GithubHelp home page GithubHelp logo

sullivan008 / csharp-wcf_asp.net_mvc-authwithtoken Goto Github PK

View Code? Open in Web Editor NEW
0.0 2.0 0.0 48.38 MB

C# - WCF - ASP.NET Authentication Service with Token [Year of Development: 2018 and 2020]

C# 7.68% CSS 0.13% ASP 0.03% JavaScript 90.93% HTML 1.23%
wcf-service asp-net-mvc token interceptor token-authetication token-based-authentication basic-authentication entity-framework hash validator custom-authentication custom-authorizer ssl jquery jquery-ajax server-client-communication ajax-modal

csharp-wcf_asp.net_mvc-authwithtoken's Introduction

C# - WCF - ASP.NET Authentication with Token [Year of Development: 2018 and 2020]

About the application technologies and operation:

Technologies:

  • Programming Language: C#
  • FrontEnd Side: ASP.NET MVC with JQuery
  • BackEnd Side: .NET Framework 4.7.2.
  • Descriptive Language: HTML5
  • Style Description Language: CSS (Bootstrap 4.4.1)
  • Database: SQL Server (Database First)
  • Other used modul: Entity Framework 6.0.0.0

Installation/ Configuration:

  1. Restore necessary Packages on the selected project, run the following command in PM Console

    Update-Package -reinstall

  2. Connect to MSSQLLocalDb Instance with Windows Authentication

    (LocalDB)\MSSQLLocalDb

  3. CREATE necessary DATABASE with the following SCRIPT

    CREATE DATABASE AuthenticationExampleDB;

  4. CREATE necessary TABLES with the following SCRIPT (The scripts can be found in the following folder: DB TABLES)

    USE AuthenticationExampleDB;

CREATE TABLE [dbo].[User] (
    [Id]       INT            IDENTITY (1, 1) NOT NULL,
    [Name]     NVARCHAR (50)  NOT NULL,
    [Password] NVARCHAR (250) NOT NULL,
    [Salt]     NVARCHAR (250) NOT NULL,
    PRIMARY KEY CLUSTERED ([Id] ASC),
    CONSTRAINT [Unique_User] UNIQUE NONCLUSTERED ([Name] ASC)
);

CREATE TABLE [dbo].[Token] (
    [Id]         	INT            IDENTITY (1, 1) NOT NULL,
    [SecureToken]	NVARCHAR (250) NOT NULL,
    [UserId]     	INT            NOT NULL,
    [CreateDate] 	DATETIME       NOT NULL,
    PRIMARY KEY CLUSTERED ([Id] ASC),
    CONSTRAINT [Unique_Token] UNIQUE NONCLUSTERED ([SecureToken] ASC),
    CONSTRAINT [FK_Token_ToUser] FOREIGN KEY ([UserId]) REFERENCES [dbo].[User] ([Id])
);

  5. The following SCRIPT add a user as follows (User: user1, Password: pass1, Salt: salt1):

    USE AuthenticationExampleDB;

INSERT INTO [User] ([Name],[Password],[Salt]) VALUES ('user1','63dc4400772b90496c831e4dc2afa4321a4c371075a21feba23300fb56b7e19c','salt1')

  6. An example JSON file that you can test with for example Postman:

    {
    "User": "user1",
    "Password": "pass1"
}

About the application:

1. Authenticate once and store a token

This option seems the most secure. After authenticating, a token is returned to the user. The other web services can be accessed by using the token. Now the credentials are not stored. They are only passed over the network at authentication time.

I decided that for simple authentication, there needs to be an example on the web of a Basic Token Service.

In the basic token service, there is a the idea of a single service that provides authentication. That service returns a token if authenticated, an authentication failure otherwise. If authenticated, the front end is responsible for passing the token to any subsequent web services. This could be a header value, a cookie or a url parameter. I am going to use a header value in my project.

Authentication Token Service for WCF Services , we created a project that exposes an AuthenticationTokenService and a TestService. The user is to first authenticate using the AuthenticationTokenService. Authentication provides a token. Calls made to additional services should include the token as a header value.

2. IUserCredentialsValidator and Hash Class

Use IUserCredentialsValidator and the Hash class to check if those credentials match what is in the User table of the database.

3. ITokenBuilder and TokenBuilder() Method

We will create a new better random string generator using RNGCryptoServiceProvider. Se the BuildSecureToken() method below.

4. ITokenValidator and TokenIsValid() - TokenIsExpired() Method

Use a database query to check the validity of the token.

5. Implement Interceptors in the Server Application.

This is because the above code of attaching a cookie to the Operation Context seems to be a tedious job every time we need to do a service call. We can move these tasks to the background using WCF Interceptors.

MSDN: WCF Data Services enables an application to intercept request messages so that you can add custom logic to an operation. You can use this custom logic to validate data in incoming messages. You can also use it to further restrict the scope of a query request, such as to insert a custom authorization policy on a per request basis.

The following are the activities involved in this step.

  • Add Interceptor Behavior inside Server web.config.
  • Create the Interceptor Behavior class. (See in the project)
  • Create the TokenValidationBehaviorExtension class. (See in the project)

The following code to the web.config file of the service just under <system.serviceModel>

<system.serviceModel>
  <services>
    <service name="AuthWithTokenServer.TestService" behaviorConfiguration="AuthenticationTokenServiceBehavior">
    <endpoint address="" behaviorConfiguration="AjaxEnabledBehavior" binding="webHttpBinding" bindingConfiguration="webBindingSSL" contract="AuthWithTokenServer.TestService" />
    </service>
  </services>

  <behaviors>           
    <serviceBehaviors>
      <behavior name="AuthenticationTokenServiceBehavior">
        <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
        <TokenValidationBehaviorExtension />
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <extensions>
    <behaviorExtensions>
      <add name="TokenValidationBehaviorExtension" type="AuthWithTokenServer.Core.Extensions.IDispatchMessageInspector.TokenValidationBehaviorExtension, AuthWithTokenServer, Version=1.0.0.0, Culture=neutral" />
    </behaviorExtensions>
  </extensions>

  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>

6. Basic Authentication

Basic Authentication is an html request header. The header is named Authorization and the value is as follows:

Basic amFyZWQ6dGVzdHB3

The first part of the Authorization header value is just the word Basic followed by a space. The second part is the username and password concatenated together with a semicolon separator and then Base64 encoded.

testuser:testpassword
Basic dGVzdHVzZXI6dGVzdHBhc3N3b3Jk

7. IBasicAuthenticationDecoder and GetUserCredentials() Method

Use IBasicAuthenticationDecoder and GetUserCredentials to decode user basic credentials.

8. Setting Up Web Services for SSL

  • Add an Binding configuration with the security mode set to Transport.

  • Use webHttpBinding because we are using JSON and REST-like (not full REST) WCF services.

  • Configure the endpoints to use the newly created Binding configuration (use HTTPS not HTTP)

    <services>
  <service name="AuthWithTokenServer.AuthenticationTokenService" behaviorConfiguration="ServiceBehaviorHttp">
    <endpoint address="" behaviorConfiguration="AjaxEnabledBehavior" binding="webHttpBinding" bindingConfiguration="webBindingSSL" contract="AuthWithTokenServer.AuthenticationTokenService" />
  </service>
  <service name="AuthWithTokenServer.TestService" behaviorConfiguration="AuthenticationTokenServiceBehavior">
    <endpoint address="" behaviorConfiguration="AjaxEnabledBehavior" binding="webHttpBinding" bindingConfiguration="webBindingSSL" contract="AuthWithTokenServer.TestService" />
  </service>
</services>

<bindings>
  <webHttpBinding>
    <binding name="webBindingSSL">
      <security mode="Transport">
        <transport clientCredentialType="None"/>
      </security>
    </binding>
  </webHttpBinding>
</bindings>

csharp-wcf_asp.net_mvc-authwithtoken's People

Contributors

sullivan008 avatar

Watchers

avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.