Bit of Technology

  • Archive
  • About Me
    • Advertise
    • Disclaimer
  • Speaking
  • Contact

ASP.NET Identity 2.1 with ASP.NET Web API 2.2 (Accounts Management) – Part 1

January 21, 2015 By Taiseer Joudeh 248 Comments

Asp Net Identity

ASP.NET Identity 2.1 is the latest membership and identity management framework provided by Microsoft, this membership system can be plugged to any ASP.NET framework such as Web API, MVC, Web Forms, etc…

In this tutorial we’ll cover how to integrate ASP.NET Identity system with ASP.NET Web API , so we can build a secure HTTP service which acts as back-end for SPA front-end built using AngularJS, I’ll try to cover in a simple way different ASP.NET Identity 2.1 features such as: Accounts managements, roles management, email confirmations, change password, roles based authorization, claims based authorization, brute force protection, etc…

The AngularJS front-end application will use bearer token based authentication using Json Web Tokens (JWTs) format and should support roles based authorization and contains the basic features of any membership system. The SPA is not ready yet but hopefully it will sit on top of our HTTP service without the need to come again and modify the ASP.NET Web API logic.

I will follow step by step approach and I’ll start from scratch without using any VS 2013 templates so we’ll have better understanding of how the ASP.NET Identity 2.1 framework talks with ASP.NET Web API framework.

The source code for this tutorial is available on GitHub.

I broke down this series into multiple posts which I’ll be posting gradually, posts are:

  • Configure ASP.NET Identity with ASP.NET Web API (Accounts Management) – (This Post)
  • ASP.NET Identity 2.1 Accounts Confirmation, and Password/User Policy Configuration – Part 2
  • Implement OAuth JSON Web Tokens Authentication in ASP.NET Web API and Identity 2.1 – Part 3
  • ASP.NET Identity Role Based Authorization with ASP.NET Web API – Part 4
  • ASP.NET Web API Claims Authorization with ASP.NET Identity 2.1 – Part 5
  • AngularJS Authentication and Authorization with ASP.NET Web API and Identity – Part 6

Configure ASP.NET Identity 2.1 with ASP.NET Web API 2.2 (Accounts Management)

Setting up the ASP.NET Identity 2.1

Step 1: Create the Web API Project

In this tutorial I’m using Visual Studio 2013 and .Net framework 4.5, now create an empty solution and name it “AspNetIdentity” then add new ASP.NET Web application named “AspNetIdentity.WebApi”, we will select an empty template with no core dependencies at all, it will be as as the image below:

WebApiNewProject

Step 2: Install the needed NuGet Packages:

We’ll install all those NuGet packages to setup our Owin server and configure ASP.NET Web API to be hosted within an Owin server, as well we will install packages needed for ASP.NET Identity 2.1, if you would like to know more about the use of each package and what is the Owin server, please check this post.

MS DOS
1
2
3
4
5
6
Install-Package Microsoft.AspNet.Identity.Owin -Version 2.1.0
Install-Package Microsoft.AspNet.Identity.EntityFramework -Version 2.1.0
Install-Package Microsoft.Owin.Host.SystemWeb -Version 3.0.0
Install-Package Microsoft.AspNet.WebApi.Owin -Version 5.2.2
Install-Package Microsoft.Owin.Security.OAuth -Version 3.0.0
Install-Package Microsoft.Owin.Cors -Version 3.0.0

 Step 3: Add Application user class and Application Database Context:

Now we want to define our first custom entity framework class which is the “ApplicationUser” class, this class will represents a user wants to register in our membership system, as well we want to extend the default class in order to add application specific data properties for the user, data properties such as: First Name, Last Name, Level, JoinDate. Those properties will be converted to columns in table “AspNetUsers” as we’ll see on the next steps.

So to do this we need to create new class named “ApplicationUser” and derive from “Microsoft.AspNet.Identity.EntityFramework.IdentityUser” class.

Note: If you do not want to add any extra properties to this class, then there is no need to extend the default implementation and derive from “IdentityUser” class.

To do so add new folder named “Infrastructure” to our project then add new class named “ApplicationUser” and paste the code below:

C#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
    public class ApplicationUser : IdentityUser
    {
        [Required]
        [MaxLength(100)]
        public string FirstName { get; set; }
 
        [Required]
        [MaxLength(100)]
        public string LastName { get; set; }
 
        [Required]
        public byte Level { get; set; }
 
        [Required]
        public DateTime JoinDate { get; set; }
 
    }

Now we need to add Database context class which will be responsible to communicate with our database, so add new class and name it “ApplicationDbContext” under folder “Infrastructure” then paste the code snippet below:

C#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
    public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
    {
        public ApplicationDbContext()
            : base("DefaultConnection", throwIfV1Schema: false)
        {
            Configuration.ProxyCreationEnabled = false;
            Configuration.LazyLoadingEnabled = false;
        }
 
        public static ApplicationDbContext Create()
        {
            return new ApplicationDbContext();
        }
 
    }

As you can see this class inherits from “IdentityDbContext” class, you can think about this class as special version of the traditional “DbContext” Class, it will provide all of the entity framework code-first mapping and DbSet properties needed to manage the identity tables in SQL Server, this default constructor takes the connection string name “DefaultConnection” as an argument, this connection string will be used point to the right server and database name to connect to.

The static method “Create” will be called from our Owin Startup class, more about this later.

Lastly we need to add a connection string which points to the database that will be created using code first approach, so open “Web.config” file and paste the connection string below:

XHTML
1
2
3
  <connectionStrings>
    <add name="DefaultConnection" connectionString="Data Source=.\sqlexpress;Initial Catalog=AspNetIdentity;Integrated Security=SSPI;" providerName="System.Data.SqlClient" />
  </connectionStrings>

Step 4: Create the Database and Enable DB migrations:

Now we want to enable EF code first migration feature which configures the code first to update the database schema instead of dropping and re-creating the database with each change on EF entities, to do so we need to open NuGet Package Manager Console and type the following commands:

MS DOS
1
2
enable-migrations
add-migration InitialCreate

The “enable-migrations” command creates a “Migrations” folder in the “AspNetIdentity.WebApi” project, and it creates a file named “Configuration”, this file contains method named “Seed” which is used to allow us to insert or update test/initial data after code first creates or updates the database. This method is called when the database is created for the first time and every time the database schema is updated after a data model change.

Migrations

As well the “add-migration InitialCreate” command generates the code that creates the database from scratch. This code is also in the “Migrations” folder, in the file named “<timestamp>_InitialCreate.cs“. The “Up” method of the “InitialCreate” class creates the database tables that correspond to the data model entity sets, and the “Down” method deletes them. So in our case if you opened this class “201501171041277_InitialCreate” you will see the extended data properties we added in the “ApplicationUser” class in method “Up”.

Now back to the “Seed” method in class “Configuration”, open the class and replace the Seed method code with the code below:

C#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
        protected override void Seed(AspNetIdentity.WebApi.Infrastructure.ApplicationDbContext context)
        {
            //  This method will be called after migrating to the latest version.
 
            var manager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));
 
            var user = new ApplicationUser()
            {
                UserName = "SuperPowerUser",
                Email = "taiseer.joudeh@mymail.com",
                EmailConfirmed = true,
                FirstName = "Taiseer",
                LastName = "Joudeh",
                Level = 1,
                JoinDate = DateTime.Now.AddYears(-3)
            };
 
            manager.Create(user, "MySuperP@ssword!");
        }

This code basically creates a user once the database is created.

Now we are ready to trigger the event which will create the database on our SQL server based on the connection string we specified earlier, so open NuGet Package Manager Console and type the command:

MS DOS
1
update-database

The “update-database” command runs the “Up” method in the “Configuration” file and creates the database and then it runs the “Seed” method to populate the database and insert a user.

If all is fine, navigate to your SQL server instance and the database along with the additional fields in table “AspNetUsers” should be created as the image below:

AspNetIdentityDB

Step 5: Add the User Manager Class:

The User Manager class will be responsible to manage instances of the user class, the class will derive from “UserManager<T>”  where T will represent our “ApplicationUser” class, once it derives from the “ApplicationUser” class a set of methods will be available, those methods will facilitate managing users in our Identity system, some of the exposed methods we’ll use from the “UserManager” during this tutorial are:

Method NameUsage
FindByIdAsync(id)Find user object based on its unique identifier
UsersReturns an enumeration of the users
FindByNameAsync(Username)Find user based on its Username
CreateAsync(User, PasswordCreates a new user with a password
GenerateEmailConfirmationTokenAsync(Id)Generate email confirmation token which is used in email confimration
SendEmailAsync(Id, Subject, Body)Send confirmation email to the newly registered user
ConfirmEmailAsync(Id, token)Confirm the user email based on the received token
ChangePasswordAsync(Id, OldPassword, NewPassword)Change user password
DeleteAsync(User)Delete user
IsInRole(Username, Rolename)Check if a user belongs to certain Role
AddToRoleAsync(Username, RoleName)Assign user to a specific Role
RemoveFromRoleAsync(Username, RoleNameRemove user from specific Role

Now to implement the “UserManager” class, add new file named “ApplicationUserManager” under folder “Infrastructure” and paste the code below:

C#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
    public class ApplicationUserManager : UserManager<ApplicationUser>
    {
        public ApplicationUserManager(IUserStore<ApplicationUser> store)
            : base(store)
        {
        }
 
        public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
        {
            var appDbContext = context.Get<ApplicationDbContext>();
            var appUserManager = new ApplicationUserManager(new UserStore<ApplicationUser>(appDbContext));
 
            return appUserManager;
        }
    }

As you notice from the code above the static method “Create” will be responsible to return an instance of the “ApplicationUserManager” class named “appUserManager”, the constructor of the “ApplicationUserManager” expects to receive an instance from the “UserStore”, as well the UserStore instance construct expects to receive an instance from our “ApplicationDbContext” defined earlier, currently we are reading this instance from the Owin context, but we didn’t add it yet to the Owin context, so let’s jump to the next step to add it.

Note: In the coming post we’ll apply different changes to the “ApplicationUserManager” class such as configuring email service, setting user and password polices.

Step 6: Add Owin “Startup” Class

Now we’ll add the Owin “Startup” class which will be fired once our server starts. The “Configuration” method accepts parameter of type “IAppBuilder” this parameter will be supplied by the host at run-time. This “app” parameter is an interface which will be used to compose the application for our Owin server, so add new file named “Startup” to the root of the project and paste the code below:

C#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
   public class Startup
    {
 
        public void Configuration(IAppBuilder app)
        {
            HttpConfiguration httpConfig = new HttpConfiguration();
 
            ConfigureOAuthTokenGeneration(app);
 
            ConfigureWebApi(httpConfig);
 
            app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
 
            app.UseWebApi(httpConfig);
 
        }
 
        private void ConfigureOAuthTokenGeneration(IAppBuilder app)
        {
            // Configure the db context and user manager to use a single instance per request
            app.CreatePerOwinContext(ApplicationDbContext.Create);
            app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
 
    // Plugin the OAuth bearer JSON Web Token tokens generation and Consumption will be here
 
        }
 
        private void ConfigureWebApi(HttpConfiguration config)
        {
            config.MapHttpAttributeRoutes();
 
            var jsonFormatter = config.Formatters.OfType<JsonMediaTypeFormatter>().First();
            jsonFormatter.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
        }
    }

What worth noting here is how we are creating a fresh instance from the “ApplicationDbContext” and “ApplicationUserManager” for each request and set it in the Owin context using the extension method “CreatePerOwinContext”. Both objects (ApplicationDbContext and AplicationUserManager) will be available during the entire life of the request.

Note: I didn’t plug any kind of authentication here, we’ll visit this class again and add JWT Authentication in the next post, for now we’ll be fine accepting any request from any anonymous users.

Define Web API Controllers and Methods

Step 7: Create the “Accounts” Controller:

Now we’ll add our first controller named “AccountsController” which will be responsible to manage user accounts in our Identity system, to do so add new folder named “Controllers” then add new class named “AccountsController” and paste the code below:

C#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
[RoutePrefix("api/accounts")]
public class AccountsController : BaseApiController
{
 
[Route("users")]
public IHttpActionResult GetUsers()
{
return Ok(this.AppUserManager.Users.ToList().Select(u => this.TheModelFactory.Create(u)));
}
 
[Route("user/{id:guid}", Name = "GetUserById")]
public async Task<IHttpActionResult> GetUser(string Id)
{
var user = await this.AppUserManager.FindByIdAsync(Id);
 
if (user != null)
{
return Ok(this.TheModelFactory.Create(user));
}
 
return NotFound();
 
}
 
[Route("user/{username}")]
public async Task<IHttpActionResult> GetUserByName(string username)
{
var user = await this.AppUserManager.FindByNameAsync(username);
 
if (user != null)
{
return Ok(this.TheModelFactory.Create(user));
}
 
return NotFound();
 
}
}

What we have implemented above is the following:

  • Our “AccountsController” inherits from base controller named “BaseApiController”, this base controller is not created yet, but it contains methods that will be reused among different controllers we’ll add during this tutorial, the methods which comes from “BaseApiController” are: “AppUserManager”, “TheModelFactory”, and “GetErrorResult”, we’ll see the implementation for this class in the next step.
  • We have added 3 methods/actions so far in the “AccountsController”:
    • Method “GetUsers” will be responsible to return all the registered users in our system by calling the enumeration “Users” coming from “ApplicationUserManager” class.
    • Method “GetUser” will be responsible to return single user by providing it is unique identifier and calling the method “FindByIdAsync” coming from “ApplicationUserManager” class.
    • Method “GetUserByName” will be responsible to return single user by providing it is username and calling the method “FindByNameAsync” coming from “ApplicationUserManager” class.
    • The three methods send the user object to class named “TheModelFactory”, we’ll see in the next step the benefit of using this pattern to shape the object graph returned and how it will protect us from leaking any sensitive information about the user identity.
  • Note: All methods can be accessed by any anonymous user, for now we are fine with this, but we’ll manage the access control for each method and who are the authorized identities that can perform those actions in the coming posts.

Step 8: Create the “BaseApiController” Controller:

As we stated before, this “BaseApiController” will act as a base class which other Web API controllers will inherit from, for now it will contain three basic methods, so add new class named “BaseApiController” under folder “Controllers” and paste the code below:

C#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
    public class BaseApiController : ApiController
    {
 
        private ModelFactory _modelFactory;
        private ApplicationUserManager _AppUserManager = null;
 
        protected ApplicationUserManager AppUserManager
        {
            get
            {
                return _AppUserManager ?? Request.GetOwinContext().GetUserManager<ApplicationUserManager>();
            }
        }
 
        public BaseApiController()
        {
        }
 
        protected ModelFactory TheModelFactory
        {
            get
            {
                if (_modelFactory == null)
                {
                    _modelFactory = new ModelFactory(this.Request, this.AppUserManager);
                }
                return _modelFactory;
            }
        }
 
        protected IHttpActionResult GetErrorResult(IdentityResult result)
        {
            if (result == null)
            {
                return InternalServerError();
            }
 
            if (!result.Succeeded)
            {
                if (result.Errors != null)
                {
                    foreach (string error in result.Errors)
                    {
                        ModelState.AddModelError("", error);
                    }
                }
 
                if (ModelState.IsValid)
                {
                    // No ModelState errors are available to send, so just return an empty BadRequest.
                    return BadRequest();
                }
 
                return BadRequest(ModelState);
            }
 
            return null;
        }
    }

What we have implemented above is the following:

  • We have added read only property named “AppUserManager” which gets the instance of the “ApplicationUserManager” we already set in the “Startup” class, this instance will be initialized and ready to invoked.
  • We have added another read only property named “TheModelFactory” which returns an instance of “ModelFactory” class, this factory pattern will help us in shaping and controlling the response returned to the client, so we will create a simplified model for some of our domain object model (Users, Roles, Claims, etc..) we have in the database. Shaping the response and building customized object graph is very important here; because we do not want to leak sensitive data such as “PasswordHash” to the client.
  • We have added a function named “GetErrorResult” which takes “IdentityResult” as a constructor and formats the error messages returned to the client.

Step 8: Create the “ModelFactory” Class:

Now add new folder named “Models” and inside this folder create new class named “ModelFactory”, this class will contain all the functions needed to shape the response object and control the object graph returned to the client, so open the file and paste the code below:

C#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
    public class ModelFactory
    {
        private UrlHelper _UrlHelper;
        private ApplicationUserManager _AppUserManager;
 
        public ModelFactory(HttpRequestMessage request, ApplicationUserManager appUserManager)
        {
            _UrlHelper = new UrlHelper(request);
            _AppUserManager = appUserManager;
        }
 
        public UserReturnModel Create(ApplicationUser appUser)
        {
            return new UserReturnModel
            {
                Url = _UrlHelper.Link("GetUserById", new { id = appUser.Id }),
                Id = appUser.Id,
                UserName = appUser.UserName,
                FullName = string.Format("{0} {1}", appUser.FirstName, appUser.LastName),
                Email = appUser.Email,
                EmailConfirmed = appUser.EmailConfirmed,
                Level = appUser.Level,
                JoinDate = appUser.JoinDate,
                Roles = _AppUserManager.GetRolesAsync(appUser.Id).Result,
                Claims = _AppUserManager.GetClaimsAsync(appUser.Id).Result
            };
        }
    }
 
    public class UserReturnModel
    {
        public string Url { get; set; }
        public string Id { get; set; }
        public string UserName { get; set; }
        public string FullName { get; set; }
        public string Email { get; set; }
        public bool EmailConfirmed { get; set; }
        public int Level { get; set; }
        public DateTime JoinDate { get; set; }
        public IList<string> Roles { get; set; }
        public IList<System.Security.Claims.Claim> Claims { get; set; }
    }

Notice how we included only the properties needed to return them in users object graph, for example there is no need to return the “PasswordHash” property so we didn’t include it.

Step 9: Add Method to Create Users in”AccountsController”:

It is time to add the method which allow us to register/create users in our Identity system, but before adding it, we need to add the request model object which contains the user data which will be sent from the client, so add new file named “AccountBindingModels” under folder “Models” and paste the code below:

C#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
    public class CreateUserBindingModel
    {
        [Required]
        [EmailAddress]
        [Display(Name = "Email")]
        public string Email { get; set; }
 
        [Required]
        [Display(Name = "Username")]
        public string Username { get; set; }
 
        [Required]
        [Display(Name = "First Name")]
        public string FirstName { get; set; }
 
        [Required]
        [Display(Name = "Last Name")]
        public string LastName { get; set; }
 
        [Display(Name = "Role Name")]
        public string RoleName { get; set; }
 
        [Required]
        [StringLength(100, ErrorMessage = "The {0} must be at least {2} characters long.", MinimumLength = 6)]
        [DataType(DataType.Password)]
        [Display(Name = "Password")]
        public string Password { get; set; }
 
        [Required]
        [DataType(DataType.Password)]
        [Display(Name = "Confirm password")]
        [Compare("Password", ErrorMessage = "The password and confirmation password do not match.")]
        public string ConfirmPassword { get; set; }
    }

The class is very simple, it contains properties for the fields we want to send from the client to our API with some data annotation attributes which help us to validate the model before submitting it to the database, notice how we added property named “RoleName” which will not be used now, but it will be useful in the coming posts.

Now it is time to add the method which register/creates a user, open the controller named “AccountsController” and add new method named “CreateUser” and paste the code below:

C#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
[Route("create")]
public async Task<IHttpActionResult> CreateUser(CreateUserBindingModel createUserModel)
{
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}
 
var user = new ApplicationUser()
{
UserName = createUserModel.Username,
Email = createUserModel.Email,
FirstName = createUserModel.FirstName,
LastName = createUserModel.LastName,
Level = 3,
JoinDate = DateTime.Now.Date,
};
 
IdentityResult addUserResult = await this.AppUserManager.CreateAsync(user, createUserModel.Password);
 
if (!addUserResult.Succeeded)
{
return GetErrorResult(addUserResult);
}
 
Uri locationHeader = new Uri(Url.Link("GetUserById", new { id = user.Id }));
 
return Created(locationHeader, TheModelFactory.Create(user));
}

What we have implemented here is the following:

  • We validated the request model based on the data annotations we introduced in class “AccountBindingModels”, if there is a field missing then the response will return HTTP 400 with proper error message.
  • If the model is valid, we will use it to create new instance of class “ApplicationUser”, by default we’ll put all the users in level 3.
  • Then we call method “CreateAsync” in the “AppUserManager” which will do the heavy lifting for us, inside this method it will validate if the username, email is used before, and if the password matches our policy, etc.. if the request is valid then it will create new user and add to the “AspNetUsers” table and return success result. From this result and as good practice we should return the resource created in the location header and return 201 created status.

Notes:

  • Sending a confirmation email for the user, and configuring user and password policy will be covered in the next post.
  • As stated earlier, there is no authentication or authorization applied yet, any anonymous user can invoke any available method, but we will cover this authentication and authorization part in the coming posts.

Step 10: Test Methods in”AccountsController”:

Lastly it is time to test the methods added to the API, so fire your favorite REST client Fiddler or PostMan, in my case I prefer PostMan. So lets start testing the “Create” user method, so we need to issue HTTP Post to the URI: “http://localhost:59822/api/accounts/create” as the request below, if creating a user went good you will receive 201 response:

Create User

Now to test the method “GetUsers” all you need to do is to issue HTTP GET to the URI: “http://localhost:59822/api/accounts/users” and the response graph will be as the below:

JavaScript
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
[
  {
    "url": "http://localhost:59822/api/accounts/user/29e21f3d-08e0-49b5-b523-3d68cf623fd5",
    "id": "29e21f3d-08e0-49b5-b523-3d68cf623fd5",
    "userName": "SuperPowerUser",
    "fullName": "Taiseer Joudeh",
    "email": "taiseer.joudeh@gmail.com",
    "emailConfirmed": true,
    "level": 1,
    "joinDate": "2012-01-17T12:41:40.457",
    "roles": [
      "Admin",
      "Users",
      "SuperAdmin"
    ],
    "claims": [
      {
        "issuer": "LOCAL AUTHORITY",
        "originalIssuer": "LOCAL AUTHORITY",
        "properties": {},
        "subject": null,
        "type": "Phone",
        "value": "123456782",
        "valueType": "http://www.w3.org/2001/XMLSchema#string"
      },
      {
        "issuer": "LOCAL AUTHORITY",
        "originalIssuer": "LOCAL AUTHORITY",
        "properties": {},
        "subject": null,
        "type": "Gender",
        "value": "Male",
        "valueType": "http://www.w3.org/2001/XMLSchema#string"
      }
    ]
  },
  {
    "url": "http://localhost:59822/api/accounts/user/f0f8d481-e24c-413a-bf84-a202780f8e50",
    "id": "f0f8d481-e24c-413a-bf84-a202780f8e50",
    "userName": "tayseer.Joudeh",
    "fullName": "Tayseer Joudeh",
    "email": "tayseer_joudeh@hotmail.com",
    "emailConfirmed": true,
    "level": 3,
    "joinDate": "2015-01-17T00:00:00",
    "roles": [],
    "claims": []
  }
]

The source code for this tutorial is available on GitHub.

In the next post we’ll see how we’ll configure our Identity service to start sending email confirmations, customize username and password polices, implement Json Web Token (JWTs) Authentication and manage the access for the methods.

Follow me on Twitter @tjoudeh

References

  • Code First Migrations and Deployment with the Entity Framework in an ASP.NET MVC
  • The good, the bad and the ugly of ASP.NET Identity
  • Introduction to ASP.NET Identity

Related Posts

  • Integrate Azure AD B2C with ASP.NET MVC Web App – Part 3
  • Secure ASP.NET Web API 2 using Azure AD B2C – Part 2
  • Azure Active Directory B2C Overview and Policies Management – Part 1
  • ASP.NET Web API Claims Authorization with ASP.NET Identity 2.1 – Part 5
  • ASP.NET Identity 2.1 Accounts Confirmation, and Password Policy Configuration – Part 2

Filed Under: ASP.NET, ASP.NET Identity, ASP.Net Web API, Web API Tutorial Tagged With: Token Authentication, Tutorial, Web API 2

Comments

  1. Robin says

    March 30, 2017 at 9:09 pm

    This is an awesome tutorial and it helped tremendously in our project, thank you so much! Do you have any thoughts in making this OData compatible though? The rest of our API is OData, and I found it a bit challenging in mapping between OData and non-OData tables. Thanks!

    Reply
    • Taiseer Joudeh says

      April 8, 2017 at 6:28 pm

      You are welcome Robin, to be honest I have to thoughts now, and I do not like OData, I find it complex to be called from client apps 🙂

      Reply
  2. Shubham Rajput says

    April 24, 2017 at 9:15 am

    this is awesome tutorial. it really help us.
    Thank U

    Reply
  3. Andrei Utkin says

    May 27, 2017 at 1:49 pm

    Thanks you for posts, it was very useful for me.

    Reply
    • Taiseer Joudeh says

      June 13, 2017 at 12:52 am

      You are welcome 🙂

      Reply
  4. Fred Josephs says

    July 4, 2017 at 11:19 am

    Unfortunately this code is very old and quite hard to follow with VS 2017.
    Most important is that the code does not include the references used:
    There are no “using” statements and hence for someone who is new to all the libraries there is great impedance to progress since one has to constantly search to find simple things like IdentityDbContext, UserManager etc.

    Reply
    • Hamza Khanzada says

      March 6, 2022 at 8:42 pm

      You can speed up the process by cloning code from his repository that is on github https://github.com/tjoudeh/AspNetIdentity.WebApi and then copy and paste the relevant code from there

      Reply
  5. Abas says

    July 9, 2017 at 1:11 pm

    Hi. it’s so use full for me. but i need part 6 for AngularJS.

    Reply
  6. djama says

    August 16, 2017 at 8:55 pm

    Hi Taiseer,

    Nice post, Very happy
    But I tested the validation but, the app allows duplicate email address.

    Reply
  7. Hassan says

    August 19, 2017 at 9:24 am

    Thanks for your tutorial. Can I ask where is login method or how can i implement it to get token based on jwt?

    Reply
  8. Muhammad Ahmed says

    August 19, 2017 at 6:46 pm

    Thank you for the great article.

    However tell me one thing. Isn’t the global.asax file necessary to be present ? . You didn’t cover that file as far as i can see in this tutorial. Isn’t RouteConfig.RegisterRoutes(RouteTable.Routes); necessary for the engine to recognize the urls?

    Thanks for the article again

    Reply
  9. Mazdak says

    September 23, 2017 at 4:02 pm

    Thank you, It was really helpful for me, i have tried many times to get close to this subject but always i have failed before even starting it! this time your step by step article made it easy for me.
    Thanks a lot 🙂

    Reply
  10. Sergio Sanchez Arias says

    October 8, 2017 at 10:58 pm

    Thank you!

    Reply
  11. twitter says

    October 10, 2017 at 3:51 am

    I hаve been exploring fοr a littlpe forr ɑny hiɡһ-quality articles or weblog posts іn thi sort оff house .
    Exploring in Yahoo I eventually sttumbled սpon this
    website. Readingg tһіs info Sⲟ i’m glad tо show thаt I hɑve an incredibly good uncanny feeling І came upon exactly ԝһat I neеded.

    I such a lot undoubtedly wiⅼl makе ѕure tⲟ ԁo not foeget thiѕ website ɑnd giᴠe it a glance regularly.

    Reply
  12. gustavo garcia says

    October 10, 2017 at 4:07 am

    Step 9 where it says:
    [Route(“create”)]
    public async Task CreateUser(CreateUserBindingModel createUserModel)

    this object CreateUserBindingModel does not exist. The object you wanted to write is AccountBindingModels.

    Other than that, I really appreciate your code!

    Reply
  13. Akshay Joy says

    October 17, 2017 at 10:46 am

    hey I am getting this compiler error “Error 3 ‘System.Net.Http.HttpRequestMessage’ does not contain a definition for ‘GetOwinContext’ and the best extension method overload ‘System.Web.HttpContextBaseExtensions.GetOwinContext(System.Web.HttpContextBase)’ has some invalid arguments ..\Project X\WebApiOAuth\WebApiOAuth\Controllers\BaseApiController.cs 23 43 WebApiOAuth. I am almost there.. please help

    Reply
  14. Guatam says

    November 2, 2017 at 12:41 pm

    Many thanks for the article. I have a question in relation to the asp identity framework which I also posted no to the stackoverflow. In my project, I am using OAuth with the identity framework. In our project, there are two types of users(employees) one type of users will be able to sign in using the username and password and other type of the user will be login using SSO. I have two tables one for asp.net user and the other for the employee information. I have added the employeeId in the user table. My question is that should I create the user in AspNetUsers table for the employees logging in without the password using SSO or I don’t need it. Forgot to mention that SSOtoken is passed with employee ID. If I do it means I have to create a user without password or dummy password? Thanks

    Reply
  15. Mr.Stupid_coder says

    November 28, 2017 at 10:48 am

    This is awesome.But there is no database with storedprocedure.How can I get it?

    Reply
  16. Abudawood says

    November 28, 2017 at 9:02 pm

    Thank you for the tutorial
    I want to know what is the difference between this series and the old series https://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/?
    Many Thanks

    Reply
    • Tony Nguyen says

      December 5, 2018 at 1:49 pm

      I also have the same question. Has you found out?

      Reply
  17. Eugene says

    December 11, 2017 at 3:40 pm

    Thank you for your post. It helps me a lot. I have just one small question.
    When I was trying to get all users via postman my response does not contain claims.
    Is it something what I missed during this tutorial or is it something what needs to be developed extra?
    Thank you in advance.

    Reply
  18. Sean S says

    January 22, 2018 at 5:34 am

    If anyone is having problems with Request.GetOwinContext() returning null, you may need to add app.UseCookieAuthentication(new CookieAuthenticationOptions()); to your Startup.cs as a temporary measure. Not sure why this is, but it can probably be removed when JWT is actually implemented in the later tutorials.

    Reply
    • Chad E says

      February 20, 2019 at 11:31 pm

      Many thanks for the hint on what the issue could be.

      In my particular case I was working with an already established Web Api project without a Startup.cs. Per the tutorial I added the Startup file, but realized it was not being called when I placed a breakpoint. The fix was to install-package Microsoft.Owin.Host.SystemWeb.

      Reply
  19. Edson-TNB says

    January 29, 2018 at 12:23 am

    Hi Taiseer Joudeh ! I Hope that you’re OK. First of all thanks a lot, your posting havebeen fantastic. obs: “Sorry abt my poor english.”

    note: I Already complete all tutorial.

    Can you help me? Using postman to GetUserById (with comment on GetUserByName) works. If I keep the GetUserById and uncomment the GetUserByName using Postman to Get User by Name appear the error below.

    {
    “message”: “An error has occurred.”,
    “exceptionMessage”: “Multiple actions were found that match the request: \r\nGetUser on type AspNetIdentity.WebApi.Controllers.AccountsController\r\nGetUserByName on type AspNetIdentity.WebApi.Controllers.AccountsController”,
    “exceptionType”: “System.InvalidOperationException”,
    “stackTrace”: ” em System.Web.Http.Controllers.ApiControllerActionSelector.ActionSelectorCacheItem.SelectAction(HttpControllerContext controllerContext)\r\n em System.Web.Http.Controllers.ApiControllerActionSelector.SelectAction(HttpControllerContext controllerContext)\r\n em System.Web.Http.ApiController.ExecuteAsync(HttpControllerContext controllerContext, CancellationToken cancellationToken)\r\n em System.Web.Http.Dispatcher.HttpControllerDispatcher.d__1.MoveNext()”
    }

    Reply
  20. Alexandre Hedreville says

    February 25, 2018 at 11:50 pm

    Hi Taiseer Joudeh

    I tried to re factor your code and use a TypeConverter instead of a ModelFactory. But I get a strange behavior when AP Controllers methods try to return the ApplicationUser Type.

    Let me explain. I had decorated the ApplicationUser type as follows

    [TypeConverter(typeof(ApplicationUserConverter))]
    public class ApplicationUser : IdentityUser

    An create a TypeConverter as Follows…

    public class ApplicationUserConverter : TypeConverter
    {
    public override bool CanConvertTo(ITypeDescriptorContext context, Type destinationType)
    {
    return destinationType == typeof(string) || destinationType == typeof(UserReturnModel) || base.CanConvertTo(context, destinationType);
    }
    public override object ConvertTo(ITypeDescriptorContext context, CultureInfo culture, object value, Type destinationType)
    {
    if (value == null)
    return new UserReturnModel();
    if (destinationType != typeof(UserReturnModel))
    return base.ConvertTo(context, culture, value, destinationType);
    if (!(value is ApplicationUser))
    return base.ConvertTo(context, culture, value, destinationType);
    var user = (ApplicationUser)value;
    return new UserReturnModel
    {
    Id = user.Id,
    UserName = user.UserName,
    Email = user.Email,
    EmailConfirmed = user.EmailConfirmed
    …… bla bla bla…
    };
    }
    }
    }

    If I write the method in the controller like below it converts OK, and I receive the JSON that I expect

    return Ok(this.AppUserManager.Users.ToList().Select(u => _typeConverter.ConvertTo(u, typeof(UserReturnModel))));

    BUT if I write the method like below… where I return the ApplicationUser not the converted type..

    return Ok(this.AppUserManager.Users.ToList());

    I got the TYPE NAMES (really the class Type Name for ApplicationUser)
    [
    “AspNetIdentity.WebApi.Infrastructure.ApplicationUser”
    ]

    It seems that, as soon I apply the [TypeConverter(typeof(ApplicationUserConverter))] attribute on the ApplicationUser class I get that behavior.

    The returned type is not longer the ApplicationUser object with their properties on JSON format, but instead I get the Type Class Name.

    Any idea of how can ride off this “collateral-effect” when applying TypeConverter on classes? Is very annoying

    Reply
    • Alexandre Hedreville says

      February 26, 2018 at 2:41 pm

      I found a valid answer at https://stackoverflow.com/questions/31325866/newtonsoft-json-cannot-convert-model-with-typeconverter-attribute

      😉

      Reply
  21. Alexandre Hedreville says

    February 27, 2018 at 1:21 am

    Hi again..
    I would need to pass a repository to the TypeConverter in order to do the convertion work.
    There is a way to pass parameters to a TypeConverter?
    I mean if a TypeConverter needs some objects to perform his work of convertion? how can I pass those as parameters to the TypeConverter?

    I we can’t do so.. the TypeConverter can’t set Url, Roles, or Claims since we have no way to do it

    Reply
  22. Berylius says

    March 13, 2018 at 5:08 pm

    Absolutely excellent tutorial!

    Thanks a lot!

    Reply
  23. Reza says

    May 8, 2018 at 1:09 pm

    Hi.
    I appreciate for your tutorial but i have a question.
    as well as you know,should we use Identity in n-tier applications with other models, where should we to put these classes and configures files? what about Dbcontext? , I create Dbcontext in DAL layer and models in Domain Layer.
    where should i put Identity models?
    Do you have any tutorial or example for this scenario?
    Best regards.

    Reply
  24. TRAVIS says

    February 1, 2020 at 7:52 pm

    Exactly what I was looking for, beautiful article, however being 5 years old, is it still what you feel to be the right technique to use nowadays to add asp.net identity to a webapi?

    Reply
  25. Travis says

    February 4, 2020 at 7:55 pm

    This looks exactly like what I need, but being that the article was written in 2015 with .net framework 4.5 & it is 2020 and 3.1 will be used, I have to wonder if this article is still relevant. Could you address whether you’d still use this technique or have things changed enough that a new article would be needed?

    Reply
  26. Travis says

    February 4, 2020 at 9:44 pm

    In my C# .net core project I don’t have a Web.config to add the db connectionstring to.

    Reply
  27. Travis says

    February 5, 2020 at 12:23 am

    Your solution here truly is a work of art. As is sometimes the case with the passage of time, I have to wonder if there may be a simpler solution which accomplishes the same work you have performed here, now available. Maybe you might already know, or could take a moment to look at, if using IdentityServer4 and its integration with ASP.NET Core Identity might provide the same solution (see http://docs.identityserver.io/en/latest/reference/aspnet_identity.html).

    I am very interested in your thoughts on this & look forward to hearing from you.

    Reply
  28. Asaad says

    March 18, 2020 at 1:42 am

    Thank you very much for this very well tutorial.

    Reply
  29. Taiseer Joudeh Sucks nigger muslim dick says

    June 3, 2020 at 3:50 pm

    Who the dumb sob unit inch goat humper who posted this crapola
    Hey Taiseer Joudeh the dick sucket
    UserManager has no constructor that accepts one parameter you dip in shit muslem goat dick sucker

    Reply
« Older Comments

Trackbacks

  1. First choice voucher code says:
    January 12, 2018 at 8:21 pm

    http://www.voucherbadger.codes

    ASP.NET Identity 2.1 with ASP.NET Web API 2.2 (Accounts Management) – Part 1 – Bit of Technology

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Taiseer

Husband, Father, Consultant @ MSFT, Life Time Learner... Read More…

Buy me a coffeeBuy me a coffee

Recent Posts

  • Integrate Azure AD B2C with ASP.NET MVC Web App – Part 3
  • Secure ASP.NET Web API 2 using Azure AD B2C – Part 2
  • Azure Active Directory B2C Overview and Policies Management – Part 1
  • ASP.NET Web API Claims Authorization with ASP.NET Identity 2.1 – Part 5
  • ASP.NET Identity 2.1 Roles Based Authorization with ASP.NET Web API – Part 4

Blog Archives

Recent Posts

  • Integrate Azure AD B2C with ASP.NET MVC Web App – Part 3
  • Secure ASP.NET Web API 2 using Azure AD B2C – Part 2
  • Azure Active Directory B2C Overview and Policies Management – Part 1
  • ASP.NET Web API Claims Authorization with ASP.NET Identity 2.1 – Part 5
  • ASP.NET Identity 2.1 Roles Based Authorization with ASP.NET Web API – Part 4

Tags

AJAX AngularJS API API Versioning ASP.NET ASP.Net 5 Authentication Autherization Server Azure Active Directory Azure Active Directory B2C Azure AD B2C basic authentication Code First Dependency Injection Documentation Entity Framework Entity Framework 7 Facebook Foursquare API Google Authenticator Identity jQuery JSON JSON Web Tokens JWT MVC 6 Ninject OAuth OData Resource Server REST RESTful RESTful. Web API Single Page Applications SPA Swagger-ui Swashbuckle TFA Token Authentication Tutorial Two Factor Authentication Web API Web API 2 Web API Security Web Service

Search

Copyright © 2022 · eleven40 Pro Theme on Genesis Framework · WordPress · Log in