Why Is It Important to Secure Your Web API?
APIs are frequently the foundation of contemporary applications, particularly in cloud-based and microservice architectures. Your API is susceptible to attacks including impersonation, illegal access, and data leaks if it is left unprotected. This is where ASP.NET Core Identity, OAuth 2.0, and JWT (JSON Web Tokens) come in handy, offering a comprehensive toolkit for securely authorizing and authenticating users.
Overview of Key Security Concepts
| Term | What It Means |
|
Authentication
|
Verifying who the user is (e.g., login)
|
|
Authorization
|
Controlling what the user can do (e.g., access certain endpoints)
|
|
JWT
|
A secure, compact token used to carry claims about the user
|
|
OAuth 2.0
|
An open standard for delegated authorization
|
|
ASP.NET Core Identity
|
Framework for managing users, roles, and credentials |
1. JWT Authentication in ASP.NET Core Web API
JWT (JSON Web Token) is the most common way to secure APIs in a stateless way.
Step-by-Step: Add JWT Authentication
Step 1. Add Required NuGet Packages.
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer
Step 2. Configure JWT Authentication in Program.cs
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuer = "yourapp.com",
ValidAudience = "yourapp.com",
IssuerSigningKey = new SymmetricSecurityKey(
Encoding.UTF8.GetBytes("super_secret_key_12345"))
};
});
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
Step 3. Secure Your Endpoints
[Authorize]
[HttpGet("secure-data")]
public IActionResult GetSecureData()
{
return Ok("You are authorized!");
}
Step 4. Issue a JWT Token on Login
[HttpPost("login")]
public IActionResult Login([FromBody] LoginModel login)
{
// Dummy check
if (login.Username == "admin" && login.Password == "password")
{
var claims = new[]
{
new Claim(ClaimTypes.Name, login.Username)
};
var key = new SymmetricSecurityKey(
Encoding.UTF8.GetBytes("super_secret_key_12345"));
var creds = new SigningCredentials(
key, SecurityAlgorithms.HmacSha256);
var token = new JwtSecurityToken(
issuer: "yourapp.com",
audience: "yourapp.com",
claims: claims,
expires: DateTime.Now.AddMinutes(30),
signingCredentials: creds);
return Ok(new
{
token = new JwtSecurityTokenHandler().WriteToken(token)
});
}
return Unauthorized();
}
2. OAuth 2.0 Authorization
OAuth 2.0 is an authorization framework used to grant access to third-party apps without sharing passwords. It’s used widely in login with Google, Facebook, Microsoft, etc.
Common OAuth Scenarios
- Sign in users via Google/Facebook.
- Authorize access to external services (like GitHub API).
- Delegate API access using access tokens.
Add OAuth2 to Your Web API
Example: Add Google Authentication.
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = GoogleDefaults.AuthenticationScheme;
)
.AddCookie()
.AddGoogle(GoogleDefaults.AuthenticationScheme, options =>
{
options.ClientId = "your-google-client-id";
options.ClientSecret = "your-google-client-secret";
});
3. ASP.NET Core Identity
ASP.NET Core Identity is a full user management system that supports:
- Registration
- Login/Logout
- Password management
- Role-based authorization
Install Identity
dotnet add package Microsoft.AspNetCore.Identity.EntityFrameworkCore
Configure Identity in Program.cs
builder.Services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));
builder.Services.AddIdentity<IdentityUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();
Secure an Endpoint with Role
[Authorize(Roles = "Admin")]
[HttpGet("admin-only")]
public IActionResult GetAdminData()
{
return Ok("You are an Admin!");
}
Combine Identity + JWT for Token-Based User Management
You can extend Identity to generate JWT tokens after login instead of using cookies.
Example: Identity Login Returning JWT
[HttpPost("token")]
public async Task<IActionResult> Token([FromBody] LoginModel model)
{
var user = await userManager.FindByNameAsync(model.Username);
if (user != null && await userManager.CheckPasswordAsync(user, model.Password))
{
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes("your_super_secret_key");
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.Name, user.UserName),
}),
Expires = DateTime.UtcNow.AddHours(1),
SigningCredentials = new SigningCredentials(
new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
};
var token = tokenHandler.CreateToken(tokenDescriptor);
return Ok(new { token = tokenHandler.WriteToken(token) });
}
return Unauthorized();
}
Extra Security Best Practices
| Best Practice | Why It Matters |
| Use HTTPS |
Encrypts traffic between client and server |
| Hash & salt passwords |
Prevents password leaks if DB is compromised |
| Set token expiration |
Reduces the risk of stolen tokens |
| Rotate keys regularly |
Improves security hygiene |
| Use claims & roles properly |
Enforces fine-grained authorization |
| Logout (Token revocation) |
Invalidate sessions when needed |
Summary
| Feature | Use When... |
| JWT |
You need stateless, fast, token-based auth |
| OAuth2 |
You allow third-party logins or services |
| Identity |
You manage your user accounts and roles |
Conclusion
It is imperative that your.NET Web API be secured. The secret is to carefully integrate them according to the requirements of your application, whether you choose to utilize ASP.NET Core Identity for user management, OAuth2 for third-party authorization, or JWT for stateless APIs.