ASP.NET Web API - Custom Token Based Authentication

  • Question

  • User135423268 posted

    Good Day Everyone

    PS: I'm just a beginner in ASP.NET WebAPI so please bear with me.

    We have just recently learned about Token Based Authentication via a video tutorial and other websites. TBA creates a database (mdf) that stores the users who can log in to the webAPI application, and this is good, but the only problem on our side is that we have an existing user database that is being used by multiple applications; we cannot modify all of our applications just to connect to the TBA's users database. Is there another way around this, to customize it for our database? I tried to search on the net but we haven't found a site that suits our needs or is understandable at our level.

    Here's the structure of our User's table

    tblCCPUsers 

    UserID UserFullName UserPassword Dept Position Active

    as you can see we have a different format than the TBA's user database; changing it to another might take a while, and our bosses want to make the change next year, but our current 2 projects that are using webapi must be implemented within the year. The only problem is that project 2 will get the webapi method from project 2, and both have a username and password; token based authentication is the answer for this, and we can also know who is the user that calls the method. Has someone here successfully customized their TBA to an existing user database? Kindly give us a simple explanation as we are beginners in using ASP.NET webAPI.

    Thanks Everyone and Regards. 

    Friday, May 31, 2019 1:01 AM

Answers

  • User1724605321 posted

    Hi amendoza ,

    In the client you can post the username/password to the web api side; the web api validates the credential in your existing database using ADO.NET:

    using System.Data;
    using System.Data.SqlClient;

    // Returns true when a row matches the supplied credentials, false otherwise.
    // The calling Web API action decides what to send to the client; Response.Redirect
    // and Response.Write belong to Web Forms pages, not to a Web API controller.
    protected bool ValidateUserInfo(string user, string pass)
    {
        // Parameterised query: the values never become part of the SQL text.
        string sql = "SELECT * FROM TableName WHERE UserID = @username AND Password = @password";

        using (SqlConnection connection = new SqlConnection("YOUR CONNECTION STRING HERE"))
        using (SqlCommand cmd = new SqlCommand(sql, connection))
        {
            cmd.Parameters.AddWithValue("@username", user);
            cmd.Parameters.AddWithValue("@password", pass);
            connection.Open();

            DataTable dt = new DataTable();
            using (SqlDataAdapter ad = new SqlDataAdapter(cmd))
            {
                ad.Fill(dt);
            }

            // Any row means the username/password pair exists in the table. This direct
            // comparison only works when the column holds the password in the same form the
            // client sends it; with a hashed column, hash the input and compare the hashes.
            return dt.Rows.Count > 0;
        }
        // The using blocks dispose the command and close the connection on every path.
    }

    Then you can create a token and return it back to the client.

    Best Regards,

    Nan Yu

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, June 5, 2019 1:45 AM
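    An added example (not code from the thread or from Nan Yu) of how a credential check like the one above fits into the OWIN token endpoint that the Web API 2 "Token Based Authentication" tutorials use: the provider validates the posted username/password against the existing tblCCPUsers table with ADO.NET, then builds the claims that the issued token carries. It assumes things the thread does not state: the Microsoft.Owin.Security.OAuth package, a PBKDF2 hash stored in UserPassword as "iterations.base64Salt.base64Hash", and Active being a bit column. The class names, claim names and connection string are placeholders.

```csharp
// Added example, not code from the thread. Assumes the Microsoft.Owin.Security.OAuth package
// and that tblCCPUsers.UserPassword holds a PBKDF2 hash formatted as
// "iterations.base64Salt.base64Hash", with Active as a bit column (all assumptions).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

public static class CcpUserStore
{
    // Placeholder; read the real value from configuration.
    private const string ConnectionString = "YOUR CONNECTION STRING HERE";

    // Looks the user up by UserID only and verifies the password in code, so the cleartext
    // password is never sent to SQL Server. Returns null for unknown, inactive or wrong password.
    public static ClaimsIdentity Authenticate(string userId, string password, string authenticationType)
    {
        const string sql =
            "SELECT UserID, UserFullName, UserPassword, Dept, Position " +
            "FROM tblCCPUsers WHERE UserID = @UserID AND Active = 1";

        using (var connection = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, connection))
        {
            cmd.Parameters.Add("@UserID", SqlDbType.NVarChar, 50).Value = userId;
            connection.Open();
            using (var reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!reader.Read()) return null;
                if (!VerifyPassword(password, Convert.ToString(reader["UserPassword"]))) return null;

                // These claims travel inside the token; protected actions read them later.
                var identity = new ClaimsIdentity(authenticationType);
                identity.AddClaim(new Claim(ClaimTypes.Name, Convert.ToString(reader["UserID"])));
                identity.AddClaim(new Claim("FullName", Convert.ToString(reader["UserFullName"])));
                identity.AddClaim(new Claim("Dept", Convert.ToString(reader["Dept"])));
                identity.AddClaim(new Claim("Position", Convert.ToString(reader["Position"])));
                return identity;
            }
        }
    }

    // Assumed stored format "iterations.base64Salt.base64Hash" (PBKDF2 via Rfc2898DeriveBytes).
    private static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('.');
        int iterations;
        if (parts.Length != 3 || !int.TryParse(parts[0], out iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            return FixedTimeEquals(kdf.GetBytes(expected.Length), expected);
        }
    }

    // Compares every byte so the time taken does not reveal how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Plugged into OAuthAuthorizationServerOptions.Provider; the client POSTs
// grant_type=password&username=...&password=... to the TokenEndpointPath.
public class CcpAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // resource-owner password flow without a separate client secret
        return Task.FromResult(0);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        ClaimsIdentity identity = CcpUserStore.Authenticate(
            context.UserName, context.Password, context.Options.AuthenticationType);
        if (identity == null)
        {
            // One message for both unknown user and wrong password.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }
        context.Validated(identity);
        return Task.FromResult(0);
    }
}
```

    The provider is registered in the OWIN Startup class with app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions { TokenEndpointPath = new PathString("/token"), Provider = new CcpAuthorizationServerProvider(), AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30), AllowInsecureHttp = false }) followed by app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()). Nothing about the existing table changes; only VerifyPassword has to match whatever form the UserPassword column actually holds. If that form is reversible encryption rather than a hash, the compare becomes decrypt-and-compare, and the later reply about one-way hashing still applies.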
  • User1724605321 posted

    Hi amendoza ,

    As @mgebhard said, how to connect to your database and validate the credential is up to you; that is not related to token based authentication. The token is used to access your protected api. I can't understand what your issue is in your scenario.

    Best Regards,

    Nan Yu

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, June 7, 2019 1:36 AM

All replies

  • User1724605321 posted

    Hi amendoza ,

    That is up to you; you have to validate the username/password according to your current database schema. Normally the client app will send the token request to the web api, the web api side will validate the credential and create the access token for your client app, and the client app can send http requests with the token as the authorization header to the web api for accessing protected actions.

    The credential validation process you can fully customize to fit your requirement: connect to your existing database and validate the credential.

    Best Regards,

    Nan Yu

    Monday, June 3, 2019 6:50 AM
  • User135423268 posted

    Good Day Nan Yu

    Thanks for answering all of my questions

    I'm thinking about how to do that. We are not experienced in using EntityFramework, so we are using ADO.NET (SQLClient), which is "dim sqlConn as new sqlConnection" coding; do you have any example that we can follow?

    I'm expecting to create a basic authentication and under its ajax is another ajax that has the token based authentication, but the problem is we have to register all the users to the TBA's database; do you have a sample code for this?

    Tuesday, June 4, 2019 6:19 AM
  • User475983607 posted

    I'm expecting to create a basic authentication and under its ajax is another ajax that has the token based authentication, but the problem is we have to register all the users to the TBA's database; do you have a sample code for this?

    An authentication protocol and a database are two different concepts. You can reuse any user account data store for use in token based authentication.

    Tuesday, June 4, 2019 1:15 PM
  • User-474980206 posted

    It's a huge security flaw to store passwords as clear text in a database. You should use a one way hash.

    Wednesday, June 5, 2019 3:28 AM
  • User135423268 posted

    Hi Nan Yu

    I think my question got everyone confused, okay so here we go.

    First, I want to replace the existing Token Based Authentication database with our existing database; in short, we want all our employees to access the web api. For example:

    We have 5 Web Applications. App1 is an Inventory/Trucking application; it has many functionalities and procedures. App2 is the application for function room and training room reservation, App3 is the finance application, App4 is the travel application, and App5 is the centralized approval application in which all the approval functionalities of the 4 applications are (all are ASP.NET Web API sites); this app has been created so that all Managers and up can view the list of transactions for their approval. Each site has a login page, with username and password from our existing database.

    We want to try to change it from our existing one to the TBA, but it will take time and our developers must update all of our projects.

    So what's the reason why I want the employees to use the web api method? Because we need to know who is the user who uses that method; all the transactions must be logged.

    I do understand how Web API and token based authentication work, and how you can give a client access to the site, but for us we have an existing user database; what I want to know is how we can change the authentication of the Web API to our existing database. Please feel free to ask any question if you are getting confused by my question.

    Thursday, June 6, 2019 1:19 AM
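    An added example (not code from the thread) for the logging requirement above: a protected Web API 2 action that takes the caller's identity from the validated bearer token and writes an audit row before doing its work, so every call is attributed to a tblCCPUsers user without the client having to name itself. The claim names assume the token server put ClaimTypes.Name, "Dept" and "Position" into the token; tblAuditLog, its columns, the approving positions and the connection string are placeholders.

```csharp
// Added example, not code from the thread. A protected Web API 2 action that identifies the
// caller from the validated bearer token's claims and records the call in an audit table.
// tblAuditLog, its columns and the approving positions are placeholders (assumptions).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Claims;
using System.Web.Http;

[Authorize] // no valid token -> 401 before the action body runs
public class ApprovalsController : ApiController
{
    [HttpPost]
    [Route("api/approvals/{transactionId:int}/approve")]
    public IHttpActionResult Approve(int transactionId)
    {
        // The claims were set from tblCCPUsers when the token was issued; the resource side
        // trusts them because the token's signature checked out, not because of a new lookup.
        var identity = User.Identity as ClaimsIdentity;
        string userId = identity?.FindFirst(ClaimTypes.Name)?.Value;
        if (string.IsNullOrEmpty(userId)) return Unauthorized();

        string position = identity.FindFirst("Position")?.Value ?? "";
        string dept = identity.FindFirst("Dept")?.Value ?? "";

        // The thread says App5 is for "Managers and up"; denied attempts are logged too.
        if (!ApprovalPolicy.MayApprove(position))
        {
            AuditLog.Record(userId, dept, position, "ApproveDenied", transactionId);
            return StatusCode(System.Net.HttpStatusCode.Forbidden);
        }

        AuditLog.Record(userId, dept, position, "Approve", transactionId);
        // ... update the transaction in the application's own tables here ...
        return Ok(new { transactionId, approvedBy = userId });
    }
}

public static class ApprovalPolicy
{
    // Placeholder values; the real set comes from the Position column's vocabulary.
    private static readonly string[] ApprovingPositions = { "Manager", "Director", "VP" };

    public static bool MayApprove(string position)
    {
        return Array.Exists(ApprovingPositions,
            p => string.Equals(p, position, StringComparison.OrdinalIgnoreCase));
    }
}

public static class AuditLog
{
    private const string ConnectionString = "YOUR CONNECTION STRING HERE"; // placeholder

    // Records who (from the token), what and when, so the log answers
    // "which user invoked this method" for every transaction.
    public static void Record(string userId, string dept, string position, string action, int transactionId)
    {
        const string sql =
            "INSERT INTO tblAuditLog (UserID, Dept, Position, Action, TransactionID, LoggedAt) " +
            "VALUES (@UserID, @Dept, @Position, @Action, @TransactionID, @LoggedAt)";
        using (var connection = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, connection))
        {
            cmd.Parameters.Add("@UserID", SqlDbType.NVarChar, 50).Value = userId;
            cmd.Parameters.Add("@Dept", SqlDbType.NVarChar, 50).Value = dept;
            cmd.Parameters.Add("@Position", SqlDbType.NVarChar, 50).Value = position;
            cmd.Parameters.Add("@Action", SqlDbType.NVarChar, 50).Value = action;
            cmd.Parameters.Add("@TransactionID", SqlDbType.Int).Value = transactionId;
            cmd.Parameters.Add("@LoggedAt", SqlDbType.DateTime2).Value = DateTime.UtcNow;
            connection.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

    Attribute routing needs config.MapHttpAttributeRoutes() in WebApiConfig, and the bearer middleware (app.UseOAuthBearerAuthentication) must run in the same pipeline so that User.Identity is populated from the token before [Authorize] is evaluated.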
  • User135423268 posted

    Hi Bruce

    I didn't say that our password is stored in our database as clear text; our passwords are encrypted in our database as part of our IT Security protocol, thanks.

    Thursday, June 6, 2019 1:20 AM
  • User475983607 posted

    amendoza29

    I do understand how Web API and token based authentication work, and how you can give a client access to the site, but for us we have an existing user database; what I want to know is how we can change the authentication of the Web API to our existing database. Please feel free to ask any question if you are getting confused by my question.

    We are confused because token based authentication has little to do with your data access layer. Why are you having trouble accessing an existing database?

    Is the actual issue that you need to customize an API like Identity to work with an existing database?

    A token, and I assume a JWT token, is signed by the token server when it is created.  The remote secured resources know how to validate the token and extract user information.

    Thursday, June 6, 2019 11:24 AM