AuthAction is a flexible auth platform for both frontend and M2M apps. It supports OAuth2, social logins, passkeys, and includes user, role, and org management. Scalable up to 1M MAUs for free, it's ideal for startups and enterprises alike.
In this blog, we'll explore how to authorise .NET APIs using AuthAction.
Prerequisites
Before you begin, ensure you have:
- .NET 8.0 SDK or later: Download from dotnet.microsoft.com
- AuthAction Account: You'll need your AuthAction tenant domain and API identifier
Configuration
1. Install Required Packages
Add the following NuGet packages to your project:
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer
dotnet add package Microsoft.IdentityModel.Protocols.OpenIdConnect
2. Configure AuthAction Settings
Add the following configuration to your appsettings.json:
{
  "Auth": {
    "Authority": "https://your-authaction-tenant-domain/",
    "Audience": "your-authaction-api-identifier"
  }
}
Replace:
- your-authaction-tenant-domain with your AuthAction tenant domain
- your-authaction-api-identifier with your API identifier
3. Configure JWT Authentication
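In your Program.cs, add the following configuration:
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// Service registration: place before builder.Build().
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Tenant URL and API identifier come from the "Auth" section of appsettings.json.
        options.Authority = builder.Configuration["Auth:Authority"];
        options.Audience = builder.Configuration["Auth:Audience"];
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true
        };
    });
builder.Services.AddAuthorization();
// ... other service configurations ...

// Middleware: place after builder.Build(). Authentication must run before authorization.
app.UseAuthentication();
app.UseAuthorization();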
Usage
1. Protect Your Endpoints
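Add the [Authorize] attribute to your controllers or actions that require authentication:
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("[controller]")]
public class WeatherForecastController : ControllerBase
{
    // Requests without a valid bearer token are rejected before this action runs.
    [Authorize]
    [HttpGet]
    public IEnumerable<WeatherForecast> Get()
    {
        // Your protected endpoint logic
        return Array.Empty<WeatherForecast>();
    }
}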
2. Testing the API
To test your protected endpoints, you'll need to:
- Obtain an Access Token
Use the client credentials flow to get a token:
curl --request POST \
  --url https://your-authaction-tenant-domain/oauth2/m2m/token \
  --header 'content-type: application/json' \
  --data '{
    "client_id": "your-authaction-m2m-app-clientid",
    "client_secret": "your-authaction-m2m-app-client-secret",
    "audience": "your-authaction-api-identifier",
    "grant_type": "client_credentials"
  }'
- Call Protected Endpoints
Use the token to access protected endpoints:
curl --request GET \
  --url http://localhost:5287/protected \
  --header 'Authorization: Bearer YOUR_ACCESS_TOKEN'
Security Features
The implementation includes:
- JWT token validation using AuthAction's JWKS endpoint
- RS256 algorithm for token signing
- Automatic token validation and expiration checking
- Secure configuration management
- HTTPS support in production
Common Issues
Invalid Token Errors
- Ensure your token is signed with the RS256 algorithm
- Verify the token contains the correct issuer and audience claims
- Check that Authority and Audience are correctly set in configuration
Public Key Fetching Errors
- Verify your application can reach AuthAction's JWKS endpoint
- The JWKS URI should be: https://your-authaction-tenant-domain/.well-known/jwks.json
Unauthorized Access
If requests to protected endpoints fail, check:
- The JWT token is included in the Authorization header
- The token is valid and not expired
- The token's audience matches your API identifier
- The token's issuer matches your AuthAction domain
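To see which of the checks listed under Common Issues a given token fails, the console helper below decodes the token and compares its alg, iss, aud and exp values with what the API expects. It is an added example, not code from AuthAction or from the original post; TokenDiagnostics, Check and the sample token are hypothetical names and constructed values, and the expected issuer and audience are assumed to be supplied by you.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

// Constructed sample: an unsigned token with placeholder values, built inline.
string Encode(string json) => Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
    .TrimEnd('=').Replace('+', '-').Replace('/', '_');
var sample = Encode("{\"alg\":\"HS256\"}") + "." + Encode(
    "{\"iss\":\"https://your-authaction-tenant-domain\",\"aud\":[\"other-api\"],\"exp\":1700000000}") + ".sig";
foreach (var finding in TokenDiagnostics.Check(sample, "https://your-authaction-tenant-domain/",
             "your-authaction-api-identifier", DateTimeOffset.UtcNow))
    Console.WriteLine(finding);

static class TokenDiagnostics
{
    // Decodes one base64url segment to JSON. The signature is NOT verified here.
    static JsonElement Segment(string part)
    {
        var b64 = part.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return JsonDocument.Parse(Convert.FromBase64String(b64)).RootElement;
    }

    public static List<string> Check(string token, string issuer, string audience, DateTimeOffset now)
    {
        var findings = new List<string>();
        var parts = token.Split('.');
        if (parts.Length != 3) return new List<string> { "token does not have three segments" };
        JsonElement header = Segment(parts[0]), claims = Segment(parts[1]);
        var alg = header.TryGetProperty("alg", out var a) ? a.GetString() : null;
        if (alg != "RS256") findings.Add($"alg is '{alg}', expected RS256");
        var iss = claims.TryGetProperty("iss", out var i) ? i.GetString() : null;
        if (iss != issuer)
            findings.Add(iss?.TrimEnd('/') == issuer.TrimEnd('/')
                ? $"iss '{iss}' and '{issuer}' differ only by a trailing slash"
                : $"iss is '{iss}', expected '{issuer}'");
        // "aud" may be a single string or an array of strings.
        var auds = !claims.TryGetProperty("aud", out var aud) ? new List<string>()
            : aud.ValueKind == JsonValueKind.Array
                ? aud.EnumerateArray().Select(x => x.GetString() ?? "").ToList()
                : new List<string> { aud.GetString() ?? "" };
        if (!auds.Contains(audience)) findings.Add($"aud [{string.Join(", ", auds)}] lacks '{audience}'");
        if (!claims.TryGetProperty("exp", out var exp)) findings.Add("exp claim is missing");
        else if (DateTimeOffset.FromUnixTimeSeconds(exp.GetInt64()) <= now) findings.Add("token has expired");
        return findings;
    }
}
```

A finding explains a 401 response, but an empty list does not prove the token is valid, because the signature is not checked here. Use it on tokens from a test tenant and avoid pasting production tokens into shared tools or logs.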
Conclusion
Integrating authorization into a .NET application using AuthAction is a straightforward process. This example helps streamline the setup, offering developers a robust foundation to build secure applications with minimal effort.
If you run into any issues, double-check your configurations to ensure everything is set up correctly. Happy coding!
Feel free to leave your thoughts and questions in the comments below!
Top comments (1)
Very helpful👍, thanks for your sharing!