gary-archer/oauth.apisample.netcore

Final OAuth .NET API

Behaviour

The final OAuth secured .NET API code sample, referenced in my blog at https://authguidance.com:

  • The API has a fictional business area of investments, but simply returns hard coded data
  • The API takes finer control over OAuth and claims to enable the best security with good manageability
  • The API uses structured logging and log aggregation, for the best supportability

API integrates with UI Clients

The API can run as part of an OAuth end-to-end setup, to serve my blog's UI code samples.
Running the API in this manner forces it to be designed around the needs of its UI clients:

[Image: SPA and API]

API can be Productively Tested

The API's clients are UIs, which get user level access tokens by running an OpenID Connect code flow.
For productive test driven development, the API instead mocks the Authorization Server:
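The following is an added example, not the repository's own test code, of what mocking the Authorization Server looks like in C#. A test-time stand-in holds the RSA signing keys and mints user-level access tokens, and the validator does what an API using jose-jwt (the library named on this page) has to do on every request: select the key by `kid`, verify with a pinned algorithm, then check issuer, audience and expiry itself, because jose-jwt only verifies the signature. The repository serves its mock JWKS from Wiremock; here the JWKS is an in-memory lookup. `MockAuthServer`, `AccessTokenValidator`, the issuer URL and the audience value are assumptions for illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.Json;
using Jose;

// Stand-in for the Authorization Server: owns the signing keys and mints tokens.
// In the repository's tests the JWKS is served by Wiremock; here it is an in-memory lookup.
public sealed class MockAuthServer
{
    public const string Issuer = "https://mock-issuer.example"; // assumed value
    private readonly Dictionary<string, RSA> keys = new();

    public MockAuthServer()
    {
        // Two published keys, so that validation must select by 'kid' rather than take the first
        keys["key-1"] = RSA.Create(2048);
        keys["key-2"] = RSA.Create(2048);
    }

    public IReadOnlyDictionary<string, RSA> Jwks => keys;

    public string IssueAccessToken(string kid, string subject, string audience, TimeSpan lifetime)
    {
        var now = DateTimeOffset.UtcNow;
        var claims = new Dictionary<string, object>
        {
            ["iss"] = Issuer,
            ["sub"] = subject,
            ["aud"] = audience,
            ["iat"] = now.ToUnixTimeSeconds(),
            ["exp"] = now.Add(lifetime).ToUnixTimeSeconds(),
        };
        var headers = new Dictionary<string, object> { ["kid"] = kid };
        return JWT.Encode(claims, keys[kid], JwsAlgorithm.RS256, headers);
    }
}

// What the API does per request: key by 'kid', pinned algorithm, then the claim checks
// that jose-jwt does not perform for you (issuer, audience, expiry).
public static class AccessTokenValidator
{
    public static JsonElement Validate(string token, IReadOnlyDictionary<string, RSA> jwks,
                                       string expectedIssuer, string expectedAudience)
    {
        var kid = JWT.Headers(token).TryGetValue("kid", out var value) ? value?.ToString() : null;
        if (kid is null || !jwks.TryGetValue(kid, out var key))
            throw new UnauthorizedAccessException("token signed with an unknown key");

        // The algorithm is passed explicitly, so the token's own 'alg' header is never trusted
        var json = JWT.Decode(token, key, JwsAlgorithm.RS256);
        var claims = JsonDocument.Parse(json).RootElement.Clone();

        if (claims.GetProperty("iss").GetString() != expectedIssuer)
            throw new UnauthorizedAccessException("unexpected issuer");
        if (claims.GetProperty("aud").GetString() != expectedAudience) // single-valued 'aud' assumed
            throw new UnauthorizedAccessException("token not intended for this API");
        if (claims.GetProperty("exp").GetInt64() <= DateTimeOffset.UtcNow.ToUnixTimeSeconds())
            throw new UnauthorizedAccessException("token expired");
        return claims;
    }
}

public static class Demo
{
    public static void Main()
    {
        var server = new MockAuthServer();
        var token = server.IssueAccessToken("key-2", "user-123", "api.example", TimeSpan.FromMinutes(5));
        var claims = AccessTokenValidator.Validate(token, server.Jwks, MockAuthServer.Issuer, "api.example");
        Console.WriteLine($"accepted token for {claims.GetProperty("sub").GetString()}");

        // Error rehearsal: an already-expired token must be rejected with a clear reason
        var expired = server.IssueAccessToken("key-1", "user-123", "api.example", TimeSpan.FromMinutes(-1));
        try { AccessTokenValidator.Validate(expired, server.Jwks, MockAuthServer.Issuer, "api.example"); }
        catch (UnauthorizedAccessException e) { Console.WriteLine($"rejected: {e.Message}"); }
    }
}
```

Because the tests own the private keys, they can mint tokens for any user, any `kid` and any lifetime without a login, which is what makes test driven development of the API productive; the same validator code runs unchanged against the real Authorization Server's JWKS.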

[Image: Test Driven Development]

API can be Load Tested

A basic load test uses Tasks to fire 5 parallel requests at a time at the API.
This checks for concurrency problems, and error rehearsal is used to ensure that error responses are useful:
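An added example, not the repository's load test script, of the Task-based pattern described above in C#: each batch puts 5 requests in flight at once with `Task.WhenAll`, every request carries its own correlation id so that a failure can be matched to the API's logs, and error responses are checked for a machine-readable JSON body rather than just counted. The base URL, the bearer token, the `x-correlation-id` header name and the `ParallelLoadTest` type are assumptions for illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

public sealed record RequestResult(
    int Batch, string CorrelationId, HttpStatusCode Status, TimeSpan Elapsed, bool ErrorIsJson);

public static class ParallelLoadTest
{
    private const int Parallelism = 5;

    public static async Task<IReadOnlyList<RequestResult>> RunAsync(
        HttpClient client, Uri url, string accessToken, int batches)
    {
        var results = new List<RequestResult>();
        for (var batch = 0; batch < batches; batch++)
        {
            // All 5 requests of a batch are started before any is awaited; WhenAll waits for the slowest
            var tasks = Enumerable.Range(0, Parallelism)
                                  .Select(_ => SendOneAsync(client, url, accessToken, batch));
            results.AddRange(await Task.WhenAll(tasks));
        }
        return results;
    }

    private static async Task<RequestResult> SendOneAsync(HttpClient client, Uri url, string token, int batch)
    {
        var correlationId = Guid.NewGuid().ToString();
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        request.Headers.Add("x-correlation-id", correlationId); // assumed header name

        var stopwatch = Stopwatch.StartNew();
        using var response = await client.SendAsync(request);
        stopwatch.Stop();

        // A useful error response is one a client can parse: success, or a JSON error body
        var errorIsJson = response.IsSuccessStatusCode
            || string.Equals(response.Content.Headers.ContentType?.MediaType, "application/json",
                             StringComparison.OrdinalIgnoreCase);
        return new RequestResult(batch, correlationId, response.StatusCode, stopwatch.Elapsed, errorIsJson);
    }

    public static string Summarise(IReadOnlyList<RequestResult> results)
    {
        if (results.Count == 0) return "no requests were sent";
        var byStatus = results.GroupBy(r => r.Status)
                              .OrderBy(g => (int)g.Key)
                              .Select(g => $"{(int)g.Key} x{g.Count()}");
        var slowestMs = results.Max(r => r.Elapsed.TotalMilliseconds);
        var nonJsonErrors = results.Where(r => !r.ErrorIsJson).Select(r => r.CorrelationId).ToList();
        return $"{string.Join(", ", byStatus)}; slowest {slowestMs:F0} ms; "
             + $"non-JSON error responses: {nonJsonErrors.Count} {string.Join(" ", nonJsonErrors)}";
    }

    public static async Task Main()
    {
        using var client = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };
        var url = new Uri("https://apilocal.authsamples-dev.com:446/investments/companies"); // from the README
        var token = Environment.GetEnvironmentVariable("ACCESS_TOKEN") ?? "<access token>"; // assumed source
        var results = await RunAsync(client, url, token, batches: 10);
        Console.WriteLine(Summarise(results));
    }
}
```

Sharing one `HttpClient` across the parallel requests is deliberate: it is the same connection pool the API's real clients reuse, so the test exercises concurrent handling on the server rather than connection setup. Any correlation id listed under non-JSON error responses is the key to search for in the API logs.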

[Image: Load Test]

API is Supportable

API logs can be analysed in a use-case based manner by running Elasticsearch SQL and Lucene queries.
Follow the Technical Support Queries for some people-friendly examples:

[Image: Support Queries]

Commands

Prerequisites

  • Ensure that a .NET 8+ SDK is installed
  • Integration tests run Wiremock in Docker, so ensure that Docker is installed

Run the API

Run the API with this command:

./start.sh

Configure DNS and SSL

Configure DNS by adding these domains to your hosts file:

127.0.0.1 localhost apilocal.authsamples-dev.com login.authsamples-dev.com

Then call an endpoint over port 446:

curl -k https://apilocal.authsamples-dev.com:446/investments/companies

Then configure .NET SSL trust for the root CA at ./certs/authsamples-dev.ca.pem.
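An added example, not part of the repository, of one way to do the .NET trust step from code rather than with `curl -k`: an `HttpClient` whose certificate callback re-evaluates the server's chain against a trust store containing only the sample's root CA, while a hostname mismatch remains a hard failure. This differs from `HttpClientHandler.DangerousAcceptAnyServerCertificateValidator`, which (like `curl -k`) turns verification off entirely. The CA path, host and port are the ones shown above; `PrivateCaHttpClient` and the revocation setting are assumptions.

```csharp
#nullable enable
using System;
using System.IO;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public static class PrivateCaHttpClient
{
    public static HttpClient Create(string rootCaPemPath)
    {
        var rootCa = X509Certificate2.CreateFromPem(File.ReadAllText(rootCaPemPath));
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (request, cert, presentedChain, errors) => IsTrusted(cert, presentedChain, errors, rootCa)
        };
        return new HttpClient(handler);
    }

    // Accept the certificate only if the name matches and it chains to the private root
    public static bool IsTrusted(X509Certificate2? cert, X509Chain? presentedChain,
                                 SslPolicyErrors errors, X509Certificate2 rootCa)
    {
        if (cert is null) return false;
        if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) return false;
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;

        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(rootCa);
        // Assumption: the development CA publishes no CRL or OCSP responder
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        // Intermediates sent by the server are made available to the chain builder
        if (presentedChain is not null)
        {
            foreach (var element in presentedChain.ChainElements)
                chain.ChainPolicy.ExtraStore.Add(element.Certificate);
        }
        return chain.Build(cert);
    }

    public static async Task<string> GetCompaniesAsync()
    {
        using var client = Create("./certs/authsamples-dev.ca.pem");
        // Same endpoint as the curl command above; without a bearer token the API is expected to reject the call
        using var response = await client.GetAsync("https://apilocal.authsamples-dev.com:446/investments/companies");
        return $"{(int)response.StatusCode} {await response.Content.ReadAsStringAsync()}";
    }

    public static async Task Main() => Console.WriteLine(await GetCompaniesAsync());
}
```

Keeping the private root in a per-client trust store, instead of importing it into the machine store, limits its reach to the test client and makes a stale development CA easy to retire.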

Test the API

Stop the API, then re-run it with a test configuration:

./testsetup.sh

Then run integration tests and a load test:

./integration_tests.sh
./load_test.sh

Further Details

Programming Languages

  • C# and .NET are used to implement the REST API

Infrastructure

  • The Kestrel web server is used to host the API over SSL
  • AWS Cognito is used as the default Authorization Server
  • The jose-jwt library is used to manage in memory validation of JWTs
  • The project includes API deployment resources for Docker and Kubernetes
