Access Web API Protected by Your Own Authentication Server

Discuss how to access a web API application that is protected by a central authentication server and requires JWT token authentication.

Shawn Shi
Geek Culture
4 min read · Feb 20, 2023


Diagram by author. Icons from flaticon.com.

How to get access to a web API protected by an authentication server?

In the last episode, our web API asked for protection from the mighty authority and was given a royal name called Farmland Web API. Now we have a client (a merchant) who wants to access the web API (or, to buy grains from the farmland). How does the merchant get access? Again, let’s imagine the merchant can talk as well…

  1. Merchant says: “Mighty authority, can you grant me access to the farmland please?”
  2. Authentication server says: “Okay. I will give you a badge, which is your ID, and also give you a secret code. You must keep the code safe. Every time you need to visit the farmland, you must bring your badge and your secret code to me, so I can give you a ticket to visit the farmland. Remember, the ticket will only be valid for 24 hours.”
  3. Merchant comes back a month later and says: “Mighty authority, here is my ID badge and my secret code, can I get a ticket to the farmland?”
  4. Authentication server says: “Okay. Here you go, a day pass!”
  5. Merchant happily visits the farmland with a day pass and gets some grains and wheat.

Background

In the previous article, we discussed how a farmland can request to get protected by the mighty authority, i.e., how a web API can get protected by an authentication server. This means the farmland web API now requires a valid JWT token issued by the mighty authentication server; otherwise, it will just shut the gate with a big 401 Unauthorized stamp.

The farmland web API’s purpose is to serve legitimate merchants. How does a merchant request access to the farmland?

Goal

Let’s discuss how to set up a client (i.e., the merchant) so that it may access the farmland web API. Once the client is set up, we will discuss how exactly the client can access the farmland API.

Getting Started

Let’s start with a bare-bones console application called “MerchantConsoleAppClient”, which can be created using the ASP.NET Core Console App template. We will take the following two steps to help the merchant visit the farmland:

  1. Register the merchant with the mighty authentication server
  2. Teach the merchant how to request a ticket (i.e., access token) to visit the farmland web API

Step 1 — Register the merchant with the mighty authentication server

Following the conversation above, the authentication server says “I will give you a badge, which is your ID, and also give you a secret code.” Let’s see how that is done in code. The authentication server will configure a new client as the merchant:

  • Give it a client ID, which is the ID badge in the conversation above.
  • Give it a client secret, which is the secret code in the conversation above.
  • Grant the merchant access to the farmland web API.

    // Seeded client configuration on the authentication server.
    // Client, Secret and GrantTypes come from the IdentityServer model types.
    public static IEnumerable<Client> ClientsToSeed =>
        new Client[]
        {
            // Merchant
            new Client
            {
                // The ID badge
                ClientId = "merchant",
                ClientName = "Merchant Client",
                // Defines that the merchant has to use the client credentials flow
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                // Secret code; only its SHA-256 hash is stored, never the plain secret
                ClientSecrets = { new Secret("511536EF-F270-4058-80CA-1C89C192F69A".Sha256()) },

                AllowedScopes = {
                    // Grant access to the farmland web API.
                    // FarmlandWebApi is a string constant holding the scope name of the
                    // farmland web API, defined elsewhere in the configuration class.
                    FarmlandWebApi
                }
            }
        };

This client will be added to the configuration data store. See the seeding workflow in IdentityServerConfigurationDbSeeder.cs. For simplicity, we will skip how the seeding method is called at application startup in the development environment.

Step 2 — Teach the merchant how to request a ticket (i.e., access token) to visit the farmland web API

The merchant has to do three things:

  • Figure out how he can navigate around, see lines 5–13 below.
  • Provide the ID badge and secret, in exchange for a ticket to the farmland, see lines 15–24 below.
  • Present the ticket to the farmland guard and get in, see lines 35–49 below.
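The three steps above, written out as an added example for the MerchantConsoleAppClient (this is not the article's or the GitHub project's own code). It assumes the IdentityModel NuGet package for the discovery and token helpers; the authority URL, the farmland API URL and the scope name are placeholders, since the article does not state them.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client; // NuGet package "IdentityModel" (assumed, not shown in the article)

public static class MerchantClient
{
    // Placeholder addresses and scope name; the article does not state them.
    const string AuthorityUrl = "https://localhost:5001";
    const string FarmlandApiUrl = "https://localhost:6001/api/grains";
    const string FarmlandWebApiScope = "farmland-web-api";

    public static async Task<int> Main()
    {
        using var http = new HttpClient();

        // 1. Figure out how to navigate around: read the discovery document,
        //    so the token endpoint is not hard-coded in the merchant.
        var disco = await http.GetDiscoveryDocumentAsync(AuthorityUrl);
        if (disco.IsError)
        {
            Console.Error.WriteLine($"Discovery failed: {disco.Error}");
            return 1;
        }

        // 2. Present the ID badge and secret code in exchange for a ticket
        //    (client credentials flow, the grant type seeded for "merchant").
        var token = await http.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = "merchant",
            ClientSecret = "511536EF-F270-4058-80CA-1C89C192F69A", // keep secrets in configuration, not source
            Scope = FarmlandWebApiScope
        });
        if (token.IsError)
        {
            Console.Error.WriteLine($"Token request failed: {token.Error}");
            return 1;
        }

        // 3. Present the ticket to the farmland guard as a Bearer token;
        //    without it the farmland answers 401.
        http.SetBearerToken(token.AccessToken);
        var response = await http.GetAsync(FarmlandApiUrl);
        Console.WriteLine($"Farmland replied {(int)response.StatusCode} {response.StatusCode}");
        return response.IsSuccessStatusCode ? 0 : 1;
    }
}
```

The ticket expires after the lifetime configured on the server (24 hours in the conversation above), so a long-running merchant should request a fresh token when a call comes back 401 rather than caching one forever.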

That’s it! Now we have a new player in town, the merchant! If more merchants need to do business with the farmland web API, we just repeat the steps above to add each new merchant. The mighty authority might choose a different flow for the merchant to authenticate and retrieve farmland tickets, but the idea is the same!

The sample code in this article is hosted in a GitHub project. Feel free to check it out! Many thanks for reading!

Related resources:

This is part of a series of articles discussing how to build a centralized authentication server using ASP.NET Core. Other articles can be found here:

  1. Single Sign-On (SSO) Simplified: Understanding How SSO Works in Plain English
  2. Build Your Own Authentication Server for Single Sign-On (SSO) in ASP.NET Core
  3. REST API for User Management in Authentication Server for Single Sign-On
  4. REST API for User Management in Authentication Server for Single Sign-On (2)
  5. Protect Web API using Your Own Authentication Server
  6. Access Web API Protected by Your Own Authentication Server
