๐Ÿฟ CornPop

Authentication and Authorization

5 min read

ู‡ู†ูƒู…ู„ ูƒู„ุงู…ู†ุง ููŠ ุงู„ู€ Security Module Overview of ASP.NET Core Authentication | Microsoft Learn Authentication is the process of determining a userโ€™s identity. ู‡ู„ ู‡ูˆ User ุนู†ุฏู†ุง ุฃุตู„ุง ูˆู„ุง ู„ุงุŸ Authorizationย is the process of determining whether a user has access to a resource. ู„ู‡ ุตู„ุงุญูŠุฉ ุงู†ู‡ ูŠุดูˆู ุงู„ุญุงุฌุฉ ุฏูŠ ูˆู„ุง ู„ุงุŸ ูˆู‡ูŠ ู…ุนู†ุงู‡ุง Roles ูŠุนู†ูŠ ูƒู„ User ู„ู‡ Role ู…ุนูŠู†ุฉ ูˆุนู„ู‰ ุงุณุงุณู‡ุง ุจุชุญุฏุฏ ู‡ูˆ ู…ุณู…ูˆุญู„ุฉ ูŠุฏุฎู„ ุนู„ู‰ ุงูŠู‡ ูˆู…ูŠุฏุฎู„ุด ุนู„ู‰ ุงูŠู‡ ุงู†ู…ุง ู„ูˆ ู…ููŠุด Roles ูŠุจู‚ุง ูƒุฏุง ู…ุนู†ู‰ ุงู†ู‡ Authenticate ุงู†ู‡ ุจุฑุถูˆ Authorized ูŠุฏุฎู„ ุนู„ู‰ ุงูŠ ุญุงุฌุฉ

ู‡ู†ุนู…ู„ Test ุฏู„ูˆู‚ุชูŠ ู„ู„ู€ Authorization ุงู† ุนู†ุฏูŠ Endpoint ูˆู…ูŠู†ูุนุด ุญุฏ ูŠูƒู„ู…ู‡ุง ุบูŠุฑ ู„ู…ุง ูŠุจู‚ุง Authorized ุจู…ุง ุงู†ูŠ ู…ุนู†ุฏูŠุด Roles ูู…ุนู†ู‰ Authorized ุงู†ู‡ Authenticated ูŠุนู†ูŠ ู…ู† ุงู„ุขุฎุฑ ูŠุจุนุชู„ูŠ Token

Get all product

ู‡ู†ุฌุฑุจ ููŠ ุงู„ู€ Endpoint ุงู„ู„ูŠ ุจุชุฌูŠุจ ูƒู„ ุงู„ู€ Products ู†ุฑูˆุญ ุนู„ู‰ Product Controller ูˆู†ุญุท ุงู„ู€ Decorator ุงู„ู„ูŠ ุงุณู…ู‡ [Authorize]

ูˆูƒู…ุงู† ู…ุญุชุงุฌูŠู† ู†ุฒูˆุฏ ุงู„ุงุชู†ูŠู† Middle Wares ุงู„ุฎุงุตูŠู† ุจุงู„ู€ Authentication and Authorization ูˆุจุญุทู‡ู… ุจุนุฏ ุงู„ู€ Routing ุจุนุฏ ุงู„ู€ MapControllers

// main
app.UseStaticFiles();
 
app.MapControllers();
 
app.UseAuthentication();
 
app.UseAuthorization();

UseAuthentication: ู„ู…ุง ุจูŠุนุฏูŠ ุนู„ูŠู‡ุง ุจูŠุจุฏุฃ ูŠุนู…ู„ Check ู‡ู„ ู‡ูˆ ู…ุนุงู‡ Token ูˆู„ุง ู„ุง ูˆุงู„ู€ Token ุจูŠุชุจุนุช ููŠ ุงู„ู€ Header ุจุชุงุน ุงู„ู€ Request ูˆุงู„ู€ Http ุนุจุงุฑุฉ ุนู† ุงุชู†ูŠู† Messages ูˆู‡ู…ุง: Http Request Message, Http Response Message ูˆุนุดุงู† ูŠุนู…ู„ Login ุจูŠุนู…ู„ Http Request ูˆุจูŠุจู‚ุง ู„ูŠู‡ุง Header ูˆ Body ูˆู‡ูˆ ุจูŠุจุนุช ุงู„ู€ Token ููŠ ุงู„ู€ Header ุจุชุงุน ุงู„ู€ Request ูˆุงู„ู€ Middle ware ุจูŠุนู…ู„ Check ุนู„ู‰ ุงู„ู€ Token ูˆูŠุดูˆู ู‡ูˆ ุชู…ุงู… ูˆู„ุง ู„ุง UseAuthorization: ุงู†ุช ุนุงูŠุฒ ุชูƒู„ู… ุฃูŠ EndpointุŸ ุทุจ ู‡ูŠ ุฃูŠ ุญุฏ ูŠูƒู„ู…ู‡ุง ุนุงุฏูŠ ูˆู„ุง ู„ุงุฒู… ุจู€ Role ู…ุนูŠู†ุฉุŸ

ุงู„ู€ Middle ware ุจุชูƒูˆู† ุจูŠุนุฏูŠ ุจูŠู‡ุง ููŠ ุงู„ู€ Request ูˆุงู„ู€ Response

ู„ูˆ ุฌุฑุจู†ุง ุฏู„ูˆู‚ุชูŠ ู†ุนู…ู„ Request ุนู„ู‰ ุงู„ู€ Endpoint ุจุชุงุนู†ุง ูู‡ูˆ ู‡ูŠุนุฏูŠ ุนู„ู‰ ูƒู„ ุงู„ู€ Middlewares ุจุณ ู‡ูŠูŠุฌูŠ ุนู„ู‰ UseAuthentication ูˆูŠู‚ู ู„ุงู†ู†ุง ู…ุจุนุชู†ุงุด ุงู„ู€ Token ููŠู‡ุง ูู‡ูŠุฑุฌุน ุชุงู†ูŠ ุนู„ู‰ ู†ูุณ ุงู„ู€ Middlewares ุจุณ Response ูˆูŠู†ูุฐ ู„ูˆ ููŠู‡ Logic ูˆู‡ูŠู†ูุฐ Middleware ุงู„ู€ Error ุจู€ Code ุจูŠุณุงูˆูŠ 404 ูˆุฏุง ุจุณุจุจ ุงู†ู‡ ู…ุจุนุชุด ุงู„ู€ Token ูˆุงู„ู€ Token ุจูŠุจู‚ุง ู„ู‡ Schema ู…ุนูŠู†ุฉ ูˆู‡ูˆ ุฌุงู„ูŠ Schema ู…ุฎุชู„ูุฉ ูˆุฏุง ุจุณุจุจ ุงู† ู…ู…ูƒู† ูŠุจู‚ุง ุนู†ุฏูŠ Endpoint ุชุงู†ูŠุฉ ุจุชุณู…ุญ ุงู† ุงูŠ ุญุฏ ูŠุฏุฎู„ู‡ุง ู…ุด ู„ุงุฒู… ูŠุจู‚ุง Authorize ูู‡ูˆ ู…ุด ุจูŠุชุนุฑู ุนู„ู‰ ุงู„ู€ Endpoint ุฏูŠ ูˆุจูŠู‚ูˆู„ ุงู† ุงู„ู€ Error 404

ูุงู†ุง ู…ุญุชุงุฌ ูˆุงู†ุง ุจุนู…ู„ Request ุงุจุนุช ุงู„ู€ Token ูˆุงุจุนุชู‡ ููŠ ุงู„ู€ headers ุจุชุงุน ุงู„ู€ Request ุงุฒูˆุฏ ูˆุงุญุฏ ุงุณู…ู‡ Authorization ูˆุงุญุทู„ู‡ ุงู„ู€ Token ู…ู† ุฎู„ุงู„ ุงู†ูŠ ุงุนู…ู„ Login ูˆู‡ูŠุจู‚ุง ู…ุนุงูŠุง ุจุณ ู„ุงุฒู… ุงุญุทู„ู‡ ุงู„ู€ Schema ูˆู„ุชูƒู† ู‡ุญุท Bearer Token

ุจุณ ุฏู„ูˆู‚ุชูŠ ุงู†ุง ู…ุญุฏุฏุชุด Schema ู…ุนูŠู†ุฉ ููŠ ุงู„ู€ Endpoint ุจุชุงุนู†ุง ูˆูƒุฏุง ู‡ูˆ ู‡ูŠุนุชุจุฑู‡ุง ุงู„ู€ Default ูˆู…ุด ู„ุงุฒู… ู†ุนุฑูู‡ุง ูู„ูˆ ุจุนุช ุจุฑุถูˆ ู‡ูŠุจุนุช ู†ูุณ ุงู„ู€ Error ู„ุงู†ู‡ ู…ุญุชุงุฌ ุงู„ู€ Schema ุงู„ู€ Default ูุงู†ุง ู…ุญุชุงุฌ ุงู‚ูˆู„ู‡ ุงู† ุงู„ู€ Schema ู‡ูŠ ุงู„ู€ Bearer [Authorize(AuthenticationSchemes = "Bearer")]

ูุจุฑุถูˆ ู„ูˆ ุดุบู„ู†ุงู‡ ู‡ูŠุฏูŠู„ูŠ Error ุจุณ 500 ู„ุฃู†ูŠ ู…ุญุชุงุฌ ุฃุนู…ู„ Authentication handler ู„ุฃู† ู‡ูˆ ููŠู‡ Token ุฌุงูŠ ูุฃู†ุง ู„ุงุฒู… ุงุนู…ู„ ููŠ ุงู„ู€ Code ุงุฒุงูŠ ุฃุนู…ู„ู‡ Validate

ูุงู„ู€ Scheme ุฏูŠ ู‡ูŠ ุงู„ู„ูŠ ุจุชุญุฏุฏ ุทุฑูŠู‚ุฉ ุงู„ู€ Validation ุนู„ู‰ ุงู„ู€ Token ูˆู…ู…ูƒู† ูŠูƒูˆู† ุนู†ุฏูŠ ุฃูƒุชุฑ ู…ู† Scheme

The registered authentication handlers and their configuration options are called โ€œschemesโ€. Authentication schemes are specified by registering authentication services inย Program.cs

Theย authentication schemeย can select which authentication handler is responsible for generating the correct set of claims. For more information, seeย Authorize with a specific scheme.

An authentication scheme is a name that corresponds to:

  • An authentication handler. ุฏุง ุจูŠุนู…ู„ Validate ุนู„ู‰ ุงู„ู€ Token ู‡ูˆ ุตุญ ูˆู„ุง ู„ุงุŸ
  • Options for configuring that specific instance of the handler.

authentication handler

ูุฃู†ุง ุฏู„ูˆู‚ุชูŠ ู…ุญุชุงุฌ ุงุนู…ู„ authentication handler ู†ุฑูˆุญ ููŠ ุงู„ู€ Program ููŠ ุฌุฒุก ุงู„ู€ Configure Services

ู‡ูˆ ู‚ุงู„ูƒ Register ูŠุนู†ูŠ DI ูู‡ุฑูˆุญ ููŠ ุงู„ู€ AddIdentityServices ูˆุงุถูŠู

public static IServiceCollection AddIdentityServices(this IServiceCollection services, IConfiguration configuration)
// Add IConfiguration
 
// We be called by default, When I call `AddIdentity`
	// Registers services required by authentication services
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) // "Bearer"
	.AddJwtBearer(options =>
	{
		// Configure Authentication Handler
		// options.ForwardSignIn // Go to page SignIn but for MVC
		options.TokenValidationParameteres = new TokenValidationParameters()
		{ // Object initializer
			// Validate with Register Claims that i used to generate token
			ValidateAudience = true,
			// From configurations
			ValidAudience = configuration["JWT:ValidAudience"],
			ValidateIssuer = true,
			ValidIssuer = configuration["JWT:ValidIssuer"],
			ValidateIssuerSigningKey = true, // authKey
			IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JWT:SecretKey"])),
			ValidateLifetime = true,
			ClockSkew = TimeSpan.FromDays(double.Parse(configuration["JWT:DurationInDays"]))
		};
	});
	// If I want another Scheme
	.AddJwtBearer("Bearer02", option =>
	{
	});
 
// Program
builder.Services.AddIdentityServices(builder.Configuration);
 
// Endpoint
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
 
// Search how to add more than one scheme

ู‡ูŠ ุจูŠุชู†ุงุฏู‰ ุนู„ูŠู‡ุง By Default ู„ู…ุง ุจุณุชุฎุฏู… AddIdentity ู„ุงู†ู‡ุง ุจุชุนู…ู„ Allow DI Services ุงู„ู„ูŠ ู…ุญุชุงุฌุงู‡ุง ุงู„ู€ Authentication Services ูˆุจุฑุถูˆ ุงู„ุทุจูŠุนูŠ ุงู†ู‡ุง ู…ุด ุจุชุงุฎุฏ Parameter ุจุณ ุงู„ู…ุฑุงุฏูŠ ู‡ุณุชุฎุฏู… ุงู„ู€ Overload ุงู„ู„ูŠ ุจูŠุงุฎุฏ defaultScheme

ูุฃูˆู„ ูˆุงุญุฏุฉ ู‡ุชู„ุงู‚ูŠู†ูŠ ู…ุญุฏุฏุชุด ุงุณู…ู‡ ูู‡ูˆ ู‡ูŠุณุชุฎุฏู… ุงู„ู€ Default ุงู„ู„ูŠ ู‡ูˆ ููŠ ุงู„ุญุงู„ุฉ ุฏูŠ ุงู„ู€ Bearer ูˆู„ูˆ ู…ุญุฏุฏุชุด ู‡ูŠุณุชุฎุฏู… ุงู„ู€ Default ุงู„ู„ูŠ ู‡ูˆ ุจูŠุธู‡ุฑ ููŠ ุงู„ู€ Error ููŠ ุงู„ุขุฎุฑ ุฎุงู„ุต

ุงู†ุง ููŠ ุงู„ุนุงุฏูŠ ู…ุด ุจุจุนุช ุงู„ู€ Token ููŠ ุงู„ู€ Header ุงู†ู…ุง ุจุฏุฎู„ ููŠ ุฎุงู†ุฉ ุงู„ู€ Authorization ูˆุจุฎุชุงุฑ Bearer Token ูˆุจูƒุชุจ ุงู„ู€ Token

ู„ูˆ ุฎุฏุช ุจุงู„ูŠ ุงู†ุง ูƒุฏุง ู‡ุญุชุงุฌ ูƒู„ ู…ุฑุฉ ุงุญุฏุฏ ุงู„ู€ Authorize scheme ู„ูƒู„ Endpoint ุทูŠุจ ู„ูˆ ุงู†ุง ุนุงูŠุฒ ุฃุซุจุช ุงู„ู€ Scheme ุฏูŠ ูˆู„ู…ุง ุงุนู…ู„ ุญุงุฌุฉ ู…ุฎุชู„ูุฉ ุงุนู…ู„ ูˆุงุญุฏุฉ ุชุงู†ูŠุฉุŸ

Set Default Scheme

ู‡ู†ุฑูˆุญ ู„ู„ู€ AddAuthentication ูˆูƒู†ุง ุงุณุชุฎุฏู…ู†ุง ุงู„ู€ Overload ุงู„ุชุงู†ูŠ ุงู„ู„ูŠ ุจูŠุงุฎุฏ ุงู„ู€ Scheme ุงู†ุง ู‡ุนู…ู„ ูˆุงุญุฏ ุชุงู„ุช ุจูŠุงุฎุฏ ู…ู†ูŠ Lambda ุงุณู…ู‡ุง Option

services.AddAuthentication(options => 
{
	options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; // ุฏูŠ ุฒูŠ ุงู„ุนุงุฏูŠุฉ ุฎุงู„ุต
	options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
	//ุงูŠ ุงูŠู†ุฏ ุจูˆูŠู†ุช ุงูˆุซุฑูŠุฒุฏ ุงู„ู„ูŠ ุจูŠุณุชุฎุฏู…ู‡ุง ุนุดุงู† ูŠุชุญุฏู‰ ุงูŠ ุญุฏ
})
 
// Endpoint
[Authorize]

Graph View

Backlinks