Setting up ApiKey-based Authentication | ASP.NET Core 5 REST API Tutorial 24

Captions
Hello everybody, I'm Nick, and I'm going to show you how you can start using API key based authentication in your REST API, or any API for that matter, in .NET Core. Those of you who have been following the series for a while might have seen that we're using JWT based authentication to authenticate and authorize our users. API key is a bit different. In this scenario we'll be using a static key across the whole API, or maybe a key pair type of thing we want to authenticate. And I say "type of thing" because usually you'd use those keys to let other services integrate with your API. An example would be the GitHub API, where you might get a developer key for this API and then you give that key on every request so GitHub knows it's you, but that doesn't change; you don't need to enter a username or password, it's just a static API key. In the example I will show now I will use a single API key for everybody, but if you wanted to have one per service you're allowing to integrate with you, then you can simply do that; I'll explain how simple it is.

There are many ways to do that, and there are many locations for the key: it can go in the header, it can go in the query as a parameter, it can be in the authorization, in so many places. For my example I'll just create a new header, the ApiKey header, and I would get it from there, but you can put it wherever you want and nobody would be the wiser, well, with some exceptions, but you get the point. So we've seen before how we can use claims and policies to do something like that, and probably most examples you'll find online are using those, but I'm more about simplicity, you know; we can do this in a very, very, very simple approach.

So what I'm gonna do is I'm gonna go to the Filters folder we have and we're gonna create a class, and I'm gonna name this class ApiKeyAuthAttribute, and I'm gonna create that class, and I want this class to extend the Attribute class and also the IAsyncActionFilter interface, and we'll now be forced to implement the missing members. So what do we get here? Let me just explain to you what this is first. This will be an attribute, so we'll be able to do something like this to decorate our controller or a method in the controller to add the API key authentication. What does the IActionFilter do? Well, it adds this method, and if you add the attribute on the controller or the member, then automatically the call will go through this as if it was a middleware; it is a middleware, it's a filter. So if I delete this throw new and I turn this into an async, then I can do await next(), which is this ActionExecutionDelegate, and what this means is that this is now part of my... sorry, that's not after, that's before, and that is after. What this is, is that before it goes to our controller, as a middleware, the call will come here, and then I'll invoke next, then it goes to the controller, and then coming back it will go on the after section. In our case we don't care about the after section of the call, we only care about before, because we want to catch the API key. So in here goes all our logic to validate the request.

So what I'm gonna do is I'm gonna go into the appsettings, and I will create a new setting called ApiKey, and I'm gonna put my key here, so this is "my secret key", and I'm gonna leave it there. And now through the context, the ActionExecutingContext, I can actually get the incoming request. I've got just that: I'm gonna say HttpContext.Request and I want a header, the ApiKey header, and let me just put that into a constant here, so private const string ApiKeyHeaderName, just to clean it up a little bit. And with that here I can now do TryGetValue, and this will try to find this ApiKey header in the headers, so I have to say ApiKeyHeaderName here, and then I will get the value out if it exists, so apiKey, or maybe a better name is potentialApiKey, because it might not exist, and this try will only be true if this exists. So if the header doesn't exist we want to return Unauthorized, so I'm gonna say if this does not exist then context.Result equals new UnauthorizedResult, so return a 401, and then we return here, and we never invoke the next middleware, which is the controller in this case, because we don't want to go to the controller, because we say "hey, you don't have the API key, you require it".

So let's go back. At this point another thing I do is to get the actual API key, because now this has a value and I need to validate it somehow. So you can get any service through the HttpContext; we cannot use a constructor here, because we would be required to provide this service when we use the attribute and it would not work. This makes the testability of this a bit harder, but we will make a unit testing video and I will show you how you can unit test this in the future; it's not complicated at all. So I'm going to say var configuration, and I will get the configuration from the DI container, so HttpContext.RequestServices, these are the services we have in the container, and then GetRequiredService, and I'm gonna get the IConfiguration service. And what I'm going to do is say apiKey equals configuration.GetValue<string>, and that's the header name, which is also the name of the setting here; in fact I've just changed this, because this can change and they don't represent the same thing, you can have a nested configuration in there, so let's set it here. And now I have a key, so all I need to do to validate it is if the apiKey equals potentialApiKey... again, I want to say if it does not equal the potentialApiKey then I can return Unauthorized, else go to the next, which is the controller. And that is all we need to do to add the API key based authentication; it's literally just that. Now if you want to, you know, use a query string parameter, you can very much do the same thing, where you just get the request and you get the query string collection, and then you say apiKey from the query string and you validate that this way. It's very simple, very straightforward.

So now we have this, we don't actually even need to register anything, we can simply just use it. So I'm gonna go ahead and make just a test, throwaway controller, so I'm gonna call it SecretController, and again this is a controller that not a user would use but another service integrating with you, potentially a login service, a health check, which we're gonna see later, metric collection, many things that you might want to use this with. Another thing I want to do before I show you that is I want to restrict the attribute usage, so we can use the thing called the AttributeUsage attribute, which says that this attribute is valid on... and I want to use it on a class and also when I use it on a method. Now if this attribute is used on the class, every method in this controller, so every endpoint, will require this type of authentication/authorization; however, if I use it on a method, only that method, i.e. only that endpoint, will need it. For now I'm just gonna put it here as ApiKeyAuth, and this needs to be ControllerBase, yeah. So I'm gonna create an HttpGet, I'm gonna give it a name, just "secret", and I'm gonna say that this is a public IActionResult GetSecret... that's not how you spell secret, still not how you spell secret, yeah, perfect. And all I'm gonna do is I'm going to return Ok("I have no secrets"), and that's it. So now everything in this controller will require this type of authorization.

Let's go ahead and see this in practice. I'm going to use Postman for this, so here we go, let's make a new tab, and that is the URL of our API, so let me just run it quickly. So it's running, and if I just call this endpoint you will see that 401 Unauthorized. Now let's go on the headers and just add the ApiKey header, but give it a false value, because the real key is "my secret key" here, but if I just put some random stuff you can see that it's still 401. And I can just debug through that to show you what's happening: if I just click send, yep, you can see that we have the context, we have a request, and I can step through the code, and you'll see that configuration is getting my real key, which is "my secret key", it's comparing it to the potential key, which is that random nonsense, and it's returning Unauthorized. So let's actually send the real key and see what happens. I just paste it here and say send, and sure enough the real response is coming back, "I have no secrets", and it goes to the controller. Simple as that, that's the API key authorization/authentication; it's very straightforward.

That's all I had for you for today. Leave a like if you liked this video, subscribe for more content like this, and I'll see you in the next video. Keep coding.
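The filter and the throwaway controller described in the captions, written out as an added example; this is not the video's or the channel's own code. The namespace, the header name "ApiKey", the configuration key "ApiKey" and the appsettings.json fragment in the comments are my assumptions. Two things go beyond what the video does and are marked as such in the code: the configured key is checked for being missing or empty so the filter fails closed, and the comparison uses a constant-time equality check instead of string equality.

```csharp
// Added example (not the video's own code): an ApiKeyAuthAttribute action filter
// and a throwaway SecretController, following the approach in the captions.
// Assumptions: the namespace, the header name "ApiKey", the configuration key
// "ApiKey" and this appsettings.json fragment are mine.
//
// appsettings.json (constructed):
// {
//   "ApiKey": "my secret key"
// }

using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using ApiKeyDemo.Filters;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

namespace ApiKeyDemo.Filters
{
    // Valid on a controller class (every endpoint requires the key) or on a
    // single action method (only that endpoint requires it).
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
    public class ApiKeyAuthAttribute : Attribute, IAsyncActionFilter
    {
        private const string ApiKeyHeaderName = "ApiKey";
        private const string ApiKeyConfigName = "ApiKey";

        public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
        {
            // "Before" section: runs before the controller action is invoked.
            if (!context.HttpContext.Request.Headers.TryGetValue(ApiKeyHeaderName, out var potentialApiKey))
            {
                // No header at all: 401, and the controller is never invoked.
                context.Result = new UnauthorizedResult();
                return;
            }

            // Services are resolved from the request scope rather than a constructor,
            // because attributes are instantiated by the framework without DI.
            var configuration = context.HttpContext.RequestServices.GetRequiredService<IConfiguration>();
            var apiKey = configuration.GetValue<string>(ApiKeyConfigName);

            // Addition beyond the video: a missing or empty configured key fails closed
            // instead of matching an empty header value.
            if (string.IsNullOrEmpty(apiKey) || !KeysMatch(apiKey, potentialApiKey.ToString()))
            {
                context.Result = new UnauthorizedResult();
                return;
            }

            // Key accepted: continue to the controller (the "after" section would follow).
            await next();
        }

        // Addition beyond the video: compare in constant time so the check does not
        // leak how many leading bytes of the presented key were correct.
        private static bool KeysMatch(string expected, string presented)
        {
            var expectedBytes = Encoding.UTF8.GetBytes(expected);
            var presentedBytes = Encoding.UTF8.GetBytes(presented);
            return CryptographicOperations.FixedTimeEquals(expectedBytes, presentedBytes);
        }
    }
}

namespace ApiKeyDemo.Controllers
{
    // Applied at class level: every endpoint in this controller requires the key.
    [ApiKeyAuth]
    [ApiController]
    public class SecretController : ControllerBase
    {
        // GET /secret -> 401 without a valid ApiKey header, 200 "I have no secrets" with it.
        [HttpGet("secret")]
        public IActionResult GetSecret()
        {
            return Ok("I have no secrets");
        }
    }
}
```

Nothing needs registering in Startup; the attribute alone puts the filter in the pipeline for the decorated controller. A request with no ApiKey header or a wrong value is answered with 401 by the filter, and only a request carrying the configured value reaches GetSecret. The query-string variant the video mentions would read the value from context.HttpContext.Request.Query instead of the headers; a header is the better default, since query strings tend to end up in access logs and browser history. For a deployed service the key belongs in a secret store or environment configuration rather than an appsettings.json that is committed to source control.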
Info
Channel: Nick Chapsas
Views: 71,976
Keywords: Elfocrash, elfo, coding, asp.net, .netcore, dot net, core, C#, how to code, tutorial, asp.net core, javascript, js, 2.2, csharp, rest, rest api, development, lesson, software engineering, dev, microsoft, microsoft mvp, .net core, nick chapsas, chapsas, asp.net core 3, api key authentication, apikey auth, authorization, api key auth .net core, for beginners, .net 5, dotnet 5, dotnet, .net
Id: Zo3T_See7iI
Length: 10min 4sec (604 seconds)
Published: Mon Aug 26 2019