ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,208 questions
Retrieve Correct id from Backend by using Authorization
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 25%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJT%3C/text%3E%3C/svg%3E)
JJ TT
141
Reputation points
Goal:
End user retrieve correct and its own customerid without getting others customerid when it occur at the same time.
Everything take place at the backend.
Background:
Today, you get your token from backend and it will be sent to frontend. The token alreadly contain the customerid.
The same token is locaated at the method named GetAll() in the backend.
It is not only a single ActionResult that need to contain customerid as a parameter.
You are enable to retrieve the customerid at the backend without sending the customerid from frontend to backend with help of method named GetAll().
Problem:
When you have for instance 2 or more end user that will login at the same time. In the next step is to make a request call for the method named GetAll() in order to retrieve the customerid at the same time.
WIll the end user retrieve the correct customerid from backend?
Question:
How is the securit that this user A will retrieve correct customerid without retrieving customerid from user B?
Each user should retrieve the correct customerid from the method GetAll().
Thank you!
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
namespace WebApplication10.Controllers
{
[AllowAnonymous]
[ApiController]
[Route("api/v1/[controller]")]
public class AuthController : Controller
{
[HttpPost("AlphaClientLogin")]
[AllowAnonymous]
public ActionResult<ClientToken> AlphaClientLogin([FromBody] User user)
{
if (user.Username == "userAlpha" && user.Password == "123")
{
return AlphaTokenService.GenerateToken(user);
}
else
{
return Unauthorized(new { message = "Invalid Username or password" });
}
}
}
[Route("api/v1/[controller]")]
[ApiController]
[Authorize(AuthenticationSchemes = "AlphaClient")]
public class TestController : Controller
{
/// <summary>
/// https://localhost:38744/api/v1/Test/Test2
/// </summary>
/// <returns></returns>
[HttpGet("Test2", Name = "Test2")]
public async Task<ActionResult<Int32>> Test2(string customerid)
{
return 3;
}
[HttpGet]
[Authorize]
public IActionResult GetAll()
{
var user = User?.Identity?.Name;
var id = User?.Claims.FirstOrDefault(c => c.Type == "customerid")?.Value;
return Ok(new { username = user, customerid = id });
}
}
public class ClientToken
{
public string Token { get; set; }
public DateTime DateExpiration { get; set; }
}
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new OpenApiInfo { Title = "WebApplication10", Version = "v1" });
});
services.AddAuthentication().AddJwtBearer("AlphaClient", options => {
options.TokenValidationParameters = new TokenValidationParameters()
{
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("myunlegiveblealphasecret")),
ValidAudience = "AudienceClientAlpha",
ValidIssuer = "IssuerClientAlpha",
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero
};
});
}
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 90%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZL%3C/text%3E%3C/svg%3E)
Zhi Lv - MSFT 32,021 Reputation points Microsoft Vendor2022-03-28T08:13:44.047+00:00 Hi @JJ TT ,
You are enable to retrieve the customerid at the backend without sending the customerid from frontend to backend with help of method named GetAll().
Problem:
When you have for instance 2 or more end user that will login at the same time. In the next step is to make a request call for the method named GetAll() in order to retrieve the customerid at the same time.
WIll the end user retrieve the correct customerid from backend?From your description, do you mean you will re-query the customerid from the backend (from database), instead of get the customerid from the JWT token claims?
Generally, when using JWT Authentication and generate the JWT token, we can add the user data (such as user role, customerid) in the JWT claims. Then, the token will add to the following request's header, and on the server side, when access the protect data, it will get the token from the request header and validate whether it is valid or not, if valid, we can get the login user's data from the JWT claims, if invalid, show the 403 error.
If you will re-query the customerid from the backend, first, you will need to get the current user's information (such as user name), then find the customerid.
How is the securit that this user A will retrieve correct customerid without retrieving customerid from user B?
Each user should retrieve the correct customerid from the method GetAll().So, for the above question, generally each login user could retrieve his/her relates customerid, and will not access others information.
Best regards,
Dillion -
AgaveJoe 26,146 Reputation points2022-03-28T11:08:51.697+00:00 See your previous thread.
The user's data is in the JWT token passed to the Web API application.
WIll the end user retrieve the correct customerid from backend?
In your example code, GetAll() returns the customerId that the client passed to the action.
-
JJ TT 141 Reputation points
2022-03-28T16:31:59.11+00:00 Thank you for your help!
1.
"From your description, do you mean you will re-query the customerid from the backend (from database), instead of get the customerid from the JWT token claims?"Lets say both of them that is "re-query the customerid from the backend (from database)" and " get the customerid from the JWT token claims"
-
AgaveJoe 26,146 Reputation points
2022-03-28T18:02:24.68+00:00 Lets say both of them that is "re-query the customerid from the backend (from database)" and " get the customerid from the JWT token claims"
Please clarify your response. If the customerId is fetched from the JWT then what exactly are you using to re-query the database and why? Are there many users with the same customerId and you need the user's Id? Remember from your duplicate thread, you get to add whatever claims you like when the user authenticates. This information is cached in the JWT. You get to fetch whatever data you like from the JWT using a basic LINQ query against the user principal.
var nameOfTheClaimValue = User?.Claims.FirstOrDefault(c => c.Type == "nameOfTheClaim")?.Value;
Sign in to comment