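As an added illustration (not the repository's own `JwtTokenBuilder`), this is how a builder of the shape described in 5 to 7 can be written with `System.IdentityModel.Tokens.Jwt` and `RandomNumberGenerator`. `TokenConfigExample`, `JwtTokenBuilderExample` and the tuple return type are assumptions; the issuer/audience URLs and the signing key are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Assumed config shape; the project's ITokenConfig may expose different members.
public class TokenConfigExample
{
    public string Issuer { get; set; } = "https://auth.example.test";   // constructed sample value
    public string Audience { get; set; } = "https://api.example.test";  // constructed sample value
    public string SigningKey { get; set; } = "<PLACEHOLDER: 32+ random bytes from secure config>";
    public int AccessTokenMinutes { get; set; } = 15;
    public int RefreshTokenBytes { get; set; } = 32;
}

public static class JwtTokenBuilderExample
{
    // Returns the pair the page calls Token: a signed JWT plus an opaque random refresh token.
    public static (string AccessToken, string RefreshToken) Build(
        TokenConfigExample cfg, string userId, IEnumerable<string> roles)
    {
        var now = DateTime.UtcNow;
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, userId),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()) // unique per token
        };
        foreach (var role in roles)
            claims.Add(new Claim(ClaimTypes.Role, role)); // what [Authorize(Roles = ...)] checks

        // Symmetric HMAC key: every API that validates this token must hold the same secret,
        // which is why a separately deployed business API should use an asymmetric key instead.
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(cfg.SigningKey));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var jwt = new JwtSecurityToken(
            issuer: cfg.Issuer, audience: cfg.Audience, claims: claims,
            notBefore: now, expires: now.AddMinutes(cfg.AccessTokenMinutes), signingCredentials: creds);

        // Refresh token: crypto-random bytes, not a JWT. It carries no claims, so it can only be
        // validated (and revoked) by looking it up in the RefreshToken table.
        var buf = new byte[cfg.RefreshTokenBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);

        return (new JwtSecurityTokenHandler().WriteToken(jwt), Convert.ToBase64String(buf));
    }
}
```

The refresh token value returned here is what would be persisted in the `RefreshToken` table; the access token is self-contained and is verified only by its signature and expiry.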
8. Revoke refresh token

   My initial proposal was to revoke the access token, which does not make much sense. Revoking the refresh token has been implemented.

   API - `GET /token/Revoke`

9. User management

   Done using Identity.

   API - `/user/*`

   Implemented features:

   - 9.1 Fetch: `GET`
   - 9.2 Create: `POST`
   - 9.3 Delete: `DELETE`
   - 9.4 Update: `PUT`
   - 9.5 Reset Password: `PUT /user/ResetPassword`
   - 9.6 Change Email: `PUT /user/ChangeEmail`
   - 9.7 Add Roles: `PUT /user/AddRoles`
   - 9.8 Delete Roles: `PUT /user/DeleteRoles`

   Authorization: Any user profile related changes are restricted to admin. If you check the `UserController`, you will see that it is decorated with `[Authorize(Roles = BuiltInRoles.Admin)]`. You can even add multiple roles here to allow multiple types of user to make these changes. For instance, you may want to have a separate role like `ProfileAdmin` to which you want to give access to change user profiles. To do that, simply change the attribute to `[Authorize(Roles = $"{BuiltInRoles.Admin},{BuiltInRoles.ProfileAdmin}")]`.

   There is no such thing as `BuiltInRoles.ProfileAdmin` right now, but of course you can just open the `BuiltInRoles` class and add a property there. Also, do not forget to add the role in `Startup.Seed()`.

10. Seed data

    See `Startup.Seed()`.
mohayemin/TokenAuth-WebApi2
A token auth implementation with .NET Core Web API 2.0