Authored by pwelter34, this article introduces AspNetCore.SecurityKey, a robust API key authentication library for ASP.NET Core. It examines installation steps, configuration options, and advanced customization for securing .NET applications.

Overview

AspNetCore.SecurityKey is an open-source library designed to provide a complete and flexible API key authentication solution for ASP.NET Core applications. The library integrates with the existing ASP.NET Core authentication and authorization system and supports multiple input methods, making it adaptable for various scenarios.

Key Features

  • Multiple Input Sources: API keys via headers, query parameters, or cookies.
  • Flexible Authentication: Integrates with ASP.NET Core authentication or works as standalone middleware.
  • Extensible Design: Supports custom validation and extraction logic.
  • Rich Integration: Use controller attributes, middleware, or minimal API support.
  • OpenAPI Support: Automatically generates Swagger/OpenAPI documentation (.NET 9+).
  • Minimal Overhead: High performance with optional caching.
  • Multiple Deployment Patterns: Choose from attribute-based, middleware, or endpoint filters.

Getting Started

  1. Package Installation:

    • Install via NuGet:

      dotnet add package AspNetCore.SecurityKey
  2. Configure the API Key:

    • In appsettings.json:

      { "SecurityKey": "your-secret-api-key-here" }

  3. Register Services & Secure Endpoints:

    builder.Services.AddSecurityKey();
app.UseSecurityKey();

  4. Call the API:

    curl -H "X-API-KEY: your-secret-api-key-here" https://yourapi.com/endpoint

NuGet & CLI Options

  • NuGet package
  • Install using Package Manager Console or .NET CLI.

Passing API Keys

AspNetCore.SecurityKey allows clients to pass API keys in different ways:

  • Headers (Recommended): Secure and common for API-to-API communication.
  • Query Parameters: Useful for simple scenarios; less secure.
  • Cookies: Suitable for browser-based applications or persistent usage.

Security Note: Query params can leak keys via logs and browser history; headers are preferred for production.

Configuration Details

  • Configure one or more valid API keys in appsettings.json. To support multiple keys, separate them with semicolons.

    { "SecurityKey": "key1;key2;key3" }

Usage Patterns

AspNetCore.SecurityKey supports a variety of integration methods:

  1. Middleware Pattern: Apply globally to all endpoints for comprehensive security.
  2. Attribute Pattern: Secure specific controllers or actions using [SecurityKey] attributes.
  3. Endpoint Filter Pattern: For minimal APIs, attach directly to chosen endpoints or groups.
  4. Authentication Scheme Pattern: Integrate with ASP.NET Core’s authentication and use with roles or policies.

Example: Attribute-Based Security

[ApiController]
[Route("[controller]")]
public class UsersController : ControllerBase {
    [SecurityKey]
    [HttpGet]
    public IEnumerable GetUsers() => UserService.GetUsers();

    [HttpGet("public")]
    public IEnumerable GetPublicUsers() => UserService.GetPublicUsers();
}

Advanced Customization

Users can implement custom validation logic by providing their own ISecurityKeyValidator. For example, one could verify API keys against a database, check expiration, log usage, and populate claims for authenticated users.

Sample Custom Validator

public class DatabaseSecurityKeyValidator : ISecurityKeyValidator {
    private readonly IApiKeyRepository _repository;
    private readonly ILogger _logger;
    // ... Constructor and implementation ...
}

Register your custom implementation with dependency injection for full control.

License

AspNetCore.SecurityKey is distributed under the MIT License.

This post appeared first on “Reddit CSharp”. Read the entire article here