Google & Microsoft Token Validation Middleware in ASP.NET Applications

  I have been working on a web app that allows 3rd party login. I had to validate the token that existed in the authorization header of each request hitting my backend services.

The frontend team handled the 3rd party login and obtained a token from one of two providers: Google or Microsoft.

Middleware

The first step I decided to create middleware that intercepts all calls to my applications to validate the token before taking any further steps.

And because ASP.NET Core calls middlewares in order just like a pipeline so it's very important to register this middleware before any other middleware you would like to register, so as not to do any unnecessary processing of requests which are yet to be authenticated.

So basically, I created a class inside my API project under a folder named TokenHandling.

And right away always remember to register your middleware/services because sometimes you get caught up in applying your solution that miss the step where you register your new service in your application so just add the following line in your startup.cs program.cs file.

app.UseMiddleware<TokenValidationMiddleware>();

Basically, this is how your middleware should look like after you add it and add the necessary InvokeAsync function that gets invoked automatically and also add the RequestDelegate parameter that gets injected too.

    public class TokenValidationMiddleware(RequestDelegate requestDelegate)
    {
        public async Task InvokeAsync(HttpContext context)
        {
            await requestDelegate(context);
        }
    }

Token Validation

The next step we need to extract the token from the Authorization header, so you need to add a couple of  lines to your InvokeAsync function in your middleware so that it would look as follows.

        public async Task InvokeAsync(HttpContext context)

        {
            var token = context.Request.Headers[HeaderNames.Authorization].ToString().Replace($"{JwtBearerDefaults.AuthenticationScheme} ", string.Empty);
            await ValidateTokenAsync(token);
            await requestDelegate(context);
        }

Where ValidateTokenAsync is function where you apply one of the following validations on the token whether you choose to validate it as a Google or a Microsoft token or both by using switch or a condition based on the value of an additional header.

Google Authentication

Using Google.Apis.Auth nuget package you can validate your token in only one line so your ValidateTokenAsync function can look as follows.

        public async Task<bool> ValidateTokenAsync(string token)

        {

            await GoogleJsonWebSignature.ValidateAsync(token);

            return true;

        }

Microsoft Authentication

To validate a Microsoft token, change the ValidateTokenAsync function to the following:

        public async Task<bool> ValidateTokenAsync(string token)

        {

            var stsDiscoveryEndpoint = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration";


            ConfigurationManager<OpenIdConnectConfiguration> configManager = new(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());


            OpenIdConnectConfiguration config = configManager.GetConfigurationAsync().Result;


            var validationParams = new TokenValidationParameters

            {

                IssuerSigningKeys = config.SigningKeys,

                ValidateAudience = false,

                ValidateIssuer = false

            };


            var microsoftTokenHandler = new JwtSecurityTokenHandler();


            microsoftTokenHandler.ValidateToken(token, validationParams, out SecurityToken jwt);


            return true;

        }

Perfect! Now you're all set to validate the token provided to you.

Comments

Post a Comment

Popular posts

Publish and Consume Messages Using RabbitMQ as a Message Broker in 4 Simple Steps 🐰

Image
  SOLID principles seem to be the foundation that most engineers tend to build their solutions on. Using message brokers can help you achieve these core principles. Message brokers allow services and components to communicate directly, even if they were written in different languages or implemented on different platforms so it serves the Single-Responsibility Principle . Also, Message brokers act as intermediaries, allowing applications to communicate without direct dependencies. They provide a common abstraction for message handling which helps serve another principle which is  Dependency Inversion Principle . Of course, not to mention that most microservices, domain driven and event driven approaches are heavily dependent on message brokers. And message brokers come in all shapes and sizes and a lot of popular tools can help you set up a nice intermediatory space for your messages. Some of these tools are PubSub+ , Redis , Kafka , AWS SQS and more. Some of these are in the form of t
Read more

Real Life Case Study: Synchronous Inter-Service Communication in Distributed Systems

Image
The Problem Inter-Service Communication  I was working on a project where I was a part of a team responsible for service B, which was one service of microservices A, B, C & D.  And one day the business required that service B should process ( using the business logic of the service ) an entity that existed in the domain of service A. Therefore, a question arose; how should we manage to do it? Just Fire and Forget, right? Now the services were set up to communicate using Apache Kafka . So, normally the initial thought was that service A should publish a message with the entity that needed processing and service B should listen to this topic, process the message and publish the processed response to another topic that service A is subscribed to. But wait, this has to be a synchronous job. Service A Can't Wait, Won't Wait Okay so it turns out that service A isn't that relaxed and isn't into the whole we'll-get-back-to-you-soon attitude and wants the response immedi
Read more