In this article, I am going to discuss how to implement Basic Authentication using a Message Handler in ASP.NET Web API. Please read our last article, where we discussed the Server-Side HTTP Message Handler in ASP.NET Web API.
As we already discussed, Basic Authentication means that the client sends the username and password, Base64 encoded, in the Authorization header of the HTTP request. The server reads the username and password from the Authorization header and checks them against a persistent store (most of the time a database). If the credentials are found in the store, the server treats the HTTP request as valid and processes it; otherwise it simply returns an Unauthorized response to the client.
Let us implement Basic Authentication using a Message Handler
We are going to use the following UserMaster table in this demo.
Please use the SQL script below to create and populate the UserMaster table with the required sample data.
Let's create an empty Web API application with the name BasicAuthenticationUsingMessageHandler (you can give it any name): select Empty and tick Web API, as shown in the image below.
Once you click the OK button, it will create the application for us. The next step is to create an ADO.NET Entity Data Model against the SecurityDB database and select the UserMaster table.
Here you need to choose the Database First approach of Entity Framework.
Let's create a class with the name ValidateUser and copy and paste the following code.
In the above class, we create one method, CheckUserCredentials, which validates the user by checking the username and password.
Now, let's implement our own custom message handler to check whether the client has sent an Authorization header along with the HTTP request. If it is present, we check the header value against the persistent storage, which in our case is the database table.
So let's create a class with the name BasicAuthenticationMessageHandler and copy and paste the following code.
BasicAuthenticationMessageHandler.cs
Please add the following namespaces:
Explanation of the above code:
If the Authorization header is not present in the HTTP request, the request is treated as forbidden. If it is present, we read the header value. The value arrives encoded, so we have to decode it; here the attached header uses the Base64 encoding scheme.
Once we have the user credentials, we check them against the database. If they are present there, we consider the user valid and attach the user principal to the current thread.
The request is then routed to the specific controller and action. Register the custom handler in the WebApiConfig file as shown in the diagram below.
That's it. We are done with our implementation. Let's create an empty Web API controller and copy and paste the following code.
As you can see in the above controller, both Get and Post are decorated with the Authorize attribute, and we have specified the roles for each action, so only the specified roles can access a specific action. Since Get() only reads data, both Admin and User can access it, but Post is allowed only for Admin.
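The handler and its registration, written out as an added example for this article (it is not the article's own code). It replaces the Entity Framework lookup against UserMaster with a small in-memory list of constructed users so it can be read on its own; the user Priyanka/abcdef with role User comes from the article, the Admin01 user and the realm name are constructed. It also assumes the client may send either the bare Base64 value the article uses or the standard "Basic <base64>" form, and answers every failure with 401 plus a WWW-Authenticate challenge, which is what the Postman test later in the article observes.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Stand-in for the UserMaster row (constructed; the article reads it via EF).
public class UserRecord
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public string Role { get; set; }
}

public static class ValidateUser
{
    private static readonly UserRecord[] Users =
    {
        new UserRecord { UserName = "Priyanka", Password = "abcdef", Role = "User" },  // from the article
        new UserRecord { UserName = "Admin01",  Password = "secret", Role = "Admin" }  // constructed
    };

    // Returns the matching user, or null when the credentials do not match.
    // The sample table stores plaintext passwords; a real store would hold a salted hash
    // and this method would verify the hash instead of comparing strings.
    public static UserRecord CheckUserCredentials(string userName, string password)
    {
        foreach (var u in Users)
            if (u.UserName == userName && u.Password == password) return u;
        return null;
    }
}

public class BasicAuthenticationMessageHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        // "Authorization: Basic <token>" parses as Scheme="Basic", Parameter=<token>;
        // the bare form the article sends parses as Scheme=<token>, Parameter=null.
        string token = auth == null ? null
            : string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase) ? auth.Parameter : auth.Scheme;
        if (string.IsNullOrEmpty(token)) return Challenge(request);

        string[] parts;
        try
        {
            string decoded = Encoding.UTF8.GetString(Convert.FromBase64String(token));
            // Split on the first colon only, so a password containing ':' survives.
            parts = decoded.Split(new[] { ':' }, 2);
        }
        catch (FormatException) { return Challenge(request); } // not valid Base64
        if (parts.Length != 2) return Challenge(request);

        UserRecord user = ValidateUser.CheckUserCredentials(parts[0], parts[1]);
        if (user == null) return Challenge(request);

        // Attach the principal so [Authorize(Roles = ...)] on the controller can see the role.
        var principal = new GenericPrincipal(new GenericIdentity(user.UserName, "Basic"), new[] { user.Role });
        Thread.CurrentPrincipal = principal;
        if (request.GetRequestContext() != null) request.GetRequestContext().Principal = principal;

        return await base.SendAsync(request, cancellationToken);
    }

    // 401 with a challenge header, so a browser or HTTP client knows Basic credentials are expected.
    private static HttpResponseMessage Challenge(HttpRequestMessage request)
    {
        HttpResponseMessage response = request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"SecurityDB\""));
        return response;
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute("DefaultApi", "api/{controller}/{id}", new { id = RouteParameter.Optional });
        // Adding the handler here makes it run for every request before any controller is selected.
        config.MessageHandlers.Add(new BasicAuthenticationMessageHandler());
    }
}
```

Because the handler sits in the global pipeline, an unauthenticated request never reaches a controller; a request that authenticates but lacks the required role is still stopped later by the Authorize filter, which is why both cases show up as 401 in the tests.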
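A controller matching the description above, added here as an example and not copied from the article. The role names Admin and User are the ones the article uses; the action bodies and return values are constructed.

```csharp
using System.Collections.Generic;
using System.Web.Http;

public class TestController : ApiController
{
    // Both roles may read. The Authorize filter checks the role list against the
    // GenericPrincipal that the message handler attached to the request.
    [Authorize(Roles = "Admin,User")]
    public IEnumerable<string> Get()
    {
        return new[] { "value1", "value2" }; // constructed sample data
    }

    // Only Admin may write. A caller in the User role was authenticated by the handler,
    // but the filter still rejects the request with 401 because the role does not match.
    [Authorize(Roles = "Admin")]
    public IHttpActionResult Post([FromBody] string value)
    {
        return Ok("stored: " + value);
    }
}
```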
Testing using Postman
First, let's test with the following user:
UserName: Priyanka
Password: abcdef
The username and password need to be separated by a colon (:) and the result must be Base64 encoded. To do this, use the following website.
Enter the username and password separated by a colon (:) in the “Encode to Base64 format” textbox, and then click the “Encode” button as shown in the diagram below, which will generate the Base64 encoded value.
Once you have generated the Base64 encoded string, let's see how to pass it in the Authorization header for basic authentication.
Here we need to use the Authorization header, and its value will be the Base64 encoded string, as shown below.
Authorization: UHJpeWFua2E6YWJjZGVm
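The same header built in code rather than on a website, as an added example that is not part of the article. It assumes the API is hosted at a placeholder base address and routed as api/test, and it sends the standard "Basic <base64>" form; for Priyanka:abcdef the encoded token is the UHJpeWFua2E6YWJjZGVm shown above.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

public static class BasicAuthClient
{
    // Produces what the article generates by hand: Base64("user:password").
    public static string EncodeCredentials(string userName, string password)
    {
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(userName + ":" + password));
    }

    // Issues the GET and POST from the Postman test and returns both status codes.
    // With the article's user Priyanka/abcdef this yields (OK, Unauthorized).
    public static async Task<Tuple<HttpStatusCode, HttpStatusCode>> RunAsync(
        string baseUrl, string userName, string password)
    {
        using (var client = new HttpClient { BaseAddress = new Uri(baseUrl) })
        {
            client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Basic", EncodeCredentials(userName, password));

            HttpResponseMessage get = await client.GetAsync("api/test");
            HttpResponseMessage post = await client.PostAsync(
                "api/test", new StringContent("\"hello\"", Encoding.UTF8, "application/json"));

            return Tuple.Create(get.StatusCode, post.StatusCode);
        }
    }

    public static void Main()
    {
        // Placeholder host; replace with the address IIS Express assigned to the demo project.
        var result = RunAsync("http://localhost:PORT/", "Priyanka", "abcdef").GetAwaiter().GetResult();
        Console.WriteLine("GET: " + result.Item1 + ", POST: " + result.Item2);
    }
}
```

Sending the credentials on every request is inherent to Basic Authentication, so the transport has to protect them: over plain HTTP the Base64 value is readable by anyone on the path, which is why the scheme is only deployed behind TLS.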
GET Request:
As you can see, we get Status 200 as expected, because the user Priyanka has the role “User” and the role “User” has access to the Get method of the Test controller.
POST Request:
As you can see, we get Status 401 Unauthorized as expected, because the user Priyanka has the role “User” and the role “User” does not have access to the Post method of the Test controller.
In the next article, I am going to discuss the HTTP Client Message Handler with some examples. Here, in this article, I tried to explain Basic Authentication using a Message Handler step by step with an example. I hope this article helps you with your needs. I would like to have your feedback. Please post your feedback, questions, or comments about this article.