How do I add basic authentication on certain API calls in an ASP.NET Core website using Identity
I have an ASP.NET Core web application that is using Identity for authentication and authorization. This allows me to register users easily in the website and it all works as expected.
However, the website also publishes a number of API endpoints that I would like to make available using basic authentication, where that basic authentication uses the same database of users/password hashes that are stored against the main website, but controlled by a specific role within Identity.
So I'd assign that role to certain users and they could access the API through basic authentication. The reason for this is that the client that accesses these API's can only use basic authentication and nothing else.
How would I go about adding basic authentication to these specific endpoints, but leave the rest of the website as is?
Solution
We can implement this feature by adding custom BasicAuthenticationHandler.
Here are the detailed steps - BasicAuthenticationHandler.cs:
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;
using System.Security.Claims;
using System.Text;
using System.Text.Encodings.Web;
namespace _79547481
{
public class BasicAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
private readonly UserManager<IdentityUser> _userManager;
public BasicAuthenticationHandler(
IOptionsMonitor<AuthenticationSchemeOptions> options,
ILoggerFactory logger,
UrlEncoder encoder,
ISystemClock clock,
UserManager<IdentityUser> userManager)
: base(options, logger, encoder, clock)
{
_userManager = userManager;
}
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
if (!Request.Headers.TryGetValue("Authorization", out var authHeader))
return AuthenticateResult.NoResult();
if (!authHeader.ToString().StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
return AuthenticateResult.NoResult();
try
{
var encodedCredentials = authHeader.ToString()["Basic ".Length..].Trim();
var decodedBytes = Convert.FromBase64String(encodedCredentials);
var decodedCredentials = Encoding.UTF8.GetString(decodedBytes);
var separatorIndex = decodedCredentials.IndexOf(':');
if (separatorIndex < 0)
return AuthenticateResult.Fail("Invalid credentials format");
var username = decodedCredentials[..separatorIndex];
var password = decodedCredentials[(separatorIndex + 1)..];
var user = await _userManager.FindByNameAsync(username);
if (user == null || !await _userManager.CheckPasswordAsync(user, password))
return AuthenticateResult.Fail("Invalid username or password");
var roles = await _userManager.GetRolesAsync(user);
if (!roles.Contains("APIRole"))
return AuthenticateResult.Fail("Access denied");
var claims = new List<Claim>
{
new(ClaimTypes.NameIdentifier, user.Id),
new(ClaimTypes.Name, user.UserName),
new(ClaimTypes.Role, "APIRole")
};
var identity = new ClaimsIdentity(claims, Scheme.Name);
var principal = new ClaimsPrincipal(identity);
return AuthenticateResult.Success(new AuthenticationTicket(principal, Scheme.Name));
}
catch
{
return AuthenticateResult.Fail("Authentication error");
}
}
}
}
Program.cs:
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using _79547481.Data;
using _79547481;
using Microsoft.AspNetCore.Authentication;
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection") ?? throw new InvalidOperationException("Connection string 'DefaultConnection' not found.");
builder.Services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlServer(connectionString));
builder.Services.AddDatabaseDeveloperPageExceptionFilter();
builder.Services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true)
.AddRoles<IdentityRole>() //Add this line to fix the error message `Store does not implement IUserRoleStore<TUser>.`
.AddEntityFrameworkStores<ApplicationDbContext>();
// Add BasicAuthentication
builder.Services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = IdentityConstants.ApplicationScheme;
options.DefaultChallengeScheme = IdentityConstants.ApplicationScheme;
})
.AddCookie()
.AddScheme<AuthenticationSchemeOptions, BasicAuthenticationHandler>("BasicAuthentication", null);
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("ApiAccess", policy =>
policy.RequireAuthenticatedUser()
.RequireRole("APIRole"));
});
builder.Services.AddControllersWithViews();
var app = builder.Build();
// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
app.UseMigrationsEndPoint();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
app.MapRazorPages();
app.Run();
Test code in controller:
using System.Diagnostics;
using Microsoft.AspNetCore.Mvc;
using _79547481.Models;
using Microsoft.AspNetCore.Authorization;
namespace _79547481.Controllers;
[ApiController]
[Route("api/[controller]")]
public class DataController : ControllerBase
{
private readonly ILogger<DataController> _logger;
public DataController(ILogger<DataController> logger)
{
_logger = logger;
}
[HttpGet("secure")]
[Authorize(AuthenticationSchemes = "BasicAuthentication", Policy = "ApiAccess")]
public IActionResult GetSecureData()
{
return Ok(new { data = "Sensitive information" });
}
}
Test result:
- How to get Name of Authenticated user in ASP.NET Core application using Azure Active Directory
- With Microsoft.Extensions.DependencyInjection, can I resolve the type and construct an instance while providing extra constructor parameters?
- How to deserialize SignalR messages from Redis backplane
- use Systemd on ASP.NET Core 6.0 and 7.0 and 8.0
- dotnet publish doesn´t publish correct appsettings.{env.EnvironmentName}.json
- Best practice for return value for a Login method
- Configuration manager can't get connection string from app.config in ASP.NET Core
- ASP.NET Core 6.0 Minimal API / Swagger tags
- How to stop the localized Microsoft.CodeAnalysis.*.resources.dll files from getting published by ASP.NET Core?
- Where is the routing in the example of ASP.Net Core 6 WebApi?
- How do I configure Scalar to authenticate through Entra?
- Umbraco - BeginUmbracoForm posting to the wrong controller
- Request.IsAjaxRequest() alternative in MVC6
- How do I write logs from within Startup.cs?
- HTTP 400 on simple ASP.NET Core Razor page in VS 2022
- How to create a Unit Test project referencing a Web Class Library (Package)
- Images Not Appearing Asp.Net Core
- Returning a 404 from an explicitly typed ASP.NET Core API controller (not IActionResult)
- Returning custom errors via WebAPI - why does HttpResponseException return the wrong status code?
- Certain text characters missing after converting pdf to image
- How to define function that returns html in asp.net core
- Change an existing ASP.NET Core web app to target .NET Framework 4.x
- ASP.NET Core Web API Logging from a Static Class
- MSSQLLOCALDB databases aren't listed
- Why does Visual Studio tell me that the AddJsonFile() method is not defined?
- How to resolve "Deserialization of Untrusted Data" error reported by Checkmarx scan issue
- ASP.NET Core doesn't create XML comments file
- Strange behaviour between tag-helpers and Route attribute in ASP.NET Core MVC
- How to structure an ASP.NET Core dnx project with unit tests in Visual Studio Code
- The CreateAppHost task failed unexpectedly. MSB4018