How to implement two factor auth in Web API 2 using ASP.NET identity?

authentication asp.net-web-api asp.net-identity one-time-password

13,294

This is what i have implemented to get this working on an api. i assume you are using the default ASP.NET single user template.

1. ApplicationOAuthProvider

inside GrantResourceOwnerCredentials method you must add this code

var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);

var twoFactorEnabled = await userManager.GetTwoFactorEnabledAsync(user.Id);
if (twoFactorEnabled)
{
 var code = await userManager.GenerateTwoFactorTokenAsync(user.Id, "PhoneCode");
 IdentityResult notificationResult = await userManager.NotifyTwoFactorTokenAsync(user.Id, "PhoneCode", code);
 if(!notificationResult.Succeeded){
   //you can add your own validation here
   context.SetError(error, "Failed to send OTP"); 
 }
}

// commented for clarification
ClaimIdentity oAuthIdentity .....

// Commented for clarification
AuthenticationProperties properties = CreateProperties(user);
// Commented for clarification

Inside CreateProperties method replace the paramenter with userObject like this:

public static AuthenticationProperties CreateProperties(ApplicationUser user)
{
  IDictionary<string, string> data = new Dictionary<string, string>
  {
    { "userId", user.Id },
    { "requireOTP" , user.TwoFactorEnabled.ToString() },
  }

// commented for clarification
}

The above code with check if the user has TFA enable, if its enabled it will generate verification code and send it using SMSService of your choice.

2. Create TwoFactorAuthorize Attribute

create response class ResponseData

public class ResponseData
{
    public int Code { get; set; }
    public string Message { get; set; }
}

add TwoFactorAuthorizeAttribute

public override async Task OnAuthorizationAsync(HttpActionContext actionContext, System.Threading.CancellationToken cancellationToken)
    {
        #region Get userManager
        var userManager = HttpContext.Current.GetOwinContext().Get<ApplicationUserManager>();
        if(userManager == null)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, new ResponseData
            {
                Code = 100,
                Message = "Failed to authenticate user."
            });
            return;
        }
        #endregion

        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;

        #region Get current user
        var user = await userManager.FindByNameAsync(principal?.Identity?.Name);
        if(user == null)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, new ResponseData
            {
                Code = 100,
                Message = "Failed to authenticate user."
            });
            return;
        }
        #endregion

        #region Validate Two-Factor Authentication
        if (user.TwoFactorEnabled)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, new ResponseData
            {
                Code = 101,
                Message = "User must be authenticated using Two-Factor Authentication."
            });
        }
        #endregion

        return;
    }
}

3. Use TwoFactorAuthorizeAttribute

in a controller use TwoFactorAuthorizeAttribute

[Authorize]
[TwoFactorAuthorize]
public IHttpActionResult DoMagic(){
}

4. Verify OTP In your AccountController you must add the api end-point to verify the OTP

    [Authorize]
    [HttpGet]
    [Route("VerifyPhoneOTP/{code}")]
    public async Task<IHttpActionResult> VerifyPhoneOTP(string code)
    {
        try
        {
           bool verified = await UserManager.VerifyTwoFactorTokenAsync(User.Identity.GetUserId(), "PhoneCode", code);
            if (!verified)
                return BadRequest($"{code} is not a valid OTP, please verify and try again.");


            var result = await UserManager.SetTwoFactorEnabledAsync(User.Identity.GetUserId(), false);
            if (!result.Succeeded)
            {
                foreach (string error in result.Errors)
                    errors.Add(error);

                return BadRequest(errors[0]);
            }

            return Ok("OTP verified successfully.");
        }
        catch (Exception exception)
        {
            // Log error here
        }
    }

13,294

Anand Murali

Developer with 10+ years of experience on web and desktop application development using C#, Web API, .NET Core, WPF, Angular.

Updated on June 04, 2022

Comments

Anand Murali almost 2 years
I have seen this link Two Factor Auth using goolgle authenticator on how to create a two factor authentication in web api, but my requirements are little different.
1. I want to use two factor authentication for issuing an access token. (If the user has chosen to enable two factor authentication)
2. I would like to create the OTP code using ASP.NET identity itself. (Like the way we do in MVC web application SignInManager.SendTwoFactorCodeAsync("Phone Code")
The problem with my current implementation is, when I call SignInManager.SendTwoFactorCodeAsync("Phone Code") I get the error user id not found.

To debug, I tried calling User.Identity.GetUserId(); and it returns the correct user id.

I checked the source code of Microsoft.AspNet.Identity.Owin assembly
```
    public virtual async Task<bool> SendTwoFactorCodeAsync(string provider)
    {
        var userId = await GetVerifiedUserIdAsync().WithCurrentCulture();
        if (userId == null)
        {
            return false;
        }

        var token = await UserManager.GenerateTwoFactorTokenAsync(userId, provider).WithCurrentCulture();
        // See IdentityConfig.cs to plug in Email/SMS services to actually send the code
        await UserManager.NotifyTwoFactorTokenAsync(userId, provider, token).WithCurrentCulture();
        return true;
    }

    public async Task<TKey> GetVerifiedUserIdAsync()
    {
        var result = await AuthenticationManager.AuthenticateAsync(DefaultAuthenticationTypes.TwoFactorCookie).WithCurrentCulture();
        if (result != null && result.Identity != null && !String.IsNullOrEmpty(result.Identity.GetUserId()))
        {
            return ConvertIdFromString(result.Identity.GetUserId());
        }
        return default(TKey);
    }
```
As seen from the above code, SendTwoFactorCodeAsync method internally calls GetVerifiedUserIdAsync which checks the two factor authentication cookie. As this is a web api project, cookie isn't there and 0 is returned, resulting in user id not found error.

My question, how to correctly implement two factor authentication in web api using asp.net identity?
Anand Murali about 7 years

Hi Spharah, thanks a lot for the detailed answer. Can you also include the logic to validate the OTP code which is entered by the user?
Spharah about 7 years

Hi Anand, i updated the answer to include the code to validate OTP, dont forget to upvote the answer :-)
Anand Murali about 7 years

Spharah, I've up voted. Before accepting the answer, plz can you clear by doubt. After successful OTP verification, you set IsTwoFactorEnabled to false. Lets say, the user logs in again in another machine, now he will not get the OTP (right?), since IsTwoFactorEnabled is set to false. When do you re-enable it?
Spharah about 7 years

Anand, you are correct this was the requirement on the application i was working on. To continuously asking the user to enter the OTP everytime the user login, you have to change the TwoFactorAuthorization code. I will prepare the solution for that scenario.
Spharah almost 7 years

PEO, no i dont have it.
PEO almost 7 years

hI @Sparah I am struggling with 2FA stackoverflow.com/questions/45134662/… can you check this what i am doing wrong if you have spare time.