Skip links

The Blinking Caret

Web Api

ASP.NET Core Web Api Antiforgery

by Leave a Comment

When deciding how to secure a Web Api there are a few choices available, for example you can choose to use JWT tokens or with a little bit less effort (but with other trade-offs), cookies.

If you decide to go with cookies and if your web api is consumed through a web application (e.g. Angular) it will be vulnerable to cross-site request forgery attacks (frequently referred to as CSRF or XSRF).

Image of an open vault door representing the CSRF vulnerability in ASP.NET Antiforgery

You can find the sample project for this blog post here in github.

What is CSRF and how it can be mitigated

To understand how CSRF works you need to understand how browsers handle cookies.

Every time you visit a website (e.g. mywebsite.com) and that website sends a response with a header named Set-Cookie a cookie is created. An example of a header that creates a cookie named myCookie with the value myCookieValue is: Set-Header: myCookie=myCookieValue.

Usually cookies are stored in a file on disk. This actually depends on the browser you are using but that’s essentially all they are. That is also the reason why you can log in to the same website with two different accounts if you use different browsers. Your “identity” is stored in a cookie and each browser can hold a different one for the same website.

Also, a cookie is specific to one website. That means that a cookie for example.com is not valid for foo.com. This boils down to the browser exclusively sending cookies to example.com that were created in a response to a request to example.com.

The way the browser “sends” the cookies is by including a header named Cookie whenever there is a request to the website from which the cookie originated.

For example if the browser has a cookie for example.com and you have a bookmark for example.com/homepage and you click it, the browser will automatically include a cookie header with the cookie value (e.g.: Cookie: myCookie=myValue). There are exceptions to this namely the use of the SameSite policy. However this feature is still “experimental” and for the use case of allowing your web api to be potentially used by anyone, using a SameSite policy would not work.

The abuse of this mechanism (i.e. the browser sending the cookies automatically) is what CSRF exploits.

Here’s a simple example. Imagine your website has an endpoint at example.com/logout that responds to GET requests (which is a bad idea to begin with, but bear with me). Picture another website, named evilwebsite.com, that has an image element like this:

<img src="www.example.com/logout">

Just by visiting evilwebsite.com you’re logged out of example.com. This works because when the browser parses the html for evilwebsite.com and finds the img tag, it will perform a request to example.com/logout which will, for all intents and purposes, look like any other authenticated request from the point of view of example.com.

If you have a very popular website, or if your attacker has a way to target users of your website s/he can try to lure your users to a malicious website that can then perform requests to example.com as you.

Imagine if your bank website had this vulnerability. A malicious website could trigger transfers of money from your account to another account.

That’s really scary but thankfully it’s not too hard to mitigate. And we’ll even use cookies to mitigate it, here’s how.

CSRF mitigation

We’ve already seen that the browser will send the cookies it has for a website automatically. If any of those cookies is used to identify the user that cookie is usually set as an httponly cookie.

An httponly cookie is a cookie that is created using the httponly directive, for example:

Set-Cookie: AuthCookie=1Wkc5dGNtRnVaRzl0Y21GdVpHOXQ=; HttpOnly

This makes the cookie unavailable through JavaScript, i.e. if you run document.cookie that cookie won’t be visible.

It’s important that cookies that identify the user are httponly so that in case of a Cross-Site Scripting vulnerability (XSS) the attacker won’t be able to steal the auth cookie.

Now that we’ve established that we can create httponly cookies, let’s explore the fact that non-httponly are accessible via JavaScript.

Image that you’ve created a non httponly cookie with a random number, e.g. AntiForgeryCookie=42289347 and when you perform a request to the website, you read the cookie value in JavaScript and put it in a header in the request, e.g. AntiForgeryHeader: 42289347.

When handling the request in the server you check if the cookie and the header values are the same. If they aren’t, or they are missing, the request is rejected.

This breaks things from the point of view of the attacker.

When an attacker triggers requests to a website where a user is logged in to, the auth cookie and the anti-forgery cookie are both sent but the attacker has no way to access them. It’s not possible to read the anti-forgery cookie’s value and put it in the header of that request (JavaScript running in evilwebsite.com cannot access your website).

In a nutshell that’s how CSRF is mitigated.

Applying CSRF mitigations in a Web Api built using ASP.NET Core

The out of the box functionality provided in ASP.NET Core for mitigating CSRF (named anti forgery) is geared towards Razor views.

You’ve probably seen it in the form of the @Html.AntiforgeryToken() html helper in previous versions of MVC (pre Core 2.0).

When you use the @Html.AntiforgeryToken() html helper in a Razor view a cookie is created alongside a hidden form field named __RequestVerificationToken. The value of both must match or else the request is rejected.

Thankfully the anti forgery features in ASP.NET Core are configurable enough that we can use them for a Web Api.

The first thing we have to do is to register the anti forgery dependencies and configure it so that instead of expecting a form field on POST requests, it expects a header. We can pick a name for our header, for example X-XSRF-TOKEN.

Here’s how that looks like in Startup.cs‘s ConfigureServices method:

public void ConfigureServices(IServiceCollection services)
{      
    services.AddAntiforgery(options =>
    {
        options.HeaderName = "X-XSRF-TOKEN";                               
    });
    //...

Specifying a HeaderName when configuring AntiForgery causes the anti forgery validation to use the header (instead of a form field named __RequestVerificationToken) in the verification process.

You can also specify the cookie name you wish to use (e.g. options.Cookie.Name="MyAntiForgeryCookieName"). This isn’t the cookie we’ll access through JavasScript though, so there’s no real advantage in doing this.

Now, for the part of actually generating the anti forgery cookies I recommend doing that in a controller action that you call immediately after a successful login. This might seem odd, however for the sake of brevity I’ll defer the reasoning behind this choice for later in this post.

Here’s how a controller action for generating the anti forgery cookies looks like:

[ApiController]
public class AntiForgeryController : Controller
{
private IAntiforgery _antiForgery;
public AntiForgeryController(IAntiforgery antiForgery)
{
_antiForgery = antiForgery;
}

  [Route("api/antiforgery")]
  [IgnoreAntiforgeryToken]
  public IActionResult GenerateAntiForgeryTokens()
  {
      var tokens = _antiForgery.GetAndStoreTokens(HttpContext);
      Response.Cookies.Append("XSRF-REQUEST-TOKEN", tokens.RequestToken, new Microsoft.AspNetCore.Http.CookieOptions
      {
          HttpOnly = false
      });            
      return NoContent();
  }

}

First, we grab hold of the IAntiforgery service as a dependency and we use its GetAndStoreTokens method to actually generate the tokens/cookie values.

The GetAndStoreTokens method not only creates the cookie and the request tokens, it modifies the response so that the Set-Cookie statement is added to it (that’s why it needs HttpContext as an argument).

The Cookie and Request tokens are the terms used to refer to the two values that must match. The Cookie token is the one stored in the cookie and the Request token is either sent in a hidden form field __RequestVerificationToken or in a header value like we will do shortly.

You might be wondering why we need a Cookie and Request token if we only need one value to match (the value form the cookie and the value from the header) to mitigate CSRF. The reason for this is that the RequestToken contains the logged in username (HttpContext.User.Identity.Name) as well as a random value that matches the value stored in the cookie.

Here’s the discussion around this on github.

This is also the reason why I recommend using Antiforgery this way, in a separate request after the user logs in.

If we were to generate the anti forgery tokens in the response to the login request, the Request token that would be created would not contain a Username (HttpContext.User.Identity.Name isn’t set yet at that time). Any subsequent requests that requires anti forgery validation would fail. That’s because even though the value in both anti forgery tokens would match, the username in the request token (empty) would not match HttpContext.User.Identity.Name.

Going back to the code, the next line is the non-httponly cookie that we will read using JavaScript and put in the requests we perform to the server:

Response.Cookies.Append("XSRF-REQUEST-TOKEN", tokens.RequestToken, new Microsoft.AspNetCore.Http.CookieOptions{
    HttpOnly = false
});

I’ve named it XSRF-REQUEST-TOKEN. This name has no effect on any Web Api code, so you can name it whatever you like. We’ll only access its value in JavaScript.

One final note about this controller action. It’s annotated with the IgnoreAntiforgeryToken attribute. This is one of the three attributes available in ASP.NET Core for dealing with CSRF, the other two are AutoValidateAntiforgery and ValidateAntiforgery.

ValidateAntiforgery will validate every request, whereas AutoValidateAntiforgery will only perform validation for unsafe HTTP methods (methods other than GET, HEAD, OPTIONS and TRACE).

These last two attributes are usually applied as global filters. In this case I recommend that you use the ValidateAntiforgery attribute since we want all requests to be validated.

The reason for this is that if we are relying on Cookies as our means to authenticate users, and we want consumers of our api to potentially come form any origin, we need a CORS configuration that is very permissive (see Secure an ASP.NET Core Web Api using Cookies).

With such a permissive configuration it is possible to forge GET requests from another domain and steal sensitive information, therefore they should also be checked for CSRF.

Here’s how we can configure all controller actions to be checked for CSRF:

public void ConfigureServices(IServiceCollection services)
{
    //...
    services.AddMvc(options =>
    {
        options.Filters.Add(new ValidateAntiForgeryTokenAttribute());
    });
    //...

We need to annotate some controller actions with IgnoreAntiforgeryToken. Namely the one that handles the user’s login, the one we’ve seen above that handles the anti forgery tokens’ generation and any others that you might want to make available without requiring the user being authenticated.

The client

In the client we need to make a request to the endpoint where the anti forgery tokens are generated after the user has logged in successfully.

Since the example project was done in Angular, where’s how that looks like in Angular:

//...

export class AccountService {
    constructor(private httpClient: HttpClient) { }
    //...

    login(email: string, password: string) {
        return this.httpClient.post(`${environment.apiBaseUrl}/api/account/login`, {
            email,
            password
        }).pipe(
            switchMap(_ => this.httpClient.get(`${environment.apiBaseUrl}/api/antiforgery`))
        );
    }

This just performs two http request, one POST to api/account/login with the user’s credentials and a GET request to /api/antiforgery after the first request finishes successfuly.

We also need to read the cookie that is non-httponly (XSRF-REQUEST-TOKEN) and put it in a header named X-XSRF-TOKEN (that’s the name we used when configuring Antiforgery in Startup.cs) when the client performs a request.

We could do that manually for every request, but that wouldn’t be very practical. Thankfully there are ways to have it be done automatically for every request (the beforeSend function in jQuery’s $.ajax for example).

If you are using Angular there’s an out of the box module HttpClientXsrfModule for that. Unfortunately, it does not work for cross domain requests. So what we’ll do here is add an http interceptor that reads the cookie and adds its value to outgoing requests as a header. Here’s how that looks like:

import { HttpEvent, HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http';
import { Injectable } from '@angular/core';
import { Observable } from 'rxjs';

@Injectable()
export class AddCsrfHeaderInterceptorService implements HttpInterceptor {
    intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
        var requestToken = this.getCookieValue("XSRF-REQUEST-TOKEN");
        return next.handle(req.clone({
            headers: req.headers.set("X-XSRF-TOKEN", requestToken)
        }));
    }

    private getCookieValue(cookieName: string) {
        const allCookies = decodeURIComponent(document.cookie).split("; ");
        for (let i = 0; i < allCookies.length; i++) {
            const cookie = allCookies[i];
            if (cookie.startsWith(cookieName + "=")){
                return cookie.substring(cookieName.length + 1);
            }
        }
        return "";
    }
}

An http interceptor is a normal service but needs to be registered in a module using a "multi" provider (you can have several of them), here's how that looks like:

@NgModule({
//...
providers: [
    //...
    { provide: HTTP_INTERCEPTORS, useClass: AddCsrfHeaderInterceptorService, multi: true }
]
//...

That's it, your api is now safe form CSRF attacks.

If you had some issues with the example or have questions please write them down in the comments and I'll get back to you as soon as I can.

Sign in with an External Login Provider in an Angular Application Served by ASP.NET Core

by Leave a Comment

 

Being able to sign in with an external login provider (for example Google or Facebook) is a good way to simplify the process of getting new users to your website.

Image of the word login

There’s quite a few steps required to make this happen in a “traditional” web application. As far as I know there’s no guide into how you can achieve this using a modern front-end framework such as Angular, React or Vue together with ASP.NET Core as the back-end.

That is what this blog post is about: a description of how you can have an Angular application rely on Google for authentication using ASP.NET Core as its back-end.

This is a very long blog post and I feel there are areas where it could be expanded more. Also, I had planned to describe a version using ASP.NET Identity and one without, but after more than 4000 words I decided that it would be too much. I went only with the ASP.NET Identity version. To complicate things even more, when I picked Google for the external login provider I wasn’t aware of Google Identity Platform. This blog post is still very much valid and useful, not only because this approach works for any external login provider but also because a great deal of what is described here would also be necessary when using Google Identity Platform.

You can find the github repository for the Angular and ASP.NET Core applications here. Here’s how it looks like when you run it:

Animated GIF example of the user signing in through Google into the Angular app

Angular

For the front end the goal is to have a way of detecting if the user is authenticated that does not depend on the particular external login provider used.

Although the examples in the rest of the blog post use Google, there is nothing in the Angular application that is specific or depends on Google as an external login provider (i.e. it works with any login provider).

Another goal is to detect that the user has signed out. For example if the user opens two tabs and signs out in one of them, the other tab should be able to handle this scenario gracefully.

Finally, it must be possible to initiate the process of logging in and out from the Angular application. Let’s start with this.

Login and logout

As we will be relying on ASP.NET Core as the back-end we need to “send” the user to a particular URL handled by the ASP.NET Core application. That url will initialize the process of signing in with the external login provider.

Imagine this url is https://www.mywebsite.com/account/signInWithGoogle.

If you are used to using Angular’s routing service you might think that we should use it to redirect the user to that URL. Unfortunately the router service only works with urls that are internal to the Angular application.

The solution to this is much more mundane. What we actually have to do is to change the href property in the window’s location.

The “right” way to do this in Angular is not to invoke window.location.href = .... That would work but you’d lose the ability to unit test the method that makes that call. And since that’s an important part of “doing” Angular (having testable code) here’s how you could do the same thing while not making the code harder to test:

import { Injectable, Inject } from '@angular/core';
import { DOCUMENT } from '@angular/common';

...

@Injectable()
export class LoginService {
    //...

    constructor(@Inject(DOCUMENT) private document: Document,...)

    login() {
        this.document.location.href = 'https://www.mywebsite.com/account/signInWithGoogle';
    }
}

The advantage here is that since document is injected using Angular’s dependency injection mechanism, when you are writing tests against this code you’ll be able to easily replace document with something you control (a test spy).

Regarding logout, it’s tempting to think that we could use the same approach, i.e. just call an endpoint in ASP.NET Core that takes care of logging us out and redirecting the user back to the Angular application. This is not very good practice though.

The reason it is not considered good practice is because browsers prefetch urls while you are typing them in the address bar. That means that while you are typing for example https://www.mywebsite.com/account the browser might autocomplete to https://www.mywebsite.com/account/logout as one of the options and actually try to prefetch the url, logging you out when you didn’t intend to.

Instead, make the logout endpoint respond only to POST and use Angular’s HttpClient service to perform a post request to it. For example:

import { HttpClient } from '@angular/common/http';

...

export class LoginService {
    constructor(private httpClient: HttpClient, ...) {}

    logout() {
        this.httpClient.post(`/acount/logout`).subscribe(_ => {
            //redirect the user to a page that does not require authentication
        });
    }
}

Detecting if the user is authenticated

Imagine someone sends you a link to a page in your application that requires the user to be logged in.

Ideally, your Angular application should be able to determine, while it’s starting up, if the user is already authenticated or not.

Thankfully Angular allows us to provide a function that runs when the application is initializing. We can take advantage of this to query the back-end and determine if the user is authenticated.

To specify your own initialization function you need to add it in the provider’s list in the main (AppModule) module.

Here’s how that looks in AppModule if your function is named checkIfUserIsAuthenticated and depends on the AccountService service.

import { HttpClientModule, HttpClient, ... } from '@angular/common/http';
import { APP_INITIALIZER, NgModule } from '@angular/core';
import { checkIfUserIsAuthenticated } from './check-login-intializer';
...

@NgModule({
    ...
    providers: [
        { provide: APP_INITIALIZER, useFactory: checkIfUserIsAuthenticated, multi: true, deps: [AccountService]}
    ]

Here’s how the checkIfUserIsAuthenticated function looks like:

import { AccountService } from './security.service';


export function checkIfUserIsAuthenticated(accountService: AccountService) {
    return () => accountService.updateUserAuthenticationStatus().toPromise();
}

The updateUserAuthenticationStatus method in the AccountService is performs a request to the ASP.NET Core back-end that will return true or false depending on the user being logged-in or not.

Here’s an example of how that could look like:

@Injectable({
  providedIn: 'root'
})
export class SecurityService {
  private _isUserAuthenticatedSubject = new BehaviorSubject<boolean>(false);
  isUserAuthenticated: Observable<boolean> = this._isUserAuthenticatedSubject.asObservable();

  constructor(@Inject(DOCUMENT) private document: Document, private httpClient: HttpClient) { }

  updateUserAuthenticationStatus(){
    return this.httpClient.get<boolean>(`${environment.apiUrl}/account/isAuthenticated`, {withCredentials: true}).pipe(tap(isAuthenticated => {
      this._isUserAuthenticatedSubject.next(isAuthenticated);
    }));    
  }

  ...

The service above exposes an observable named isUserAuthenticated that we can use in any component so that we can be notified about the user’s authentication status. Since this is an observable we can use it to signal that the user has signed out, which is what we are going to do next.

One note about using APP_INITIALIZER before we go there. The initializer function must return a promise (or nothing). When returning a promise, if that promise fails (is rejected) the application won’t start and you’ll be left with a blank screen. So error handling is definitely needed here if you want to provide a good user experience.

If you want more information on APP_INITIALIZER I recommend “Hook into Angular’s Initialization Process”. Also, if you’ve never seen the withCredentials option, it is only required if your ASP.NET Core back-end is in a different “origin” and therefore the request from Angular to ASP.NET Core is a CORS request. I recommend “Secure an ASP.NET Core Web Api using Cookies” if you want a detailed information about this topic.

Detecting if a user logged out

One scenario that we want to support is to detect if the user logs out (for example from a different tab) and we try to make a request expecting the user to be authenticated.

Angular provides a way to inspect each request before it is sent and the response when it is received through a type of service named Interceptor.

We can leverage this so that we can detect 401 Unauthorized responses and react appropriately.

What I did in the example project was to update an Observable (isUserAuthenticated) in an Angular service (AccountService) so that any component that might be active in the page can subscribe to this observable and react appropriately to the user becoming unauthorized.

Here’s how the interceptor looks like:

import { HttpErrorResponse, HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http';
import { Injectable } from '@angular/core';
import { tap } from 'rxjs/operators';

import { AccountService } from './account.service';

@Injectable()
export class Interceptor401Service implements HttpInterceptor {

    constructor(private accountService: AccountService) { }

    intercept(req: HttpRequest<any>, next: HttpHandler) {

        return next.handle(req).pipe(tap(nonErrorEvent => {
        //nothing to do there
        }, (error : HttpErrorResponse) => {
        if (error.status === 401)
            this.accountService.setUserAsNotAuthenticated();
        }));
    }
}

And it needs to be added to the providers’ list in AppModule:

import { HTTP_INTERCEPTORS, ... } from '@angular/common/http';
import { Interceptor401Service } from './interceptor401.service';
...

@NgModule({
    ...
    providers: [
        ...
        { provide: HTTP_INTERCEPTORS, useClass: Interceptor401Service, multi: true },
    ]

To take advantage of this, we just need to add the AccountService as a dependency in a component and subscribe to the isUserAuthenticated observable. This is how that looks like:

import { Component, OnDestroy, OnInit } from '@angular/core';
import { Subscription } from 'rxjs';
import { AccountService } from '../account.service';


@Component({
    selector: 'app-home',
    templateUrl: './home.component.html',
    styleUrls: ['./home.component.css']
})
export class HomeComponent implements OnInit, OnDestroy {

    subscription: Subscription;

    constructor(private accountService: AccountService) { }

    ngOnInit() {
        this.subscription = this.accountService.isUserAuthenticated.subscribe(isAuthenticated => {
        if (isAuthenticated) {
            //user became authenticated
        } else {
            //user is not authenticated
        }
        });
    }

    ngOnDestroy() {
        this.subscription.unsubscribe();
    }    

...

ASP.NET Core Using Identity

To allow users to authenticate using an external login providers in ASP.NET Core we can use ASP.NET Core Identity.

ASP.NET Core Identity offers us the ability to interact with several external login providers using OAuth and to save the users in a predefined set of tables (AspNetUsers, etc). Although we won’t be exploring it here, Identity even has functionality to associate and manage several different external login providers for the same user.

Before we can proceed we need to create an “app” in Google so that we can get a ClientId and ClientSecret that we will be needing to configure Google’s authentication middleware.

Create a new Google application

You can create a new “app” by following the following link https://console.developers.google.com/projectselector/apis/library.

First step is to create a new “project”/app:

Click the create button in google's developer console

Next you need to name the project. This is how the application will be called in the Google developers’ website. In this example I’m naming it “GoogleSignInExample”:

Giving the project a name

Next step is to enable the Google+ API. You can access the search apis functionality by clicking “Library” on the left sidebar menu:

Add the Google+ API

Click enable to confirm you want to enable the API:

Click enable Google+ api

Now go to the credentials section of the project:

Go to credentials

Click create credentials and select OAuth client ID:

OAuth client id

Now configure the OAuth consent screen. This is defines what will be displayed to your users when they try to login to your application using Google.

OAuth screen configuration

Back in the credentials screen you should now select “Web Application” and specify “Authorized JavaScript Origins” and “Authorized redirect URIs”.

The origins refers to where the requests will be coming from, which will be your application. Since ASP.NET Core runs on port 5000 by default if you use the command line I used that (that’s also what the github example project uses).

The authorized redirect URIs are the locations where Google will redirect the user to when the login process finishes.

When setting up Google as an external login provider in ASP.NET Core you can specify this value (the default is signin-google). Since this is not obvious at all I’ve used a non-default (google-callback) value so I can show you how you can explicitly specify what is the redirect URI.

Authorized JavaScript Origins and authorized redirect URIs

Finally you should get your Client Id and Client Secret.

Client id and client secret

You should make note of these two values. We will be using them to configure the authentication middleware in ASP.NET Core.

Configure the Authentication middleware in ASP.NET Core

Even though the configuration for the authentication middleware is terse and at first glance seems simple, there’s a lot going on that is not obvious.

To fully comprehend how the authentication middleware works in this scenario you need to be familiar with how the middleware pipeline works, what ASP.NET Identity does when you register it in ConfigureServices, and be familiar with OAuth flows, namely the authorization code grant flow.

I’m going to assume that you know how the pipeline works and what happens when the user gets redirected to an external login provider (such as Google) and back. If you want an in-depth discussion about that (that is a little bit outdated in terms of ASP.NET Core but very much still relevant), I recommend reading External Login Providers in ASP.NET Core.

Without further ado here’s the ConfigureServices method in Startup.cs:

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    services.AddCors(corsOptions =>
    {
        corsOptions.AddPolicy("fully permissive", configurePolicy => configurePolicy.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin().AllowCredentials());
    });

    services.AddDbContext<IdentityDbContext>(options =>
                options.UseSqlite("Data Source=users.sqlite",
                sqliteOptions => sqliteOptions.MigrationsAssembly("TheNameOfYourAspNetCoreProjectGoesHere")));
    services.AddIdentity<IdentityUser, IdentityRole>()
            .AddEntityFrameworkStores<IdentityDbContext>()
            .AddDefaultTokenProviders();

    services.AddAuthentication(options =>
    {
        options.DefaultSignOutScheme = IdentityConstants.ApplicationScheme;
    })
    .AddGoogle("Google", options =>
    {
        options.CallbackPath = new PathString("/google-callback");
        options.ClientId = "YourClientIdFromGoogle";
        options.ClientSecret = "YourClientSecretFromGoogle";
    });
}

The first thing being registered in ConfigureServices is Mvc and after that there’s CORS. I’ve setup CORS to be very permissive (as you might’ve noticed by how I named the policy). This might or might not be appropriate depending on how your Angular + ASP.NET Core setup is. If you want to read about different options regarding this I recommend my other post: Angular and ASP.NET Core where several deployment options are described, including ones that don’t require CORS.

Also, we will be relying on Cookies to store the user’s identity. If for some reason this doesn’t work for you check out Secure a Web Api in ASP.NET Core that describes how you can use JWT instead of Cookies. You can also refer to Secure an ASP.NET Core Web Api using Cookies if you want an in-depth example of how Cookies work in the approach we’ll be taking in this blog post.

After CORS there’s the setup of ASP.NET Core Identity. I’m not defining my own version IdentityDbContext so I have to specify that I want to create the migrations in the ASP.NET Core project (that’s the MigrationsAssembly part). The default is that the migrations are created in the assembly where the DbContext derived class is defined. As IdentityDbContext is defined in the Microsoft.AspNetCore.Identity.EntityFrameworkCore assembly that would produce an error.

I won’t spend too much time on explaining the setup of ASP.NET Core Identity other than mentioning that when you call .AddIdentity you are actually configuring the the authentication middleware (i.e. AddIdentity calls .AddAuthentication internally).

Since it is convenient to have the DefaultSignOutScheme be the the ApplicationScheme (this is the scheme that actually creates the user’s identity, i.e. sets HttpContext.User) the order you have .AddAuthentication and .AddIdentity is important. .AddAuthentication needs to be after .AddIdentity or else your custom settings will be overwritten.

If the above comment left you feeling lost I recommend spending some time reading External Login Providers in ASP.NET Core which is a little bit outdated but still is applicable to this version (2.1) of .Net Core (apart from there only being one authentication middleware now).

Finally, the configuration of Google as an external login provider. I’ve named the authentication scheme as “Google” (first parameter in .AddGoogle). This will be important later on when we want to produce a challenge to initiate the login process with Google.

You should use the ClientId, ClientSecret and CallbackPath previously defined when registering your application with Google in the Google Developer’s website.

Regarding the definition of the pipeline (Configure method) here’s how that could look like:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseCors("fully permissive");

    app.UseAuthentication();           

    app.UseMvcWithDefaultRoute();
}

Initiating a sign in with Google

The way you initiate the authentication process using an external login provider such as Google is by issuing a “challenge” that targets the authentication scheme that corresponds to the external login provider.

When we configured Google as the external login provider in Startup.cs we gave it an authentication scheme name of Google (.AddGoogle("Google")). That’s the name we have to use in our challenge.

In case you are wondering why the term “challenge” is used, it’s probably because in the HTTP protocol when a 401 Unauthorized response is returned, a header named WWW-Authenticate is included. The value of that header defines which challenge the client must overcome in order to access the protected resource.

In ASP.NET challenging an authentication scheme just triggers the challenge behavior defined in the authentication handler associated with that authentication scheme. In this case that will be redirecting the user to the Google sign in page.

Here’s how that looks like in a controller action:

public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;
    public AccountController(SignInManager<IdentityUser> signInManager, UserManager<IdentityUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    public IActionResult SignInWithGoogle()
    {
        var authenticationProperties = _signInManager.ConfigureExternalAuthenticationProperties("Google", Url.Action(nameof(HandleExternalLogin)));
        return Challenge(authenticationProperties, "Google");
    }

    ...

Part of configuring the challenge with an external login provider requires us to provide a redirect url. This is the url to where the user will be redirected to after successfully authenticating (with Google in this case). We are redirecting the user to /Account/HandleExternalLogin.

Handling a successful authentication

The first thing that happens when the “challenge” is initiated is that the user is redirected to the external login provider.

After the user successfully authenticates using the external login provider’s login page, the user gets redirected back to the application. This redirect url will be to the Callback url that is specified in the external login provider’s configuration in ASP.NET, and in the provider itself (in Google this is the “Authorized redirect URI”).

This redirect will contain a single-use code in the query string. The ASP.NET application’s authentication middleware for the external login provider will exchange that code (by making an http call to Google) for the user’s claims and sets them in an “External” cookie (this is transparent to you). You can find the authentication scheme name for this cookie in IdentityConstants.ExternalScheme.

After this, the ASP.NET Core authentication middleware for the external login provider will redirect the user to the url specified in the challenge (in our example that’s /account/handleexternallogin) and that’s the action we will be discussing in this section.

This is terribly complicated, and to make matters worse what comes next, even though it is just a few lines of code, has loads going on that is very obscure. This is however what comes out of the box if you are using ASP.NET Core Identity. I’ll do my best to explain what’s going on.

If you feel you need to get a better grasp of the process between the ASP.NET application and the external login provider have a look at External Login Providers in ASP.NET Core.

Here’s how HandleExternalLogin looks like:

public async Task<IActionResult> HandleExternalLogin()
{
    var info = await _signInManager.GetExternalLoginInfoAsync();

    var result = await _signInManager.ExternalLoginSignInAsync(info.LoginProvider, info.ProviderKey, isPersistent: false); 

    if (!result.Succeeded) //user does not exist yet
    {
        var email = info.Principal.FindFirstValue(ClaimTypes.Email);
        var newUser = new IdentityUser {
            UserName = email,
            Email = email,
            EmailConfirmed = true
        };
        var createResult = await _userManager.CreateAsync(newUser);
        if (!createResult.Succeeded)
            throw new Exception(createResult.Errors.Select(e => e.Description).Aggregate((errors, error) => $"{errors}, {error}"));

        await _userManager.AddLoginAsync(newUser, info);
        var newUserClaims = info.Principal.Claims.Append(new Claim("userId", newUser.Id));
        await _userManager.AddClaimsAsync(newUser, newUserClaims);
        await _signInManager.SignInAsync(newUser, isPersistent: false);
        await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);
    }

    return Redirect("http://localhost:4200");                        
}

The first line (_signInManager.GetExternalLoginInfoAsync()) retrieves the user information that was set by the external login provider. This information is stored in a cookie usually referred to as the external cookie whose authentication scheme name is IdentityConstants.ExternalScheme.

The return value, info, contains the LoginProvider which is just a string that is unique to the login provider (e.g. Google). It also contains another property named ProviderKey which is an unique identifier of the user in the external login provider (for Google it’s the user’s Google+ profile id). Finally it also contains a list of Claims that may vary depending of how the external login provider is configured (you might ask for additional Scopes) but usually contain at least the user’s email and name.

The next line (await _signInManager.ExternalLoginSignInAsync(...) will check if the user has previously logged in using the external login provider. If that’s the case this method will effectively sign the user in.

It does this by checking the AspNetUserLogins table using the LoginProvider and ProviderKey to find a user (from the AspNetUsers table) and retrieve all the information for that user to create an identity (AspNetUserClaims, AspNetRoles, …) for the user. It also deletes the external cookie in this scenario.

If it’s the first time the user logs in then this method just returns a “failed sign in result” and doesn’t delete the external cookie.

This is to support the Visual Studio template’s use case where the user is redirected to a new account page. In that page the user is forced to create a local account which will be associated to the external login provider. The external cookie is maintained so that the information contained in it (the external login provider’s user identity) can be used when the local account is created in the new account page.

This is a perfect example of something you would not expect since the method’s name (ExternalLoginSignInAsync) indicates a particular function (sign the user in using an external login provider) but in reality it’s doing something specific to a particular use case (catering for the needs of the default visual studio template), hence violating the principle of reasonable expectations. It’s also a bad abstraction since you need to look at the source code to fully understand what it’s doing.

The return type of SignInManager.ExternalLoginSignInAsync is SignInResult which contains a boolean property named Succeeded. If its value is true there’s nothing else to do other than redirecting the user to where the Angular application is hosted (in the example the redirect is for localhost:4200 which is the port you’d get if you start your angular app with ng serve). What happens in this scenario is that SignInManager will internally call HttpContext.AuthenticateAsync with IdentityConstants.ApplicationScheme and as mentioned previously will “sign out” of IdentityConstants.ExtrenalScheme.

If the Succeeded property is false this means that there’s no user associated with the login provider, i.e. there’s no record in AspNetUserLogins that maps the LoginProvider and ProviderKey to a local user in AspNetUsers.

If that’s the case we need to create a new user and associate him with the login provider.

First thing we do is to get the user’s email from the claims that came from Google:

var email = info.Principal.FindFirstValue(ClaimTypes.Email);

We create a new instance of IdentityUser:

var newUser = new IdentityUser {
    UserName = email,
    Email = email,
    EmailConfirmed = true
};

We create the user in the AspNetUsers table:

var createResult = await _userManager.CreateAsync(newUser);

Notice that the user will not have a password. In this example that’s not important because we only want to support logging in through the external login provider.

The createResult might indicate that the user creation failed. This might happen because the email is already being used by another user, for example. You should not let the authentication proceed if that’s the case.

If the user creation was successful we need to associate the new user with the external login provider by creating a new record in AspNetUserLogins. And we do that by calling the AddLoginAsync method in SignInManager with the newly created user and the information we got back from the external login provider:

await _userManager.AddLoginAsync(newUser, info);

Next we want to save the claims we got from the external login provider in AspNetUserClaims. And maybe add our own. In the following example a claim named “userId” is added (after _userManager.CreateAsync the newUser.Id property will be populated with the new user’s Id).

var newUserClaims = info.Principal.Claims.Append(new Claim("userId", newUser.Id));
await _userManager.AddClaimsAsync(newUser, newUserClaims);

Finally we use SignInManager to “sign the user in”:

await _signInManager.SignInAsync(newUser, isPersistent: false);

What this does internally is to call HttpContext.AuthenticateAsync on the IdentityConstants.ApplicationScheme.

And finally we need to sign out of the IdentityConstants.ExternalScheme (which contains the information received from the external login provider about the user).

await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);

Before we describe logging out a quick note about how the user’s claims is required. They are saved the first time the user logs in and then those claims’ values are re-used. The login provider’s claims are basically ignored from there on.

This kind of makes sense if you think that you can have several external login providers associated with the same user account, and in the end it’s that account in your ASP.NET Core website that is the source of truth about your user.

That also means that if you change your claims in your external login provider after creating a local account, those changes will not be visible in the ASP.NET Core website.

You can however manually manage this by using UserManager‘s methods to handle claims (RemoveClaimAsync, RemoveClaimsAsync, AddClaimAsync and AddClaimsAsync).

Handling logout

The action of logging out is actually the simplest. It just needs to guarantee that the main authentication cookie from the IdentityConstants.ApplicationScheme (usually named .AspNetCore.Identity.Application) gets removed.

To do this we’ll use SignInManager‘s SignOutAsync method. This method actually signs out of all the authentication schemes that are automatically configured for you when you call ServiceCollection.AddIdentity... in Startup.cs.

After calling logging out you should redirect the user to a page that doesn’t require the user to be authenticated. In this example we are redirecting the user to the default url you get when you host an Angular application using ng serve --open.

Here’s an example of the Logout action method:

public async Task<IActionResult> Logout() 
{
    await _signInManager.SignOutAsync();
    return Redirect("http://localhost:4200");
}

That’s it. These steps should be enough that you can tailor this example to your particular needs. Let me know your thoughts in the comments below.

Secure an ASP.NET Core Web Api using Cookies

by 3 Comments

There’s this frequent notion that you need to use tokens to secure a web api and you can’t use cookies.

That’s not the case. You can do authentication and authorization in a Web Api using cookies the same way you would for a normal web application, and doing so has the added advantage that cookies are easier to setup than for example JWT tokens. There are just a few things you need to be aware.

This blog post is about how you can secure an ASP.NET Core Web Api using cookies (if you are looking for how to secure a Web Api using JWT tokens check out Secure a Web Api in ASP.NET Core and Refresh Tokens in ASP.NET Core Web Api).

A padlock suggesting ASP.NET Web Api Security

Configuration required to make cookies work in a Web Api

If one of the clients of your Web Api is a web application (e.g. an Angular app)
and the Web Api and the Angular application are running in different domains (most common scenario) using cookies will not work without some extra configuration.

This might be the reason why using JWT tokens seems to be what people default to. If you try to setup your authentication the same way you would a traditional web application (e.g. an ASP.NET MVC web app) and then perform AJAX requests for logging in and out you’ll soon discover that they seem to do nothing.

For example, when you try to login to your web api using jQuery:

$.post('https://yourdomain.com/api/account/login', "username=theUsername&password=thePassword")

Your response won’t show any error. If you inspect the response it will even have the Set-Cookie header but the cookie will seemingly be ignored by the browser.

To add to the confusion you might even have CORS configured correctly for your Web Api and still see this behavior.

Turns out that you have to do some work in the client as well. The next sections describe what you need to do, both in terms of the server configuration and also the client.

You can find an example project here that is nothing more than the ASP.NET default template with authentication set to Individual User accounts stripped out of all the UI and adapted to be consumed as a Web Api. The sample project also contains an Angular application that consumes the Web Api.

Server side configuration

What you need to do server-side is to configure ASP.NET’s cookie authentication middleware and also setup CORS so that your Web Api “declares” it accepts requests from the domain where your client is hosted.

To setup the cookie middleware you have to setup the authentication middleware in your Startup.csConfigurateServices method:

public void ConfigureServices(IServiceCollection services)
{
    //...
    services.AddAuthentication(options => { 
        options.DefaultScheme = "Cookies"; 
    }).AddCookie("Cookies", options => {
        options.Cookie.Name = "auth_cookie";
        options.Cookie.SameSite = SameSiteMode.None;
        options.Events = new CookieAuthenticationEvents
        {                          
            OnRedirectToLogin = redirectContext =>
            {
                redirectContext.HttpContext.Response.StatusCode = 401;
                return Task.CompletedTask;
            }
        };                
    });

Here I’m naming the cookie authentication scheme as “Cookies” (that’s AddCookie‘s first parameters). We’ll have to reference this name later when implementing the login endpoint.

I’m also naming the cookie that will be created as auth_cookie (options.Cookie.Name = "auth_cookie"). If the consumer of your Web Api is a web client (for example an Angular application) you don’t have to deal with the name of the cookie. However, if you are writing a C# client using HttpClient you might need to read and store the value of the cookie manually. Having an explicit name is easier to remember than the default name, which is .AspNet. + authentication scheme name (in this case that would be .AspNet.Cookies).

Regarding SameSiteMode I’m setting it to None. SameSite is used when setting the Cookie (it controls an attribute with the same name in the Set-Cookie header). It’s values are Strict and Lax. Strict means that the cookie will only be sent by the browser for requests that originate from the domain of the cookie. With this value the browser won’t even send the cookie if you have a website that has a link to yours.

With Lax the browser will send the cookie for requests that originate in the cookie’s domain and cross-origin requests that don’t have side effects (i.e. will be sent with a GET but not with a POST). A cross-origin request is a request that is sent from a url different than the destination url (for most browsers even having different ports, e.g.: localhost:8080 to localhost:8081) will make a request be considered cross-origin.

If you set it to SameSiteMode.None as we did, the samesite attribute isn’t included. That has the consequence of the browser sending the cookie along for all requests, which is what we want.

As an aside, if you need to debug problems with cookies prefer Firefox’s developer tools to Chrome’s. Chrome will not show you the Set-Cookie header if it’s not for the domain where the request originated (checked version 67.0.3396.99).

Finally, I’m redefining what happens when the authentication fails. Usually the cookie middleware produces a 302 redirect response to a login page. Since we are building a Web Api we want to send the client a 401 Unauthorized response instead. That’s what the custom OnRedirectToLogin will do.

When using ASP.NET Core Identity (which is what the demo project uses) this configuration is a little bit different. You won’t have to worry about naming the cookie authentication scheme since ASP.NET Core Identity provides a default value. Also, the redefinition of what happens on the OnRedirectToLogin is a little bit different (but similar enough that it shouldn’t be a problem to understand after seeing this one).

That’s it for the authentication middleware, but still on the ConfigureServices method we also need to add CORS. Just add this line:

services.AddCors();

Finally, in Startup.csConfigure method add the authentication and CORS middleware to the pipeline (before the MVC pipeline):

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    //...
    app.UseCors(policy =>
    {
        policy.AllowAnyHeader();
        policy.AllowAnyMethod();
        policy.AllowAnyOrigin();
        policy.AllowCredentials();
    });

    app.UseAuthentication();
    //...
    app.UseMvc();

Our CORS configuration does not put any restriction on the potential clients of the Web Api. Of particular importance here is the AllowCredentials option. Without it, the browser will ignore the response to any requests that are sent with Cookies (see the Access-Control-Allow-Credentials section in MDN’s documentation on CORS).

Login and Logout actions

The Login and Logout actions are similar to what you would have for a normal MVC application. The only difference here is that we won’t return any content in the responses, just responses with the appropriate status code.

Here’s an example of how the Login method could look like:

[HttpPost]
public async Task<IActionResult> Login(string username, string password)
{
    if (!IsValidUsernameAndPasswod(username, password))
        return BadRequest();

    var user = GetUserFromUsername(username);

    var claimsIdentity = new ClaimsIdentity(new[]
    {
        new Claim(ClaimTypes.Name, user.Username),
        //...
    }, "Cookies");

    var claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
    await Request.HttpContext.SignInAsync("Cookies", claimsPrincipal);

    return NoContent();
}

Notice that we are referencing the “Cookies” authentication scheme we’ve defined in Startup.cs.

The Logout method could look like this:

[HttpPost]
public async Task<IActionResult> Logout()
{
    await HttpContext.SignOutAsync();
    return NoContent();
}

In the demo project we rely on ASP.NET Core Identity which provides the UserManager and SignInManager classes that provide identical functionality of what is described above.

The Client

When consuming a Web Api that uses cookies using a browser client you need to be aware of some quirks. Namely of the behavior of XMLHttpRequest and the Fetch Api. If your client is not running in a browser (e.g. a C# application), apart from having to know how to save/restore cookies, there are no hurdles.

There are two ways to perform AJAX requests in the browser. Using XMLHttpRequest or using the Fetch Api. Even if you are using some library or framework (e.g. jQuery or Angular) it’s one of these two that is being used.

When you perform a request using any of these options and the response contains a Set-Cookie header it will be ignored silently. And the documentation on this is not very clear, for example in XMLHttpRequest’s MDN documentation:

XMLHttpRequest.withCredentials

Is a Boolean that indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies or authorization headers.

withCredentials is the flag you need to set to true so that cookies aren’t ignored when they are set by a response (Set-Cookie header) and it is also the flag that you need to have so that cookies are sent in requests.

If you dig into the MDN documentation this is described this way:

In addition, this flag is also used to indicate when cookies are to be ignored in the response … XMLHttpRequest from a different domain cannot set cookie values for their own domain unless withCredentials is set to true before making the request…

There you go, that flag serves two different purposes. Reminds me of this tweet:

 

Since it’s most likely you will not be making requests with XMLHttpRequest manually I’ll abstain from including an example for it here and include instead one for jQuery, another for Angular and another with the Fetch Api.

JQuery

For jQuery you can perform a request with withCredentials set to true this way:

$.ajax({
    url: 'http://yourdomain.com/api/account/login?username=theUsername&password=thePassword', 
    method: 'POST', 
    xhrFields: {
        withCredentials: true
    }
});

Every request needs to have the withCredentials flag.

Doing this with with $.ajax can get tedious fast. Thankfully you can just use $.ajaxSetup and set it there:

$.ajaxSetup({xhrFields: {withCredentials: true}});

Now every subsequent request you perform with jQuery ($.get, $.post, etc) will be done with the withCredentials flag set to true.

Angular

With Angular you can specify options on each call using HttpClient from @angular/common/http, for example:

this.httpClient.post<any>(`http://yourdomain.com/api/account/login?username=theUsername&password=thePassword`, {}, {
  withCredentials: true 
}).subscribe(....

Or, more conveniently, you can create an HttpInterceptor that will add that option to every request for you:

import { Injectable } from '@angular/core';
import { HttpInterceptor, HttpEvent, HttpRequest, HttpHandler } from '@angular/common/http';
import { Observable } from 'rxjs/Observable';

@Injectable()
export class AddWithCredentialsInterceptorService implements HttpInterceptor {
    intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
        return next.handle(req.clone({
            withCredentials: true
        }));
    }
}

Fetch Api

If you are using the more modern Fetch API you need to add the property credentials with value include with every request that might result in a response that creates cookies or requests for which cookie are to be sent with.

Here’s an example of a post request:

fetch('http://yourdomain.com/api/account/login?username=theUsername&password=thePassword', {
    method: 'POST',
    credentials: 'include'
}).then...

.Net Client

To create a .Net Client you’d use HttpClient.

HttpClient will take care of storing the cookie when a response sends it and it will send it for your when you perform a request. You just need to keep the HttpClient instance after you log in, which is the recommended way of doing it anyway.

Here’s how you could login and then perform an authenticated request:

var client = new HttpClient();
var loginResponse = await client.PostAsync("http://yourdomain.com/api/account/login?username=theUsername&password=thePassword", null);
if (!loginResponse.IsSuccessStatusCode){
    //handle unsuccessful login
}                        

var response = await client.GetAsync("http://yourdomain.com/api/anEndpointThatRequiresASignedInUser/");

One thing you might want to do is to save the authentication cookie and restore it later.

Imagine a scenario where your user closes your application and you want to support the user being able to return later an not having to log in.

It is possible to do this with HttpClient, but you need to initialize it a little differently:

CookieContainer cookieContainer = new CookieContainer();
HttpClientHandler handler = new HttpClientHandler
{
    CookieContainer = cookieContainer
};
handler.CookieContainer = cookieContainer;
var client = new HttpClient(handler);

var loginResponse = await client.PostAsync("http://yourdomain.com/api/account/login?username=theUsername&password=thePassword", null);
if (!loginResponse.IsSuccessStatusCode){
    //handle unsuccessful login
}

var authCookie = cookieContainer.GetCookies(new Uri("http://yourdomain.com")).Cast<Cookie>().Single(cookie => cookie.Name == "auth_cookie");

//Save authCookie.ToString() somewhere
//authCookie.ToString() -> auth_cookie=CfDJ8J0_eoL4pK5Hq8bJZ8e1XIXFsDk7xDzvER3g70....

To restore a cookie after creating the CookieContainer you can call the SetCookies method on it:

cookieContainer.SetCookies(new Uri("http://yourdomain.com"), "auth_cookie=CfDJ8J0_eoL4pK5Hq8bJZ8e1XIXFsDk7xDzvER3g70...");

Conclusion

Event though this is a long post, setting up cookies in you Web Api is not that hard. You just need to keep a few things in mind.

Namely, you need to make sure that your cookie is not being generated with a samesite attribute. To do this you should check the Set-Header header that comes in the login response.

Do this using Firefox instead of Chrome’s developer tools. Chrome (at least the version I’m running 67.0.3396.99) does not display the Set-Cookie header if it’s for a different domain than the one from where the request was performed.

The next thing you have to make sure is that you’ve configured CORS correctly. Of particular importance is making sure you have AllowsCredentials in your CORS policy.

Finally, if you are running a web client, make sure you have the withCredentials flag set to true on every request or credentials: 'include' for the Fetch Api.

 

Refresh Tokens in ASP.NET Core Web Api

by 1 Comment

 

One thing that comes to mind when using access tokens to secure a web api is what do you do when the token expires?

Do you ask the user for credentials again? That’s not really a good option.

This blog post is about using refresh tokens to solve this problem. Specifically in ASP.NET Core Web Apis with JWT tokens.

Image of a refreshing drink as a metaphor for a refresh token

First, is this really a big deal? Why don’t we just set a long expiration date in the access tokens? For example, a month or even a year?

Because if we do that and someone manages to get hold of that token they can use it for a month, or a year. Even if you change your password.

That’s because a server will trust a token if it’s signature is valid, and the only way to invalidate it is to change the key that was used to sign it, and that has the consequence of invalidating everyone else’s tokens.

Not really an option then. That leads us to the idea of using refresh tokens.

How does a refresh token work then?

Imagine that when you get an access token you also get another one-time-use token: the refresh token. The app stores the refresh token and leaves it alone.

Every time your app sends a request to the server it sends the access token in it (Authorization: Bearer TokenGoesHere) so that the server knows who you are. There will come a time where the token will expire and the server will let you know of this somehow.

When this happens your app sends the expired token and the refresh token and gets back a new token and refresh token. Rinse, repeat.

If something fishy happens the refresh token can be revoked which means that when the app tries to use it to get a new access token, that request will be rejected and the user will have to enter credentials to be able to log in again.

To make this last point clear, imagine that the app stores the location (e.g. Dublin, Ireland) of the request when a refresh token is created. If user can access this information, and if there’s some login from a place that the user doesn’t recognize, the user can revoke the refresh token so that when the access token expires whoever is using it won’t be able to continue to use the app. This is why it’s probably a good idea to have the access tokens be short lived (i.e be valid for a couple of minutes).

To use refresh tokens we need to be able to do:

  • Create access tokens (we will use JWT here)
  • Generate, save, retrieve and revoke refresh tokens (server-side)
  • Exchange an expired JWT token and refresh token for a new JWT token and refresh token (i.e. refresh a JWT token)
  • Use ASP.NET authentication middleware to authenticate a user with JWT tokens
  • Have a way to signal that the access token expired to the app (optional)
  • When the token expires have the client transparently acquire a new token

If you need information on these topics individually, continue on. If you want to see all this working together, you can find a demo project here.

Create JWT Access Tokens

If you want a more thorough description of how to use JWT with ASP.NET Core I recommend Secure a Web Api in ASP.NET Core. Here’s a summary.

First you need to add the System.IdentityModel.Tokens.Jwt package:

$ dotnet add package System.IdentityModel.Tokens.Jwt

To create a new JWT token:

private string GenerateToken(IEnumerable<Claim> claims)
{
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("the server key used to sign the JWT token is here, use more than 16 chars"));

    var jwt = new JwtSecurityToken(issuer: "Blinkingcaret",
        audience: "Everyone",
        claims: claims, //the user's claims, for example new Claim[] { new Claim(ClaimTypes.Name, "The username"), //... 
        notBefore: DateTime.UtcNow,
        expires: DateTime.UtcNow.AddMinutes(5),
        signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256)
    );    

    return new JwtSecurityTokenHandler().WriteToken(jwt); //the method is called WriteToken but returns a string
}

Here we are creating a new jwt token with an expiration date of 5 minutes signed using HmacSha256.

Generate, save, retrieve and revoke refresh tokens

The refresh tokens must be unique and it shouldn’t be possible (or it must be very hard) to guess them.

It might seem that a simple GUID satisfies this criteria. Unfortunately the process of generating GUIDs is not random. That means that given a few guids you can easily guess the next one.

Thankfully, there’s a secure random number generator in ASP.NET Core that we can use to generate a string that is unique and even given a few of them it’s very hard to predict how the next one will be:

using System.Security.Cryptography;

//...

public string GenerateRefreshToken()
{
    var randomNumber = new byte[32];
    using (var rng = RandomNumberGenerator.Create()){
        rng.GetBytes(randomNumber);
        return Convert.ToBase64String(randomNumber);
    }
}

Here we are generating a 32 byte long random number and converting it to base64 so that we can use it as a string. There are no guidelines regarding the length other than it should lead to an unique and hard to guess token. I picked 32 but even 16 should be ok.

We will need to generate refresh tokens when we first generate a JWT token and when we “refresh” an expired token.

Every time we generate a new refresh token we should save in a way that it’s linked to the user for which the access token was issued.

The simplest version of this is just to have an extra column for the refresh token in the user’s table. This has the consequence of only allowing the user to be logged-in in one location (there’s only 1 refresh token valid per user at a time).

Alternatively, you can maintain several refresh tokens per user and save the geographical location, time, etc from the request that originated them so that you can provide the user with activity reports.

Also, it is probably a good idea to make the refresh tokens expire, for example after a few days (you’d have to save an expiration date together with the refresh token).

One thing you must not forget to do is to remove a refresh token when it is used in a refresh operation so that it cannot be used more than once.

Exchange an expired JWT and refresh token for a new JWT token and refresh token (i.e. refresh a JWT token)

To get a new access token from an expired one we need to be able to access the claims inside the token even though the token is expired.

When you use the ASP.NET Core authentication middleware for authenticating the user using JWT it will return a 401 response to an expired token.

We need to create a controller action that allows anonymous users and that takes the JWT and refresh tokens.

In that controller action we need to manually validate the expired access token (there’s an option to ignore the token lifetime) and extract all the information about the user contained in it.

We can then use the user information to retrieve the stored refresh token. We can then compare the stored refresh token with the one that was sent in the request.

If all is good we create new JWT and refresh tokens, save the new refresh token, discard the old and send the new JWT and refresh tokens to the client.

Here’s how you can retrieve the user information in the form of a ClaimsPrincipal from the expired JWT token:

private ClaimsPrincipal GetPrincipalFromExpiredToken(string token)
{
    var tokenValidationParameters = new TokenValidationParameters
    {
        ValidateAudience = false, //you might want to validate the audience and issuer depending on your use case
        ValidateIssuer = false,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("the server key used to sign the JWT token is here, use more than 16 chars")),
        ValidateLifetime = false //here we are saying that we don't care about the token's expiration date
    };

    var tokenHandler = new JwtSecurityTokenHandler();
    SecurityToken securityToken;
    var principal = tokenHandler.ValidateToken(token, tokenValidationParameters, out securityToken);
    var jwtSecurityToken = securityToken as JwtSecurityToken;
    if (jwtSecurityToken == null || !jwtSecurityToken.Header.Alg.Equals(SecurityAlgorithms.HmacSha256, StringComparison.InvariantCultureIgnoreCase))
        throw new SecurityTokenException("Invalid token");

    return principal;
}

The noteworthy parts in the above snippet are that we are using ValidateLifeTime = false in the TokenValidationParameters so that the expired token is considered valid. Also, we are checking that the algorithm used to sign the token is the one we expect (HmacSha256 in this example).

The reason for this is that in theory someone could create a JWT token and set the signing algorithm to “none”. The JWT token would be valid (even if unsigned). This way using a valid refresh token it would be possible to exchange a fake token for a real JWT token.

Now we just need the controller action (it should be a POST since it has side effects and also the tokens are too long for query string parameters):

[HttpPost]
public IActionResult Refresh(string token, string refreshToken)
{                   
    var principal = GetPrincipalFromExpiredToken(token);
    var username = principal.Identity.Name;
    var savedRefreshToken = GetRefreshToken(username); //retrieve the refresh token from a data store
    if (savedRefreshToken != refreshToken)
        throw new SecurityTokenException("Invalid refresh token");

    var newJwtToken = GenerateToken(principal.Claims);
    var newRefreshToken = GenerateRefreshToken();
    DeleteRefreshToken(username, refreshToken);
    SaveRefreshToken(username, newRefreshToken);

    return new ObjectResult(new {
        token = newJwtToken,
        refreshToken = newRefreshToken
    });
}

There are a few assumptions in the snippet above. There’s the retrieving, saving and deleting that I’ve omitted, and also there’s the assumption that there’s only one refresh token per user which is the simplest scenario.

Use the ASP.NET Core authentication middleware to authenticate a user using a JWT token

We need to configure ASP.NET Core’s middleware pipeline so that if a request comes in with a valid Authorization: Bearer JWT_TOKEN header the user is “signed in”.

If you want a more in-depth discussion about how to setup JWT in particular in ASP.NET Core have a look at Secure a Web Api in ASP.NET Core.

After version 2.0 of ASP.NET Core we add a single authentication middleware to the pipeline and we configure it in Startup.csConfigureServices:

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    //...

    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = "bearer";
        options.DefaultChallengeScheme = "bearer";
    }).AddJwtBearer("bearer", options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = false,
            ValidateIssuer = false,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("the server key used to sign the JWT token is here, use more than 16 chars")),
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero //the default for this setting is 5 minutes
        };
        options.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = context =>
            {
                if (context.Exception.GetType() == typeof(SecurityTokenExpiredException))
                {
                    context.Response.Headers.Add("Token-Expired", "true");
                }
                return Task.CompletedTask;
            }
        };
    });
}

Of note in the snippet above is the handling of the OnAuthenticationFailed event. It will add a Token-Expired header to the response when a request comes in with an expired token. The client can use this information to decide to use the refresh token. However, we can just have the client try to use the refresh token when it gets a 401 response. We’ll rely on the Token-Expired header being in the response for the rest of this blog post.

Now we just need to add the Authentication middleware to the pipeline:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseAuthentication();
    //...

The client

The goal here is to build an api client that can realize when a token has expired and take the appropriate actions to get a new token, and do all of this transparently.

When a request fails because of an expired access token, a new request should be sent to a refresh endpoint with the access and refresh tokens. After that request completes and the client gets the new tokens, the original request should be repeated.

The implementation for this will depend on which type of client you are using. Here we will describe a possible JavaScript client. We’ll be relying on the response to a request with an expired token having a header named "Token-Expired". We’ll be using fetch to perform requests to the web api.

async function fetchWithCredentials(url, options) {
    var jwtToken = getJwtToken();
    options = options || {};
    options.headers = options.headers || {};
    options.headers['Authorization'] = 'Bearer ' + jwtToken;
    var response = await fetch(url, options);
    if (response.ok) { //all is good, return the response
        return response;
    }

    if (response.status === 401 && response.headers.has('Token-Expired')) {
        var refreshToken = getRefreshToken();

        var refreshResponse = await refresh(jwtToken, refreshToken);
        if (!refreshResponse.ok) {
            return response; //failed to refresh so return original 401 response
        }
        var jsonRefreshResponse = await refreshResponse.json(); //read the json with the new tokens

        saveJwtToken(jsonRefreshResponse.token);
        saveRefreshToken(jsonRefreshResponse.refreshToken);
        return await fetchWithCredentials(url, options); //repeat the original request
    } else { //status is not 401 and/or there's no Token-Expired header
        return response; //return the original 401 response
    }
}

In the snippet above there’s getJwtToken, getRefreshToken, saveJwtToken and saveRefreshToken. In a browser these would use the browser’s localStorage to save and retrieve the tokens, for example:

function getJwtToken() {
    return localStorage.getItem('token');
}

function getRefreshToken() {
    return localStorage.getItem('refreshToken');
}

function saveJwtToken(token) {
    localStorage.setItem('token', token);
}

function saveRefreshToken(refreshToken) {
    localStorage.setItem('refreshToken', refreshToken);
}

There also the refresh function. This function performs a POST request to the api endpoint for refreshing tokens, for example if that endpoint is at /token/refresh:

async function refresh(jwtToken, refreshToken) {
    return fetch('token/refresh', {
        method: 'POST',
        body: `token=${encodeURIComponent(jwtToken)}&refreshToken=${encodeURIComponent(getRefreshToken())}`,
        headers: {
            'Content-Type': 'application/x-www-form-urlencoded'
        }
    });
}

This is how using this client would look like if you were trying it out in the chrome developer tools console:

Console output showing the use of the fetchWithCredentials function

Output from the chrome developer tools network tab

One thing to note here is the 401 that shows up in red in the console. That happens when the request fails because of the expired token.

If seeing the “error” (error in quotes because it’s a valid status code and appropriate in this case) is something you’d like to avoid, you can access the token’s expiration date in JavaScript and refresh it before it expires.

A JWT token has 3 parts separated by a a “.”. The second part contains the user’s claims, and in there there’s a claim named exp which contains the unix time stamp of when the token expires. This is how you can get a JavaScript date object with the expiration date for a JWT token:

var claims = JSON.parse(atob(token.split('.')[1]));
var expirationDate = new Date(claims.exp*1000); //unix timestamp is in seconds, javascript in milliseconds

Checking the expiration date feels convoluted so I don’t recommend doing it (also dealing with timezones is probably a problem). I decided to mention this because it’s something that is interesting to know and that makes it very clear that what you put in a JWT token is not secret, it just can’t be tampered with without making the token invalid.

Hope you’ve found this post interesting. If so drop a line in the comments.

Angular and ASP.NET Core

by Leave a Comment

 

The Angular CLI provides a way to develop front-end applications using angular that hides a lot of details. For example there’s no requirement to understand how Webpack or SystemJS work.

In fact, if you don’t know a little bit about Webpack, which is what is used to build the latest version of Angular applications, the CLI almost looks like magic. You just need to do a ng new and ng serve --open and you have a working Angular application open in your web browser.

The fact that the CLI hides all the plumbing might lead to questions like: “How do I use Angular with ASP.NET Core?”.

Angular and ASP.NET Core logos

I hope that by the end of this blog post it will be clear to you how you can answer that question (and not only with ASP.NET Core, with whichever technology you want to use your Angular app with).

You see, an angular app is an app in and of itself, it does need to be “served” somehow by a web server.

When you compile an angular application you are producing a set of JavaScript, CSS and one index.html file. That’s it.

The default folder where those “artifacts” get copied to is yourApplicationFolder/dist. You can check it out by going to your Angular application and doing an ng build.

Go on, I’ll wait.

When you do ng serve --open you are actually using a stand-alone web server (webpack-dev-server) to serve that index.html file in the dist folder.

The rest of this blog post will describe several approaches that you can take for using Angular with ASP.NET Core. The first is to have ASP.NET Core serve the Angular files.

The second approach is to have Angular and ASP.NET Core as different applications. There’s an example of how to achieve this using Nginx where both Angular and ASP.NET Core are served using port 80 and in IIS where each application is served from its own port.

The final part of the post describes a setup that I consider ideal where you can use Angular’s ng serve during development.

This post is quite long but the sections are fairly independent. If your are only interested in the last section and you are using Windows I recommend also reading the section on how to configure Angular in IIS.

Using ASP.NET Core to serve the Angular application

It can be argued that serving an Angular application “within” ASP.NET Core is wasteful in terms of resources. In the end the Angular application is just a set of static files, there’s no need to have the request for those files go through the ASP.NET Core middleware pipeline.

There might be some good reasons for doing it though, also there’s no harm in knowing how to do it and since it seems to be a common approach, being familiar with it might be useful.

One important thing to know in order to understand how we can serve an ASP.NET Core and Angular application together is to understand how a request is processed in ASP.NET Core.

When you run an ASP.NET Core application your request goes through a “pipeline” of middlewares. Every time a request comes in it goes through the middlewares in the order they are defined, and then in reverse order.

Every middleware has an opportunity to change the request or response two times, once before the other middlewares have been executed, and then after the other middlewares have executed. This allows for a middleware at the top of the pipeline to handle for example, a 401 response set by a middleware further down in the pipeline.

An example of this are the authentication middlewares that change a 401 response to a 302 redirect to a login page.

You can find the definition of this pipeline on the Startup.cs file, in the Configure method. For example, here’s the pipeline that you get when you do a dotnet new mvc:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
    }

    app.UseStaticFiles();

    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
    });
}

Every time a request comes in to this ASP.NET Core application it can go through at most three middlewares. First the DeveloperExceptionPage/ExceptionHandler middleware depending if the ASP.NET Core application is running in development mode or not. Then the StaticFiles middleware and then finally the Mvc middleware.

The middleware that is key here is StaticFiles. This is the middleware that serves files contained in the wwwroot folder, i.e. if a request comes in for index.html and there’s an index.html file at wwwroot/index.html then that file is sent to the client. StaticFiles middleware won’t call the middlewares below it after this (in this case it would be Mvc).

You can probably already see how this could work with an Angular application. Just put it under wwwroot.

That’s absolutely correct, however there’s a detail about StaticFiles that is important to know. StaticFiles won’t try to do any guesses for you, i.e. if your request is for /, StaticFiles won’t look for /index.html. It will just assume that this request isn’t supposed to be handled by it and it will call the next middleware in the pipeline, in this case Mvc.

For this approach to work you need another middleware named DefaultFiles which must come before StaticFiles in the pipeline:

//...
app.UseDefaultFiles();
app.UseStaticFiles();
//...

DefaultFiles will cause cause StaticFiles to look for index.html if the url ends with /.

Now the only thing left to do is to configure your Angular CLI to compile to your ASP.NET Core application’s wwwroot folder.

If you look in your Angular’s application folder you’ll find a .angular-cli.json file. In that file look for the outDir property:

...
"apps": [
{
    ...
    "outDir": "dist",
...

Change it from “dist” to the path of your ASP.NET Core’s wwwroot folder. Run ng build in your Angular application and now if you run your ASP.NET Core web application you should see your Angular application in the browser.

A nice development workflow is to run the Angular CLI build in watch mode: In a console window do ng build --watch or ng build -w if you want to save a few key strokes, and leave it running. Now every time you make a change in your Angular application you can just refresh the browser and see the change (you also need to have your ASP.NET Core application running).

There is one thing missing from this approach, though. Deep-linking support, i.e. if your Angular application uses routing and you send a user a url with a valid Angular route (e.g http://yourapplication.com/products/5) the receiving user won’t be able to open it. Trying to get to that route will result in a 404 Not Found response.

That’s because the request will go all the way through your ASP.NET Core application’s pipeline and when it reaches the MVC middleware it won’t know what to do with it and will set the response’s status code to 404 Page Not Found.

What we can do is at the top of the pipeline we look for a 404 response that is about to be sent and change its path to our Angular application’s index.html file (that way what gets served is the Angular application which will know what to do with the url in terms of routing). After this we make the request go through the pipeline again:

//add this at the start of Configure
app.Use(async (HttpContext context, Func<Task> next) =>
{
    await next.Invoke();

    if (context.Response.StatusCode == 404)
    {
        context.Request.Path = new PathString("/index.html");
        await next.Invoke();
    }
});

That fixes deep links but introduces a new problem. What if your web api (that you’ve implemented in your ASP.NET Core application) needs to send a 404 response. That’s something more than reasonable to do. Instead of a 404, the service call will receive a 200 response with index.html.

The solution here is to look at the url and decide if it’s intended for the web api or an Angular route. Usually a call to the web api will have /api in the url. That’s a simple test to perform and it will solve this problem. Here’s the revised version of a custom middleware that solves this problem:

//add this at the start of Configure
app.Use(async (HttpContext context, Func<Task> next) =>
{
    await next.Invoke();

    if (context.Response.StatusCode == 404 && !context.Request.Path.Value.Contains("/api")))
    {
        context.Request.Path = new PathString("/index.html");
        await next.Invoke();
    }
});

One last note about this approach. I’ve seen examples where the Angular application is in the same Visual Studio solution as the ASP.NET application. Visual Studio (not VS Code) will try to compile the typescript files. If you are using ng build -w you’ll want Visual Studio to leave your Typescript files alone. To do that open your project’s .csproj and add in any PropertyGroup:

<TypescriptCompileBlocked>true</TypescriptCompileBlocked>

Nginx

Nginx is a web server that can act as a reverse proxy for ASP.NET Core applications and which is also very good at serving static content.

The setup for having an Angular application work with ASP.NET Core is much simpler in Nginx. You just need a configuration similar to this:

server {
    listen 80;        

    location / {
        root /pathToYourAngularApplication/dist;
        index index.html;
        try_files $uri $uri/ /index.html;
    }

    location /api/ {
        proxy_pass http://localhost:5000;
    }
}

This is how a typical Nginx configuration file looks like. If you are not familiar with Nginx and ASP.NET Core I recommend my blog post: HTTPS in ASP.NET Core from Scratch. It has a section with instructions on how to install and setup websites using Nginx.

This configuration allows us to have both the Angular and ASP.NET Core application on port 80. Let’s look at the important parts in it.

The listen 80 statement establishes that Nginx will respond to requests coming in on port 80.

The location blocks are where we are going to define how our two applications will be served (Angular and ASP.NET). Each time a request comes in, Nginx will look at the URL and try to find the location block that best matches it. In this case the location blocks urls act like a “prefix match”, i.e., the first block will match every URL (every url that starts with a /). The second location block matches URLs that start with /api/.

Nginx picks the most “specific” location block, so even though a request for /api/users would match both location blocks, since the second one (/api/) is more specific, it will be the one that would be used to handle the request.

In the first location block (/):

root /pathToYourAngularApplication/dist sets the path where static content will be looked for as the location where your compiled Angular application files are (dist is the CLI’s default output folder).

index index.html specifies which file should be served for URLs that end in /.

try_files $uri $uri/ /index.html can be read this way: check if there’s a file that matches the normalized URL (e.g. http://www.yourwebsite.com/assets/image.jpg -> /assets/image.jpg), if that file does not exist try the normalized URL plus a / (e.g. http://www.yourwebsite.com/documents -> /documents/ -> /documents/index.html because of the index rule). If all of that fails serve the file /index.html.

Serving /index.html if no match is found is what enables us to use deep linking. For example a URL such as http://www.yourwebsite.com/documents with no math in the file system will be served with the Angular application’s index.html. Index.html will load all the necessary files for the Angular application to run, specifically the routing module. The routing module will then look at the url, and according to the routes defined in the angular app will decide which component to load.

Finally, the last location block. It instructs Nginx to forward the requests that start with /api/ to a webserver that is listening on port 5000 on localhost. That will be your ASP.NET Core’s application.

One note about the Nginx’s syntax for proxy_pass. It matters a lot if the URL for the application has a / at the end or not. The url in proxy_pass is treated differently if it has what is described in Nginx’s documentation as a “optional URI” (optional URI isn’t a great name, since in the end a URL is a URI).

An example of a URL with an optional URI is: http://localhost:5000/optionalURI/. If the location’s path is /api/, then a request for http://yourwebsite.com/api/users will be forwarded to your ASP.NET Core’s application as http://localhost:5000/optionalURI/users.

That’s why not adding the / at the end in proxy_pass is so important, because if you do (e.g.: proxy_pass http://localhost:5000/;) it falls into the “optional URI” category (it will be interpreted as an empty optional URI), and a request for http://yourwebsite.com/api/users will be seen in your ASP.NET Core’s application as a request for http://localhost:5000/users.

If you don’t add the / at the end (e.g.: proxy_pass http://localhost:5000;) then a request for http://yourwebsite.com/api/users will be seen in the ASP.NET Core application as a request for http://localhost:5000/api/users which is probably what you want.

If you need a more complete example that explains how you can make this work outside a development-time scenario (i.e. have your ASP.NET Core application auto start and remain online even if there’s an exception) check out HTTPS in ASP.NET Core from Scratch where there’s an example describing how you can use Supervisor to keep the ASP.NET application running even in the event of errors (by auto restarting it).

IIS

With IIS it becomes very cumbersome to have a configuration similar to what we can do with Nginx where both the Angular and ASP.NET Core applications are served on port 80.

To understand why it makes it easier if we understand the IIS concepts of Website and Application. When you create a website you define (among other settings) the port (e.g. 80) where it will be served from. A website can then have several applications “inside” it, all of which will share the website configuration (and therefore be served on the same port).

We could for example put our Angular application inside the “Default Web Site” and the ASP.NET Core one as an IIS Application under it, and call it for example “api”.

If the “Default Web Site” responds at http://localhost, then the ASP.NET Core application could be at http://localhost/api. Which seems to be exactly what we want. However, the requests for http://localhost/api would be seen in ASP.NET Core without the api in the url.

As far as I know there’s no way to change this behavior.

This means your ASP.NET Core application will behave differently when running inside IIS vs when executed directly (either in Visual Studio or with dotnet run).

To make matters worse an ASP.NET Core application needs to be published (dotnet publish) for it to work in IIS. It’s not like a non-Core ASP.NET application where you can just point an IIS Application to the folder that contains the ASP.NET application’s files .

So when using IIS the reasonable options are to either have ASP.NET Core serve the angular application as it was described in the first section of this article or have two separate Websites.

Lets walk-though the process of creating two separate websites. First a website for the Angular project and then for ASP.NET Core.

Angular in IIS

We’ll be adding a Website named MyNgWebSite on port 80. That means that if you have a “Default Web Site”, which in all likelihood you’ll have, you need to stop it or change its bindings since the default for it is port 80.

But before we get there we need to create an application pool for our Angular application. Right click on Application Pools in IIS Manager:

Right click on application pools

The Application Pool for an Angular application does not require Managed Code (we only need to serve static files). We should choose “No Managed Code” in the .NET CLR Version:

No Managed Code application pool

We can now add a new IIS web site and set the new application pool we created as its application pool:

Add new web site

Configure website

The physical path should be set to where your Angular project is being compiled to, usually this is the dist folder.

If you were to try to access http://localhost right now (and assuming that you stopped the “Default Web Site” or used a different port than 80) you would get a permissions error. That’s because when you create an application pool a “virtual” user is created. That user is a local user and must have permissions to access the folder that contains the files you are trying to serve.

That user’s name is IIS AppPool\ApplicationPoolName, in this example it’s IIS AppPool\ApplicationPoolForAngular.

Go to the folder that contains the compiled Angular project, right click on it and select properties, go to the security tab, click edit, then add and finally add the application pool user:

Configure permissions for the folder

We should now be able to access your Angular application if you go to http://localhost.

We still need to do one more thing though. Enable deep-linking support.

If you have routes in your Angular application these won’t work if someone tries to access them from “outside” the Angular app. What this means is that if navigating to http://localhost/documents is valid inside the Angular application and you send that url to someone else, when that someone else clicks the link they will be greeted with a 404 page from IIS.

That’s because there is no documents folder nor index file inside it for IIS to serve. We need to tell IIS that it must serve the file index.html when someone tries to access a URL that does not exists.

We are going to use the same mechanism used for having a custom 404 page, but instead of a 404 page we’ll serve the Angular application.

To achieve this we need to create a web.config file and put it in the src folder of the Angular application with this inside:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpErrors errorMode="Custom" existingResponse="Replace">
            <remove statusCode="404"/>
            <error statusCode="404" responseMode="ExecuteURL" path="/index.html"/>
        </httpErrors>
    </system.webServer>
</configuration>

A very quick explanation of what’s going on. We are using httpErrors with an errorMode="Custom" and existingResponse="Replace". This instructs IIS to replace the default error pages with the one we are about to specify.

remove statusCode="404" will remove any custom settings for 404 pages if they already exist.

error statusCode="404" responseMode="ExecuteURL" path="/index.html" will configure IIS to execute the /index.html url if there’s a 404 error. This will effectively serve your Angular application and won’t change the URL seen by the client.

Now we need to edit the .angular-cli.json file so that web.config gets copied to the output folder as an asset when the application is compiled. The assets section is under “app”, here’s an example:

{
"$schema": "./node_modules/@angular/cli/lib/config/schema.json",
"project": {
    "name": "your-app"
},
"apps": [
    {
    "root": "src",
    "outDir": "dist",
    "assets": [
        "assets",
        "favicon.ico", 
        "web.config"
    ],
    "index": "index.html",
...

ASP.NET Core in IIS

The process for the configuring an ASP.NET Core application in IIS is similar, although we need to select a different port.

But before you start you need to make sure you have the ASP.NET Core Module for IIS installed. It might already be installed if you installed the .Net Core SDK, however the best way to make sure is to go to IIS Manager and see if it’s in the modules’ list:

Module list with AspNetCoreModule

If you don’t have it you can find more information about it here and a direct link to download it here.

This module takes care of starting and keeping an ASP.NET Core application running.

Before we create the website in IIS we need the published version of the ASP.NET Core application. You can do that in the command line with dotnet publish or, in full Visual Studio, right click on the project and select Publish, then click publish to folder.

Create a new Website and point it to the ASP.NET Core project published folder, give it a different port number (for example 8080) and create an Application Pool for it.

An application pool for an ASP.NET Core application is also unmanaged (No Managed Code). Although this might seem odd, it’s because IIS is actually just acting as a reverse proxy.

Before we’re able to run the ASP.NET Project using IIS we need to changed the published folder’s permissions so that the Application Pool user can access it. If you don’t you’ll get this moderately unhelpful error message:

HTTP Error 500.19 – Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.

IIS permissions error

If you look at the Config Error section you’ll see “Cannot read configuration file due to insufficient permissions”, which pretty much says it all.

Go to the published folder and add the application pool user to the list of users with permissions over that folder.

Your ASP.NET Core application should now be available on the port you’ve selected when you created the website in IIS. However, if you try to call it from the Angular application you’ll get this error “Failed to load … No ‘Access-Control-Allow-Origin’ header is present on the requested resource…”. Here’s an example of how that would look like in the developer tools console tab:

Failed CORS request

That’s because even though both our our Angular and ASP.NET Core applications are on the same domain, they are in different ports, and that’s enough to qualify the request as a Cross Origin Resource Sharing (CORS) request in all browsers except IE.

We need to enable CORS on the ASP.NET Core application. To do that we need to add the package Microsoft.AspNetCore.Cors and in ConfigureServices(IServiceCollection services... method in Startup.cs add services.AddCors():

public void ConfigureServices(IServiceCollection services)
{
    //...
    services.AddCors();
    //...
}

And in the Configure method we need to create a “policy” that says that we are expecting requests from http://localhost. We should do that before the MVC middleware:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    //...
    app.UseCors(builder => builder.WithOrigins("http://localhost"));
    app.UseMvc();
}

You should be good to go. Your Angular and ASP.NET Core should both be working now.

Platform Agnostic Development Setup

Both Angular and ASP.NET Core applications provide ways to detect if they are running in development or production mode. That can be leveraged to create a setup that works both in Linux, Windows or Mac.

The easiest way to run an Angular application is to use run ng serve. That spins up a webpack development server that serves the Angular application on port 4200 by default.

This also has the advantage of having hot module replacing, which means you can see your changes to the Angular application as soon as you make then without even having to refresh the browser.

So ideally we want to run the Angular application this way.

For the ASP.NET Core application we want to run it without having to publish it which you would have to if it is being served by IIS.

This is the ideal development scenario, ng serve for Angular and dotnet run or running the ASP.NET Core from Visual Studio without having to publish it.

In this ideal scenario when developing we could have the Angular application running on port 4200 (through ng serve) and the ASP.NET Core application running on port 5000. When in production the Angular application would typically be served from port 80 and the ASP.NET Core application for port 8080 for example (or from a different server on port 80).

On the ASP.NET Core side of things we’d have to configure CORS to accept requests from port 4200 when in development and from port 80 when in production. In Startup.cs that would look like this:

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors();
    //...        
}

// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    //...
    if (env.IsDevelopment())
    {
        //...
        app.UseCors(builder => builder.WithOrigins("http://localhost:4200"));
    }else 
    {
        app.UseCors(builder => builder.WithOrigins("http://localhost"));
    }

    app.UseMvc();
}

That takes care of the ASP.NET Core application.

For Angular we need to leverage the environemnt.ts and environemnt.prod.ts files. You can find then under a folder name environemnts under the src folder on an Angular project.

What you put on environment.ts will be available when you run in development mode (the default) and the values in environment.prod.ts will be used when in production. To compile the Angular project with the environment set to production use the --env=prod flag (e.g. ng build --env=prod).

Here’s a simple example of how the environment files could be configured to support our hypothetical scenario, environment.ts:

export const environment = {
    production: false,
    apiBaseUrl: "http://localhost:4200/"
};

environment.prod.ts:

export const environment = {
    production: true,
    apiBaseUrl: "http://localhost/"
};

In your Angular services, to get to the environment values you just need to import the environment (always environment and not environment.prod):

import { Injectable } from '@angular/core';
import { HttpClient } from '@angular/common/http';
import { environment } from '../environments/environment';

@Injectable()
export class MyServiceService {

    constructor(private httpClient: HttpClient) { }

    getStuff(){
        return this.httpClient.get(`${environment.apiBaseUrl}/api/suff`);
    }  
}

This approach would work even if you host on Nginx or IIS so probably the best option if you need/want to support having developers using different platforms of if you just want to compare performance between them.

Secure a Web Api in ASP.NET Core

by Leave a Comment

There are a few resources that you can find that teach how to secure an ASP.NET Core web application. I’ve written a few, for example ASP.NET Core Identity From Scratch, External Login Providers in ASP.NET Core and Facebook Authentiation with ASP.NET Core.

For web apis using ASP.NET Core it’s a little bit harder to find information. That’s what this blog post is about.

Image of secure data

In this blog post I’ll explain how you can use Json Web Tokens (JWT) to secure a Web Api in ASP.NET Core. There’s a demo project in github that you can use to follow along.

The most common way to keep track of a signed in user in a web application is to use cookies.

The normal flow is: the user clicks login, goes to a login page and after entering valid credentials the response that is sent to the user’s browser contains a Set-Cookie header that contains encrypted information.

Every time a cookie is set for a domain, e.g. blinkingcaret.com, on every subsequent request for that domain the browser will include the cookie automatically.

On the server that cookie is decrypted and its contents are used to create the user’s identity.

This process works very well if the client is a browser, it’s a different story when we the client is a mobile app.

JWT

What we can use instead of a cookie is a token. A token also represents the user, but when we use it we don’t rely on the browser’s built-in mechanism to deal with cookies.

We have to explicitly ask for a token, store it ourselves somewhere, and then manually send it with every request. There are some ways to make this as painless as possible and I’ll discuss some of them later in this the post.

The token format I’ll be talking about here is JWT. JWT stands for Json Web Token.

A JWT token has the following format: base64-encoded-header.base64-encoded-payload.signature.

An example of a header is
{
“alg”: “HS265”,
“typ”: “JWT”
}

The payload contains a list of claims, for example:

{
    "name": "Rui",
    "admin": true
}

Finally the signature is created by taking: “base64(header).base64(payload)” and cryptographically signing it using the algorithm specified in the header. For example HMAC-SHA256. The signing part involves using a secret that is only known at the server.

Here’s how a real JWT looks like:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIjoicnVpIiwic3ViIjoidGVzdCIsIm5iZiI6MTUwMzYxNDU4NSwiZXhwIjoxNTA2MDMzNzg1LCJpc3MiOiJibGlua2luZ2NhcmV0IHN0cyIsImF1ZCI6ImJsaW5raW5nY2FyZXQgYXBwIn0.F7PFoYcQXez3zV98BFKLpyON6d_1p-6IAeihZRSv0VM

It is important to be aware that the information contained in the JWT is not encrypted. To get the payload you just need to base64-decode it. You can even do that from your developer tools console (for example in chrome). Use the atob method and pass the payload as an argument. You’ll see that you’ll get JSON back.

The signature guarantees that if someone tries to replace the payload, the token becomes invalid. For someone to be successful in replacing the payload and producing a valid token they would need to know the secret used in the signature, and that secret never goes to the client.

This is something to have in mind when you decide what to put in the payload.

Using JWT in ASP.NET Core

To use JWT in ASP.NET Core we need to know how to manually create JWT tokens, how to validate them and how to create an endpoint so that the client app can request them.

How to create a JWT token

First you need to install the package System.IdentityModel.Tokens.Jwt:

$ dotnet add package System.IdentityModel.Tokens.Jwt

Now we need to create a secret key. We are going to use a symmetric key, here’s how we can do that:

var secretKey = new SymmetricSecurityKey(Endoding.UTF8.GetBytes("a secret that needs to be at least 16 characters long"));

Our token will contain a set of claims. So lets create them:

var claims = new Claim[] {
    new Claim(ClaimTypes.Name, "John"),
    new Claim(JwtRegisteredClaimNames.Email, "[email protected]")
}

I’ve used both ClaimTypes (from System.Security.Claims) and JwtRegisteredClaimNames (from System.IdentityModel.Tokens.Jwt) to highlight that JwtRegisteredClaimNames contains the claims that are listed in the JWT RFC. You should use those as much as possible if you are planning to use the produced tokens with different frameworks for compatibility reasons. However, there are some claim types that enable certain functionalities in ASP.NET. For example ClaimTypes.Name is the default claim type for the user’s name (User.Identity.Name). Another example is ClaimTypes.Role that will be checked if you use the Roles property in an Authorize attribute (e.g. [Authorize(Roles="Administrator")]).

After creating the list of claims we want to encode in the token we can create the token itself, here’s how we can do it:

var token = new JwtSecurityToken(
    issuer: "your app",
    audience: "the client of your app",
    claims: claims,
    notBefore: DateTime.Now,
    expires: DateTime.Now.AddDays(28),
    signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256)
);

There are a few concepts here that I didn’t mention before, namely the issuer, audience and expiration dates.

The issuer represents the entity that generates the tokens, in this case it will be the ASP.NET Core web application. The audience is who the tokens are intended to, i.e. the client application. This issuer and the audience are important if your are relying on a third party to create the tokens (not the case here). You can validate both the issuer and the audience when you validate the token.

The notBefore and expires define after what point in time the token can be used and until when it is valid, respectively.

Finally in the signingCredentials you specify which security key and what algorithm to use to create the signature. In the example we used HMAC-SHA256.

If you don’t care about the issuer and audience (which are optional in the JWT specification), you can use the simpler constructor overload of JwtSecurityToken that expects a JwtSecurityHeader and JwtSecurityPayload. You’ll have to manually add the expires and notBefore claims yourself to the payload, for example:

var claims = new Claim[] {
    new Claim(ClaimTypes.Name, "John"),
    new Claims(JwtRegisteredClaimNames.Email, "[email protected]"),
    new Claim(JwtRegisteredClaimNames.Exp, $"{new DateTimeOffset(DateTime.Now.AddDays(1)).ToUnixTimeSeconds()}"),
    new Claim(JwtRegisteredClaimNames.Nbf, $"{new DateTimeOffset(DateTime.Now).ToUnixTimeSeconds()}")        
}

var token = new JwtSecurityToken(new JwtHeader(new SigningCredentials(key, SecurityAlgorithms.HmacSha256)), new JwtPayload(claims));

Note that the Exp (expires) and Nbf (notBefore) claims’ value is a string with Unix time. The easiest way to convert a DateTime to that format is using DateTimeOffset.

After creating an instance of JwtSecurityToken, the way to actually generate the token is to call the WriteToken method of an instance of JwtSecurityTokenHandler and pass the JwtSecurityToken as a parameter:

string jwtToken = new JwtSecurityTokenHandler().WriteToken(token);

Creating an endpoint to get the token

Now that we know how to create our JWT tokens we need a way to enable the client to get them. The easiest way to do that is to create a web api controller action that expects a post request, for example, this would work:

public class TokenController : Controller
{
    [Route("/token")]
    [HttpPost]        
    public IActionResult Create(string username, string password)
    {
        if (IsValidUserAndPasswordCombination(username, password))
            return new ObjectResult(GenerateToken(username));
        return BadRequest();
    }
//...

Where in IsValidUserAndPasswordCombination you can use, for example ASP.NET Identity to validate the user’s credentials (if you need a resource for how to setup ASP.NET Identity check ASP.NET Identity Core From Scratch).

GenerateToken is the process we just described in the previous section.

Validating the token and “signing in” the user

Now that we have a way to issue tokens we need a way to validate them. We’ll be using ASP.NET Core’s authentication middleware and configure it to accept JWT tokens.

Add the Microsoft.AspNetCore.Authentication.JwtBearer NuGet package to your project.

$ dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer

Next open Startup.cs and update the ConfigureServices method:

public void ConfigureServices(IServiceCollection services)
{
    //...
    services.AddAuthentication(options => {
        options.DefaultAuthenticateScheme = "JwtBearer";
        options.DefaultChallengeScheme = "JwtBearer";            
    })
    .AddJwtBearer("JwtBearer", jwtBearerOptions =>
    {                        
        jwtBearerOptions.TokenValidationParameters = new TokenValidationParameters
        {                            
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("your secret goes here")),

            ValidateIssuer = true,
            ValidIssuer = "The name of the issuer",

            ValidateAudience = true,
            ValidAudience = "The name of the audience",

            ValidateLifetime = true, //validate the expiration and not before values in the token

            ClockSkew = TimeSpan.FromMinutes(5) //5 minute tolerance for the expiration date
        };
    });
}

If you are not familiar with ASP.NET Core’s authentication middleware I recommend reading External Login Providers in ASP.NET Core. Even though it’s about enabling signing in through Google, Facebook, etc it provides a detailed explanation of how authentication middleware works.

Also, be aware that this is the new ASP.NET Core 2.0 syntax where authentication is fully configured via the ConfigureServices method, however the concepts are the same.

More importantly in this example is the TokenValidationParameters class. It’s the class you have to instantiate to configure how the token should be validated.

In Startup.cs you need to update the Configure method and add the authentication middleware:

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        //...
        app.UseAuthentication(); //needs to be up in the pipeline, before MVC
        //...
        app.UseMvc(ConfigureRoutes);
    //..

Client

The web api client can be a desktop app, mobile or even a browser. The example I’ll be describing is that of a web application that signs in, saves the token and then uses it to perform authenticated requests. You can find a working example here.

First, to sign in you need to send a POST request to “/token” (or wherever you’ve setup the web api endpoint to generate the token) with a username and password. You can easily do that with jQuery:

$.post("/token", $.param({username: "the username", password: "the password"})).done(function(token){
    //save the token in local storage
    localStorage.setItem("token", token);
    //...
}).fail(handleError);

If all goes well with the POST you get the JWT back and you can save it somewhere, usually in local storage in the case of a web application. On mobile it depends on the platform you are using but they all have facilities that allow you to save the token (e.g. Android’s SharedPreferences).

For the authentication middleware in the previous section to accept a JWT token and transform it in a User that you can then access in your controller action the request must have an Authorization header. The value of the header should be “Bearer ” followed by the JWT token, for example:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1l...

Although you can “manually” add the Authorization header to every request, there’s usually ways to do that automatically. For example in jQuery there’s an event that you can use that runs before every request where you can check if you have a saved token, and if that’s the case, add the Authorization header to the request:

$.ajaxSetup({
    beforeSend: function(xhr) {
        if (localStorage.getItem("token") !== null) {
            xhr.setRequestHeader('Authorization', 'Bearer ' + localStorage.getItem("token"));                      
        }
    }
});

There are similar mechanisms if you are using other frameworks, for example Angular has HttpInterceptors.

Finally, to logout you just need to remove the token from local storage:

localStorage.removeItem("token")

One thing to be aware of is that if the client performs an action that requires the user to be authenticated and there’s no (valid) Authorization header in the request, the server will respond to that request with a response with status code 401. The response will also have a WWW-Authenticate:Bearer header. If you receive a response like this you can notify the user that authentication is required.