Web API Tutorial C# - Part 3: Implementing basic Bearer authentication in Web API application
By Rahul Kumar Jha | Jan 4, 2020 | In Tutorials | Update: Jan 9, 2020 | Total Views [ 11896 ]

This is part 3 of the Web API tutorial series. In this tutorial you will learn how to implement basic bearer authentication in a Web API application. There are many kinds of security you can implement in your Web API; in this part we will learn about bearer authentication.


In this section, we will learn how to implement bearer authentication in Web API. This is only for demonstration purposes, so we are not using a database or any other store to fetch the user record; we only use a hard-coded username and password. Before we start, let's understand what Bearer Authentication is. You can think of it as token authentication: the bearer (the user) holds a token, and only those who present this token are authorized. This is a very basic kind of authentication, where the token can be generated from the username and password or it can be a hard-coded token. The token has to be passed with the request for authorization; once the request is authorized, communication is established between the client and the Web API and the user gets the response. The request goes to an authorization server, which generates an encrypted token, also known as a bearer token. This server is also used to validate the token and authorize the bearer.

Authentication using Authorize Attribute

The Authorize attribute is the built-in feature for implementing authentication. It works with Identity (we will cover this in a later part of the tutorial) and validates users on the basis of data stored in the AspNetIdentity database.

image 01

The system will return a 401 error if the request is not authorized.

image 02

Creating Custom Authentication Filter

You can also create a custom filter to implement authentication. In this tutorial we create CustomAuthenticationAttribute, which inherits from AuthorizationFilterAttribute in the System.Web.Http.Filters namespace. Create a class CustomAuthenticationAttribute that inherits from AuthorizationFilterAttribute and add the code below to it.

image 03

image 04

The code above checks for the bearer token in the Authorization header of the request, decodes the token and matches it against the existing username and password. Once the request is validated, communication is established between the Web API and the client and the response is provided; otherwise a 401 error is returned as the response.
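The tutorial's filter is shown only as screenshots, so here is an added example of the same idea (my code, not the tutorial's): an AuthorizationFilterAttribute for ASP.NET Web API 2 that expects `Authorization: Bearer <base64(username:password)>`, rejects anything else with a 401 and a WWW-Authenticate challenge, and compares the decoded token in fixed time. The credentials and class members are assumed values chosen for this example.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Filter expecting "Authorization: Bearer <base64(username:password)>".
public class CustomAuthenticationAttribute : AuthorizationFilterAttribute
{
    // Hard-coded demo credentials (assumed values, not from the tutorial).
    private const string ExpectedUser = "admin";
    private const string ExpectedPassword = "P@ssw0rd";
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        AuthenticationHeaderValue header = actionContext.Request.Headers.Authorization;
        bool ok = header != null
            && string.Equals(header.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
            && IsValidToken(header.Parameter);
        if (ok) return; // authorized: let the controller action run

        // 401 with a WWW-Authenticate challenge, as RFC 6750 expects.
        HttpResponseMessage response =
            actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
        actionContext.Response = response;
    }
    // Base64 is a reversible encoding, not encryption: anyone who reads the
    // token can recover the password, so it must only travel over HTTPS.
    internal static bool IsValidToken(string token)
    {
        if (string.IsNullOrWhiteSpace(token)) return false;
        byte[] presented;
        try { presented = Convert.FromBase64String(token); }
        catch (FormatException) { return false; } // malformed Base64 -> reject
        byte[] expected = Encoding.UTF8.GetBytes(ExpectedUser + ":" + ExpectedPassword);
        return FixedTimeEquals(presented, expected);
    }
    // Compares every byte regardless of where the first mismatch is, so the
    // response time does not reveal how much of the token was right.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

On the client side the matching header is built with `new AuthenticationHeaderValue("Bearer", Convert.ToBase64String(Encoding.UTF8.GetBytes("admin:P@ssw0rd")))` on `HttpClient.DefaultRequestHeaders.Authorization`.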

Now add this attribute to the EmployeeController class in the Web API application.

image 05

Now add the code below to EmployeeController in the MVC application, inside the GetEmployee() and GetEmployeeByID() methods. In the code below we have hard-coded the username and password for demonstration purposes (you can change them accordingly). We are creating the token by Base64-encoding them.

image 06

image 09

Build the application and check the output. It should not throw any error, as the user has been authorized: the bearer token is passed in the request header as the Authorization parameter and validated on the Web API side.

image 07

image 10

One thing to note is that you can no longer request this Web API directly from the browser, as it needs the token along with the request.

image 08

Hope this helps you.

<< Web API Tutorial C# - Part 2: Creating MVC with Web API Application
Web API Tutorial C# - Part 4: Testing Web API using Postman >>

About the Author

Rahul Kumar Jha
Founder, Developer

Has working experience in different phases of Software Development Life Cycle (SDLC) in CMS, Gaming, Health Care and Financial Services domain using Agile pattern. Working experience in Design patterns, ASP.NET, MVC, ANGULAR, ANGULAR JS, Windows application, WCF, ADO.NET, SQL Server and Test Driven Development (TDD) environment with JQuery, JavaScript, N-Unit, Entity Frameworks, LINQ, Code Refactoring and Business Objects Models.
