Asp.Net Web Api Using Basic Auth Token Auth Jwt Complete Guide

 Last Update:2025-06-23T00:00:00     .NET School AI Teacher - SELECT ANY TEXT TO EXPLANATION.    9 mins read      Difficulty-Level: beginner

Understanding the Core Concepts of ASP.NET Web API Using Basic Auth, Token Auth, JWT

ASP.NET Web API Using Basic Auth, Token Auth, JWT Overview

Basic Authentication

Basic Authentication is the simplest method for web service security. It involves sending a username and password with each request, encoded in Base64. This approach is widely used due to its simplicity and ease of implementation.

Key Points:

  • Encoding: Credentials are encoded as a Base64 string in the Authorization header.
  • Insecure: Transmitting credentials in plaintext over unsecured connections (HTTP) can lead to security risks.
  • Use Cases: Primarily suitable for APIs that require minimal security, such as internal applications or sandbox environments.

Implementation in ASP.NET Web API:

public class BasicAuthenticationAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext.Request.Headers.Authorization == null)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        }
        else
        {
            var authHeader = actionContext.Request.Headers.Authorization;
            if (authHeader.Scheme.Equals("Basic", StringComparison.OrdinalIgnoreCase))
            {
                string credentials = Encoding.UTF8.GetString(Convert.FromBase64String(authHeader.Parameter));
                string username = credentials.Split(':')[0];
                string password = credentials.Split(':')[1];

                if (Validate(username, password))
                {
                    actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.OK);
                }
                else
                {
                    actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
                }
            }
            else
            {
                actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.BadRequest);
            }
        }
    }

    private bool Validate(string username, string password)
    {
        // Implement credential validation logic here
        return username == "admin" && password == "password";
    }
}

Token Authentication

Token-based authentication involves the server issuing a token to the client after successful authentication. The client then includes this token in subsequent requests to access protected resources. This method is more secure than Basic Authentication as it does not require credentials to be included with each request.

Key Points:

  • Tokens: Can be opaque, JWT, OAuth tokens, etc.
  • Decoupled: Clients only need to manage tokens; they don't need to know the underlying authentication mechanism.
  • Revocation: Easier to revoke or invalidate tokens in case of security breaches.

Implementation in ASP.NET Web API:

public class TokenAuthenticationAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext.Request.Headers.Authorization != null)
        {
            string token = actionContext.Request.Headers.Authorization.Parameter;

            ITokenHandler tokenHandler = new SimpleTokenHandler();
            if (!tokenHandler.ValidateToken(token))
            {
                actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, "Invalid token");
            }
        }
        else
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, "No token provided");
        }
    }
}

public class SimpleTokenHandler : ITokenHandler
{
    public bool ValidateToken(string token)
    {
        // Implement token validation logic (e.g., check expiration, signature, etc.)
        return token == "valid_token";
    }
}

JSON Web Tokens (JWT)

JWT is a compact, URL-safe means of representing claims to be transferred between two parties. It's widely used in Token Authentication due to its self-contained nature, which includes both headers and payload, digitally signed for integrity.

Key Points:

  • Structure: Comprises three parts: Header (algorithm, token type), Payload (claims, data), and Signature.
  • Claims: Information about the entity (typically, user) and additional data.
  • Security: Can be encrypted and optionally include an expiration time.

Implementation in ASP.NET Web API:

  1. Install Required Packages

    Install-Package System.IdentityModel.Tokens.Jwt

  2. Generate JWT:

    public string GenerateJwt(string username, string secretKey, double expireMinutes)
{
    var symmetricKey = Convert.FromBase64String(secretKey);
    var signingCredentials = new SigningCredentials(new SymmetricSecurityKey(symmetricKey), SecurityAlgorithms.HmacSha256Signature);

    var claims = new[]
    {
        new Claim(ClaimTypes.Name, username),
        new Claim(ClaimTypes.Email, "example@example.com")
    };

    var header = new JwtHeader(signingCredentials);
    var payload = new JwtPayload(null, null, claims, DateTime.Now, DateTime.Now.AddMinutes(expireMinutes));
    var secToken = new JwtSecurityToken(header, payload);
    var handler = new JwtSecurityTokenHandler();

    return handler.WriteToken(secToken);
}

  3. Validate JWT:

    public ClaimsPrincipal GetPrincipal(string token, string secretKey)
{
    try
    {
        var tokenHandler = new JwtSecurityTokenHandler();
        var jwtToken = tokenHandler.ReadJwtToken(token);

        if (jwtToken == null)
            return null;

        var validationParameters = new TokenValidationParameters()
        {
            ValidateIssuer = false,
            ValidateAudience = false,
            IssuerSigningKey = Convert.FromBase64String(secretKey)
        };

        SecurityToken securityToken;
        var principal = tokenHandler.ValidateToken(token, validationParameters, out securityToken);

        return principal;
    }
    catch (Exception)
    {
        return null;
    }
}

  4. Authentication Filter:

    public class JwtAuthenticationAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext.Request.Headers.Authorization != null)
        {
            string authToken = actionContext.Request.Headers.Authorization.Parameter;

            IJwtTokenHandler handler = new SimpleJwtTokenHandler();
            var principal = handler.GetPrincipal(authToken, "your_secret_key");

            if (principal != null)
            {
                actionContext.RequestContext.Principal = principal;
            }
            else
            {
                actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, "Invalid JWT token");
            }
        }
        else
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, "No JWT token provided");
        }
    }
}

Importance of Security in Web Services

  • Confidentiality: Protects data from unauthorized access.
  • Integrity: Ensures data consistency and reliability.
  • Availability: Guarantees that the service is accessible when needed.
  • Non-repudiation: Prevents denial of actions performed.

By choosing the right authentication method, developers can safeguard their web services against common security threats such as man-in-the-middle attacks, replay attacks, and brute force login attempts. ASP.NET Web API provides a flexible and powerful platform for implementing various security strategies, ensuring robust protection of sensitive information.

In summary, Basic Authentication, Token Authentication, and JWT each serve unique purposes and have distinct characteristics. The choice of authentication method heavily depends on the specific requirements and constraints of the application. Implementing a secure authentication mechanism is crucial for protecting web services and ensuring the trustworthiness of the system.

Conclusion

Online Code run

🔔 Note: Select your programming language to check or run code at

💻 Run Code Compiler

Step-by-Step Guide: How to Implement ASP.NET Web API Using Basic Auth, Token Auth, JWT

Step 1: Set Up ASP.NET Core Web API Project

  1. Open Visual Studio and create a new project.
  2. Select "ASP.NET Core Web Application" and click "Next".
  3. Provide a suitable project name and click "Next".
  4. Choose ".NET Core" as the target framework and select "ASP.NET Core 5.0" or later. Choose "API" as the project template and leave authentication as "No Authentication".
  5. Click "Create".

Step 2: Add Basic Auth Middleware

  1. Create a Basic Authentication Scheme:

    • Create a new folder named Authentication in your project.
    • Add a new class named BasicAuthenticationHandler:
    using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

namespace WebApiWithAuth.Authentication
{
    public class BasicAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
    {
        public BasicAuthenticationHandler(
            IOptionsMonitor<AuthenticationSchemeOptions> options,
            ILoggerFactory logger,
            UrlEncoder encoder,
            ISystemClock clock)
            : base(options, logger, encoder, clock)
        {
        }

        protected override Task<AuthenticateResult> HandleAuthenticateAsync()
        {
            if (!Request.Headers.ContainsKey("Authorization"))
            {
                return Task.FromResult(AuthenticateResult.NoResult());
            }

            string authorizationHeader = Request.Headers["Authorization"];
            var authorizationHeaderValues = AuthenticationHeaderValue.Parse(authorizationHeader);

            if (!authorizationHeaderValues.Scheme.Equals("Basic", StringComparison.OrdinalIgnoreCase) ||
                string.IsNullOrWhiteSpace(authorizationHeaderValues.Parameter))
            {
                return Task.FromResult(AuthenticateResult.NoResult());
            }

            string parameter = authorizationHeaderValues.Parameter;
            byte[] bytesFromBase64String = Convert.FromBase64String(parameter);
            string decodedString = Encoding.UTF8.GetString(bytesFromBase64String);

            string username = decodedString.Split(':')[0];
            string password = decodedString.Split(':')[1];

            if (!ValidateCredentials(username, password))
            {
                return Task.FromResult(AuthenticateResult.Fail("Invalid credentials"));
            }

            ClaimsIdentity identity = new ClaimsIdentity(
                new[]
                {
                    new Claim(ClaimTypes.Name, username)
                },
                Scheme.Name
            );

            ClaimsPrincipal principal = new ClaimsPrincipal(identity);
            AuthenticationTicket ticket = new AuthenticationTicket(principal, Scheme.Name);

            return Task.FromResult(AuthenticateResult.Success(ticket));
        }

        private bool ValidateCredentials(string username, string password)
        {
            // Just for demonstration.
            return username == "admin" && password == "password";
        }
    }
}

  2. Register the Basic Auth Middleware:

    • Open Startup.cs or Program.cs if you are using .NET 6 or later.
    • Add the following code in the ConfigureServices method:
    using Microsoft.AspNetCore.Authentication;

public void ConfigureServices(IServiceCollection services)
{
    // Basic auth
    services.AddAuthentication("BasicAuthentication")
        .AddScheme<AuthenticationSchemeOptions, BasicAuthenticationHandler>("BasicAuthentication", null);

    services.AddControllers();
}
    • Add the following code in the Configure method:
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseRouting();

    // Add basic auth to the pipeline
    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}

Step 3: Create a Token Auth Scheme (JWT)

  1. Install the JWT NuGet Package:

    • Open NuGet Package Manager and install Microsoft.AspNetCore.Authentication.JwtBearer.

  2. Configure token authentication:

    • Add a class for JWT settings:
    public class JwtTokenSettings
{
    public string SecretKey { get; set; }
    public string Issuer { get; set; }
    public string Audience { get; set; }
}
    • Add the JWT settings in appsettings.json:
    "JwtTokenSettings": {
    "SecretKey": "a_secret_key_that_should_be_kept_secret",
    "Issuer": "yourdomain.com",
    "Audience": "yourdomain.com"
}

  3. Configure JWT in Startup.cs or Program.cs:

    using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// Inside ConfigureServices method
services.Configure<JwtTokenSettings>(Configuration.GetSection("JwtTokenSettings"));

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    JwtTokenSettings jwtTokenSettings = Configuration.GetSection("JwtTokenSettings").Get<JwtTokenSettings>();
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = jwtTokenSettings.Issuer,
        ValidAudience = jwtTokenSettings.Audience,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtTokenSettings.SecretKey))
    };
});

services.AddControllers();

  4. Create a token generation service:

    using Microsoft.IdentityModel.Tokens;
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;

public class TokenService
{
    private readonly JwtTokenSettings _jwtTokenSettings;

    public TokenService(IOptions<JwtTokenSettings> jwtTokenSettings)
    {
        _jwtTokenSettings = jwtTokenSettings.Value;
    }

    public string GenerateToken(string username)
    {
        var tokenHandler = new JwtSecurityTokenHandler();
        var key = Encoding.ASCII.GetBytes(_jwtTokenSettings.SecretKey);
        var tokenDescriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new Claim[]
            {
                new Claim(ClaimTypes.Name, username)
            }),
            Expires = DateTime.UtcNow.AddDays(7),
            Issuer = _jwtTokenSettings.Issuer,
            Audience = _jwtTokenSettings.Audience,
            SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
        };
        var token = tokenHandler.CreateToken(tokenDescriptor);
        return tokenHandler.WriteToken(token);
    }
}

  5. Register the token service in Startup.cs or Program.cs:

    services.AddSingleton<TokenService>();

  6. Create a controller for authentication:

    using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

[ApiController]
[Route("[controller]")]
public class AuthController : ControllerBase
{
    private readonly TokenService _tokenService;
    private readonly JwtTokenSettings _jwtTokenSettings;

    public AuthController(TokenService tokenService, IOptions<JwtTokenSettings> jwtTokenSettings)
    {
        _tokenService = tokenService;
        _jwtTokenSettings = jwtTokenSettings.Value;
    }

    [HttpPost("login")]
    public IActionResult Login([FromBody] LoginRequest request)
    {
        if (!ValidateCredentials(request.Username, request.Password))
        {
            return Unauthorized();
        }

        string token = _tokenService.GenerateToken(request.Username);

        return Ok(new
        {
            token,
            token_type = "Bearer",
            expires_in = 604800 // 7 days
        });
    }

    private bool ValidateCredentials(string username, string password)
    {
        // Just for demonstration.
        return username == "admin" && password == "password";
    }
}

public class LoginRequest
{
    public string Username { get; set; }
    public string Password { get; set; }
}

Step 4: Secure Your Controllers

You can now secure your controllers using either Basic Auth or JWT.

  1. For Basic Auth:

    • Add the [Authorize(AuthenticationSchemes = "BasicAuthentication")] attribute to your controller or actions.
    [ApiController]
[Route("api/[controller]")]
[Authorize(AuthenticationSchemes = "BasicAuthentication")]
public class ProductsController : ControllerBase
{
    [HttpGet]
    public IActionResult GetProducts()
    {
        // Your logic here
        return Ok(new[] { "Product1", "Product2" });
    }
}

  2. For JWT Auth:

    • Add the [Authorize] attribute to your controller or actions.
    [ApiController]
[Route("api/[controller]")]
[Authorize]
public class OrdersController : ControllerBase
{
    [HttpGet]
    public IActionResult GetOrders()
    {
        // Your logic here
        return Ok(new[] { "Order1", "Order2" });
    }
}

Summary

You've gone through setting up a simple ASP.NET Core Web API with both Basic Authentication and JWT Authentication. You can now test your application with tools like Postman or curl.

Testing the API

  1. Basic Auth:

    • Send a request with the Authorization header: 
      GET /api/products
Host: localhost:5000
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
      (where YWRtaW46cGFzc3dvcmQ= is the base64 encoding of admin:password).

  2. JWT Auth:

    • First, get the token:

Top 10 Interview Questions & Answers on ASP.NET Web API Using Basic Auth, Token Auth, JWT

1. What is Basic Authentication in ASP.NET Web API?

Answer: Basic Authentication in ASP.NET Web API is a simple method of access control where the username and password are encoded using Base64 and sent with each request as part of the HTTP header. Despite its ease, it's not recommended for production environments without HTTPS due to security concerns.

2. How does Basic Authentication work?

Answer: When a client sends a request to an ASP.NET Web API server, the server sends back a 401 Unauthorized response with a WWW-Authenticate: Basic header if the user hasn't provided credentials. The client then sends another request, this time including an Authorization header with the Base64-encoded username and password. If the credentials are valid, the server processes the request; otherwise, it returns a 401.

3. What are the drawbacks of using Basic Authentication?

Answer: The main drawbacks include:

  • Security Risks: Credentials are transmitted in an easily decodable format over the network.
  • No Expiry Time: The same credentials can be used indefinitely until revoked.
  • Stateless: It doesn’t support state tracking, making it difficult to manage session-based information.

4. Can Basic Authentication be secure?

Answer: Yes, Basic Authentication can be considered secure when combined with HTTPS, which encrypts the username and password while in transit. However, even secure, it still lacks features like token expiration, session management, and the ability to revoke tokens easily.

5. What is Token Authentication in ASP.NET Web API?

Answer: Token Authentication allows users to obtain a security token after successful authentication. This token is included in subsequent requests to access protected resources. Different types of tokens can be used, such as opaque tokens or those based on standards like OAuth or JWT.

6. How does Token Authentication differ from Basic Authentication?

Answer: Token Authentication involves exchanging a user’s credentials for a token that is used to prove their identity in future requests. This allows the server to validate the token instead of decoding credentials every time a request is made. Token Authentication offers flexibility regarding token type, revocation, and expiration, whereas Basic Auth simply includes the username and password in each request.

7. What is JSON Web Token (JWT) and how does it work?

Answer: JSON Web Token (JWT) is an open standard used to securely transmit information between parties as a JSON object. The encoded JWT can be signed using a secret (with HMAC) or a public/private key pair using RSA. A typical JWT consists of three parts:

  • Header: Metadata about the signing algorithm used.
  • Payload: Data about the user claim.
  • Signature: Used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.

8. What are the advantages of using JWT?

Answer: JWTs offer several advantages:

  • Stateless: No need for session management; all required user information is contained within the JWT.
  • Efficiency: Smaller than other token types and easily parsed.
  • Flexibility: Allows additional claims to be stored.
  • Cross-Domain/Platform Compatibility: JWTs can be shared across different platforms since they use standard encoding methods.

9. How can I implement Basic Authentication in ASP.NET Core Web API?

Answer: To implement Basic Authentication in ASP.NET Core, you typically create middleware to intercept unauthorized requests and check credentials against a user store. Here's an example of creating basic authentication middleware:

public class BasicAuthenticationMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IConfiguration _configuration;

    public BasicAuthenticationMiddleware(RequestDelegate next, IConfiguration configuration)
    {
        _next = next;
        _configuration = configuration;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        string authHeader = context.Request.Headers["Authorization"];
        if (authHeader != null && authHeader.StartsWith("Basic "))
        {
            var credentialBytes = Convert.FromBase64String(authHeader.Substring("Basic ".Length).Trim());
            var credentials = Encoding.UTF8.GetString(credentialBytes).Split(':', 2);
            string username = credentials[0];
            string password = credentials[1];

            if (await AuthenticateUser(username, password))
            {
                context.User = new ClaimsPrincipal(
                    new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, username) }, "BasicAuthentication"));
            }
            else
            {
                context.Response.StatusCode = 401;
                await context.Response.WriteAsync("Unauthorized");
                return;
            }
        }
        await _next(context);
    }

    private Task<bool> AuthenticateUser(string username, string password)
    {
        // Example implementation. Replace with your actual validation logic.
        return Task.FromResult(_configuration["Username"] == username && _configuration["Password"] == password);
    }
}

10. How do you configure JWT Authentication in ASP.NET Core Web API?

Answer: Configuring JWT Authentication in ASP.NET Core involves several steps including creating JWTs, validating them, and setting up the authentication pipeline. A typical setup looks like:

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(o =>
{
    o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("Your Secret Key")),
        ValidateIssuer = false,
        ValidateAudience = false,
        ValidateLifetime = true, // Validates the expiration date
        ClockSkew = TimeSpan.Zero
    };
});

Additionally, you need to create a security token and return it to the client upon successful login:

You May Like This Related .NET Topic

📥 Download Code ▶️ Watch Online 📖 Read Description

Login to post a comment.