Token Based Authentication Using ASP.NET Web API in AngularJS

Introduction

 
In my previous article, we saw an overview of Token-based authentication using ASP.net web API and OWIN. In this post, I will explain how to use Token based authentication in AngularJS.
 
In this post, I will build sample Single Page Application (SPA) using AngularJS and this application will do the following:
  • Allow user to login using "Admin" and "Jignesh" user ID
  • Token keep alive 30 minutes
  • Authenticated user will access certain views.
Prerequisites
 
Before reading this article, you must have some basic knowledge about AngularJS and Token-based authentication using OWIN.
 
The following are the steps to create AngularJS Token Authentication using ASP.NET Web API 2 and OWIN
 
Step 1
 
Include 3rd party libraries
 
To get started, we required to include the following libraries:
 
AngularJS
 
We can download the latest AngularJS version using the NuGet package manager.
 
PM> Install-Package angularjs
 
Preceding command includes all available AngularJS libraries including minified version. So delete script files that are not required.
 
UI Bootstrap
 
We can download the latest Bootstrap version using the NuGet package manager.
 
PM> Install-Package bootstrap -Version 3.3.5
 
Step 2
 
Organize Project Structure
 
We can use any IDE to build the web application because this web app totally decouples with backend API and it develops using HTML, AngularJS, and CSS. Here I am using Visual Studio 2013. I have created a project using the empty project template.
 
In this project structure, I have created a folder named "Modules", this contains all AngularJS application files and resources files and the "Asset" folder contains the asset of this project i.e. AngularJS libraries file, CSS files, etc.
 
 
Step 3
 
Boot Strapping Angular Application
 
Boot Strapping Angular Application means creating angular applications and modules (modules are nothing but a collection of services, directives, filters which are used by the application). Each module has a configuration block and applied to the application during this process. To do this, I have added a file called "app.js" in the root folder. This file also contains the route and interceptor.
 
Interceptor is a regular service and it allows us to capture every XHR request and we can also manipulate it before sending it to a server endpoint (web API). It also captures all response and response errors.
  1. var serviceBase = 'http://localhost:49707/';  
  2.   
  3. var app = angular.module('AngularApp', ['ngRoute''LocalStorageModule']);  
  4.   
  5. app.config(function ($routeProvider) {  
  6.   
  7.     $routeProvider.when("/home", {  
  8.         controller: "homeController",  
  9.         templateUrl: "/Modules/views/home.html"  
  10.     });  
  11.   
  12.     $routeProvider.when("/login", {  
  13.         controller: "loginController",  
  14.         templateUrl: "/Modules/views/login.html"  
  15.     });  
  16.     $routeProvider.when("/next", {  
  17.         controller: "nextController",  
  18.         templateUrl: "/Modules/views/Next.html"  
  19.     });  
  20.     $routeProvider.when("/myInfo", {  
  21.         templateUrl: "/Modules/views/Info.html"  
  22.     });  
  23.   
  24.     $routeProvider.otherwise({ redirectTo: "/home" });  
  25.   
  26. })  
  27.     .config(['$httpProvider', function ($httpProvider) {  
  28.   
  29.         $httpProvider.interceptors.push(function ($q, $rootScope, $window, $location) {  
  30.   
  31.             return {  
  32.                 request: function (config) {  
  33.   
  34.                     return config;  
  35.                 },  
  36.                 requestError: function (rejection) {  
  37.   
  38.                     return $q.reject(rejection);  
  39.                 },  
  40.                 response: function (response) {  
  41.                     if (response.status == "401") {  
  42.                         $location.path('/login');  
  43.                     }  
  44.                     //the same response/modified/or a new one need to be returned.  
  45.                     return response;  
  46.                 },  
  47.                 responseError: function (rejection) {  
  48.   
  49.                     if (rejection.status == "401") {  
  50.                         $location.path('/login');  
  51.                     }  
  52.                     return $q.reject(rejection);  
  53.                 }  
  54.             };  
  55.         });  
  56.     }]);  
Here, I have defined four views with their corresponding controllers
  • Home: It is home page. It can be also access by the anonymous users.
  • Login: It shows the login form. It can be also access by the anonymous users.
  • next: It shows after user has been logged-in.
  • myInfo: It shows my details.
Step 4
 
Add Index.html (Shell Page)
 
Single page application contains the Shell page which is a container for the application. It will contain the navigation menus which contains all the available links for the application. It also contains a reference of all the 3rd party JavaScript and CSS files which are required by the application.
  1. <!DOCTYPE html>  
  2. <html data-ng-app="AngularApp">  
  3. <head>  
  4.     <meta content="IE=edge, chrome=1" http-equiv="X-UA-Compatible" />  
  5.     <title>AngularJS - OWIN Authentication</title>  
  6.     <link href="Asset/Content/bootstrap.min.css" rel="stylesheet" />  
  7.     <link href="Asset/Content/ProjectStyle.css" rel="stylesheet" />  
  8. </head>  
  9. <body>  
  10.     <div class="navbar navbar-inverse navbar-fixed-top" role="navigation" data-ng-controller="indexController">  
  11.         <div class="container">  
  12.             <div class="collapse navbar-collapse" data-collapse="!navbarExpanded">  
  13.                 <ul class="nav navbar-nav navbar-right">  
  14.                     <li data-ng-hide="!authentication.IsAuthenticated"><a href="#">Welcome, {{authentication.userName}}</a></li>  
  15.                     <li data-ng-hide="!authentication.IsAuthenticated"><a href="#/myInfo">My Info</a></li>  
  16.                     <li data-ng-hide="!authentication.IsAuthenticated"><a href="" data-ng-click="logOut()">Logout</a></li>  
  17.                     <li data-ng-hide="authentication.IsAuthenticated"> <a href="#/login">Login</a></li>  
  18.                 </ul>  
  19.             </div>  
  20.         </div>  
  21.     </div>  
  22.     <div class="jumbotron">  
  23.         <div class="container">  
  24.             <div class="page-header text-center">  
  25.                 <h3>AngularJS Owin Authentication</h3>  
  26.             </div>  
  27.         </div>  
  28.     </div>  
  29.     <div class="container">  
  30.         <div data-ng-view="">  
  31.         </div>  
  32.     </div>  
  33.     <hr />  
  34.     <div id="footer">  
  35.         <div class="container">  
  36.             <div class="row">  
  37.                 AngularJS - OAuth Bearer Token Implementation Example   
  38.             </div>  
  39.         </div>  
  40.     </div>  
  41.     <!-- 3rd party libraries -->  
  42.     <script src="Asset/Scripts/angular.js"></script>  
  43.     <script src="Asset/Scripts/angular-route.js"></script>  
  44.     <script src="Asset/Scripts/angular-local-storage.min.js"></script>  
  45.   
  46.     <!-- Load app main script -->  
  47.     <script src="Modules/app.js"></script>  
  48.   
  49.     <!-- Load Angular services -->  
  50.     <script src="Modules/Services/loginService.js"></script>  
  51.     <script src="Modules/Services/AuthenticationService.js"></script>  
  52.     <script src="Modules/Services/AuthData.js"></script>  
  53.     <!-- Load Angular controllers -->  
  54.       
  55.     <script src="Modules/Controllers/indexController.js"></script>  
  56.     <script src="Modules/Controllers/homeController.js"></script>  
  57.     <script src="Modules/Controllers/loginController.js"></script>  
  58.     <script src="Modules/Controllers/nextController.js"></script>  
  59. </body>  
  60. </html> 
Indexcontroller.js
 
Now we need to add an index controller under the "Controller" folder which will respond to change the layout of for index page i.e. when a user is not logged in, it displays only the "login" menu, else displays welcome text and logout menu.
  1. (function () {  
  2. 'use strict';  
  3. app.controller('indexController', ['$scope''$location''authData','LoginService', function ($scope, $location, authData, loginService) {  
  4.   
  5.     $scope.logOut = function () {  
  6.         loginService.logOut();  
  7.         $location.path('/home');  
  8.     }  
  9.     $scope.authentication = authData.authenticationData;  
  10. }]);  
  11. })();  
 
Step 5: 
 
Add AngularJS Authentication Data (Factory)
 
This AngularJS service will be responsible for storing the authentication values. It contains the object called "authentication", which will store two values (IsAuthenticated and username). This object will be used to change the layout of the Index page (mainly menu option).
  1. 'use strict';  
  2. app.factory('authData', [ function () {  
  3.     var authDataFactory = {};  
  4.   
  5.     var _authentication = {  
  6.         IsAuthenticated: false,  
  7.         userName: ""  
  8.     };  
  9.     authDataFactory.authenticationData = _authentication;  
  10.   
  11.     return authDataFactory;  
  12. }]); 
Step 6:
 
Add AuthenticationService
 
This AngularJS service will be responsible for get and set token data into client windows session, remove a token from the client windows session, and set HTTP header. We have to configure the HTTP request header for the endpoint: content type as “application/x-www-form-urlencoded” and sent the data as a string, not JSON object, and also need to set Bearer token.
  1. (function () {  
  2.     'use strict';  
  3.     app.service('AuthenticationService', ['$http''$q''$window',  
  4.         function ($http, $q, $window) {  
  5.             var tokenInfo;  
  6.   
  7.             this.setTokenInfo = function (data) {  
  8.                 tokenInfo = data;  
  9.                 $window.sessionStorage["TokenInfo"] = JSON.stringify(tokenInfo);  
  10.             }  
  11.   
  12.             this.getTokenInfo = function () {  
  13.                 return tokenInfo;  
  14.             }  
  15.   
  16.             this.removeToken = function () {  
  17.                 tokenInfo = null;  
  18.                 $window.sessionStorage["TokenInfo"] = null;  
  19.             }  
  20.   
  21.             this.init = function () {  
  22.                 if ($window.sessionStorage["TokenInfo"]) {  
  23.                     tokenInfo = JSON.parse($window.sessionStorage["TokenInfo"]);  
  24.                 }  
  25.             }  
  26.   
  27.             this.setHeader = function (http) {  
  28.                 delete http.defaults.headers.common['X-Requested-With'];  
  29.                 if ((tokenInfo != undefined) && (tokenInfo.accessToken != undefined) && (tokenInfo.accessToken != null) && (tokenInfo.accessToken != "")) {  
  30.                     http.defaults.headers.common['Authorization'] = 'Bearer ' + tokenInfo.accessToken;  
  31.                     http.defaults.headers.common['Content-Type'] = 'application/x-www-form-urlencoded;charset=utf-8';  
  32.                 }  
  33.             }  
  34.        this.validateRequest = function () {  
  35.             var url = serviceBase + 'api/home';  
  36.             var deferred = $q.defer();  
  37.             $http.get(url).then(function () {  
  38.                  deferred.resolve(null);  
  39.             }, function (error) {  
  40.                     deferred.reject(error);  
  41.             });  
  42.             return deferred.promise;  
  43.         }  
  44.             this.init();  
  45.         }  
  46.     ]);  
  47. })();  
Step 7
 
Add Login service, controller and its view
 
LoginService.js
 
Login service is added under the folder “Services”. It contains the method for login and logout. The function "login" is responsible to send an HTTP request to the endpoint with user credential and the endpoint will validate the user credential and generate a token. This method also set an authorized token to the browser window session. The function "logout" is responsible to clear browser window session and redirect to the home page.
  1. function () {  
  2.     'use strict';  
  3.     app.service('LoginService', ['$http''$q''AuthenticationService''authData',  
  4.     function ($http, $q, authenticationService, authData) {  
  5.         var userInfo;  
  6.         var loginServiceURL = serviceBase + 'token';  
  7.         var deviceInfo = [];  
  8.         var deferred;  
  9.   
  10.         this.login = function (userName, password) {  
  11.             deferred = $q.defer();  
  12.             var data = "grant_type=password&username=" + userName + "&password=" + password;  
  13.             $http.post(loginServiceURL, data, {  
  14.                 headers:  
  15.                    { 'Content-Type''application/x-www-form-urlencoded' }  
  16.             }).success(function (response) {  
  17.                 var o = response;  
  18.                 userInfo = {  
  19.                     accessToken: response.access_token,  
  20.                     userName: response.userName  
  21.                 };  
  22.                 authenticationService.setTokenInfo(userInfo);  
  23.                 authData.authenticationData.IsAuthenticated = true;  
  24.                 authData.authenticationData.userName = response.userName;  
  25.                 deferred.resolve(null);  
  26.             })  
  27.             .error(function (err, status) {  
  28.                 authData.authenticationData.IsAuthenticated = false;  
  29.                 authData.authenticationData.userName = "";  
  30.                 deferred.resolve(err);  
  31.             });  
  32.             return deferred.promise;  
  33.         }  
  34.     this.logOut = function () {  
  35.          authenticationService.removeToken();  
  36.          authData.authenticationData.IsAuthenticated = false;  
  37.          authData.authenticationData.userName = "";  
  38.     }  
  39.     }  
  40.     ]);  
  41. })();  
loginController.js
 
Now I have added logincontroller.js under the folder "Controllers". Generally, the controller is simple and will contain client-side business logic. It is a bridge between service and HTML view.
 
  1. (function () {  
  2.     'use strict';  
  3.     app.controller('loginController', ['$scope''LoginService''$location', function ($scope, loginService, $location) {  
  4.   
  5.         $scope.loginData = {  
  6.             userName: "",  
  7.             password: ""  
  8.         };  
  9.   
  10.         $scope.login = function () {  
  11.             loginService.login($scope.loginData.userName, $scope.loginData.password).then(function (response) {  
  12.                 if (response != null && response.error != undefined) {  
  13.                     $scope.message = response.error_description;  
  14.                 }  
  15.                 else {  
  16.                     $location.path('/next');  
  17.                 }  
  18.             });  
  19.         }  
  20.     }]);  
  21. })();  
Logincontroller responsible to redirect authenticated users only to the "next" view else system will redirect to login page. To do this we need to write some code in controller side and catch the "401" response code at interceptor. I have defined interceptor in app.js file. AuthenticationService has method called "validateRequest", it help us to validate whether user is logged-in or not by sending request to server and server will sent "401" status code if it is unauthorized. Here I have added one example code in "nextController".
 
nextController.js
  1. (function ()   
  2. {  
  3.     'use strict';  
  4.     app.controller('nextController', ['$scope''AuthenticationService', function ($scope, authenticationService) {  
  5.         authenticationService.validateRequest();  
  6.     }]);  
  7. })();  
Login.html
 
View for the log-in is very simple. A new file named “login.html” created under the view folder.
  1. <form role="form">  
  2.     <div class="row">  
  3.         <div class="col-md-2">  
  4.                
  5.         </div>  
  6.         <div class="col-md-4">  
  7.             <h2 class="form-login-heading col-md-12">Login</h2>  
  8.             <div class="col-md-12 PaddingTop">  
  9.                 <input type="text" class="form-control" placeholder="Username" data-ng-model="loginData.userName" required autofocus>  
  10.             </div>  
  11.             <div class="col-md-12 PaddingTop">  
  12.                 <input type="password" class="form-control" placeholder="Password" data-ng-model="loginData.password" required>  
  13.             </div>  
  14.             <div class="col-md-12 PaddingTop">  
  15.                 <button class="btn btn-md btn-info btn-block" type="submit" data-ng-click="login()">Login</button>  
  16.             </div>  
  17.             <div data-ng-hide="message == ''">  
  18.                 {{message}}  
  19.             </div>  
  20.         </div>  
  21.   
  22.         <div class="col-md-2">  
  23.                
  24.         </div>  
  25.     </div>  
  26. </form>  
Step 8
 
Add the Home controller and its view
 
Lastly, I have added a home controller and its view. It has a very simple view and an empty controller which is used to display the text "Home page".
 
HomeController.js
  1. (function () {  
  2. 'use strict';  
  3. app.controller('homeController', ['$scope', function ($scope) {  
  4.      
  5. }]);  
  6. })();  
 

Summary

 
Now we have a SPA that authenticates users by using a token-based approach. Here redirection for anonymous users to the login page is done by client-side code. So it is very important to secure all server-side (web API) methods. This is not done in this article.
 
Note
 
I have tried to include all the important HTML and script code within this article. The attached code contains the whole project, please take it as reference.