ASP.NET MVC 5 - REST Web API Authorization

When a REST Web API is created to share data across multiple devices, e.g., mobile devices, desktop applications, or any website, then the authorization of REST Web API becomes a vital aspect in order to protect data sensitivity from any outside breaches.

Today, I shall demonstrate a simple mechanism to authorize a REST Web API without the complex authorization process of OWIN security layers but at the same time, benefiting from [Authorize] attribute.



The prerequisites include knowledge about the following technologies.

1. ASP.NET MVC 5.
2. C# programming.
3. REST Web API.

You can download the complete source code for this or you can follow the step by step discussion given below. The sample code is developed in Microsoft Visual Studio 2013 Ultimate.

Let's begin now.

1. Create new Web API project and name it as "WebApiAuthorization".
   
   
2. Rename "ValueController.cs" file to "WebApiController.cs".
   
   
3. Now, in "WebApiController.cs" file replace the following code.
   
   1. using System;  
   2. using System.Collections.Generic;  
   3. using System.Linq;  
   4. using System.Net;  
   5. using System.Net.Http;  
   6. using System.Web.Http;  
   7. namespace WebApiAuthorization.Controllers {  
   8.     [Authorize]  
   9.     public class WebApiController: ApiController {  
   10.         // GET api/values   
   11.         public IEnumerable < string > Get() {  
   12.             return new string[] {  
   13.                 "Hello REST API",  
   14.                 "I am Authorized"  
   15.             };  
   16.         }  
   17.         // GET api/values/5   
   18.         public string Get(int id) {  
   19.             return "Hello Authorized API with ID = " + id;  
   20.         }  
   21.         // POST api/values   
   22.         public void Post([FromBody] string value) {}  
   23.         // PUT api/values/5   
   24.         public void Put(int id, [FromBody] string value) {}  
   25.         // DELETE api/values/5   
   26.         public void Delete(int id) {}  
   27.     }  
   28. }  
   In the above code, I simply replaced some of the existing string values, nothing special is done here.
   
   
4. Now, for the authorization part, I am using HTTP Message Handlers technique, its detail can be studied here. In simple essence, this technique captures HTTP request sand responds accordingly. In order to use this technique, we need to inherit "DelegatingHandler" class and then hook its method SendAsync(...) that will process every hit to our REST Web API and verify our allocated authorization or API header key accordingly. Then, it will finally set our Principal after successful authorization. Principal will simply set our security context by containing information about the user whom we have claimed as authorized user by using Identity Based Authorization. This will allow us to utilize [Authorize] attribute for our Web API controller.
   
   So, create new folder under project root >> Resources and name it "Constants". I like my code architecture clean, so, I am using Constants in a resource file.
   
   
5. Now, create a file "Resource->Constants-> ApiInfo.resx". Open the file and place the following constants in it.
   
   
   
   Make sure that Access Modifier is set to Public. This file will contain authorization constants that I will be using to authenticate my REST Web API.
   
   
6. Now, create new folder hierarchy under project root i.e. "Helper_Code->Common".
   
   
7. Create your authorization file and name it "Helper_Code->Common->AuthorizationHeaderHandler.cs".
   
   
8. Open the file "Helper_Code->Common->AuthorizationHeaderHandler.cs" and replace it with the following piece of code.
   
   1. //-----------------------------------------------------------------------   
   2. // <copyright file="AuthorizationHeaderHandler.cs" company="None">   
   3. // Copyright (c) Allow to distribute this code.   
   4. // </copyright>   
   5. // <author>Asma Khalid</author>   
   6. //-----------------------------------------------------------------------   
   7. namespace WebApiAuthorization.Helper_Code.Common {  
   8.     using System;  
   9.     using System.Collections.Generic;  
   10.     using System.Linq;  
   11.     using System.Net.Http;  
   12.     using System.Net.Http.Headers;  
   13.     using System.Security.Claims;  
   14.     using System.Security.Principal;  
   15.     using System.Text;  
   16.     using System.Threading;  
   17.     using System.Threading.Tasks;  
   18.     using System.Web;  
   19.     using WebApiAuthorization.Resources.Constants;  
   20.     /// <summary>   
   21.     /// Authorization for web API class.   
   22.     /// </summary>   
   23.     public class AuthorizationHeaderHandler: DelegatingHandler {#  
   24.         region Send method.  
   25.         /// <summary>   
   26.         /// Send method.   
   27.         /// </summary>   
   28.         /// <param name="request">Request parameter</param>   
   29.         /// <param name="cancellationToken">Cancellation token parameter</param>   
   30.         /// <returns>Return HTTP response.</returns>   
   31.         protected override Task < HttpResponseMessage > SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) {  
   32.             // Initialization.   
   33.             IEnumerable < string > apiKeyHeaderValues = null;  
   34.             AuthenticationHeaderValue authorization = request.Headers.Authorization;  
   35.             string userName = null;  
   36.             string password = null;  
   37.             // Verification.   
   38.             if (request.Headers.TryGetValues(ApiInfo.API_KEY_HEADER, out apiKeyHeaderValues) && !string.IsNullOrEmpty(authorization.Parameter)) {  
   39.                 var apiKeyHeaderValue = apiKeyHeaderValues.First();  
   40.                 // Get the auth token   
   41.                 string authToken = authorization.Parameter;  
   42.                 // Decode the token from BASE64   
   43.                 string decodedToken = Encoding.UTF8.GetString(Convert.FromBase64String(authToken));  
   44.                 // Extract username and password from decoded token   
   45.                 userName = decodedToken.Substring(0, decodedToken.IndexOf(":"));  
   46.                 password = decodedToken.Substring(decodedToken.IndexOf(":") + 1);  
   47.                 // Verification.   
   48.                 if (apiKeyHeaderValue.Equals(ApiInfo.API_KEY_VALUE) && userName.Equals(ApiInfo.USERNAME_VALUE) && password.Equals(ApiInfo.PASSWORD_VALUE)) {  
   49.                     // Setting   
   50.                     var identity = new GenericIdentity(userName);  
   51.                     SetPrincipal(new GenericPrincipal(identity, null));  
   52.                 }  
   53.             }  
   54.             // Info.   
   55.             return base.SendAsync(request, cancellationToken);  
   56.         }#  
   57.         endregion# region Set principal method.  
   58.         /// <summary>   
   59.         /// Set principal method.   
   60.         /// </summary>   
   61.         /// <param name="principal">Principal parameter</param>   
   62.         private static void SetPrincipal(IPrincipal principal) {  
   63.             // setting.   
   64.             Thread.CurrentPrincipal = principal;  
   65.             // Verification.   
   66.             if (HttpContext.Current != null) {  
   67.                 // Setting.   
   68.                 HttpContext.Current.User = principal;  
   69.             }  
   70.         }#  
   71.         endregion  
   72.     }  
   73. }  
   In the above code, "Helper_Code->Common->AuthorizationHeaderHandler.cs" class inherits "DelegatingHandler" class. We have hooked the "SendAsync(...)" method and created a new method "SetPrincipal(...)" to set our authorization principal.
   
   Now, let’s discuss the above code chunk by chunk .i.e.
   
   In Method "SetPrincipal(...)" the following code
   
   1. // setting.   
   2. Thread.CurrentPrincipal = principal;  
   3. // Verification.   
   4. if (HttpContext.Current != null) {  
   5.     // Setting.   
   6.     HttpContext.Current.User = principal;  
   7. }  
   The above code will set our authorization principal with Identity Based Authorization model.
   
   Let’s dissect "SendAsync(...)" method step by step.
   
   1. // Verification.   
   2. if (request.Headers.TryGetValues(ApiInfo.API_KEY_HEADER, out apiKeyHeaderValues) && !string.IsNullOrEmpty(authorization.Parameter)) { ...  
   3. }  
   The above lines of code will verify whether our authorized header key and credentials are empty or not. I have used a combination of both header key and credentials to authorize my REST Web API.
   
   If the authorization is successful, then the following code will extract our authorization information from the HTTP request and store them into local variables.
   
   1. var apiKeyHeaderValue = apiKeyHeaderValues.First();  
   2. // Get the auth token   
   3. string authToken = authorization.Parameter;  
   4. // Decode the token from BASE64   
   5. string decodedToken = Encoding.UTF8.GetString(Convert.FromBase64String(authToken));  
   6. // Extract username and password from decoded token   
   7. userName = decodedToken.Substring(0, decodedToken.IndexOf(":"));  
   8. password = decodedToken.Substring(decodedToken.IndexOf(":") + 1);  
   After above code, we will verify whether the provided authorization for REST Web API hit is valid or not, with the following code.
   
   1. // Verification.   
   2. if (apiKeyHeaderValue.Equals(ApiInfo.API_KEY_VALUE) && userName.Equals(ApiInfo.USERNAME_VALUE) && password.Equals(ApiInfo.PASSWORD_VALUE)) { ...  
   3. }  
   If the hit to our REST Web API contains valid authorization credentials and header key, then we register our principal with Identity Based Authorization model.
   
   1. // Setting   
   2. var identity = new GenericIdentity(userName);   
   3. SetPrincipal(new GenericPrincipal(identity, null));   
9. Now, Open "Global.asax.cs" file and replace following code in it i.e.
   
   1. using System;    
   2. using System.Collections.Generic;    
   3. using System.Linq;    
   4. using System.Web;    
   5. using System.Web.Http;    
   6. using System.Web.Mvc;    
   7. using System.Web.Optimization;    
   8. using System.Web.Routing;    
   9. using WebApiAuthorization.Helper_Code.Common;    
   10. namespace WebApiAuthorization    
   11. {    
   12.   public class WebApiApplication : System.Web.HttpApplication    
   13.   {    
   14.     protected void Application_Start()    
   15.     {    
   16.       AreaRegistration.RegisterAllAreas();    
   17.       GlobalConfiguration.Configure(WebApiConfig.Register);    
   18.       FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);    
   19.       RouteConfig.RegisterRoutes(RouteTable.Routes);    
   20.       BundleConfig.RegisterBundles(BundleTable.Bundles);  
       
   21.  
   22.       // API authorization registration.    
   23.       GlobalConfiguration.Configuration.MessageHandlers.Add(new AuthorizationHeaderHandler());    
   24.     }    
   25.   }    
   26. }   
       
   In the above code we have registered our authorization class within global configuration.
   
   
10. Now, execute the project and use the following link in the browser to see your newly created REST Web API method in action.
    
    1. yourlink:port/api/WebApi   
    
    
    In the above snippet, you will notice that so far, our REST Web API has been authorized, therefore, we cannot directly execute the REST Web API URL in the browser.
    
    
11. Let's test out REST Web API in REST Web API client. I am using Firefox plugin i.e. "RESTED". At first, I simply try to hit the REST Web API without any authorization details and I will get the following response.
    
    
    
    
    
    
12. Now, I will provide the authorization and hit the REST Web API and will get following response i.e.

Conclusion

In this tutorial, we learned how to authorize REST Web API by using a simple technique of HTTP Message Handlers without going into the complex nature of OWIN. We also learned about principal authentication for identity claim based authorization model, which will enable the utilization of [Authorize] attribute.