Why Securing Your Web API Matters?
APIs are often the backbone of modern apps, especially in microservice and cloud-based architectures. If left unsecured, your API is vulnerable to attacks like data leaks, unauthorized access, and impersonation.
That’s where JWT (JSON Web Tokens), OAuth 2.0, and ASP.NET Core Identity come into play, providing a complete toolkit to authenticate and authorize users safely.
Overview of Key Security Concepts
| Term |
What It Means |
| Authentication |
Verifying who the user is (e.g., login) |
| Authorization |
Controlling what the user can do (e.g., access certain endpoints) |
| JWT |
A secure, compact token used to carry claims about the user |
| OAuth 2.0 |
An open standard for delegated authorization |
| ASP.NET Core Identity |
Framework for managing users, roles, and credentials |
1. JWT Authentication in ASP.NET Core Web API
JWT (JSON Web Token) is the most common way to secure APIs in a stateless way.
Step-by-Step: Add JWT Authentication
Step 1. Add Required NuGet Packages.
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer
Step 2. Configure JWT Authentication in Program.cs.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuer = "yourapp.com",
ValidAudience = "yourapp.com",
IssuerSigningKey = new SymmetricSecurityKey(
Encoding.UTF8.GetBytes("super_secret_key_12345"))
};
});
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
Step 3. Secure Your Endpoints.
[Authorize]
[HttpGet("secure-data")]
public IActionResult GetSecureData()
{
return Ok("You are authorized!");
}
Step 4. Issue a JWT Token on Login.
[HttpPost("login")]
public IActionResult Login([FromBody] LoginModel login)
{
// Dummy check
if (login.Username == "admin" && login.Password == "password")
{
var claims = new[]
{
new Claim(ClaimTypes.Name, login.Username)
};
var key = new SymmetricSecurityKey(
Encoding.UTF8.GetBytes("super_secret_key_12345"));
var creds = new SigningCredentials(
key, SecurityAlgorithms.HmacSha256);
var token = new JwtSecurityToken(
issuer: "yourapp.com",
audience: "yourapp.com",
claims: claims,
expires: DateTime.Now.AddMinutes(30),
signingCredentials: creds);
return Ok(new
{
token = new JwtSecurityTokenHandler().WriteToken(token)
});
}
return Unauthorized();
}
2. OAuth 2.0 Authorization
OAuth 2.0 is an authorization framework used to grant access to third-party apps without sharing passwords. It’s used widely in login with Google, Facebook, Microsoft, etc.
Common OAuth Scenarios
- Sign in users via Google/Facebook.
- Authorize access to external services (like GitHub API).
- Delegate API access using access tokens.
Add OAuth2 to Your Web API
You usually combine OAuth2 with an Identity Provider like.
- Azure Active Directory
- Auth0
- IdentityServer
- Google/Facebook
Example: Add Google Authentication.
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = GoogleDefaults.AuthenticationScheme;
})
.AddCookie()
.AddGoogle(GoogleDefaults.AuthenticationScheme, options =>
{
options.ClientId = "your-google-client-id";
options.ClientSecret = "your-google-client-secret";
});
3. ASP.NET Core Identity
ASP.NET Core Identity is a full user management system that supports:
- Registration
- Login/Logout
- Password management
- Role-based authorization
Install Identity
dotnet add package Microsoft.AspNetCore.Identity.EntityFrameworkCore
Configure Identity in Program.cs
builder.Services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));
builder.Services.AddIdentity<IdentityUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();
Secure an Endpoint with Role
[Authorize(Roles = "Admin")]
[HttpGet("admin-only")]
public IActionResult GetAdminData()
{
return Ok("You are an Admin!");
}
Combine Identity + JWT for Token-Based User Management
You can extend Identity to generate JWT tokens after login instead of using cookies.
Example: Identity Login Returning JWT
[HttpPost("token")]
public async Task<IActionResult> Token([FromBody] LoginModel model)
{
var user = await userManager.FindByNameAsync(model.Username);
if (user != null && await userManager.CheckPasswordAsync(user, model.Password))
{
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes("your_super_secret_key");
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.Name, user.UserName),
}),
Expires = DateTime.UtcNow.AddHours(1),
SigningCredentials = new SigningCredentials(
new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
};
var token = tokenHandler.CreateToken(tokenDescriptor);
return Ok(new { token = tokenHandler.WriteToken(token) });
}
return Unauthorized();
}
Extra Security Best Practices
| Best Practice |
Why It Matters |
| 🔐 Use HTTPS |
Encrypts traffic between client and server |
| 🧂 Hash & salt passwords |
Prevents password leaks if DB is compromised |
| ⌛ Set token expiration |
Reduces the risk of stolen tokens |
| 🔁 Rotate keys regularly |
Improves security hygiene |
| 🧾 Use claims & roles properly |
Enforces fine-grained authorization |
| 🚪 Logout (Token revocation) |
Invalidate sessions when needed |
Summary
| Feature |
Use When... |
| JWT |
You need stateless, fast, token-based auth |
| OAuth2 |
You allow third-party logins or services |
| Identity |
You manage your user accounts and roles |
Conclusion
Securing your .NET Web API isn’t optional; it’s essential. Whether you use JWT for stateless APIs, OAuth2 for third-party authorization, or ASP.NET Core Identity for user management, the key is to combine them wisely based on your app’s needs.