Implementing API Key Authentication in ASP.NET Core

Подписаться 297 тыс.

Просмотров 73 тыс.

50% 1

Check out my courses: dometrain.com
Become a Patreon and get source code access: / nickchapsas
Hello everybody I'm Nick and in this video I will show you all the approaches you can use to add API Key based authentication in you ASP.NET Core APIs. I will cover a generic approach and then Controller and Minimal API specific approaches and also show you how you can add Open API support for Swagger.
Workshops: bit.ly/nickworkshops
Don't forget to comment, like and subscribe :)
Social Media:
Follow me on GitHub: bit.ly/ChapsasGitHub
Follow me on Twitter: bit.ly/ChapsasTwitter
Connect on LinkedIn: bit.ly/ChapsasLinkedIn
Keep coding merch: keepcoding.shop
#csharp #dotnet

Опубликовано:

8 фев 2023

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 136

@NathanWienand Год назад

Hi Nick I love your videos so very much! *Hint* You probably already know this, but rather than using the Generate Guid tool (which means moving hand to mouse etc.) you can just type "nguid [tab]" and Rider will allow you to insert a new guid and even select the version without dashes. :) Keep up the great work mate!

@nickchapsas Год назад

I DIDNT KNOW THAT OH MY GOD THATS SO COOL!!!

@ivcbusinesssystems6613 Год назад

Wait... WHAT??? I need to try Rider ASAP!

@ArnoldNelisse Год назад

This also works with JetBrains Resharper in Visual Studio.

@victor_pogor Год назад

Thanks, didn't know about this 😉

@michalkowalik89 Год назад

@@nickchapsas `!apiKey.Equals(expectedApiKey)`. This is prone to timing-attack. Secrets should be compared in constant time.

@facephonesy Год назад

I love your videos, you are so professional, but i would really love and appreciate if you make a small app, that shows us how yo implement all the best practices you teach us, I mean I learn tbd concept from you, and I always go and implement it in my projects, but sometimes I get lost in the implementation. If you can just do a todo list api, with all the consepts, like rest API rules, versioning, SOLID, services, mapping, results, responses. Thank you very much for the great content 🙏

@juliansegura5507 Год назад

That would be a GREAT COURSE and I would totally buy it

@ivandrofly Год назад

Yes

@kebabfoto Год назад

@@juliansegura5507same

@ashleygahl3638 Год назад

Agree... would be the best course ever

@MaiconLLoti Год назад

i always copy/paste some example from the internet and i never stop to think how it works because the explanation is almost always just technical terms and blah blah hard to understand your explanation is without a doubt simple, objective and easy to understand, thank you very much

@johnsitka 10 месяцев назад

Great help, exactly what I needed. Thanks tons. Since adopting Blazor Server then finding Minimal API's I can now build Api's without MVC "and" secure them. I remember first hearing of WebSocket so many years ago, throw in Entra, Microsoft Graph, and Application Proxy we now have flying cars for the enterprise.

@margosdesarian Год назад

Hi Nick, i love your videos - and this is one is especially great. In this short video you have explained so many things in a clear and concise way. Its great!!

@RonyFayyad 7 месяцев назад

This is exactly what I was lookinf for to use in my current project. Well done on providing such great content; clean, concise and easy to follow.

@onmico Год назад

Great video Nick, as always! A tip to others: the same principal can be used to enforce client certificate based auth, minus the Swagger UI integration. This way, you can easily enforce different types of auth on different scopes within the same API.

@stephenmiller1396 Год назад

Id love to see example of storing multiple API Keys in database and comparing the header key to those in the database. I have a scenario where I will have multiple clients using the API and would like to have a different API Key to give them access to their own data. Great video !

@ryanobray1 Год назад

I would love to see examples using OAuth 2 Client Credentials flow (using an IDP service like Okta or Auth0) where the APIs accept a valid bearer token.

@MeerHussainAbrar Месяц назад

Thank you Nick! This video greatly helped me. You covered all aspects, including the Swagger which I was struggling with. Thank you 🙏

@juliansegura5507 Год назад

I finally can understand this concept to it's fullest. Thanx for the great content

@carstenberggreen7509 Год назад

Tak! Brilliant video! Covers all my thoughts and questions about API Keys in one video!

@jeffnikelson5824 Год назад

one of your best videos so far 👌🏻

@linhvuquach 4 месяца назад

Extremely interested in the way you presented and covered different approaches. Thanks bro

@aarongregory1806 Год назад

Awesome video as always Nick!

@ecitahpi385 Год назад

the longest app. 18 minutes in my life :D thank you for the explanation!

@voliansky Год назад

Thanks for the awesome video. Would be very interesting to see JWT Bearer auth with refresh tokens as well.

@rafekemmis3097 Год назад

Agreed. Would be nice to see best approaches to implement OIDC or just oauth.

@thibaudgallanddemanneville174 Год назад

There already is a video from Nick about it here ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-M6AkbBaDGJE.html

@justingerber8077 Год назад

Yeah! And how would you protect against a replay attack? Or is it even necessary to worry about this?

@kaymeister634 Год назад

Great video! Thanks a lot for your efforts, Nick! You're great

@Lazzerman42 Год назад

Fantastic! Thank you! Clear and precise! Very Good!

@mohdz8374 5 месяцев назад

You saved me hours of training, Thank you very much for your hard work

@nanvlad Год назад

This video is a gem!

@alejomunoz12 3 месяца назад

This help me a lot, very well explained. Thank you !

@TheJohndward01 Год назад

Amazing video! I always learn so much from your content 😎👍

@bolajibello8917 Год назад

Great job as always. Thanks dude

@OlleHellman Год назад

Thank you for the simple to follow exampesl!

@SilasPeters Год назад

This was exactly what I needed. Now maze makes way more sense!

@Skillamu 11 месяцев назад

Very good and detailed explination on this topic, great video!

@barry-deanmartin988 5 месяцев назад

Awesome video, thanks. very useful & just what I was looking for.

@19balazs86 Год назад

Hi Nick, thanks for the video, good content as usual! You mentioned the attribute usage and DI issue. ApiKeyAuthFilter class can be as it is but creating a new attribute, makes it work. public class ApiKeyAuthFilterAttribute : ServiceFilterAttribute { public ApiKeyAuthFilterAttribute() : base(typeof(ApiKeyAuthFilter)) { } } services.AddScoped();

@amandasanti8203 10 месяцев назад

To get around the dependency injection problem you can create a custom attribute that extends from TypeFilterAttribute, which then passes typeof(MyFilter) to the base constructor. From there the system will allow you to use DI in your filter.

@stefano_schmidt 9 месяцев назад

public class FooAttribute : TypeFilterAttribute { public FooAttribute() : base(typeof(FooFilter)) { } private class FooFilter : IActionFilter { private readonly IConfiguration _config; public FooFilter(IConfiguration config) // inject anything here { _config = config; } public void OnActionExecuting(ActionExecutingContext context) { ... } public void OnActionExecuted(ActionExecutedContext context) { ... } } } And now you can apply [FooAttribute] to anything and have, for example, IActionFilter with Dependency Injection

@adR9990 Год назад

Love your work!

@BK-19 Год назад

Nick You are .Net Rockstar! Thank you!

@shehansamarasinghe3497 9 месяцев назад

Great video. Superb content. Thank you !!!

@lucasdiasfrota 2 дня назад

a lot of good tips =) Thanks Nick!

@takeshi_taro Год назад

To get rid of [ServiceFilter(typeof(...)] thing you can derive from ServiceFilterAttribute and provide default ctor with :base (typeof(ApiKeyAuthFilterImpl)). Then you can use your filter directly (ApiKeyAuthFilterImpl is actual implementation of filter, must be registered in DI container)

@nickchapsas Год назад

Good suggestion! For the longest time I thought the attribute was sealed, but you are right, it isn't!

@cagrikolsuz7727 Год назад

That's great explanation. Thanks.

@jerryjeremy4038 Год назад

Thanks Nick, i need this

@AegirAexx Год назад

Brilliant, thanks!

@MatteoTrapani Год назад

Hi Nick! First of all thank you very much for your videos! They are soooo interesting and you actually taught me a lot since when I started following you :D I have a question about this approach: why yoi didn't mention the AuthenticationHandler approach?

@salvcri Год назад

Always great!!!!

@stripfood Год назад

thank you we love you

@miatribe Год назад

Great video! thank you.

@OgamerRato Месяц назад

Helped a loot, thank you. Gona subscribe to your channel. Nice work!

@alirezaarttam3344 Год назад

Thanks ❤

@oyedeoluwafunbi9635 Год назад

Great Video!!!!!!!!

@hueseyinguendogan8541 Год назад

Great!

@jephrennaicker4584 Год назад

broooo,! so cool!

@bogdanb904 Год назад

You could also have a class extending ServiceFilterAttribute so you can have DI in you Authorization Filter.

@Any1SL Год назад

Would love a video on building a throttle mechanism where its not waiting in memory but in a queue or database

@rguere Год назад

excelente video

@GachiMayhem Год назад

Great video! Thank you very much, Nick! Could you please tell us about cases where 2 authentication schemes are used at the same time, for example ApiKey together with JWT. For example a case where I have 2 clients for my API, a web app and a mobile app. How to properly design the api in such a case?

@mertboii3 Год назад

thanks

@TheAproeX Год назад

damn nice timing, Milan Jovanovixc released video on the same topic few days ago :D

@nickchapsas Год назад

Oh did he? Nice! I don't follow him so I wouldn't know, I plan my videos weeks in advance.

@nebomusic2024 Год назад

This was awesome, thanks Nick! Just wondering, is there a reason for not using the IMiddleware interface when implementing the ApiKeyAuthMiddleware class?

@antoniobuyukliev923 10 месяцев назад

Hi Nick, appreciate the work you do. One question about the filter of the minimal api. If we have another middleware the request stops first in it and then into the filter?

@sunilanthony17 Год назад

Nick, at times I just think you're reading my mind. I was just building this out for work and needed a refresh because I haven't done it in a while.

@yoanashih761 Год назад

Thanks Nick. Is JWT token a good choice if I want to use dynamic key approach or there are some other better ways to do so?

@veracsthedefiled Год назад

I was hoping to use api keys with Identity framework, I recall seeing your .NET core 2 & 3 playlist, and in comments section there you said we can look up the API key to find which user it belongs to, while that can work I think it will conflict with JWT auth since its configured as a filter, and [Authorize] attributes won't work with API keys, and as well as I think looking up the DB on every request is expensive.

@cdarrigo Год назад

Please do a video on task ConfigureAwait(). It's so confusing

@MusicaX79 Год назад

This breaks swagger documentation.

@blackpaw29 10 месяцев назад

Thank you, very interesting and easy to implement with your clear details. Looks appropriate for a use case I have. Couple of questions 😁 - Can you safely mix auth schemes, i.e I have a multi-tenant minimal api that users authenticate to via Azure B2C oauth2, but I need to add a simple API key access for a few endpoints, for service apps to use. I could use client credentials flow or application api's, but there's the problem of distributing/revoking api keys and I want to issue them dynamically depending on the tenant the service apps belong to. - Can you restrict access to a SignalR server using these? - Swagger - can it handle multiple auth schemes?

@blackpaw29 10 месяцев назад

To answer part of my own question - yup, Swagger UI can handle multiple auth types, you get the option to choose which one when Autherising. Works the best. And you can mix auth schemes.

@thibaudgallanddemanneville174 Год назад

Thanks Nick for the video, awesome as usual ! What is your thought about `AddScheme` and `AuthenticationHandler` ? or the `AddAuthorization` and `AddPolicy` ?

@nickchapsas Год назад

It's a bit of a more convoluted approach which is why I prefer the ones that I show in the video. They are way more straightfoward.

@thibaudgallanddemanneville174 Год назад

I agree with you, I had a hard time implementing them ^^

@benjaminboyle3295 Год назад

Hi Nick, I had to add mixed authorization: Bearer header as well as ApiKey header. I did it using the methods mentioned in the comment above. I have source code if you wanna see it. I was actually hoping this video would show us a better way of adding mixed authorization. Thank you as always, amazing work.

@benjaminboyle3295 Год назад

AND then I had to mix in jwt/bearer authorization for signalR in the query string instead of header :)

@nickchapsas Год назад

@@benjaminboyle3295 This video is exclusive to API Key authentication as the name implies. I've covered mixed auth in the past. It might be something I re-visit in the future

@adilbangush5014 Год назад

what is the best practice for custom error to display ( custom description , custom error-code ) in minimal API despite just use 401.

@yogeshkajala4170 Год назад

Hi Nick, that is very nice. Just a quick thought about how can I separate consumers(apps), like I want to have separate api key for each app trying to use api. Quick thought is to include app name along with key, I grab the app name and check the key. Any batter way?

@daa82 Год назад

Can you make a video on best ways to do data authorization? i.e. how do I make sure user x has only access to New York weather?

@microtech2448 10 месяцев назад

Hi, can you come up with a vidwo where you can demonstrate how to Authorize same endpoint using either inbuilt jwt bearer or api key at the same time? So,how we can add custom authentication along with inbuilt authentication schemes and regiater at startup. Thanks

@Rider0fBuffalo Год назад

@11:20 can the Configuration not be injected here using the [FromServices] attribute on the IConfiguration contstuctor parameter? Or are Service Filters not built the same way Actions/Controllers are?

@majmicky Год назад

Hi Nick Amazing video, I have a question about minimal api swagger authorize button option How to pass different keys with the same button I have bearer token some set of endpoint allowed with one token and other set of endpoints use another type of token. How can we address it so Authorise button worked Thank you

@DemoBytom Год назад

What is a good place to store secrets (like API keys etc) for on-premise services, hosted on IIS, that don't have access to any cloud solutions, like Azure/AWS key vaults?

@kirylkorzun3568 Год назад

Briefly: any separate server within your org network, data center, etc but you have to provide security, access control, physical security,etc Hope it will help! :)

@RusWatcher Год назад

have you found somewhere the answer? can you share this?

@tonykidv2 Год назад

is it possible to use [AllowAnonymous] annotation to bypass the middleware?

@ArnonDanon Год назад

Great video as usal, how would you go about rotating the key to thw customer, or even provide an new one securly, is there a solution already created for it?

@synysterdemon Год назад

Personnally, I would turn that `ApiKey` setting to `ApiKeys` as an array, so when you want to rotate, you add the new API key, then you replace the old one in all the places it is used and at the end, you come back and remove the old API key from your service, invalidating it.

@nickchapsas Год назад

There is actually yeah. You can use something aws secrets manage which supports rotation and versioning so both keys are supported from a single variable. I talk about that in my free aws course

@ArnonDanon Год назад

@@nickchapsas guess i still havent got to this part at the course yet ... great courses both aws and the Integration tests by the way 👏🏽👏🏽👏🏽

@johnanderson350 Год назад

I wonder is it possible the have the Authorization Filter attribute on the class level, but then override that with another Authorization Filter at the method level. That was by default the methods are safe, unless otherwise indicated. I know you can set Filter orders but they still both get fired.

@alef.carlos Год назад

Thats awesome! But what about implemeting an AuthenticationHandler for ApiKey scheme and then register that in AuthenticationBuilder ? I think AuthenticationHandler is the best option.

@nickchapsas Год назад

It’s the most convoluted option for something that can be as simple as shown in the video. I don’t like that approach for this use case

@feefifofum6383 Год назад

You mentioned at the start about extending this to handle dynamic keys and rate limiting. How and where would you handle rate limiting per key? Love your work.

@nickchapsas Год назад

There is actually a new rate limiting feature now built into ASP .NET Core. You can use the API key as the rate limit key and it's basically done.

@Livinghighandwise Год назад

In your example, once the APIKeyMiddleware - public async Task method runs, and authentication is successful, it doesn't redirect to my Homecontroller in order to run the my Post method and continue with the request. How do I get it to direct to my post request in my Homecontroller?

@andrewholloway-breward213 Год назад

Should these techniques work in the same way for Azure function triggered by HTTP or is this completely different?

@andrewholloway-breward213 Год назад

Ignore that it looks like a whole minefield of complexity with Azure functions!

@parcanapp1193 Год назад

Are you a factory that makes videos? I only now finished watching your previous one.

@JacobDuenke Год назад

Am I crazy? I’ve always found the swagger ui has the lock icons mixed up. Why would the lock be LOCKED when the api is unlocked and authorized for use??

@oM1naE Год назад

Is there a specific reason to not implement IMiddleware interface?

@diamondkingdiamond6289 3 месяца назад

But wouldn't that make a timing attack possible because you are just comparing the two strings without doing any hashing.

@bizneslupa3629 Год назад

can you give us the book name or tutorial where did you learn this all?

@dasmaffin1633 Год назад

So if I have an app that connects to thousands of users authentication is something I dont need, did I get that right?

@pbreslinltd Год назад

Nick, I purchased your zero to hero minimal API course... the discord link is broken.... is that a mistake or did you shut it down?

@nickchapsas Год назад

The Discord server is being restructured so for now no new people can join. It will be relaunched and all course owners will be notified.

@funkykoval78 Год назад

does this solution intentionaly do not work? so you need to become patreon to see it works? or am I missing something. ''ApiKeyAuthMiddleware" is a type, which is not valid in the given context is what I get