Token Authentication and .NET

  • ASP.NET Core Identity automatically supports cookie authentication.
  • It is also straightforward to support authentication by external providersusing the GoogleFacebook, or Twitter ASP.NET Core authentication packages.

  • The customer has a local server with business information which will need to be accessed and updated periodically by client devices.
  • Rather than store user names and hashed passwords locally, the customer prefers to use a common authentication micro-service which is hosted in Remote network (Azure) and used in many scenarios beyond just this specific one.
  • This particular scenario is interesting, though, because the connection between the customer’s location (where the server and clients reside) and the internet is not reliable.
  • Therefore, they would like a user to be able to authenticate at some point in the morning when the connection is up and have a token that will be valid throughout that user’s work shift.
  • The local server, therefore, needs to be able to validate the token without access to the Azure authentication service.
  • This local validation is easily accomplished with JWT tokens. A JWT token typically contains a body with information about
    1. the authenticated user (subject identifier, claims, etc.),
    2. the issuer of the token,
    3. the audience (recipient) the token is intended for, and
    4. an expiration time (after which the token is invalid).
    5. The token also contains a cryptographic signature as detailed in RFC 7518.
  • This signature is generated by a private key known only to the authentication server, but can be validated by anyone in possession of the corresponding public key.
  • One JWT validation work flow (used by AD and some identity providers) involves requesting the public key from the issuing server and using it to validate the token’s signature.
  • In our offline scenario, though, the local server can be prepared with the necessary public key ahead of time.
  • The challenge with this architecture is that the local server will need to be given an updated public key anytime the private key used by the cloud service changes, but this inconvenience means that no internet connection is needed at the time the JWT tokens are validated.

authentication server

  • IdentityServer4 is a flexible OpenID Connect framework for ASP.NET Core.
  • Another good option is OpenIddict. Like IdentityServer4, OpenIddict offers OpenID Connect server functionality for ASP.NET Core.
  • Both OpenIddict and IdentityServer4 work well with ASP.NET Identity 3.
  • Please note that both IdentityServer4 and OpenIddict are pre-release packages currently.

Adding Roles

  • ASP.NET Identity 3 includes the concept of roles.
  • To take advantage of this, we need to create some roles which users can be assigned to.
  • In a real application, this would likely be done by managing roles through a web interface.



One Reply to “Token Authentication and .NET”

  1. This excellent website certainly has all of the info I wanted concerning this subjectand didn’t know who to ask.