Why Is It Important to Secure Your Web API?
APIs are frequently the foundation of contemporary applications, particularly in cloud-based and microservice architectures. Your API is susceptible to attacks including impersonation, illegal access, and data leaks if it is left unprotected. This is where ASP.NET Core Identity, OAuth 2.0, and JWT (JSON Web Tokens) come in handy, offering a comprehensive toolkit for securely authorizing and authenticating users.

Overview of Key Security Concepts

Term What It Means

Authentication

Verifying who the user is (e.g., login)

Authorization

Controlling what the user can do (e.g., access certain endpoints)

JWT

A secure, compact token used to carry claims about the user

OAuth 2.0

An open standard for delegated authorization

ASP.NET Core Identity

Framework for managing users, roles, and credentials

1. JWT Authentication in ASP.NET Core Web API
JWT (JSON Web Token) is the most common way to secure APIs in a stateless way.

Step-by-Step: Add JWT Authentication
Step 1. Add Required NuGet Packages.
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer

Step 2. Configure JWT Authentication in Program.cs
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = "yourapp.com",
            ValidAudience = "yourapp.com",
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes("super_secret_key_12345"))
        };
    });

builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

Step 3. Secure Your Endpoints
[Authorize]
[HttpGet("secure-data")]
public IActionResult GetSecureData()
{
    return Ok("You are authorized!");
}


Step 4. Issue a JWT Token on Login
[HttpPost("login")]
public IActionResult Login([FromBody] LoginModel login)
{
    // Dummy check
    if (login.Username == "admin" && login.Password == "password")
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, login.Username)
        };
        var key = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes("super_secret_key_12345"));

        var creds = new SigningCredentials(
            key, SecurityAlgorithms.HmacSha256);

        var token = new JwtSecurityToken(
            issuer: "yourapp.com",
            audience: "yourapp.com",
            claims: claims,
            expires: DateTime.Now.AddMinutes(30),
            signingCredentials: creds);

        return Ok(new
        {
            token = new JwtSecurityTokenHandler().WriteToken(token)
        });
    }
    return Unauthorized();
}


2. OAuth 2.0 Authorization
OAuth 2.0 is an authorization framework used to grant access to third-party apps without sharing passwords. It’s used widely in login with Google, Facebook, Microsoft, etc.

Common OAuth Scenarios

  • Sign in users via Google/Facebook.
  • Authorize access to external services (like GitHub API).
  • Delegate API access using access tokens.

Add OAuth2 to Your Web API
Example: Add Google Authentication.
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = GoogleDefaults.AuthenticationScheme;
)
.AddCookie()
.AddGoogle(GoogleDefaults.AuthenticationScheme, options =>
{
    options.ClientId = "your-google-client-id";
    options.ClientSecret = "your-google-client-secret";
});


3. ASP.NET Core Identity
ASP.NET Core Identity is a full user management system that supports:

  • Registration
  • Login/Logout
  • Password management
  • Role-based authorization

Install Identity
dotnet add package Microsoft.AspNetCore.Identity.EntityFrameworkCore

Configure Identity in Program.cs
builder.Services.AddDbContext<ApplicationDbContext>(options =>
    options.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));

builder.Services.AddIdentity<IdentityUser, IdentityRole>()
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders();

Secure an Endpoint with Role
[Authorize(Roles = "Admin")]
[HttpGet("admin-only")]
public IActionResult GetAdminData()
{
    return Ok("You are an Admin!");
}

Combine Identity + JWT for Token-Based User Management
You can extend Identity to generate JWT tokens after login instead of using cookies.

Example: Identity Login Returning JWT

[HttpPost("token")]
public async Task<IActionResult> Token([FromBody] LoginModel model)
{
    var user = await userManager.FindByNameAsync(model.Username);
    if (user != null && await userManager.CheckPasswordAsync(user, model.Password))
    {
        var tokenHandler = new JwtSecurityTokenHandler();
        var key = Encoding.ASCII.GetBytes("your_super_secret_key");

        var tokenDescriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new Claim[]
            {
                new Claim(ClaimTypes.Name, user.UserName),
            }),
            Expires = DateTime.UtcNow.AddHours(1),
            SigningCredentials = new SigningCredentials(
                new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
        };
        var token = tokenHandler.CreateToken(tokenDescriptor);
        return Ok(new { token = tokenHandler.WriteToken(token) });
    }
    return Unauthorized();
}

Extra Security Best Practices

Best Practice Why It Matters
Use HTTPS Encrypts traffic between client and server
Hash & salt passwords Prevents password leaks if DB is compromised
Set token expiration Reduces the risk of stolen tokens
Rotate keys regularly Improves security hygiene
Use claims & roles properly Enforces fine-grained authorization
Logout (Token revocation) Invalidate sessions when needed

Summary

Feature Use When...
JWT You need stateless, fast, token-based auth
OAuth2 You allow third-party logins or services
Identity You manage your user accounts and roles

Conclusion

It is imperative that your.NET Web API be secured. The secret is to carefully integrate them according to the requirements of your application, whether you choose to utilize ASP.NET Core Identity for user management, OAuth2 for third-party authorization, or JWT for stateless APIs.