OAuth authentication with individual user accounts on ASP.NET Core 2.2

Piero De Tomi
May 13, 2019 · 4 min read

In this article I’ll walk you through the configuration of an ASP.NET Core 2.2 application that supports OAuth authentication with individual user accounts on SQL Server (through EntityFramework Core).

If you’re in a hurry…

… you can go directly to the GitHub repository containing the final project, ready to use.

What you’ll need

Here’s a short list of what you’ll need to follow through this article:

  • Visual Studio: I’m currently using the 2017 Community version, but also Visual Studio 2019 should be fine
  • SQL Server: the Express edition will be fine
  • Postman: we’ll use this tool to test our final configuration. You can use any other tool that allows you to make HTTP requests

Project creation

Create a new ASP.NET Core 2.2 Web Application with the “Individual User Accounts” option selected in the “Change Authentication” menu.

Also choose to “Store user accounts in-app”: we’ll switch to SQL Server in a while.

Switch from “in-app” database to SQL Server

Look at your project structure, locate and open the appsettings.json configuration file and change the connection string named DefaultConnection in order to point to an existing (empty) SQL Server database.

Now you need to apply the schema to your empty database, in order to have the tables required for the authentication to work.

Open the Package Manager Console and execute the Update-Database command: your database should now have the following tables:

Before moving to the next part, let’s create a demo user account and test the authentication.

Launch the application, navigate to the /Identity/Account/Register page and register a new user account: I used demo@domain.com as username and Password_123 as password.

OpenIddict installation

To configure OAuth we’ll use the OpenIddict library.
Open the NuGet Package Manager and install the following packages:

  • OpenIddict — version 2.0.0
  • OpenIddict.EntityFrameworkCore — version 2.0.0

Now we’ll add a simple API controller that you’ll use later to test the authentication.

Sample API Controller

Create a new folder called Controllers and add a new file SampleController.cs to it.

The controller will have the following code:

Startup configuration

Following the instructions provided in the official repository of OpenIddict, change the content of the Startup.cs file as follows:

Token Endpoint implementation

In our configuration we specified the /auth/token path as our token endpoint, but the application doesn’t have this endpoint yet.

Inside the Controllers folder add a new file called AuthController.cs, with the following content:

Final test

Open Postman and create a new request with the following configuration:

The request body should be configured as follows (using your username and password values):

Execute the request and obtain the access_token:

At this point you can use the access token to setup a request to your /api/sample protected endpoint, specifying the access token as Bearer Token:

If you did everything correctly, you’ll receive the following response:


I created a GitHub repository with the project used in this article, feel free to download the code and use it as a starting point for your application (just remember to have SSL enabled on your project settings, otherwise the code won’t work properly).

I hope this article will help you to get up and running quickly — that’s the goal.

Piero De Tomi

Written by

Scrivo di ciò che mi appassiona, prevalentemente in materia IT. Mi trovi anche su https://pierodetomi.com

More From Medium

Related reads

Related reads

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade