Token Based Authentication Using ASP.NET Web API in AngularJS

Introduction

In my previous article, we saw an overview of Token based authentication using ASP.net web API and OWIN. In this post, I will explain how to use Token based authentication in AngularJS.

In this post, I will build sample Single Page Application (SPA) using AngularJS and this application will do the following:

  • Allow user to login using "Admin" and "Jignesh" user ID
  • Token keep alive 30 minutes
  • Authenticated user will access the certain views.

Prerequisites

Before reading this article, you must have some basic knowledge about AngularJS and Token base authentication using OWIN.

The following are the steps to create AngularJS Token Authentication using ASP.NET Web API 2 and OWIN

Step 1

Include 3rd party libraries

To get started, we required to include the following libraries:

AngularJS

We can download the latest AngularJS version using NuGet package manager.

PM> Install-Package angularjs


Preceding command includes all available AngularJS libraries including minified version. So delete script files which are not required.

UI Bootstrap

We can download the latest Bootstrap version using NuGet package manager.

PM> Install-Package bootstrap -Version 3.3.5

Step 2

Organize Project Structure


We can use any IDE to build the web application because this web app totally decouples with backend API and it develops using HTML, AngularJS, and CSS. Here I am using Visual Studio 2013. I have created project using empty project template.

In this project structure, I have created a folder named "Modules", this contains all AngularJS application files and resources files and "Asset" folder contains the asset of this project i.e. AngularJS libraries file, CSS files, etc.



Step 3

Boot Strapping Angular Application

Boot Strapping Angular Application means creating angular application and modules (modules are nothing but collection of services, directives, filters which are used by the application). Each module has configuration block and applied to the application during this process. To do this, I have added a file called "app.js" in the root folder. This file also contains the route and interceptor.

Interceptor is a regular service and it allows us to capture every XHR request and we can also manipulate it before sending it to server end point (web API). It also captures all response and response error.

  1. var serviceBase = 'http://localhost:49707/';  
  2.   
  3. var app = angular.module('AngularApp', ['ngRoute''LocalStorageModule']);  
  4.   
  5. app.config(function ($routeProvider) {  
  6.   
  7.     $routeProvider.when("/home", {  
  8.         controller: "homeController",  
  9.         templateUrl: "/Modules/views/home.html"  
  10.     });  
  11.   
  12.     $routeProvider.when("/login", {  
  13.         controller: "loginController",  
  14.         templateUrl: "/Modules/views/login.html"  
  15.     });  
  16.     $routeProvider.when("/next", {  
  17.         controller: "nextController",  
  18.         templateUrl: "/Modules/views/Next.html"  
  19.     });  
  20.     $routeProvider.when("/myInfo", {  
  21.         templateUrl: "/Modules/views/Info.html"  
  22.     });  
  23.   
  24.     $routeProvider.otherwise({ redirectTo: "/home" });  
  25.   
  26. })  
  27.     .config(['$httpProvider', function ($httpProvider) {  
  28.   
  29.         $httpProvider.interceptors.push(function ($q, $rootScope, $window, $location) {  
  30.   
  31.             return {  
  32.                 request: function (config) {  
  33.   
  34.                     return config;  
  35.                 },  
  36.                 requestError: function (rejection) {  
  37.   
  38.                     return $q.reject(rejection);  
  39.                 },  
  40.                 response: function (response) {  
  41.                     if (response.status == "401") {  
  42.                         $location.path('/login');  
  43.                     }  
  44.                     //the same response/modified/or a new one need to be returned.  
  45.                     return response;  
  46.                 },  
  47.                 responseError: function (rejection) {  
  48.   
  49.                     if (rejection.status == "401") {  
  50.                         $location.path('/login');  
  51.                     }  
  52.                     return $q.reject(rejection);  
  53.                 }  
  54.             };  
  55.         });  
  56.     }]);  
Here, I have defined four views with their corresponding controllers
  • Home: It is home page. It can be also access by the anonymous users.
  • Login: It shows the login form. It can be also access by the anonymous users.
  • next: It shows after user has been logged-in.
  • myInfo: It shows my details.

Step 4

Add Index.html (Shell Page)

Single page application contains the Shell page which is container for the application. It will contain the navigation menus which contains all the available links for the application. It also contains reference of all the 3rd party JavaScript and CSS files which are required by the application.

  1. <!DOCTYPE html>  
  2. <html data-ng-app="AngularApp">  
  3. <head>  
  4.     <meta content="IE=edge, chrome=1" http-equiv="X-UA-Compatible" />  
  5.     <title>AngularJS - OWIN Authentication</title>  
  6.     <link href="Asset/Content/bootstrap.min.css" rel="stylesheet" />  
  7.     <link href="Asset/Content/ProjectStyle.css" rel="stylesheet" />  
  8. </head>  
  9. <body>  
  10.     <div class="navbar navbar-inverse navbar-fixed-top" role="navigation" data-ng-controller="indexController">  
  11.         <div class="container">  
  12.             <div class="collapse navbar-collapse" data-collapse="!navbarExpanded">  
  13.                 <ul class="nav navbar-nav navbar-right">  
  14.                     <li data-ng-hide="!authentication.IsAuthenticated"><a href="#">Welcome, {{authentication.userName}}</a></li>  
  15.                     <li data-ng-hide="!authentication.IsAuthenticated"><a href="#/myInfo">My Info</a></li>  
  16.                     <li data-ng-hide="!authentication.IsAuthenticated"><a href="" data-ng-click="logOut()">Logout</a></li>  
  17.                     <li data-ng-hide="authentication.IsAuthenticated"> <a href="#/login">Login</a></li>  
  18.                 </ul>  
  19.             </div>  
  20.         </div>  
  21.     </div>  
  22.     <div class="jumbotron">  
  23.         <div class="container">  
  24.             <div class="page-header text-center">  
  25.                 <h3>AngularJS Owin Authentication</h3>  
  26.             </div>  
  27.         </div>  
  28.     </div>  
  29.     <div class="container">  
  30.         <div data-ng-view="">  
  31.         </div>  
  32.     </div>  
  33.     <hr />  
  34.     <div id="footer">  
  35.         <div class="container">  
  36.             <div class="row">  
  37.                 AngularJS - OAuth Bearer Token Implementation Example   
  38.             </div>  
  39.         </div>  
  40.     </div>  
  41.     <!-- 3rd party libraries -->  
  42.     <script src="Asset/Scripts/angular.js"></script>  
  43.     <script src="Asset/Scripts/angular-route.js"></script>  
  44.     <script src="Asset/Scripts/angular-local-storage.min.js"></script>  
  45.   
  46.     <!-- Load app main script -->  
  47.     <script src="Modules/app.js"></script>  
  48.   
  49.     <!-- Load Angular services -->  
  50.     <script src="Modules/Services/loginService.js"></script>  
  51.     <script src="Modules/Services/AuthenticationService.js"></script>  
  52.     <script src="Modules/Services/AuthData.js"></script>  
  53.     <!-- Load Angular controllers -->  
  54.       
  55.     <script src="Modules/Controllers/indexController.js"></script>  
  56.     <script src="Modules/Controllers/homeController.js"></script>  
  57.     <script src="Modules/Controllers/loginController.js"></script>  
  58.     <script src="Modules/Controllers/nextController.js"></script>  
  59. </body>  
  60. </html> 
Indexcontroller.js

Now we need to add index controller under "Controller" folder which will responsible to change the layout of for index page i.e. when user is not logged-in, it displays only "login" menu, else displays welcome text and logout menu.
  1. (function () {  
  2. 'use strict';  
  3. app.controller('indexController', ['$scope''$location''authData','LoginService', function ($scope, $location, authData, loginService) {  
  4.   
  5.     $scope.logOut = function () {  
  6.         loginService.logOut();  
  7.         $location.path('/home');  
  8.     }  
  9.     $scope.authentication = authData.authenticationData;  
  10. }]);  
  11. })();  


Step 5:

Add AngularJS Authentication Data (Factory)
 
This AngularJS service will be responsible for storing the authentication values. It contains the object called "authentication", which will store two values (IsAuthenticated and username). This object will be used to change the layout of the Index page (mainly menu option).
  1. 'use strict';  
  2. app.factory('authData', [ function () {  
  3.     var authDataFactory = {};  
  4.   
  5.     var _authentication = {  
  6.         IsAuthenticated: false,  
  7.         userName: ""  
  8.     };  
  9.     authDataFactory.authenticationData = _authentication;  
  10.   
  11.     return authDataFactory;  
  12. }]); 
Step 6:

Add AuthenticationService

This AngularJS service will be responsible for get and set token data in to client windows session, remove token from the client windows session and set http header. We have to configure the http request header for the end point: content type as “application/x-www-form-urlencoded” and sent the data as string not JSON object and also need to set Bearer token.
  1. (function () {  
  2.     'use strict';  
  3.     app.service('AuthenticationService', ['$http''$q''$window',  
  4.         function ($http, $q, $window) {  
  5.             var tokenInfo;  
  6.   
  7.             this.setTokenInfo = function (data) {  
  8.                 tokenInfo = data;  
  9.                 $window.sessionStorage["TokenInfo"] = JSON.stringify(tokenInfo);  
  10.             }  
  11.   
  12.             this.getTokenInfo = function () {  
  13.                 return tokenInfo;  
  14.             }  
  15.   
  16.             this.removeToken = function () {  
  17.                 tokenInfo = null;  
  18.                 $window.sessionStorage["TokenInfo"] = null;  
  19.             }  
  20.   
  21.             this.init = function () {  
  22.                 if ($window.sessionStorage["TokenInfo"]) {  
  23.                     tokenInfo = JSON.parse($window.sessionStorage["TokenInfo"]);  
  24.                 }  
  25.             }  
  26.   
  27.             this.setHeader = function (http) {  
  28.                 delete http.defaults.headers.common['X-Requested-With'];  
  29.                 if ((tokenInfo != undefined) && (tokenInfo.accessToken != undefined) && (tokenInfo.accessToken != null) && (tokenInfo.accessToken != "")) {  
  30.                     http.defaults.headers.common['Authorization'] = 'Bearer ' + tokenInfo.accessToken;  
  31.                     http.defaults.headers.common['Content-Type'] = 'application/x-www-form-urlencoded;charset=utf-8';  
  32.                 }  
  33.             }  
  34.        this.validateRequest = function () {  
  35.             var url = serviceBase + 'api/home';  
  36.             var deferred = $q.defer();  
  37.             $http.get(url).then(function () {  
  38.                  deferred.resolve(null);  
  39.             }, function (error) {  
  40.                     deferred.reject(error);  
  41.             });  
  42.             return deferred.promise;  
  43.         }  
  44.             this.init();  
  45.         }  
  46.     ]);  
  47. })();  
Step 7

Add Login service, controller and its view

LoginService.js

Login service is added under the folder “Services”. It contains the method for login and logout. The function "login" is responsible to send HTTP request to the end point with user credential and end point will validate the user credential and generate token. This method also set authorized token to browser window session. The function "logout" is responsible to clear browser window session and redirect to home page.
  1. function () {  
  2.     'use strict';  
  3.     app.service('LoginService', ['$http''$q''AuthenticationService''authData',  
  4.     function ($http, $q, authenticationService, authData) {  
  5.         var userInfo;  
  6.         var loginServiceURL = serviceBase + 'token';  
  7.         var deviceInfo = [];  
  8.         var deferred;  
  9.   
  10.         this.login = function (userName, password) {  
  11.             deferred = $q.defer();  
  12.             var data = "grant_type=password&username=" + userName + "&password=" + password;  
  13.             $http.post(loginServiceURL, data, {  
  14.                 headers:  
  15.                    { 'Content-Type''application/x-www-form-urlencoded' }  
  16.             }).success(function (response) {  
  17.                 var o = response;  
  18.                 userInfo = {  
  19.                     accessToken: response.access_token,  
  20.                     userName: response.userName  
  21.                 };  
  22.                 authenticationService.setTokenInfo(userInfo);  
  23.                 authData.authenticationData.IsAuthenticated = true;  
  24.                 authData.authenticationData.userName = response.userName;  
  25.                 deferred.resolve(null);  
  26.             })  
  27.             .error(function (err, status) {  
  28.                 authData.authenticationData.IsAuthenticated = false;  
  29.                 authData.authenticationData.userName = "";  
  30.                 deferred.resolve(err);  
  31.             });  
  32.             return deferred.promise;  
  33.         }  
  34.     this.logOut = function () {  
  35.          authenticationService.removeToken();  
  36.          authData.authenticationData.IsAuthenticated = false;  
  37.          authData.authenticationData.userName = "";  
  38.     }  
  39.     }  
  40.     ]);  
  41. })();  
loginController.js

Now I have added logincontroller.js under the folder "Controllers". Generally controller is simple and will contain the client side business logic. It is a bridge between service and HTML view.


  1. (function () {  
  2.     'use strict';  
  3.     app.controller('loginController', ['$scope''LoginService''$location', function ($scope, loginService, $location) {  
  4.   
  5.         $scope.loginData = {  
  6.             userName: "",  
  7.             password: ""  
  8.         };  
  9.   
  10.         $scope.login = function () {  
  11.             loginService.login($scope.loginData.userName, $scope.loginData.password).then(function (response) {  
  12.                 if (response != null && response.error != undefined) {  
  13.                     $scope.message = response.error_description;  
  14.                 }  
  15.                 else {  
  16.                     $location.path('/next');  
  17.                 }  
  18.             });  
  19.         }  
  20.     }]);  
  21. })();  
Logincontroller responsible to redirect authenticated users only to the "next" view else system will redirect to login page. To do this we need to write some code in controller side and catch the "401" response code at interceptor. I have defined interceptor in app.js file. AuthenticationService has method called "validateRequest", it help us to validate whether user is logged-in or not by sending request to server and server will sent "401" status code if it is unauthorized. Here I have added one example code in "nextController".

nextController.js
  1. (function ()   
  2. {  
  3.     'use strict';  
  4.     app.controller('nextController', ['$scope''AuthenticationService', function ($scope, authenticationService) {  
  5.         authenticationService.validateRequest();  
  6.     }]);  
  7. })();  
Login.html

View for the log-in is very simple. A new file named “login.html” created under the view folder.
  1. <form role="form">  
  2.     <div class="row">  
  3.         <div class="col-md-2">  
  4.                
  5.         </div>  
  6.         <div class="col-md-4">  
  7.             <h2 class="form-login-heading col-md-12">Login</h2>  
  8.             <div class="col-md-12 PaddingTop">  
  9.                 <input type="text" class="form-control" placeholder="Username" data-ng-model="loginData.userName" required autofocus>  
  10.             </div>  
  11.             <div class="col-md-12 PaddingTop">  
  12.                 <input type="password" class="form-control" placeholder="Password" data-ng-model="loginData.password" required>  
  13.             </div>  
  14.             <div class="col-md-12 PaddingTop">  
  15.                 <button class="btn btn-md btn-info btn-block" type="submit" data-ng-click="login()">Login</button>  
  16.             </div>  
  17.             <div data-ng-hide="message == ''">  
  18.                 {{message}}  
  19.             </div>  
  20.         </div>  
  21.   
  22.         <div class="col-md-2">  
  23.                
  24.         </div>  
  25.     </div>  
  26. </form>  
Step 8

Add Home controller and its view

Lastly, I have added home controller and its view. It has very simple view and empty controller which is used to display text "Home page".

HomeController.js
  1. (function () {  
  2. 'use strict';  
  3. app.controller('homeController', ['$scope', function ($scope) {  
  4.      
  5. }]);  
  6. })();  


Summary

Now we have SPA which authenticates users by using token based approach. Here redirection for anonymous users to the login page is done by client side code. So it is very important to secure all server side (web API) methods. This is not done in this article.

Note

I have tried to include all important html and script code within this article. Attached code contain whole project, please take it as reference.