dotnet add package ArtOfIntelligence.WebApiSecurity --version 2.0.1
NuGet\Install-Package ArtOfIntelligence.WebApiSecurity -Version 2.0.1
<PackageReference Include="ArtOfIntelligence.WebApiSecurity" Version="2.0.1" />
paket add ArtOfIntelligence.WebApiSecurity --version 2.0.1
#r "nuget: ArtOfIntelligence.WebApiSecurity, 2.0.1"
// Install ArtOfIntelligence.WebApiSecurity as a Cake Addin
#addin nuget:?package=ArtOfIntelligence.WebApiSecurity&version=2.0.1
// Install ArtOfIntelligence.WebApiSecurity as a Cake Tool
#tool nuget:?package=ArtOfIntelligence.WebApiSecurity&version=2.0.1
This document is maintained in GitHub under this link: https://github.com/ArtOfIntelligence/WebApiSecurity/blob/master/README.md
For ASP.NET Web API 2
Secure calls to ASP.NET Web API 2 controllers using expiring tokens passed in the HTTP Authorization request header.
Contact me here.
- How Does It Work?
- Getting Started
- Authenticating API clients using tokens, and
- Authorizing API method execution based on user roles.
The library uses a stateless mechanism, so no session state is needed on the server at all.
The library uses AES 256-bit encryption from our other library, ArtOfIntelligence.Cryptography, but you can trace and change this to any encryption engine with some effort.
Additionally, if your API client is .NET based, you may use the wrapped client classes to speed up the authentication and authorization process.
How Does It Work?
After integrating this library into your project, it behaves as follows:
- Server: on application start, configuration is passed to the library (explained below)
- Client: requests a valid Token:
  - Client requests a Challenge
  - Server provides an encrypted Challenge
  - Client decrypts the Challenge and generates a Solution
  - Client sends the Solution to the server and asks for a valid Token
  - Client requests a Token
- Client: makes a call to any target method in any controller on your server that carries the Authentication and Authorization attributes, and passes the HTTP Authorization request header (using Token data as credentials)
- Server: passes the request to the Authentication filter:
  - If the Token is valid, the filter allows the request
  - If the Token is invalid or expired, the server terminates the request and sends 401 Unauthorized
- Server: if the target method (or its controller) carries the Authorization attribute with role(s), it passes the request to the attribute to verify that the client is authorized under that role:
  - If authorized, the request is delivered to the target method for execution
  - If not authorized, the server terminates the request and sends 401 Unauthorized
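The handshake and the two filter decisions above, as an added example that is not the library's code: it models the Challenge/Solution/Token exchange with the .NET Framework's own System.Security.Cryptography classes instead of ArtOfIntelligence.Cryptography, so it compiles without the package. The class names (DemoServer, DemoClient, Challenge, ClientRecord), the token layout (client id, expiry ticks, HMAC-SHA256 tag), the 20-minute lifetime, the in-memory pending-challenge table and the Bearer header scheme are all assumptions, not the library's wire format.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not the ArtOfIntelligence.WebApiSecurity source: models the Challenge -> Solution -> Token
// flow with framework APIs only. Message shapes, token format, Bearer scheme and all names are assumptions.
public class Challenge { public byte[] Iv; public byte[] Cipher; }
public class ClientRecord { public byte[] Secret; public string[] Roles; }

public static class DemoServer
{
    static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();
    // Constructed sample client store, standing in for the Client Id / Client Secret records in your database.
    static readonly Dictionary<string, ClientRecord> Clients = new Dictionary<string, ClientRecord>
    {
        { "demo-client", new ClientRecord { Secret = Encoding.ASCII.GetBytes("0123456789abcdef0123456789abcdef"), // 32 chars = 256-bit key
                                            Roles = new[] { "Admin" } } }
    };
    // Outstanding challenges, consumed on first use. The library is stateless; this only keeps the demo self-contained.
    static readonly Dictionary<string, byte[]> Pending = new Dictionary<string, byte[]>();
    static readonly byte[] TokenKey = NewRandom(32);                 // server-only HMAC key for tokens
    static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(20);

    // Step 1: the server provides an encrypted Challenge (AES-256-CBC of a random nonce under the client secret).
    public static Challenge RequestChallenge(string clientId)
    {
        ClientRecord client;
        if (!Clients.TryGetValue(clientId, out client)) return null;
        byte[] nonce = NewRandom(32);
        Pending[clientId] = nonce;
        using (Aes aes = Aes.Create())
        {
            aes.Key = client.Secret; aes.GenerateIV();
            using (ICryptoTransform enc = aes.CreateEncryptor())
                return new Challenge { Iv = aes.IV, Cipher = enc.TransformFinalBlock(nonce, 0, nonce.Length) };
        }
    }

    // Step 3: a correct Solution proves possession of the secret, so an expiring signed token is issued.
    public static string RequestToken(string clientId, byte[] solution, DateTime now)
    {
        byte[] expected;
        if (!Pending.TryGetValue(clientId, out expected)) return null;
        Pending.Remove(clientId);                                    // a challenge can be answered only once
        if (!FixedTimeEquals(expected, solution)) return null;
        string payload = clientId + "|" + now.Add(TokenLifetime).Ticks;
        return payload + "|" + Convert.ToBase64String(Hmac(payload));
    }

    // Authentication filter: the client id for a valid token, or null where the filter would send 401
    // (malformed, bad signature or expired).
    public static string Authenticate(string token, DateTime now)
    {
        string[] parts = (token ?? "").Split('|');
        if (parts.Length != 3) return null;
        byte[] mac;
        try { mac = Convert.FromBase64String(parts[2]); } catch (FormatException) { return null; }
        if (!FixedTimeEquals(Hmac(parts[0] + "|" + parts[1]), mac)) return null;
        long expiresTicks;
        if (!long.TryParse(parts[1], out expiresTicks) || now.Ticks >= expiresTicks) return null;
        return parts[0];
    }

    // Authorization attribute: role check against the authenticated client's record.
    public static bool Authorize(string clientId, string role)
    {
        ClientRecord client;
        return Clients.TryGetValue(clientId, out client) && Array.IndexOf(client.Roles, role) >= 0;
    }

    static byte[] Hmac(string d) { using (var h = new HMACSHA256(TokenKey)) return h.ComputeHash(Encoding.UTF8.GetBytes(d)); }
    static byte[] NewRandom(int n) { byte[] b = new byte[n]; Rng.GetBytes(b); return b; }
    static bool FixedTimeEquals(byte[] a, byte[] b)                  // constant-time; .NET 4.x lacks CryptographicOperations
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class DemoClient
{
    // Step 2: the client decrypts the Challenge with its secret; the recovered nonce is the Solution.
    public static byte[] Solve(byte[] secret, Challenge ch)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = secret; aes.IV = ch.Iv;
            using (ICryptoTransform dec = aes.CreateDecryptor()) return dec.TransformFinalBlock(ch.Cipher, 0, ch.Cipher.Length);
        }
    }
}

public static class Program
{
    public static void Main()
    {
        byte[] secret = Encoding.ASCII.GetBytes("0123456789abcdef0123456789abcdef");   // the client's copy of its secret
        DateTime now = DateTime.UtcNow;
        Challenge ch = DemoServer.RequestChallenge("demo-client");
        string token = DemoServer.RequestToken("demo-client", DemoClient.Solve(secret, ch), now);
        Console.WriteLine("Authorization: Bearer " + token);                 // what the client sends on each API call
        Console.WriteLine("valid token  -> " + (DemoServer.Authenticate(token, now) ?? "401"));
        Console.WriteLine("Admin role   -> " + DemoServer.Authorize("demo-client", "Admin"));
        Console.WriteLine("after expiry -> " + (DemoServer.Authenticate(token, now.AddMinutes(21)) ?? "401"));
        Console.WriteLine("tampered     -> " + (DemoServer.Authenticate(token.Replace("demo", "evil"), now) ?? "401"));
    }
}
```

Two design points worth keeping when you wire the real library in: each Challenge is removed from the pending table the moment it is answered, so a Solution that was captured on the wire cannot be presented a second time against the same Challenge, and the signature and expiry checks in Authenticate run before any role check in Authorize, which matches the order above (Authentication filter first, Authorization attribute second). The demo's 401 for a failed role check follows the behaviour the flow above describes.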
Contribution Needed: A clean flowchart explaining the above.
I estimate around 2 hours to implement this library if prerequisites are met. And trust me, this is way faster than the 6 days it took me to learn, build and debug.
- ASP.NET Web API 2 project
- A list of client entities (records) in your database, for example with the following fields:
  - Client Id
  - Client Secret: string (32 characters - 256 bit)
- Good understanding of your .NET language (eg: VB.NET/C#)
- LINQ would also help
ArtOfIntelligence.WebApiSecurity library for .NET is available on NuGet:
| Step | Purpose |
|---|---|
| 1. Server Configuration | Provide security and authentication settings to the library |
| 2. Create Authentication Controller | Expose authentication methods via Web API |
| 3. Apply Authentication Filter Attribute(s) | Enforce authentication on your API controllers |
| 4. Apply Authorization Attribute(s) | Enforce authorization on your API controllers and/or methods |
Client Authentication & Calls
For the API client to get authenticated and be able to make calls, a number of steps need to be executed. They are explained in the table below, but before you get scared and run away, I have encapsulated the client functionality in this library, so if your client app is built with .NET you will need to add just 2 lines of code.
| Step | Purpose |
|---|---|
| 1. Request Challenge | Get a challenge from the server to begin authentication |
| 2. Decrypt Challenge | Provide the solution to the challenge and request a token (using AES encryption) |
| 3. Request Token | Receive the token to use with API calls |
| 4. Make API Calls | Use server functions 😃 |
Using Library in .NET Client Application
If your client is built with .NET, proceed as follows:

| Step | Purpose |
|---|---|
| 1. Client Configuration | Provide security, authentication, server URL and other settings to the library |
| 2. Add Authorization Header to Requests | Provide your credentials to the API server |
NuGet takes care of adding library dependencies. The following libraries are required:
- ArtOfIntelligence.Cryptography (for AES encryption)
- ArtOfIntelligence.Util (a few helpers)
- Newtonsoft.Json (for serialization)
- This is the first time I publish open source since 1999 on planet-source-code.com, I just learned the basics of contributing to NuGet and GitHub, help me make this better
- This library is fully functioning for my needs, yet there are a lot of areas in which you can help in, if you are interested please contact me
I created an issue here: "General Discussions". (I hope that's the right way to do it in GitHub).
Next (Future features)
- Compose a more detailed documentation with examples for this library (if I see any demand as you can imagine how time consuming this is)
Contribution is welcome, really....
Jack Alexander (Taher) Business Solution Architect @ Art of Intelligence - Dubai
This project is licensed under the MIT License - see the LICENSE.md file for details
- We are standing on the shoulders of giants.
- Microsoft's example Authentication Filters in ASP.NET Web API 2 (docs.microsoft.com)
- Understand the basics of HTTP authentication: The general HTTP authentication framework (developer.mozilla.org)
| Product | Compatible target frameworks |
|---|---|
| .NET Framework | net45, net451, net452, net46, net461, net462, net463, net47, net471, net472, net48 |
- ArtOfIntelligence.Cryptography (>= 1.0.2)
- ArtOfIntelligence.Util (>= 1.0.2)
- Microsoft.AspNet.WebApi (>= 5.2.6)
- Microsoft.AspNet.WebApi.Client (>= 5.2.6)
- Microsoft.AspNet.WebApi.Core (>= 5.2.6)
- Microsoft.AspNet.WebApi.WebHost (>= 5.2.6)
- Newtonsoft.Json (>= 6.0.4)
- System.Web.Http.Common (>= 4.0.20126.16343)