Before we dive into the code, it’s always helpful to set some context on the problem itself.<\/p>\n
What Is Basic Authentication?<\/h2>\n
When we are trying to protect some resources (for example, an operation on a backend API, or maybe access to some data), we require some kind of authentication<\/a> to secure this access. This requires the consumer to identify themselves to the target server, to gain access to the resource it requires. It does this via the A sample Basic Authentication header might look like this:<\/p>\n The value comprises the word Basic (to identify the scheme), followed by a space, followed by a Base-64 encoded value of a username\/password combination, in the format of Since Base-64 is a very simple algorithm with no encryption which is easy to reverse, any attacker could easily figure out the username and password and issue that same request to gain access. Furthermore, since the credential is passed in every request, it’s very simple for an attacker to impersonate the real user.\u00a0<\/p>\n If we contrast this to the more popular method of OAuth, all these problems are solved. Therefore, if we are trying to secure applications over the public internet, it’s generally preferred to use OAuth or some other style of token-based authentication<\/strong>.<\/p>\n It’s important to always understand the limitations of the practices we apply, so we can make an informed judgment choice. Now that we understand those limitations, let’s move on and see how to apply basic authentication in .NET with To demonstrate basic authentication, we require a client and server. To show this in its simplest form, we’ll create the server and client as separate ASP.NET Core APIs. But in reality, the applications can be anything that can deal with HTTP, as that’s the protocol for basic authentication security.<\/p>\n Let’s start with the server, by creating a standard ASP.NET Core API with Controllers, calling it “Server” and adding a method called There’s a lot going on in the code, but essentially we are getting the value from the header, decoding it, and ensuring it matches the username-password combination we expect. If it does, we return true. Otherwise, false.<\/p>\n Now let’s modify the existing It’s very straightforward: if the request is authenticated we allow it through, otherwise, we return Unauthorized (401).<\/p>\n We should note there are much cleaner ways to this approach.<\/p>\n First, we should set up some middleware to run on every request so that we don’t need to repeat ourselves and keep the authentication code separate from our logic<\/strong>. After that, there are several NuGet packages available that can do all this heavy lifting for us and improve some of our security logic.<\/p>\n However, since we are just demonstrating the concept here, this code is fine.<\/p>\n Let’s hit the endpoint in Postman with no additional headers to observe the result and ensure that our server is secured as we expect:<\/p>\n As we expected, we got an Let’s now set the This time the request was successful, and we get a We have a server protected with basic authentication. Now it’s time to set up the client to communicate with it.<\/p>\n Let’s add another project to our solution, again an ASP.NET Core API, this time let’s call it “Client”. Let’s modify the The most notable aspect of our code is the use of As we demonstrate in our Fetching Data and Content Negotiation with HttpClient in ASP.NET Core<\/a> article, we create a static instance of Let’s see what happens if we execute our The client code crashes, returning\u00a0 a There are a few ways to do this, let’s start with the manual way.<\/p>\n Let’s modify our Because we know the value it needs to be, we can simply hardcode it in the However, this code has several issues. If the username or password changes, we need to re-generate the Base-64 encoded value external to this app and redeploy it. Moreover, we should avoid embedding security credentials in code and source control<\/strong>.<\/p>\n Let’s look to improve these issues.<\/p>\n Let’s first look at securing the credential. Right-click on our project and select “Manage User Secrets”, and add a couple of values:<\/p>\n User Secrets<\/a> are a great way to keep sensitive values out of code and source control. If we wanted to deploy this somewhere, for example, Azure App Service, we could leverage something like Azure Key Vault. However, for our example here, this is perfectly secure.<\/p>\n Let’s modify our code:<\/p>\n This time we are reading the values from the configuration, and applying them at runtime. This means if the values change, all we need to do is update the secrets and restart the app. No redeployment is necessary.<\/strong> Note we could also use a strongly-typed configuration<\/a> instead of dealing with We can simplify our code that sets the header even further:<\/p>\n This is cleaner as we don’t need to clear the default headers or perform string manipulation in the value.<\/p>\n Everything is working great!<\/p>\nAuthorization<\/code> header in the HTTP Request.<\/p>\nAuthorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=<\/code><\/p>\nusername:password<\/code>.\u00a0<\/p>\nComparing Basic Authentication to Other Authentication Schemes<\/h3>\n
HttpClient<\/code>.<\/p>\nBuilding the Server<\/h2>\n
IsRequestAuthenticated()<\/code>:<\/p>\nprivate bool IsRequestAuthenticated()\r\n{\r\n try\r\n {\r\n if (AuthenticationHeaderValue.TryParse(Request.Headers.Authorization, \r\n out var basicAuthCredential))\r\n {\r\n if (basicAuthCredential.Scheme == \"Basic\" &&\r\n !string.IsNullOrWhiteSpace(basicAuthCredential.Parameter))\r\n {\r\n var usernamePassword = \r\n Encoding.UTF8.GetString(Convert.FromBase64String(basicAuthCredential.Parameter));\r\n if (!string.IsNullOrWhiteSpace(usernamePassword))\r\n {\r\n var separatorIndex = usernamePassword.IndexOf(':');\r\n\r\n var username = usernamePassword[..separatorIndex];\r\n var password = usernamePassword[(separatorIndex+ 1)..];\r\n\r\n if (username == \"codemaze\" &&\r\n password == \"isthebest\")\r\n {\r\n return true;\r\n }\r\n }\r\n }\r\n }\r\n }\r\n catch\r\n {\r\n \/\/logic for catching exceptions here\r\n }\r\n\r\n return false;\r\n}<\/pre>\nGet()<\/code> method to make use of our new method:<\/p>\n[HttpGet]\r\npublic IActionResult Get()\r\n{\r\n if (IsRequestAuthenticated())\r\n {\r\n return Ok(Enumerable.Range(1, 5).Select(index => new WeatherForecast\r\n {\r\n Date = DateOnly.FromDateTime(DateTime.Now.AddDays(index)),\r\n TemperatureC = Random.Shared.Next(-20, 55),\r\n Summary = Summaries[Random.Shared.Next(Summaries.Length)]\r\n }));\r\n }\r\n \r\n return Unauthorized(); \r\n}<\/pre>\nTesting Basic Authentication on the Server<\/h3>\n<\/div>\n
![\"Server](\"https:\/\/code-maze.com\/wp-content\/uploads\/2023\/08\/01-Server-Secure.png\")
<\/a><\/p>\n401 Unauthorized<\/code> response.<\/p>\nAuthorization<\/code> header with the value of Basic Y29kZW1hemU6aXN0aGViZXN0<\/code> (which is the Base-64 encoded representation of codemaze:isthebest<\/code>):<\/p>\n![\"Successful](\"https:\/\/code-maze.com\/wp-content\/uploads\/2023\/08\/02-Successful-Postman-Request-With-Basic-Authentication.png\")
<\/a><\/p>\n200 OK<\/code> status code and the response we expected.<\/p>\nBuilding the Client<\/h2>\n
WeatherForecastController<\/code>:<\/p>\nusing Microsoft.AspNetCore.Mvc;\r\n\r\nnamespace Client.Controllers;\r\n\r\n[ApiController]\r\n[Route(\"[controller]\")]\r\npublic class WeatherForecastController : ControllerBase\r\n{\r\n private static readonly HttpClient _httpClient = new HttpClient();\r\n\r\n public WeatherForecastController()\r\n {\r\n _httpClient.BaseAddress = new Uri(\"https:\/\/localhost:7003\");\r\n }\r\n\r\n [HttpGet]\r\n public async Task<IActionResult> Get()\r\n {\r\n var response = await _httpClient.GetStringAsync(\"weatherforecast\");\r\n\r\n return Content(response, \"application\/json\");\r\n }\r\n}<\/pre>\nHttpClient<\/code>, which is the preferred way to interact with remote services over HTTP.<\/p>\nHttpClient<\/code>, set the base address in the constructor then call out to it in our Get()<\/code> method. Because we know the response is JSON (when successful), we can use the convenient GetStringAsync()<\/code> method, and instead of trying to deserialize again into a model, we can return it straight back.\u00a0<\/p>\nGet()<\/code> route in Postman:<\/p>\n![\"Failing](\"https:\/\/code-maze.com\/wp-content\/uploads\/2023\/08\/03-Failing-Client-Request-Without-Basic-Authentication-2.png\")
<\/a><\/p>\n500 Internal Server Error<\/code>, because it received a 401 Unauthorized<\/code> error. We expect this, as, of course, we didn’t set the header.<\/p>\nSetting the Basic Authentication Header<\/h3>\n
Get()<\/code> method:<\/p>\n[HttpGet]\r\npublic async Task<IActionResult> Get()\r\n{\r\n _httpClient.DefaultRequestHeaders.Clear();\r\n _httpClient.DefaultRequestHeaders.Add(\"Authorization\", \"Basic Y29kZW1hemU6aXN0aGViZXN0\");\r\n\r\n var response = await _httpClient.GetStringAsync(\"weatherforecast\");\r\n\r\n return Content(response, \"application\/json\");\r\n}<\/pre>\nAuthorization<\/code> header. If we run the request again, we see it succeeds and we receive the response we expect:<\/p>\n![\"Successful](\"https:\/\/code-maze.com\/wp-content\/uploads\/2023\/08\/04-Successful-Client-Request-With-Basic-Authentication-1.png\")
<\/a><\/p>\nImproving the Basic Authentication Logic<\/h3>\n
{\r\n \"BasicAuthenticationUsername\": \"codemaze\",\r\n \"BasicAuthenticationPassword\": \"isthebest\"\r\n}<\/pre>\n[HttpGet]\r\npublic async Task<IActionResult> Get()\r\n{\r\n var basicAuthenticationUsername = _configuration[\"BasicAuthenticationUsername\"];\r\n var basicAuthenticationPassword = _configuration[\"BasicAuthenticationPassword\"];\r\n var basicAuthenticationValue = \r\n Convert.ToBase64String(\r\n Encoding.ASCII.GetBytes($\"{basicAuthenticationUsername}:{basicAuthenticationPassword}\"));\r\n\r\n _httpClient.DefaultRequestHeaders.Clear();\r\n _httpClient.DefaultRequestHeaders.Add(\"Authorization\", $\"Basic {basicAuthenticationValue}\");\r\n\r\n var response = await _httpClient.GetStringAsync(\"weatherforecast\");\r\n \r\n return Content(response, \"application\/json\");\r\n}<\/pre>\nIConfiguration<\/code> directly which is the preferred way, but that is outside the scope of this article.<\/p>\n[HttpGet]\r\npublic async Task<IActionResult> Get()\r\n{\r\n var basicAuthenticationUsername = _configuration[\"BasicAuthenticationUsername\"];\r\n var basicAuthenticationPassword = _configuration[\"BasicAuthenticationPassword\"];\r\n var basicAuthenticationValue = \r\n Convert.ToBase64String(\r\n Encoding.ASCII.GetBytes($\"{basicAuthenticationUsername}:{basicAuthenticationPassword}\"));\r\n\r\n _httpClient.DefaultRequestHeaders.Authorization = \r\n new AuthenticationHeaderValue(\"Basic\", basicAuthenticationValue);\r\n\r\n var response = await _httpClient.GetStringAsync(\"weatherforecast\");\r\n\r\n return Content(response, \"application\/json\");\r\n}<\/pre>\n