How to implement two factor auth in Web API 2 using ASP.NET identity?
This is what i have implemented to get this working on an api. i assume you are using the default ASP.NET single user template.
1. ApplicationOAuthProvider
inside GrantResourceOwnerCredentials method you must add this code
var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
var twoFactorEnabled = await userManager.GetTwoFactorEnabledAsync(user.Id);
if (twoFactorEnabled)
{
var code = await userManager.GenerateTwoFactorTokenAsync(user.Id, "PhoneCode");
IdentityResult notificationResult = await userManager.NotifyTwoFactorTokenAsync(user.Id, "PhoneCode", code);
if(!notificationResult.Succeeded){
//you can add your own validation here
context.SetError(error, "Failed to send OTP");
}
}
// commented for clarification
ClaimIdentity oAuthIdentity .....
// Commented for clarification
AuthenticationProperties properties = CreateProperties(user);
// Commented for clarification
Inside CreateProperties method replace the paramenter with userObject like this:
public static AuthenticationProperties CreateProperties(ApplicationUser user)
{
IDictionary<string, string> data = new Dictionary<string, string>
{
{ "userId", user.Id },
{ "requireOTP" , user.TwoFactorEnabled.ToString() },
}
// commented for clarification
}
The above code with check if the user has TFA enable, if its enabled it will generate verification code and send it using SMSService of your choice.
2. Create TwoFactorAuthorize Attribute
create response class ResponseData
public class ResponseData
{
public int Code { get; set; }
public string Message { get; set; }
}
add TwoFactorAuthorizeAttribute
public override async Task OnAuthorizationAsync(HttpActionContext actionContext, System.Threading.CancellationToken cancellationToken)
{
#region Get userManager
var userManager = HttpContext.Current.GetOwinContext().Get<ApplicationUserManager>();
if(userManager == null)
{
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, new ResponseData
{
Code = 100,
Message = "Failed to authenticate user."
});
return;
}
#endregion
var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
#region Get current user
var user = await userManager.FindByNameAsync(principal?.Identity?.Name);
if(user == null)
{
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, new ResponseData
{
Code = 100,
Message = "Failed to authenticate user."
});
return;
}
#endregion
#region Validate Two-Factor Authentication
if (user.TwoFactorEnabled)
{
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, new ResponseData
{
Code = 101,
Message = "User must be authenticated using Two-Factor Authentication."
});
}
#endregion
return;
}
}
3. Use TwoFactorAuthorizeAttribute
in a controller use TwoFactorAuthorizeAttribute
[Authorize]
[TwoFactorAuthorize]
public IHttpActionResult DoMagic(){
}
4. Verify OTP In your AccountController you must add the api end-point to verify the OTP
[Authorize]
[HttpGet]
[Route("VerifyPhoneOTP/{code}")]
public async Task<IHttpActionResult> VerifyPhoneOTP(string code)
{
try
{
bool verified = await UserManager.VerifyTwoFactorTokenAsync(User.Identity.GetUserId(), "PhoneCode", code);
if (!verified)
return BadRequest($"{code} is not a valid OTP, please verify and try again.");
var result = await UserManager.SetTwoFactorEnabledAsync(User.Identity.GetUserId(), false);
if (!result.Succeeded)
{
foreach (string error in result.Errors)
errors.Add(error);
return BadRequest(errors[0]);
}
return Ok("OTP verified successfully.");
}
catch (Exception exception)
{
// Log error here
}
}
Related videos on Youtube
Anand Murali
Developer with 10+ years of experience on web and desktop application development using C#, Web API, .NET Core, WPF, Angular.
Updated on June 04, 2022Comments
-
Anand Murali almost 2 years
I have seen this link Two Factor Auth using goolgle authenticator on how to create a two factor authentication in web api, but my requirements are little different.
- I want to use two factor authentication for issuing an access token. (If the user has chosen to enable two factor authentication)
- I would like to create the OTP code using ASP.NET identity itself. (Like the way we do in MVC web application
SignInManager.SendTwoFactorCodeAsync("Phone Code")
The problem with my current implementation is, when I call
SignInManager.SendTwoFactorCodeAsync("Phone Code")
I get the error user id not found.To debug, I tried calling
User.Identity.GetUserId();
and it returns the correct user id.I checked the source code of Microsoft.AspNet.Identity.Owin assembly
public virtual async Task<bool> SendTwoFactorCodeAsync(string provider) { var userId = await GetVerifiedUserIdAsync().WithCurrentCulture(); if (userId == null) { return false; } var token = await UserManager.GenerateTwoFactorTokenAsync(userId, provider).WithCurrentCulture(); // See IdentityConfig.cs to plug in Email/SMS services to actually send the code await UserManager.NotifyTwoFactorTokenAsync(userId, provider, token).WithCurrentCulture(); return true; } public async Task<TKey> GetVerifiedUserIdAsync() { var result = await AuthenticationManager.AuthenticateAsync(DefaultAuthenticationTypes.TwoFactorCookie).WithCurrentCulture(); if (result != null && result.Identity != null && !String.IsNullOrEmpty(result.Identity.GetUserId())) { return ConvertIdFromString(result.Identity.GetUserId()); } return default(TKey); }
As seen from the above code,
SendTwoFactorCodeAsync
method internally callsGetVerifiedUserIdAsync
which checks the two factor authentication cookie. As this is a web api project, cookie isn't there and 0 is returned, resulting in user id not found error.My question, how to correctly implement two factor authentication in web api using asp.net identity?
-
Anand Murali about 7 yearsHi Spharah, thanks a lot for the detailed answer. Can you also include the logic to validate the OTP code which is entered by the user?
-
Spharah about 7 yearsHi Anand, i updated the answer to include the code to validate OTP, dont forget to upvote the answer :-)
-
Anand Murali about 7 yearsSpharah, I've up voted. Before accepting the answer, plz can you clear by doubt. After successful OTP verification, you set IsTwoFactorEnabled to false. Lets say, the user logs in again in another machine, now he will not get the OTP (right?), since IsTwoFactorEnabled is set to false. When do you re-enable it?
-
Spharah about 7 yearsAnand, you are correct this was the requirement on the application i was working on. To continuously asking the user to enter the OTP everytime the user login, you have to change the TwoFactorAuthorization code. I will prepare the solution for that scenario.
-
Spharah almost 7 yearsPEO, no i dont have it.
-
PEO almost 7 yearshI @Sparah I am struggling with 2FA stackoverflow.com/questions/45134662/… can you check this what i am doing wrong if you have spare time.