{"id":8336,"date":"2018-06-27T21:41:28","date_gmt":"2018-06-27T21:41:28","guid":{"rendered":"http:\/\/www.gencayyildiz.com\/blog\/?p=8336"},"modified":"2018-06-27T21:41:28","modified_gmt":"2018-06-27T21:41:28","slug":"asp-net-mvc-web-api-token-authentication","status":"publish","type":"post","link":"https:\/\/www.gencayyildiz.com\/blog\/asp-net-mvc-web-api-token-authentication\/","title":{"rendered":"Asp.NET MVC – Web Api Token Authentication"},"content":{"rendered":"

<\/div>\n

Bir \u00f6nceki Asp.NET MVC \u2013 Web Api Nedir? Nas\u0131l Olu\u015fturulur?<\/a> ba\u015fl\u0131kl\u0131 yaz\u0131mda Web Apilerin ne olduklar\u0131na ve nas\u0131l olu\u015fturulduklar\u0131na de\u011finen i\u00e7eri\u011fi kaleme(klavyeye) alm\u0131\u015ft\u0131k. Bu i\u00e7eri\u011fimizde ise olu\u015fturdu\u011fumuz Web Apilerde Token Authentication ile kullan\u0131c\u0131 tarafl\u0131 do\u011frulama uygulamas\u0131n\u0131 inceliyor olaca\u011f\u0131z.<\/p>\n

Token Authentication Nedir?<\/h3>\n

“Token” kelimesi T\u00fcrk\u00e7e’de “jeton”, “i\u015faret”, “anahtar” vs. \u015feklinde kar\u015f\u0131l\u0131\u011f\u0131 olan bir kelimedir. Ben burada “jeton” tabirini tercih etmekteyim.<\/p>\n

Token Authentication; olu\u015fturdu\u011fumuz Web API’yi kullanmak isteyenlere kar\u015f\u0131, geli\u015ftiriciler taraf\u0131ndan kontrol ve g\u00fcvenlik mekanizmas\u0131 sa\u011flayan bir do\u011frulama y\u00f6ntemidir. API geli\u015ftiricisi, token authentication y\u00f6ntemini kullanarak Apiyi kullanmak isteyen clientlara denetleme sa\u011flamakta ve bu \u015fekilde kontroll\u00fc bir a\u00e7\u0131l\u0131m uygulamaktad\u0131r. Denetlemede do\u011fru kullan\u0131c\u0131 ad\u0131 ve \u015fifreyi giren kullan\u0131c\u0131ya server taraf\u0131nda belirli bir s\u00fcreli\u011fine bir adet token olu\u015fturulur. Kullan\u0131c\u0131 bu token\u0131 kullanarak Web API’nin nimetlerinden faydalanabilmektedir. <\/p>\n

Token Authentication \u0130\u00e7in Hangi K\u00fct\u00fcphanelerin Projeye Entegrasyonu Gereklidir?<\/h3>\n

Token Authentication’\u0131 sa\u011flayabilmek i\u00e7in a\u015fa\u011f\u0131daki k\u00fct\u00fcphanelerin projeye entegre edilmesi gerekmektedir;<\/p>\n

Microsoft.AspNet.WebApi.Owin<\/strong><\/li>\n
Microsoft.Owin.Security.OAuth<\/strong><\/li>\n
Microsoft.Owin.Cors<\/strong><\/li>\n

Microsoft.Owin.Host.SystemWeb<\/strong><\/li>\n<\/ul>\n
\u0130lgili k\u00fct\u00fcphanelerin entegrasyonunu “NuGet Package Manager” penceresinden sa\u011flayabilirsiniz.<\/p>\n
Token Authentication’\u0131n Uygulanmas\u0131<\/h3>\n
\u015eimdi varsayal\u0131m ki elimizde a\u015fa\u011f\u0131daki Web API Controller bulunsun.<\/p>\n
\r\n public class PersonelController : ApiController\r\n {\r\n NorthwindEntities db = new NorthwindEntities();\r\n public IEnumerable<Personel> GetAllPersonel() => db.Personeller.Select(p => new Personel\r\n {\r\n Adi = p.Adi,\r\n Soyadi = p.SoyAdi,\r\n Unvan = p.Unvan\r\n });\r\n public Personel GetPersonel(int id) => db.Personeller.FirstOrDefault(p => p.PersonelID == id);\r\n public IHttpActionResult PostPersonel(Personel personel)\r\n {\r\n db.Personeller.Add(personel);\r\n db.SaveChanges();\r\n return Ok(personel);\r\n }\r\n }\r\n<\/pre>\n
Bu apiye \u00f6zel bir Token Authentication olu\u015ftural\u0131m.<\/p>\n
\u0130lk olarak projeye “Startup.cs” dosyas\u0131 ekleyelim. <\/p>\n
\r\n public class Startup\r\n {\r\n public void Configuration(IAppBuilder app)\r\n {\r\n HttpConfiguration httpConfiguration = new HttpConfiguration();\r\n ConfigureOAuth(app);\r\n WebApiConfig.Register(httpConfiguration);\r\n app.UseWebApi(httpConfiguration);\r\n }\r\n\r\n void ConfigureOAuth(IAppBuilder app)\r\n {\r\n \/\/Token \u00fcretimi i\u00e7in authorization ayarlar\u0131n\u0131 belirliyoruz.\r\n OAuthAuthorizationServerOptions oAuthAuthorizationServerOptions = new OAuthAuthorizationServerOptions()\r\n {\r\n TokenEndpointPath = new PathString("\/token"), \/\/Token talebini yapaca\u011f\u0131m\u0131z dizin\r\n AccessTokenExpireTimeSpan = TimeSpan.FromDays(1), \/\/Olu\u015fturulacak token\u0131 bir g\u00fcn ge\u00e7erli olacak \u015fekilde ayarl\u0131yoruz.\r\n AllowInsecureHttp = true, \/\/G\u00fcvensiz http portuna izin veriyoruz.\r\n Provider = new ProviderAuthorization() \/\/Sa\u011flay\u0131c\u0131 s\u0131n\u0131f\u0131n\u0131 belirtiyoruz. Birazdan bu s\u0131n\u0131f\u0131 olu\u015fturaca\u011f\u0131z.\r\n };\r\n\r\n \/\/Yukar\u0131da belirlemi\u015f oldu\u011fumuz authorization ayarlar\u0131nda \u00e7al\u0131\u015fmas\u0131 i\u00e7in server'a ilgili OAuthAuthorizationServerOptions tipindeki nesneyi g\u00f6nderiyoruz.\r\n app.UseOAuthAuthorizationServer(oAuthAuthorizationServerOptions);\r\n\r\n \/\/Authentication Type olarak Bearer Authentication'\u0131 kullanaca\u011f\u0131m\u0131z\u0131 belirtiyoruz.\r\n app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());\r\n\r\n \/\/Bearer Token, OAuth 2.0 ile gelen standartla\u015fm\u0131\u015f bir token t\u00fcr\u00fcd\u00fcr.\r\n \/\/Herhangi bir kriptolu veriye ihtiya\u00e7 duyulmaks\u0131z\u0131n client taraf\u0131ndan token iste\u011finde bulunulur ve server belirli bir zamana sahip access_token \u00fcretir.\r\n \/\/Bearer Token SSL g\u00fcvenli\u011fine dayan\u0131r.\r\n }\r\n }\r\n<\/pre>\n
Yukar\u0131daki “Startup.cs” s\u0131n\u0131f\u0131n\u0131 incelerseniz e\u011fer “Configuration” metodunda gerekli http konfig\u00fcrasyonlar\u0131 sa\u011flanmaktad\u0131r. “ConfigureOAuth” isimli metotta ise token \u00fcretimi i\u00e7in gerekli authorization olu\u015fturulmakta ve gerekli provider s\u0131n\u0131f\u0131 tan\u0131mlanmaktad\u0131r.<\/p>\n
Tan\u0131mlad\u0131\u011f\u0131m\u0131z “ProviderAuthorization” isimli provider s\u0131n\u0131f\u0131m\u0131z\u0131da incelersek e\u011fer;<\/p>\n
\r\n public class ProviderAuthorization : OAuthAuthorizationServerProvider\r\n {\r\n public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)\r\n {\r\n context.Validated();\r\n }\r\n public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)\r\n {\r\n \/\/Domainler aras\u0131 etkile\u015fim ve kaynak payla\u015f\u0131m\u0131n\u0131 sa\u011flayan ve bir domainin bir ba\u015fka domainin kayna\u011f\u0131n\u0131 kullanmas\u0131n\u0131 sa\u011flayan CORS ayarlar\u0131n\u0131 set ediyoruz.\r\n context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });\r\n\r\n \/\/Kullan\u0131c\u0131n\u0131n access_token alabilmesi i\u00e7in gerekli validation i\u015flemlerini yap\u0131yoruz.\r\n if (context.UserName == "Gen\u00e7ay" && context.Password == "SebepsizBo\u015fYereAyr\u0131lacaksan")\r\n {\r\n ClaimsIdentity identity = new ClaimsIdentity(context.Options.AuthenticationType);\r\n identity.AddClaim(new Claim("sub", context.UserName));\r\n identity.AddClaim(new Claim("role", "user"));\r\n\r\n context.Validated(identity);\r\n }\r\n else\r\n {\r\n context.SetError("hata", "Kullan\u0131c\u0131 ad\u0131 veya \u015fifre hatal\u0131.");\r\n }\r\n }\r\n }\r\n<\/pre>\n
Yukar\u0131daki kod blo\u011funu incelerseniz e\u011fer, olu\u015fturmu\u015f oldu\u011fumuz ProviderAuthorization s\u0131n\u0131f\u0131n\u0131n client eri\u015fimine izin verebilmek i\u00e7in ValidateClientAuthentication metodunu OAuthAuthorizationServerProvider s\u0131n\u0131f\u0131ndan override ettik. Benzer \u015fekilde ProviderAuthorization s\u0131n\u0131f\u0131n\u0131n kaynak eri\u015fimine izin verebilmek i\u00e7in de GrantResourceOwnerCredentials metodunu override etmi\u015f bulunmaktay\u0131z.<\/p>\n
Art\u0131k Token Authentication i\u00e7in gerekli t\u00fcm \u00e7al\u0131\u015fmalar\u0131 ger\u00e7ekle\u015ftirmi\u015f bulunmaktay\u0131z. Dolay\u0131s\u0131yla ilgili Web Apimizde do\u011frulama g\u00fcvenli\u011fi uygulamak istedi\u011fimiz metotlar\u0131 “Authorize” attribute’u ile i\u015faretlememiz yeterlidir. Tabi ben t\u00fcm metotlar\u0131mda bu do\u011frulamay\u0131 istedi\u011fim i\u00e7in komple web api s\u0131n\u0131f\u0131n\u0131 ilgili attribute ile i\u015faretlemekteyim.<\/p>\n
\r\n [Authorize]\r\n public class PersonelController : ApiController\r\n {\r\n NorthwindEntities db = new NorthwindEntities();\r\n public IEnumerable<Personel> GetAllPersonel() => db.Personeller.Select(p => new Personel\r\n {\r\n Adi = p.Adi,\r\n Soyadi = p.SoyAdi,\r\n Unvan = p.Unvan\r\n });\r\n public Personel GetPersonel(int id) => db.Personeller.FirstOrDefault(p => p.PersonelID == id);\r\n public IHttpActionResult PostPersonel(Personel personel)\r\n {\r\n db.Personeller.Add(personel);\r\n db.SaveChanges();\r\n return Ok(personel);\r\n }\r\n }\r\n<\/pre>\n
Evet… \u015eu noktadan itibaren Postman uygulamas\u0131 \u00fczerinden herhangi bir GET ya da POST metoduna requestte bulundu\u011fumuzda a\u015fa\u011f\u0131daki hatayla kar\u015f\u0131la\u015faca\u011f\u0131z.<\/p>\n
\n{
\n “Message”: “Authorization has been denied for this request.”
\n}<\/em><\/strong>\n<\/p><\/blockquote>\n
G\u00f6rd\u00fc\u011f\u00fcn\u00fcz \u00fczere web apimiz token \u00fcretmeyen kullan\u0131c\u0131lara nimetlerini sunmamaktad\u0131r.<\/p>\n
\u00d6ncelikle token \u00fcretmemiz gerekecektir. Haliyle ilk olarak a\u015fa\u011f\u0131daki linki belirtilen headers ve body \u00f6zellikleriyle tetikleyerek gerekli kullan\u0131c\u0131 ad\u0131 ve \u015fifre ile token\u0131m\u0131z\u0131 elde edelim.<\/p>\n
http:\/\/localhost:*****\/token<\/strong><\/p><\/blockquote>\n
Headers’a eklenecek parametreler;<\/p>\n\n\n\n\n\n\n
Header<\/th>\n Value<\/th>\n<\/tr>\n<\/thead>\n
Accept<\/td>\n application\/json<\/td>\n<\/tr>\n
Content-Type<\/td>\n application\/x-www-form-urlencoded<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Body’e eklenecek parametreler;<\/p>\n\n\n\n\n\n\n\n
Key<\/th>\n Value<\/th>\n<\/tr>\n<\/thead>\n
grant_type<\/td>\n password<\/td>\n<\/tr>\n
username<\/td>\n Gen\u00e7ay<\/td>\n<\/tr>\n
password<\/td>\n SebepsizBo\u015fYereAyr\u0131lacaksan<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
$\"Asp.NET$ <\/a>
\nG\u00f6r\u00fcld\u00fc\u011f\u00fc \u00fczere token\u0131m\u0131z\u0131 elde etmi\u015f olduk. Art\u0131k bu token\u0131 kullanarak Web Api’de istedi\u011fimiz herhangi bir metoda eri\u015febiliriz.<\/p>\n
GET ya da POST metotlar\u0131na eri\u015fmeye \u00e7al\u0131\u015f\u0131rken her ikisinde de ortak olan headers \u00f6zelliklerini a\u015fa\u011f\u0131daki gibi vermemiz yeterli olacakt\u0131r.<\/p>\n\n\n\n\n\n\n
Header<\/th>\n Value<\/th>\n<\/tr>\n<\/thead>\n
Content-Type<\/td>\n application\/json<\/td>\n<\/tr>\n
Authorization<\/td>\n Bearer (….D4buSqsfoyuXEdvWpvpBGbHBTP9FAY…)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Burada dikkat etmeniz gereken nokta, Authorization’a token de\u011ferini yazarken ba\u015f\u0131na “Bearer” de\u011ferini yazmay\u0131 unutmay\u0131n\u0131z.<\/p>\n
$\"Asp.NET$ <\/a>
\n $\"Asp.NET$ <\/a>
\n $\"Asp.NET$ <\/a>
\nG\u00f6r\u00fcld\u00fc\u011f\u00fc \u00fczere web api’de ki her bir metot i\u00e7in elde etti\u011fimiz token ile ba\u015far\u0131l\u0131 requestlerimizi ger\u00e7ekle\u015ftirmi\u015f bulunmaktay\u0131z.<\/p>\n
Bu sat\u0131rlardan itibaren Asp.NET MVC – Web Api uygulamalar\u0131nda Token Authentication’\u0131n nas\u0131l sa\u011fland\u0131\u011f\u0131n\u0131 yeterince incelemi\u015f bulunuyoruz. Umar\u0131m faydal\u0131 bir i\u00e7erik olmu\u015ftur.<\/p>\n
Sonraki yaz\u0131lar\u0131mda g\u00f6r\u00fc\u015fmek \u00fczere…
\n\u0130yi \u00e7al\u0131\u015fmalar dilerim…<\/p>\n","protected":false},"excerpt":{"rendered":"
Bir \u00f6nceki Asp.NET MVC \u2013 Web Api Nedir? Nas\u0131l Olu\u015fturulur? ba\u015fl\u0131kl\u0131 yaz\u0131mda Web Apilerin ne olduklar\u0131na ve nas\u0131l olu\u015fturulduklar\u0131na de\u011finen i\u00e7eri\u011fi kaleme(klavyeye) alm\u0131\u015ft\u0131k. Bu i\u00e7eri\u011fimizde ise olu\u015fturdu\u011fumuz Web Apilerde Token Authentication ile kullan\u0131c\u0131 tarafl\u0131...<\/p>\n","protected":false},"author":1,"featured_media":8358,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2402],"tags":[746,2398,2411,2407,2409,2410,2408,2406,2405,2404],"class_list":["post-8336","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-asp-net-mvc","category-web-api","tag-asp-net-mvc","tag-asp-net-mvc-web-api","tag-bearer-authentication","tag-microsoft-aspnet-webapi-owin","tag-microsoft-owin-cors","tag-microsoft-owin-host-systemweb","tag-microsoft-owin-security-oauth","tag-token-authentication","tag-web-api-token","tag-web-api-token-authentication"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.gencayyildiz.com\/blog\/wp-json\/wp\/v2\/posts\/8336","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gencayyildiz.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gencayyildiz.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gencayyildiz.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gencayyildiz.com\/blog\/wp-json\/wp\/v2\/comments?post=8336"}],"version-history":[{"count":29,"href":"https:\/\/www.gencayyildiz.com\/blog\/wp-json\/wp\/v2\/posts\/8336\/revisions"}],"predecessor-version":[{"id":8369,"href":"https:\/\/www.gencayyildiz.com\/blog\/wp-json\/wp\/v2\/posts\/8336\/revisions\/8369"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.gencayyildiz.com\/blog\/wp-json\/wp\/v2\/media\/8358"}],"wp:attachment":[{"href":"https:\/\/www.gencayyildiz.com\/blog\/wp-json\/wp\/v2\/media?parent=8336"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gencayyildiz.com\/blog\/wp-json\/wp\/v2\/categories?post=8336"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gencayyildiz.com\/blog\/wp-json\/wp\/v2\/tags?post=8336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}