Indiko.Blocks.Security.Authentication.ASPNetCore 2.1.2

Indiko.Blocks.Security.Authentication.ASPNetCore

JWT Bearer authentication implementation for ASP.NET Core APIs with token generation and validation.

Overview

This package provides complete JWT (JSON Web Token) authentication for ASP.NET Core applications, including token generation, validation, and SignalR hub support.

Features

• JWT Bearer Authentication: Standard JWT token authentication
• Token Generation: Built-in token provider
• Token Validation: Automatic token validation middleware
• SignalR Support: Query string token support for SignalR hubs
• Configurable Validation: Control issuer, audience, lifetime validation
• Development Mode: Relaxed HTTPS requirements in development
• Comprehensive Logging: Detailed authentication event logging

Installation

dotnet add package Indiko.Blocks.Security.Authentication.ASPNetCore

Configuration

appsettings.json

{
  "AspNetCoreAuthenticationOptions": {
    "Enabled": true,
    "Secret": "your-256-bit-secret-key-minimum-32-characters",
    "Issuer": "https://api.example.com",
    "Audience": "api.example.com",
    "ValidateIssuer": true,
    "ValidateAudience": true,
    "ValidateLifetime": true,
    "ValidateIssuerSigningKey": true,
    "TokenExpirationMinutes": 60,
    "RefreshTokenExpirationDays": 7,
    "SignalRHubPath": "/hubs"
  }
}

Quick Start

// Authentication is auto-configured via block system
// Just ensure appsettings.json has the configuration above

Token Generation

Using ITokenProvider

[ApiController]
[Route("api/[controller]")]
public class AuthController : ControllerBase
{
    private readonly ITokenProvider _tokenProvider;
    private readonly IUserService _userService;

    public AuthController(ITokenProvider tokenProvider, IUserService userService)
    {
        _tokenProvider = tokenProvider;
        _userService = userService;
    }

    [HttpPost("login")]
    [AllowAnonymous]
    public async Task<IActionResult> Login([FromBody] LoginRequest request)
    {
        // Validate credentials
        var user = await _userService.ValidateCredentialsAsync(
            request.Username, 
            request.Password);

        if (user == null)
            return Unauthorized(new { message = "Invalid credentials" });

        // Create identity user
        var identityUser = new IdentityUser
        {
            UserId = user.Id.ToString(),
            Username = user.Username,
            Email = user.Email,
            Roles = new[] { "User", "Admin" }
        };

        // Generate tokens
        var tokenResponse = await _tokenProvider.GetToken(identityUser);

        return Ok(new
        {
            access_token = tokenResponse.AccessToken,
            token_type = "Bearer",
            expires_in = 3600,
            refresh_token = tokenResponse.RefreshToken
        });
    }
}

With Custom Claims

[HttpPost("login-with-claims")]
public async Task<IActionResult> LoginWithClaims([FromBody] LoginRequest request)
{
    var user = await _userService.ValidateCredentialsAsync(request.Username, request.Password);
    if (user == null) return Unauthorized();

    var identityUser = new IdentityUser
    {
        UserId = user.Id.ToString(),
        Username = user.Username,
        Email = user.Email,
        Roles = user.Roles.ToArray()
    };

    var customClaims = new Dictionary<string, string>
    {
        { "tenant_id", user.TenantId.ToString() },
        { "subscription_tier", user.SubscriptionTier },
        { "permissions", string.Join(",", user.Permissions) }
    };

    var tokenResponse = await _tokenProvider.GetToken(identityUser, customClaims);
    return Ok(tokenResponse);
}

Protected Endpoints

Require Authentication

[ApiController]
[Route("api/[controller]")]
[Authorize]  // Requires valid JWT token
public class UsersController : ControllerBase
{
    [HttpGet]
    public IActionResult GetUsers()
    {
        return Ok(users);
    }

    [HttpGet("me")]
    public IActionResult GetCurrentUser()
    {
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var username = User.FindFirst(ClaimTypes.Name)?.Value;
        var email = User.FindFirst(ClaimTypes.Email)?.Value;

        return Ok(new { userId, username, email });
    }
}

Role-Based Authorization

[Authorize(Roles = "Admin")]
[HttpDelete("{id}")]
public IActionResult DeleteUser(Guid id)
{
    // Only admins can delete
    return NoContent();
}

[Authorize(Roles = "Admin,Moderator")]
[HttpPut("{id}/ban")]
public IActionResult BanUser(Guid id)
{
    // Admins or Moderators can ban
    return NoContent();
}

Policy-Based Authorization

// In Startup.cs
services.AddAuthorization(options =>
{
    options.AddPolicy("RequireAdminRole", policy =>
        policy.RequireRole("Admin"));

    options.AddPolicy("RequirePremium", policy =>
        policy.RequireClaim("subscription_tier", "Premium", "Enterprise"));

    options.AddPolicy("MinimumAge", policy =>
        policy.Requirements.Add(new MinimumAgeRequirement(18)));
});

// In Controller
[Authorize(Policy = "RequirePremium")]
[HttpGet("premium-content")]
public IActionResult GetPremiumContent()
{
    return Ok(premiumContent);
}

SignalR Hub Authentication

The block automatically supports SignalR hub authentication via query strings:

// Client-side JavaScript
const connection = new signalR.HubConnectionBuilder()
    .withUrl("/hubs/chat", {
        accessTokenFactory: () => localStorage.getItem("access_token")
    })
    .build();

await connection.start();

Secured Hub

[Authorize]
public class ChatHub : Hub
{
    public override async Task OnConnectedAsync()
    {
        var username = Context.User?.Identity?.Name;
        Console.WriteLine($"{username} connected");
        await base.OnConnectedAsync();
    }

    public async Task SendMessage(string message)
    {
        var username = Context.User?.Identity?.Name;
        await Clients.All.SendAsync("ReceiveMessage", username, message);
    }
}

Token Validation

Tokens are automatically validated on every request to protected endpoints:

1. Signature: Verified using the secret key
2. Expiration: Checked if ValidateLifetime is true
3. Issuer: Validated if ValidateIssuer is true
4. Audience: Validated if ValidateAudience is true

Manual Validation

public class TokenValidator
{
    private readonly AspNetCoreAuthenticationOptions _options;

    public bool ValidateToken(string token, out ClaimsPrincipal principal)
    {
        var tokenHandler = new JwtSecurityTokenHandler();
        principal = null;

        try
        {
            var validationParameters = new TokenValidationParameters
            {
                ValidateIssuer = _options.ValidateIssuer,
                ValidateAudience = _options.ValidateAudience,
                ValidateLifetime = _options.ValidateLifetime,
                ValidIssuer = _options.Issuer,
                ValidAudience = _options.Audience,
                IssuerSigningKey = new SymmetricSecurityKey(
                    Encoding.UTF8.GetBytes(_options.Secret))
            };

            principal = tokenHandler.ValidateToken(token, validationParameters, out _);
            return true;
        }
        catch
        {
            return false;
        }
    }
}

Client Usage

JavaScript/TypeScript

// Login
const response = await fetch('/api/auth/login', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username: 'user', password: 'pass' })
});

const { access_token } = await response.json();
localStorage.setItem('access_token', access_token);

// Protected request
const data = await fetch('/api/users', {
    headers: {
        'Authorization': `Bearer ${localStorage.getItem('access_token')}`
    }
});

C# HttpClient

var client = new HttpClient();
client.DefaultRequestHeaders.Authorization = 
    new AuthenticationHeaderValue("Bearer", accessToken);

var response = await client.GetAsync("https://api.example.com/api/users");

Refresh Tokens

[HttpPost("refresh")]
public async Task<IActionResult> RefreshToken([FromBody] RefreshTokenRequest request)
{
    // Validate refresh token
    var storedToken = await _tokenRepository.GetByTokenAsync(request.RefreshToken);
    if (storedToken == null || storedToken.IsExpired)
        return Unauthorized(new { message = "Invalid refresh token" });

    // Get user
    var user = await _userService.GetByIdAsync(storedToken.UserId);

    var identityUser = new IdentityUser
    {
        UserId = user.Id.ToString(),
        Username = user.Username,
        Email = user.Email,
        Roles = user.Roles.ToArray()
    };

    // Generate new tokens
    var tokenResponse = await _tokenProvider.GetToken(identityUser);

    // Revoke old refresh token
    await _tokenRepository.RevokeAsync(request.RefreshToken);

    return Ok(tokenResponse);
}

Event Logging

The block logs detailed authentication events:

• OnMessageReceived: Token received from request
• OnTokenValidated: Token successfully validated
• OnAuthenticationFailed: Authentication failure
• OnChallenge: Authentication challenge issued
• OnForbidden: Access denied

Best Practices

1. Strong Secrets: Use 256-bit (32+ characters) secret keys
2. HTTPS: Always use HTTPS in production
3. Short Expiration: Keep access token expiration short (15-60 minutes)
4. Refresh Tokens: Implement refresh token flow
5. Secure Storage: Don't log or expose secret keys
6. Environment-Specific: Different secrets per environment

Target Framework

• .NET 10

Dependencies

• Indiko.Blocks.Security.Authentication.Abstractions
• Microsoft.AspNetCore.Authentication.JwtBearer
• System.IdentityModel.Tokens.Jwt

License

See LICENSE file in the repository root.

Related Packages

• Indiko.Blocks.Security.Authentication.Abstractions - Authentication abstractions
• Indiko.Blocks.Security.AuthenticationProvider.Blazor - Blazor authentication
• Indiko.Hosting.Web - Web API hosting