Welcome to today’s blog.
In today’s blog I will show how to configure a custom OAuth authorization custom identity Web API service within Azure to authenticate access to custom Web APIs using JWT (JSON Web Tokens).
In previous blog posts I have covered various topics on OAuth, JWT, Web APIs and Azure and how they are interrelated. During this post I will provide links to these so that you can gain a greater perspective on those areas.
The authentication of a Web API is important when we use a web client application such as an Angular SPA based application. The client application can either be hosted on premises or as an Azure cloud PaaS Application Service. In one of my recent previous post I showed how to deploy an Angular application to Azure App Services.
The diagram below depicts the connection between an Angular App hosted in Azure, that connects to an Azure App Service Web API identity service that uses the JWT token to login to an Azure App Service hosted Angular App, then use the same token to authenticate access to an Azure App Service Web API:
I will go through the tasks to achieve authentication between APIs hosted within Azure App Services. These are:
- Deploying an Identity Service Web API to Azure.
- Configuring your Identity service Web API to access SQL data.
- Registering users using the Azure Identity service Web API.
- Testing user access to custom Azure Web API methods using Swagger UI.
We will start with Task 1.
In this task we deploy an Identity Service Web API written in ASP .NET Core.
I will not go into the details on how to implement an identity service that uses OAuth and JWT.
Ensure your Web API runs locally and the methods you wish to test are visible within Swagger UI:
The steps are similar when we are deploying a Web API application to Azure. See my blog on how to deploy Web API applications to Azure.
I will show the most significant steps and screens in the walkthrough:
Create a Web App Service. Below is an example Azure App Service that will host our Web API:
Once the Web API has been created within Azure, we are ready to publish our local on-premises Web API to Azure.
To publish to an Azure App Service from Visual Studio, run the project Publish.. option.
Select the New Profile… link.
In Pick a publish target, choose Select Existing and Create Profile.
In the App Service selection screen, choose the Resource Group, then the existing Web App Service API that you wish to deploy to.
Back in the publish screen, select Configure.
In the Connection configuration screen select Validate Connection.
In the Settings configuration screen expand Databases, then select Use this connection at runtime.
Enter the database connection string you have copied from the Azure database properties within the Azure Portal.
Next, publish the application. After a few minutes, the application will have deployed to Azure and will automatically run in the default browser as shown:
Next, in your Azure SQL database, check that the ASP.NET Core identity API tables are defined in the schema:
We next test the secure API against our JWT tokens that we will generated from our identity API service.
First, we will need to create a user that we wish to test our authentication to the Web API.
The API for registering our user is:
Open the Web API for our identity service.
The Swagger definition will open:
Enter a new user username and password. Execute the API.
Next, add a new role for the new user using the identity API method:
When the API has been executed, open a connection to the Azure SQL database using SSMS and run the following queries to confirm the new user and role data have been created:
SELECT * FROM [dbo].[AspNetUsers]
SELECT * FROM [dbo].[AspNetUserRoles]
I will next show how to test API security using JWT tokens. One of my previous blog posts that shows how to secure Web API applications using JWT tokens will be helpful.
We next use the identity API method to generate a JWT token from our user credentials:
When the user is authenticated using our token method, the response body will contain the JSON Web Token (JWT):
Next, we copy the generated token.
Note: If you do not see a valid token generated in the response then you can check the log files within the Kudu services in the App Service for the cause.
An obvious problem might be not making the password strong enough:
Hosting environment: Production Content root path: D:\home\site\wwwroot Now listening on: http://localhost:28313 Application started. Press Ctrl+C to shut down. warn: Microsoft.AspNetCore.Identity.UserManager User xxxx-xxxx-xxxx-xxxx-xxxx password validation failed: PasswordRequiresNonAlphanumeric;PasswordRequiresUpper. warn: Microsoft.AspNetCore.Identity.UserManager User xxxx-xxxx-xxxx-xxxx-xxxx validation failed: PasswordRequiresNonAlphanumeric
Open the Book Catalog API (our custom Web API):
Select the method
from the Swagger definitions.
Notice the method has a padlock icon on the same line as the URL.
Click on the padlock icon.
An authorisation dialog will show.
In the dialog, paste in the token you generated from the identity service token call.
The token must be pasted in the format:
Once authorized, the Logout button will be visible:
Now click Execute to run the secured Web API method.
Confirm if the Response body shows valid data and the response code is 200:
Now try logging out of the authorization dialog.
Return to the API method and try re-running it as shown:
Without a valid JWT token, you will expect to see a 401 error.
As you can see, once we have implemented a protected Web API, the implementation of an Azure protected Web API using PaaS environment is quite straightforward. Once we introduce Azure AD and the Microsoft Identity Platform as a means of securing our applications, the authentication and deployment becomes a little more complex. That will be discussed in a future blog down the track.
In a future blog, I will combine our experience of identity services and JWT authorization to provision authentication for Angular apps hosted in Azure.
That is all for today’s post.
I hope you found this post useful and informative.