Sunday, 16 April 2017

Web API Token Based Authentication


ASP.NET Web API can be accessed over HTTP by any client that speaks the HTTP protocol. The framework exchanges data in JSON format by default, which keeps communication lightweight.

Token based authentication
Since Web API adoption is increasing rapidly, there is a serious need to implement security for all types of clients that access data from Web API services. One of the most widely used mechanisms is to authenticate the client over HTTP using a signed token. Simply put, a token is a piece of data created by a server that contains enough information to identify a particular user. The process starts with the user entering a username and password when accessing a service. Once the user has provided the username/password, a token is issued that allows the user to fetch a specific resource without sending the username and password every time. This token is sent to the server with each request made by the client and contains all the information needed to validate the user's request. The following diagram explains how token-based authentication is used in communication between clients and the server.
Token-based authentication works by ensuring that each request to the server is accompanied by a signed token; the server verifies the token's authenticity and only then responds to the request.



Why use token-based authentication?

  1. Tokens are stateless - The token is self-contained and carries all the information needed for authentication. This is great for scalability, as it frees your server from having to store session state.
  2. Tokens can be generated anywhere - Token generation is decoupled from token verification, which gives you the option to handle the signing of tokens on a separate server or even through a different company such as Auth0.
  3. Fine-grained access control - Within the token payload you can easily specify user roles and permissions as well as the resources the user can access.
  4. Mobile friendly - This type of authentication does not require cookies, so it can be used with mobile applications.
  5. Loose coupling - Your front-end application is not coupled to a specific authentication mechanism: the token is generated by the server, and your API is built to understand this token and perform the authentication.
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained method for securely transmitting information between parties as a JSON object. JWT has gained mass popularity because of its compact size, which allows tokens to be easily transmitted in query strings, in header attributes and within the body of a POST request.
A JSON Web Token consists of three parts: header, payload and signature. The header and payload are Base64url encoded and concatenated with a period; finally the result is signed with the chosen algorithm, producing a token of the form header.claims.signature. The header consists of metadata, including the type of token and the hashing algorithm used to sign it. The payload contains the claims data that the token encodes.

JSON Web Token best practices
1. Keep it secret. Keep it safe. The signing key should be treated like any other credential and revealed only to services that absolutely need it.
2. Do not add sensitive data to the payload. Tokens are signed to protect against manipulation, but the payload is only encoded, not encrypted, and is easily decoded. Add the bare minimum number of claims to the payload for the best performance and security.
3. Give tokens an expiration. Technically, once a token is signed it is valid forever unless the signing key is changed or an expiration is explicitly set. This can cause problems, so have a strategy for expiring and/or revoking tokens.
4. Embrace HTTPS. Do not send tokens over non-HTTPS connections, as those requests can be intercepted and the tokens compromised.
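As an added example (not code from the original post), the following C# program mints and verifies an HS256 JWT using only the .NET base class library (it assumes .NET 6 or later), so the three-part structure and the best practices above can be seen in working code: the verify side pins the algorithm instead of trusting the token's alg field, compares the signature in constant time, enforces exp, and prints the decoded payload to show that anyone holding the token can read it. The key, subject, roles and lifetime are constructed values for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Added example, not the original post's code. Assumes .NET 6+ (RandomNumberGenerator.GetBytes).
public static class JwtDemo
{
    // Base64url (RFC 7515 alphabet, no padding); plain Base64 is not valid inside a JWT.
    static string B64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] B64UrlDecode(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        switch (t.Length % 4) { case 2: t += "=="; break; case 3: t += "="; break; }
        return Convert.FromBase64String(t);
    }

    static byte[] Hmac(byte[] key, string signingInput)
    {
        using var h = new HMACSHA256(key);
        return h.ComputeHash(Encoding.ASCII.GetBytes(signingInput));
    }

    // Mint header.payload.signature with HS256. 'exp' is a Unix timestamp in seconds.
    public static string Mint(byte[] key, string subject, string[] roles, long nowUnix, int ttlSeconds)
    {
        var header = new Dictionary<string, object> { ["alg"] = "HS256", ["typ"] = "JWT" };
        var payload = new Dictionary<string, object>
        {
            ["sub"] = subject, ["roles"] = roles, ["iat"] = nowUnix, ["exp"] = nowUnix + ttlSeconds
        };
        string input = B64Url(JsonSerializer.SerializeToUtf8Bytes(header)) + "." +
                       B64Url(JsonSerializer.SerializeToUtf8Bytes(payload));
        return input + "." + B64Url(Hmac(key, input));
    }

    // Verify: pin the algorithm, compare the MAC in constant time, then enforce 'exp'.
    public static bool TryVerify(byte[] key, string token, long nowUnix, out JsonElement claims)
    {
        claims = default;
        string[] parts = token.Split('.');
        if (parts.Length != 3) return false;
        try
        {
            using var header = JsonDocument.Parse(B64UrlDecode(parts[0]));
            // Never let the token choose the algorithm; only HS256 with our key is accepted.
            if (!header.RootElement.TryGetProperty("alg", out var alg) || alg.GetString() != "HS256")
                return false;

            byte[] expected = Hmac(key, parts[0] + "." + parts[1]);
            if (!CryptographicOperations.FixedTimeEquals(expected, B64UrlDecode(parts[2])))
                return false;

            using var payload = JsonDocument.Parse(B64UrlDecode(parts[1]));
            if (!payload.RootElement.TryGetProperty("exp", out var exp) ||
                exp.ValueKind != JsonValueKind.Number || exp.GetInt64() <= nowUnix)
                return false;

            claims = payload.RootElement.Clone();
            return true;
        }
        catch (Exception e) when (e is FormatException || e is JsonException)
        {
            return false; // malformed encoding or JSON is rejected, never trusted
        }
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // constructed; load from a secret store in practice
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string token = Mint(key, "alice", new[] { "reader" }, now, 300);

        Console.WriteLine(TryVerify(key, token, now, out var claims));   // True
        Console.WriteLine(claims.GetProperty("sub").GetString());        // alice
        Console.WriteLine(TryVerify(key, token, now + 301, out _));      // False: expired

        // The payload is only encoded, not encrypted: anyone holding the token can read it.
        string[] p = token.Split('.');
        Console.WriteLine(Encoding.UTF8.GetString(B64UrlDecode(p[1])));

        // Editing the payload (roles -> admin) without the key invalidates the signature.
        string forged = B64Url(Encoding.UTF8.GetBytes(
            "{\"sub\":\"alice\",\"roles\":[\"admin\"],\"exp\":" + (now + 300) + "}"));
        Console.WriteLine(TryVerify(key, p[0] + "." + forged + "." + p[2], now, out _)); // False: bad signature

        // A header claiming alg=none with an empty signature is rejected before any MAC check.
        string noneHeader = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"none\",\"typ\":\"JWT\"}"));
        Console.WriteLine(TryVerify(key, noneHeader + "." + p[1] + ".", now, out _)); // False: alg pinned
    }
}
```

The design point is that the verifier, not the token, decides which algorithm and key apply; the constant-time comparison avoids leaking how many signature bytes matched, and the exp check is what gives best practice 3 teeth. In a real service the key would come from configuration or a secret store and the token would only ever travel over HTTPS (best practice 4).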

World of Constructors in C#

Constructors

Constructors are class methods that are executed automatically when an instance of the class is created. Constructors are used to initialize the members declared at class level. A constructor runs only once per instance, at the moment the instance is created (in other words, when memory is allocated for the object), and it runs before any other code of the class executes for that instance. A class can have multiple constructors, using polymorphism in the form of overloading. If we do not define any constructor in a class, the compiler automatically creates a default constructor.

Notable points about constructors
- A class can have any number of constructors.
- A static constructor does not have any parameters.
- Within a class you can create only one static constructor.
- A constructor does not have a return type, not even void.

Types of constructors
1. Default constructor - A constructor without any parameters is called a default constructor. With this constructor, every instance of the class is initialized without any parameter values. The default constructor initializes all numeric fields to zero and all strings and object references to null.

2. Parameterized constructor - A constructor with at least one parameter is called a parameterized constructor. The advantage of this constructor is that you can initialize each instance with different values.
a) Constructor overloading - We can overload a constructor by creating another constructor with the same name but different parameters.

3. Copy constructor - A parameterized constructor whose parameter is of the same class type is called a copy constructor. Its main purpose is to initialize a new instance with the values of an existing instance.

4. Static constructor - When we declare a constructor as static, it is invoked only once, regardless of how many instances of the class are created: at the creation of the first instance or the first reference to a static member of the class. A static constructor is used to initialize the static fields of the class and to hold code that needs to run only once.
a) Notable points about static constructors
i. A static constructor does not take access modifiers or have parameters.
ii. A static constructor cannot be called directly.
iii. The user has no control over when the static constructor executes, because the CLR calls it (as noted above, before the first instance is created or the first static member is referenced).
iv. A static constructor can set up values that do not change after initialization (constant-like static fields).

5. Private constructor - A private constructor is a special instance constructor used in a class that contains only static members. If a class has a private constructor and no public constructor, other classes are not allowed to create an instance of it; this means we can neither create an object of the class nor inherit from it. The main purpose of a private constructor is to prevent the class from being instantiated when all of its members are static.

6. Instance constructor - A constructor without any parameters is called an instance constructor. This sounds similar to the default constructor and the static constructor, but it is different:
a) The default constructor initializes variables to the default values of their data types, whereas in an instance constructor we can assign specific values to variables.
b) A static constructor is called automatically by the CLR, whereas an instance constructor is called when an instance of the class is created.

Destructor

Destructors are used to release memory allocated for an instance of an object. In the .NET Framework, the garbage collector automatically manages the allocation and release of memory for managed objects in your application. But there can still be unmanaged resources, which can be freed explicitly using a destructor.
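As an added example, not from the original post, the following C# program exercises each constructor type listed above in one class (default, parameterized and overloaded, copy, static and private) together with a destructor that frees an unmanaged buffer. The Account, Registry and UnmanagedBuffer classes are invented for illustration.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example, not the original post's code. The classes below are constructed for illustration.
public class Account
{
    public static readonly string Currency;   // assigned once, by the static constructor
    public string Owner { get; }
    public decimal Balance { get; }

    // Static constructor: the CLR runs it once, before the first instance is created
    // or the first static member is referenced. No access modifier, no parameters.
    static Account()
    {
        Currency = "USD";
        Console.WriteLine("static Account() ran");
    }

    // Default (parameterless) instance constructor; chains to the parameterized one.
    public Account() : this("unknown", 0m) { }

    // Parameterized constructor, overloading the one above with a different parameter list.
    public Account(string owner, decimal balance)
    {
        Owner = owner;
        Balance = balance;
    }

    // Copy constructor: takes another Account and duplicates its state into the new instance.
    public Account(Account other) : this(other.Owner, other.Balance) { }

    public override string ToString() => $"{Owner}: {Balance} {Currency}";
}

// Private constructor: outside code cannot instantiate this class, and a derived class
// would not compile because it has no accessible base constructor to call.
public class Registry
{
    public static readonly Registry Instance = new Registry();
    private Registry() { }

    public int Count { get; private set; }
    public void Register(Account a) => Count++;
}

// Destructor (finalizer): releases memory the garbage collector does not track.
public class UnmanagedBuffer
{
    private IntPtr _ptr;
    public UnmanagedBuffer(int bytes) { _ptr = Marshal.AllocHGlobal(bytes); }

    // Called by the GC at an unspecified time, never directly by user code.
    ~UnmanagedBuffer()
    {
        if (_ptr != IntPtr.Zero) { Marshal.FreeHGlobal(_ptr); _ptr = IntPtr.Zero; }
    }
}

public static class Program
{
    public static void Main()
    {
        var a = new Account();               // triggers the static constructor first, then the default one
        var b = new Account("alice", 100m);  // parameterized
        var c = new Account(b);              // copy
        Console.WriteLine(a);                // unknown: 0 USD
        Console.WriteLine(c);                // alice: 100 USD

        // new Registry(); would not compile: the constructor is private.
        Registry.Instance.Register(b);
        Console.WriteLine(Registry.Instance.Count); // 1

        var buf = new UnmanagedBuffer(1024);
        buf = null;            // the finalizer frees the 1024 bytes when the GC collects the object
        GC.Collect();
        GC.WaitForPendingFinalizers();
    }
}
```

The GC.Collect and GC.WaitForPendingFinalizers calls at the end only make the destructor run promptly for the demonstration; in production code a finalizer is a safety net, and unmanaged resources are normally released deterministically through IDisposable.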

ML.NET: Machine Learning for .NET Developers

Machine Learning in .Net ML.NET is a free software machine learning library for the C# and F# programming languages. It also supports Pyth...