Two Factor authentication in Web Api mvc

Question

I want email or phonenumber login .in default Web Api have username authentication i don't know how to customize that.this is my mvc code.i just call web api here in https://localhost:44327/Token

[AllowAnonymous]

        //[ValidateAntiForgeryToken]
        [HttpPost]
        public async Task<ActionResult> Login(Login model, string returnUrl)
        {
            /*This will depend totally on how you will get access to the identity provider and get your token, this is just a sample of how it would be done*/
            /*Get Access Token Start*/
            HttpClient httpClient = new HttpClient();
            httpClient.BaseAddress = new Uri("https://localhost:44327/Token");
            var postData = new List<KeyValuePair<string, string>>();
            postData.Add(new KeyValuePair<string, string>("Username", model.UserName));
            postData.Add(new KeyValuePair<string, string>("Email", model.Email));
            postData.Add(new KeyValuePair<string, string>("Password", model.Password));
            postData.Add(new KeyValuePair<string, string>("grant_type", "password"));
            HttpContent content = new FormUrlEncodedContent(postData);

            HttpResponseMessage response = await httpClient.PostAsync("https://localhost:44327/Token", content);
            // response.EnsureSuccessStatusCode();
            string AccessToken = response.Content.ReadAsStringAsync().Result;
            //string AccessToken = /*Newtonsoft.Json.*/JsonConvert.DeserializeObject<string>(result);
            /*Get Access Token End*/

            if (AccessToken.Length >= 200)
            {

                TempData["userid"] = "userid";
                TempData["name"] = model.UserName;
                return RedirectToAction("Home");
            }

            ModelState.AddModelError("Username", "Username and password is not valid");
            return View(model);
        }

Sachin Singh · Answer

As far as I could understand, you send a username and password to the token endpoint and then receive a token that you use in successive requests. The problem is, you are using a readymade code for authenticating the request, you need to create a custom Authorization Server that will verify the request based on Email/Phone Number instead of a username like shown below. step 1. The startup class public class Startup { public void Configuration(IAppBuilder app) { app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll); var myProvider = new AuthProvider(); OAuthAuthorizationServerOptions options = new OAuthAuthorizationServerOptions { AllowInsecureHttp = true , TokenEndpointPath = new PathString( "/token" ), AccessTokenExpireTimeSpan = TimeSpan.FromDays(1), Provider = myProvider }; app.UseOAuthAuthorizationServer(options); app.UseOAuthBearerAuthentication( new OAuthBearerAuthenticationOptions()); HttpConfiguration config = new HttpConfiguration(); WebApiConfig.Register(config); } } step 2. Custom Authorization Server as per your need. public class AuthProvider: OAuthAuthorizationServerProvider { public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context) { //Here we get the Custom Field sent in /Token var Email= context.Parameters.Where(x => x.Key == "Email" ).Select(x => x.Value).FirstOrDefault(); if (Email.Length > 0 && Email[0].Trim().Length > 0) { context.OwinContext.Set ( "Email" , Email[0].Trim()); } // Resource owner password credentials does not provide a client ID. if (context.ClientId == null) { context.Validated(); } return Task.FromResult (null); } public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { var identity = new ClaimsIdentity(context.Options.AuthenticationType); string Email= context.OwinContext.Get ( "Email" ); if (Email == "admin@gmail.com" && context.Password == "admin" ) { identity.AddClaim( new Claim(ClaimTypes.Role, "admin" )); identity.AddClaim( new Claim( "username" , "admin" )); identity.AddClaim( new Claim(ClaimTypes.Name, "Hi Admin" )); context.Validated(identity); } else if (context.UserName == "user" && context.Password == "user" ) { identity.AddClaim( new Claim(ClaimTypes.Role, "user" )); identity.AddClaim( new Claim( "username" , "user" )); identity.AddClaim( new Claim(ClaimTypes.Name, "Hi User" )); context.Validated(identity); } else { context.SetError( "invalid_grant" , "Provided username and password is incorrect" ); return ; } } } summary is , you can send additional parameters to token endpoint as you are already sending. Now , in the ValidateClientAuthentication method add the additional parameters such as Email or phone number to context so that it becomes available in the OAuthGrantResourceOwnerCredentialsContext And then you can validate as i am validating.

selvi jp · Answer

But I want to have both email and mobile phone authentication at the same time.

Salman Beg · Answer

See this link, https://www.c-sharpcorner.com/forums/need-to-introduce-2-factor-authentication-sms-in-webapi https://docs.microsoft.com/en-us/aspnet/identity/overview/features-api/two-factor-authentication-using-sms-and-email-with-aspnet-identity