In my previous post about token authentication in ASP.NET Core Web Api I mentioned that is not a good practice to hardcode strings in controller or Startup class, especially if we want to put some sensitive data like key for SigningCredentials or connection string to database or configuration parameters. How to avoid it? We can add all strings to configuration file. In ASP.NET Core we have appsettings.json file which is the right place to put these kind of data. It looks like this by default in Web Api project
|
1 2 3 4 5 6 7 8 |
{ "Logging": { "IncludeScopes": false, "LogLevel": { "Default": "Warning" } } } |
ok let’s say we want to add few parameters here, for example data to generate token (in my previous post you can read about generating token) in CreateToken method in one of my Controllers – LoginController. Here is the method we want to modify.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
[HttpPost("token")] public async Task<IActionResult> CreateToken([FromBody] UserDto userDto) { try { var user = await _userService.GetUserByUsername(userDto.Username); if (user != null) { if (_userService.VerifyHashedPassword(user, userDto.Password) == PasswordVerificationResult.Success) { var userClaims = await _userService.GetClaims(user); var claims = new[] { new Claim(JwtRegisteredClaimNames.Sub, user.UserName), new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), new Claim(JwtRegisteredClaimNames.GivenName, user.FirstName), new Claim(JwtRegisteredClaimNames.FamilyName, user.LastName), new Claim(JwtRegisteredClaimNames.Email, user.Email) }.Union(userClaims); var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("SuperSecretKey")); var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256); var token = new JwtSecurityToken( issuer: "http://localhost:4200", audience: "http://localhost:4200", claims: claims, expires: DateTime.UtcNow.AddMinutes(15), signingCredentials: creds ); return Ok(new { token = new JwtSecurityTokenHandler().WriteToken(token), expiration = token.ValidTo }); } } } catch (Exception ex) { _logger.LogError(ex.Message); } return BadRequest("Failed to login"); } |
We want in this case to read issuer and audience from config file, the same with „SuperSecretKey” to generate SymmetricSecurityKey. First we need to add these data to appsettings.json.
|
1 2 3 4 5 |
"Tokens": { "Key": "SuperSecretKey", "Issuer": "http://localhost:4200", "Audience": "http://localhost:4200" } |
Then we need to modify the LoginController where CreateToken method is located.
We need to use IConfigurationRoot object to read data from config file. Let’s add it as private field and inject it in controller.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
public class LoginController : Controller { private readonly IUserService _userService; private readonly ILogger<LoginController> _logger; private readonly IConfigurationRoot _config; public LoginController(IUserService userService, ILogger<LoginController> logger, IConfigurationRoot config) { _userService = userService; _logger = logger; _config = config; } ....... |
Now it’s time to replace hardcoded strings in CreteToken method.
|
1 2 3 4 5 6 7 8 9 10 |
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Tokens:Key"])); var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256); var token = new JwtSecurityToken( issuer: _config["Tokens:Issuer"], audience: _config["Tokens:Audience"], claims: claims, expires: DateTime.UtcNow.AddMinutes(15), signingCredentials: creds ); |
Unfortunately that’s not all. It will not work. There’s one step we need to do. In Startup class we need to register IConfigurationRoot object as a singleton. There’s property called Configuration by default
|
1 |
public IConfigurationRoot Configuration { get; } |
and we need to add this line of code to ConfigureServices method
|
1 |
services.AddSingleton(Configuration); |
That’s all. Since we have known about appsettings.json file it’s good to use it.