Authentication, Authorization, Static Files, and Routing middleware work together in ASP.NET Core. The order in which they are added to the pipeline determines what each one can see, so the order below matters.
Basic Pipeline Setup (Program.cs)
```csharp
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        options.Authority = "https://example.com"; // identity provider
        options.Audience = "api";
    });

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOnly", policy =>
        policy.RequireRole("Admin"));
});

builder.Services.AddControllers();

var app = builder.Build();

// Middleware pipeline
app.UseStaticFiles();    // 1. Serve static files
app.UseRouting();        // 2. Match routes
app.UseAuthentication(); // 3. Identify user
app.UseAuthorization();  // 4. Check permissions
app.MapControllers();    // 5. Execute endpoint

app.Run();
```
1. Static Files Middleware
Serves files from wwwroot.
```csharp
app.UseStaticFiles();
```
Note: nothing needs to be registered in builder.Services; the framework already adds the default features the static files middleware needs.
Example request:
```http
GET /logo.png
```
If the file exists, wwwroot/logo.png is returned directly. Authentication, authorization and controllers are skipped, which makes this very fast; it also means any file placed under wwwroot is served to anyone who asks for it.
2. Routing Middleware
Decides which endpoint should handle the request.
```csharp
app.UseRouting();
```
Note: nothing needs to be registered in builder.Services; the framework already adds the routing services when controllers are added (builder.Services.AddControllers()).
Example:
```csharp
[HttpGet("products/{id}")]
public IActionResult GetProduct(int id)
```
Request:
```http
GET /products/10
```
Routed to: GetProduct(10)
3. Authentication Middleware
Identifies the user.
```csharp
app.UseAuthentication();
```
Example request:
```http
GET /products
Authorization: Bearer <token>
```
Middleware:
- Validates the token
- Creates HttpContext.User
If valid: User.Identity.IsAuthenticated = true
If missing/invalid: User = anonymous (the request still continues down the pipeline; it is the authorization middleware that decides whether an anonymous user is acceptable)
4. Authorization Middleware
Checks permissions.
```csharp
app.UseAuthorization();
```
Controller example:
```csharp
[Authorize(Policy = "AdminOnly")]
[HttpGet("admin")]
public IActionResult GetAdminData()
{
    return Ok("Secret data");
}
```
Behavior:
- User is Admin → allowed
- User not Admin → 403 Forbidden
- Not logged in → 401 Unauthorized
End-to-End Flow Example
Request 1 (Static file)
GET /logo.png
Flow:
StaticFiles → Response returned
Request 2 (Public API)
GET /products/1
Flow:
Routing → Controller → Response
(No auth required)
Request 3 (Protected API)
GET /admin
Authorization: Bearer valid-token
Flow:
Routing → Authentication → Authorization → Controller → Response
Request 4 (Unauthorized user)
GET /admin
(no token)
Flow:
Routing → Authentication(failed) → Authorization → 401
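The same pipeline written as a minimal API, added here as an example (not the original post's code): token validation is spelled out explicitly, rejected tokens are logged so failed authentication shows up in telemetry, and a public, an AdminOnly and an authenticated-only endpoint reproduce the 200/401/403 outcomes described above. It assumes a symmetric development signing key under the configuration key Jwt:Key (an assumption, not something the page specifies); with the page's Authority-based setup the signing keys come from the identity provider's metadata instead.

```csharp
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumption: a symmetric dev key under configuration key "Jwt:Key" (not from the page).
// With an Authority-based setup the signing keys come from the provider's metadata instead.
var signingKey = new SymmetricSecurityKey(
    Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!));

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,   ValidIssuer = "https://example.com",
            ValidateAudience = true, ValidAudience = "api",
            ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30), // default skew is 5 min
            ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey,
        };
        // Surface rejected tokens in the log so failed authentication is visible in telemetry.
        options.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = ctx =>
            {
                ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>()
                   .LogWarning(ctx.Exception, "JWT rejected for {Path}", ctx.Request.Path);
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization(o => o.AddPolicy("AdminOnly", p => p.RequireRole("Admin")));

var app = builder.Build();
app.UseStaticFiles();    // anything under wwwroot is served with no auth check at all
app.UseRouting();
app.UseAuthentication(); // must run before UseAuthorization, or every protected endpoint yields 401
app.UseAuthorization();

app.MapGet("/products/{id:int}", (int id) => Results.Ok(new { id }));        // public: 200
app.MapGet("/admin", () => Results.Ok("Secret data")).RequireAuthorization("AdminOnly"); // 401/403/200
app.MapGet("/whoami", (ClaimsPrincipal user) => Results.Ok(new               // any authenticated user
    { authenticated = user.Identity?.IsAuthenticated ?? false, name = user.Identity?.Name }))
   .RequireAuthorization();

app.Run();
```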
Quick Summary Table
| Middleware | Purpose | Example Outcome |
|---|---|---|
| Static Files | Serve files directly | /logo.png |
| Routing | Match URL to endpoint | /products/1 → method |
| Authentication | Identify user | Valid JWT → user |
| Authorization | Check permissions | Admin role required |
Easy Way to Remember
- StaticFiles → “Just give the file”
- Routing → “Where should this go?”
- Authentication → “Who are you?”
- Authorization → “Are you allowed?”