Identity Provider for API Security Mechanism

Introduction 

 
We often run into the question: how can a Web API be secured?
  
The obvious answer is authentication and authorization, blah, blah, blah. However, to meet organizational demands and to manage security checkpoints better, it is preferable to have a centralized security system that routes access to multiple applications, so that there is a single entry point for traffic that can be watched easily (e.g. SSO).
 
We already have multiple social networks (Gmail, LinkedIn, Twitter, Facebook, etc.) that support authentication by issuing a token on our behalf, acting as an IDP (Identity Provider).
 
You can understand the basic terminology from the articles below:
The process of authentication and authorization can be done in many ways:
  • Create your own JWT token utility and consume it.
  • Use an existing OpenID Connect implementation (https://openid.net/connect/).
  • Use one of the many trusted public IDPs (Identity Providers), e.g. Google, Facebook, Microsoft.
  • Use a corporate IDP, such as Azure AD, LDAP, or G Suite.
  • Use a trusted third party, e.g. Okta (https://login.okta.com/signin/register/), Shibboleth (https://www.shibboleth.net/), Auth0 (https://auth0.com/signup), etc.
This is what we will achieve in this post:
  1. Create a Web API and access it using Postman.
  2. Authorize the API, which will restrict its access.
  3. Have a valid token issued and its authenticity verified by Auth0 (a third party). The beauty is that we are not bothered with writing extra code for this, as it is done by the third party. For a trial, you can create an account in Okta/Auth0.
  4. Append the newly created token to our requests to protect our data.
Prerequisite
 
Create a free account in Auth0 (https://auth0.com/signup) (Note: the below credentials will not work for you)
Go to APIs > Create API >
 

 
Go to Applications > You will see that an application for the API has been created automatically by default (here you can get the application-specific [client_id, client_secret]), which is used to obtain a fresh token every time.
 
 
Steps
 
Create a simple API which returns [HTTPGET] a list of book data in .NET Core. (Code file attached)
 
 
Run it from CMD and test it using Postman, with and without the Authorize attribute.
 

 
Integrate the below lines of code that we received from Auth0 itself:
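As an added illustration of what that integration looks like (this is example code written for this post, not the attached code file or the snippet Auth0 generates), here is a Startup.cs that validates Auth0-issued JWT bearer tokens together with a minimal protected books controller. The configuration keys Auth0:Domain and Auth0:Audience, the tenant domain and the book list are placeholders/constructed values; replace them with the domain and API Identifier shown on your own Auth0 API page.

```csharp
// Added example (not the post's attached code file): JWT bearer validation in ASP.NET Core
// against an Auth0 tenant. Configuration keys and sample data below are placeholders.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using System;
using System.Collections.Generic;

public class Startup
{
    public Startup(IConfiguration configuration) { Configuration = configuration; }
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed appsettings.json keys (placeholders):
        //   "Auth0": { "Domain": "YOUR_TENANT.auth0.com", "Audience": "https://your-api-identifier" }
        string authority = $"https://{Configuration["Auth0:Domain"]}/"; // issuer of the tokens
        string audience = Configuration["Auth0:Audience"];              // API Identifier from Auth0 > APIs

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            // The middleware fetches the OpenID Connect discovery document and the JWKS
            // signing keys from the Authority, so no signing key lives in our code.
            options.Authority = authority;
            options.Audience = audience;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,           // reject tokens from any other tenant
                ValidateAudience = true,         // reject tokens minted for a different API
                ValidateLifetime = true,         // reject expired tokens
                ValidateIssuerSigningKey = true, // reject tokens whose signature does not verify
                ClockSkew = TimeSpan.FromMinutes(1) // tighter than the 5-minute default
            };
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("api/[controller]")]
public class BooksController : ControllerBase
{
    // Constructed sample data standing in for the post's book list.
    private static readonly List<string> Books = new List<string> { "Book A", "Book B" };

    [HttpGet]
    [Authorize] // without a valid bearer token the request is rejected with 401
    public ActionResult<IEnumerable<string>> Get() => Books;
}
```

With the [Authorize] attribute removed, the GET works from Postman without a token; with it in place, the same request returns 401 until a token issued by the configured authority for the configured audience is attached.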
 
 
Now, to get a list of books, we need a token, as this is an authorized API now. To fetch a token, hit Auth0's token API; in case you want to know how, this is documented on the Auth0 site itself.
 
Inside the [Quick Start] tab, you will get the code for almost all commonly used languages. I am using C#.
 
Now go to the last tab, [Test]. The idea here is to obtain the parameters with which we can create a token on demand. Otherwise, you can use the token shown there directly, since it has been created with your specific ClientId and Secret.
 

 
Now append this token to the request and fetch the data. It should work fine: the IDP (third party) is authenticating for us via the authority/audience we configured in the Startup.cs file in .NET Core.
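The token fetch and the authenticated call described in the steps above, as an added example (written for this post, not the Quick Start snippet from Auth0 or the attached code): it requests a token from the Auth0 tenant with the client_credentials grant, then calls the protected books endpoint with that token as a Bearer header. The environment variable names, the API base URL and the books route are assumptions; the client secret is read from the environment rather than written into source.

```csharp
// Added example: obtain a token from Auth0 with the client_credentials grant and call
// the protected API. Environment variable names and URLs are placeholders.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class TokenClient
{
    public static async Task<string> GetAccessTokenAsync(HttpClient http)
    {
        // Placeholders: set these from the Auth0 application page (client id/secret)
        // and the API page (audience = API Identifier). The secret belongs only on a
        // confidential client (server side), never in a browser or mobile app.
        string domain = Environment.GetEnvironmentVariable("AUTH0_DOMAIN");        // YOUR_TENANT.auth0.com
        string clientId = Environment.GetEnvironmentVariable("AUTH0_CLIENT_ID");
        string clientSecret = Environment.GetEnvironmentVariable("AUTH0_CLIENT_SECRET");
        string audience = Environment.GetEnvironmentVariable("AUTH0_AUDIENCE");

        string body = JsonSerializer.Serialize(new
        {
            grant_type = "client_credentials",
            client_id = clientId,
            client_secret = clientSecret,
            audience = audience
        });

        using var response = await http.PostAsync(
            $"https://{domain}/oauth/token",
            new StringContent(body, Encoding.UTF8, "application/json"));
        response.EnsureSuccessStatusCode();

        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        // The response also carries expires_in; a real client caches the token until then
        // instead of requesting a new one per call.
        return doc.RootElement.GetProperty("access_token").GetString();
    }

    public static async Task<string> GetBooksAsync(HttpClient http, string apiBaseUrl, string accessToken)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, $"{apiBaseUrl}/api/books");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        using var response = await http.SendAsync(request);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            // Typical causes: wrong audience in the token request, or a mismatch between
            // the Authority/Audience configured in Startup.cs and the tenant that issued the token.
            throw new InvalidOperationException("Token rejected by the API (401).");
        }
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    public static async Task Main()
    {
        using var http = new HttpClient();
        string token = await GetAccessTokenAsync(http);
        string books = await GetBooksAsync(http, "https://localhost:5001", token);
        Console.WriteLine(books);
    }
}
```

This is the same exchange Postman performs when you paste the token from the [Test] tab into the Authorization header, just automated so the token is created on demand from the parameters that tab shows.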
 

 
That's it. We have handed the token/authentication-related work over to Auth0 and can proceed with our other business logic.
 
This was quick, wasn't it?
 
This is a personal experience I am sharing. You can also look for a free open-source solution. Generally, at the organization level, companies opt for a paid third-party integration.
 
That's all folks...Happy Coding :)