How to Secure a.Net Core App Using Identity Core?

The first thing that comes to mind when building an API is how to secure it. When you think of security, two words immediately spring to mind: authentication and authorization. Authentication is the process of determining whether or not a user is a valid member of the system. Authorization signifies that the member has the authority to carry out the following action.

JWT

JWT and API security go hand in hand. JWT means Json web token. It is used as an authentication or authorization token for your API.

It is like a Gate pass, which allows API to open a gate for the user or block him outside.

We can use the JWT token with our custom authentication and authorization mechanism, or we can use an identity that provides a built-in function to use for general use case.

We will try to secure our application through .Net Identity.

ASP .Net Identity

First, create the new Web API Project.

Add the following NuGet Package.

Microsoft.AspNetCore.Identity.EntityFrameworkCore
Microsoft.Extensions.Identity.Core
Microsoft.Extensions.Identity.Stores

We will be extending the Identity User with some custom property.

Now we need to create the Identities in our Database and create an Identity Context

We will be renaming the Identity table also.

Now Add the connection string in the appSetting.

Now we need to define the identity of the program.cs.

Now run the migration by following the command.

“add-migration Initial”

Now update the database

“update-database”

We now need to implement registration and login flow.

Let’s create a Registration flow first. Create a Register API.

I am using CQRS architecture, but you can design your API as you want.

Now create a static class with User Roles. We will use this in the registration flow and also when creating a claim during login.

Now we will create the user through Identity User Manager if it does not exist already and will assign the role to it.

Now that our registration flow is complete, we need to create a login API for the login flow.

Now we will use Identity User Manager and Role Manager to authenticate the user if he is a valid user of the system and will create it claim according to his role.

Now after the successful login of the user, we are returning the Bearer token, which will be used to authenticate and authorize the user if he has access to the following api.

Now create a test API to check if the authentication and Authorization are working.

<span class="token punctuation">[</span><span class="token attribute"><span class="token class-name">Authorize</span><span class="token attribute-arguments"><span class="token punctuation">(</span>Roles <span class="token operator">=</span> UserRoles<span class="token punctuation">.</span>Admin<span class="token punctuation">)</span></span></span><span class="token punctuation">]</span>
<span class="token punctuation">[</span><span class="token attribute"><span class="token class-name">HttpGet</span><span class="token attribute-arguments"><span class="token punctuation">(</span><span class="token string">"GetUserList"</span><span class="token punctuation">)</span></span></span><span class="token punctuation">]</span>

<span class="token punctuation">[</span><span class="token attribute"><span class="token class-name">ProducesResponseType</span><span class="token attribute-arguments"><span class="token punctuation">(</span>StatusCodes<span class="token punctuation">.</span>Status200OK<span class="token punctuation">)</span></span></span><span class="token punctuation">]</span>

<span class="token keyword keyword-public">public</span> <span class="token keyword keyword-async">async</span> <span class="token return-type class-name">Task<span class="token punctuation">&lt;</span>ActionResult<span class="token punctuation">&gt;</span></span> <span class="token function">Get</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
<span class="token punctuation">{</span>
    <span class="token class-name"><span class="token keyword keyword-var">var</span></span> result <span class="token operator">=</span> <span class="token keyword keyword-await">await</span> _mediator<span class="token punctuation">.</span><span class="token function">Send</span><span class="token punctuation">(</span><span class="token keyword keyword-new">new</span> <span class="token constructor-invocation class-name">GetUsersRequest</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token keyword keyword-return">return</span> <span class="token function">Ok</span><span class="token punctuation">(</span>result<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

[Authorize(Roles = UserRoles.Admin)]

[HttpGet("GetUserList")]

[ProducesResponseType(StatusCodes.Status200OK)]

public async Task<ActionResult> Get()

{

var result = await _mediator.Send(new GetUsersRequest());

return Ok(result);

}

The authorization tag will secure the application.

Now we need to add authentication and authorization configuration in our program.cs file, and we are good to go.