Identity as a Service (IDaaS) : ASP.NET Core API and AWS Cognito
In this post, we learn how to add authentication to a web application by using the ASP.NET Core API and the AWS Cognito service.
Join the DZone community and get the full member experience.
Join For FreeThis is another article in a series on Identity as a Service. In this article, we are going to see how to configure an ASP.NET Core API to validate the identities of the users using AWS Cognito.
For this example, we need the app that we developed in the previous article — Identity as a service (IDaaS): AWS Cognito and ASP.NET Core. In addition, we will continue using Visual Studio 2017 Community Edition.
Protecting API Access
The objective of these examples is to add the necessary validations in the API developed in ASP.NET Core to allow only invocations from apps that have a valid user connected.
This example uses web apps but it is very simple to do the same for single page apps using JavaScript or for a mobile app. The important thing is the propagation of the token from the client to the API, which will validate it before returning the result of the invocation.
This relationship of trust is achieved through the publication of configuration parameters that are public for any service that wants to use them. New services and layers can be added to our ecosystem without modifying existing services.
Something to keep in mind when we create or modify an API Controller in ASP.NET Core is that the [Authorize]
attribute can be applied to a particular method or to the whole class. When applied to the entire class, then all methods will require you to meet the access criteria before responding.
Web API Using AWS Cognito
Let’s start by creating and configuring an ASP.NET Core API to use AWS Cognito as an identity provider. Again, most of the changes have to be made in startup.cs
, although, in this example, we will also create a new controller to return one of the JWT token values.
Startup.cs Changes
The first changes necessary are the using
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
Most of the changes are in the ConfigureServices
method. Some comments before reviewing the code.
First, instead of harcoding the properties of the JWT validation in the code, we use appsettings.json
or more flexibility.
Then you have to useAddAuthentication
to indicate the Authentication and AddJwtBearer
schema to indicate the validation parameters of the JWT, by far the most important section of the code. The MetaDataAddress value depends on our AWS Cognito account, the same value that we use in our Web App.
Something distinctive about AWS Cognito is that the tokens do not have the Audience claim, so it is necessary to indicate to the ASP.NET validation routines that they must ignore it. If ValidateAudience = false is not included, each validation will give an error.
public void ConfigureServices(IServiceCollection services)
{
services.Configure<JwtBearerOptions>(Configuration.GetSection("Authentication:Cognito"));
var serviceProvider = services.BuildServiceProvider();
var authOptions = serviceProvider.GetService<IOptions<JwtBearerOptions>>();
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
options.MetadataAddress = authOptions.Value.MetadataAddress;
options.SaveToken = authOptions.Value.SaveToken;
options.IncludeErrorDetails = authOptions.Value.IncludeErrorDetails;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = authOptions.Value.TokenValidationParameters.ValidateAudience
};
});
services.AddMvc();
}
And, finally, modify the Configure
method to use the Authentication model that we configured in the previous step.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseAuthentication();
// The rest of the Configure Method
}
Note: Since I was refactoring the API example using Okta, I forgot to include this line... I spent 15 minutes reviewing the rest of the code before I found the error. In each test, the answer was Invalid Token without further explanation in the error message or in the debug log.
New API Controller

Each new API project in VS 2017 creates a default controller API ValuesController
. Instead of modifying it, we are going to create a new controller. This will allow us to see that the ValuesController
invocations will not require the JWT but it will be necessary for the new controller.
We will call the new API Controller, TokenController
, and we will only implement the action GET
that simply returns the date when the token expires. The [Authorize]
attribute indicates that a valid user is required to invoke any method of this class.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Authorization;
namespace APICognito.Controllers
{
[Produces("application/json")]
[Route("api/Token")]
[Authorize]
public class TokenController : Controller
{
// GET: api/Token
[HttpGet]
public string Get()
{
string exp = User.Claims.Where(c => c.Type == "exp").First().Value;
return "Your token is valid until " + (new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).AddSeconds(Double.Parse(exp)).ToString();
}
}
}
After the invocation, we can take the answer and show it on the screen.

Thanks for reading!
All views expressed are my own and do not represent opinions of any entity whatsoever with which I have been, am now, or will be affiliated.
Opinions expressed by DZone contributors are their own.
Trending
-
Application Architecture Design Principles
-
Top Six React Development Tools
-
What Is Envoy Proxy?
-
Building a Flask Web Application With Docker: A Step-by-Step Guide
Comments