OTP (One Time Password) Send it from any SMS Service, and how it is used.
What is OTP?
A one-time password (OTP) is an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session.
Why to use OTP?
An OTP is more secure than a static password, especially a user-created password, which can be weak or reused across multiple accounts.
OTPs may replace authentication login information or may be used in addition to it to add another layer of security.
[HttpPost]
public JsonResult SendOTP(string number)
{
var status = "fail";
if (number != "")
{
status = "Invalid";
if (number.Length == 10)
{
string otpValue = new Random().Next(100000, 999999).ToString();
try
{
/// Sms Sending Code.
var messageAPI = new MessageAPI();
string smsBody = "Your OTP Number is " + otpValue
+ " ( Sent By : XT)";
//SMS Service Logic//
string smsResult = messageAPI.SendSmsViaNewAPI(smsBody,
number);
status = smsResult;
Otp createOtp = new Otp()
{
PhoneNo = number,
OtpValue = otpValue,
CreatedDate = DateTime.Now,
ExpiryDate = DateTime.Now.AddMinutes(10),
IsVerify = 0
};
otpManager.InsertOtp(createOtp);
return Json(status, JsonRequestBehavior.AllowGet);
}
catch (Exception e)
{
throw (e);
}
}
}
return Json(status, JsonRequestBehavior.AllowGet);
}
Why I wrote this article?
To describe how the one-time password works in a simple way and How you can use it in your application.
For sending the OTP, We can create a post method, which will have the Phone Number as input and the OTP will be sending to that 10-digit mobile number in form of a text SMS.
This Above Code will send the OTP to Mobile Number.
Now How to Verify the OTP? Which the user will enter what has been received in the SMS.
For that We need a Verify or Validating OTP Method ,Which will check the Enter OTP is correct or not.
[HttpPost]
public JsonResult VerifyOTP(string otp)
{
bool result = false;
//Code to Verify the OTP
var resultData = otpManager.VerifyOtp(otp);
if (resultData != null && resultData.Tables[0] != null && resultData.Tables[0].Rows.Count > 0)
{
result = true;
// Code to Update that the OTP which is entered is used.
otpManager.UpdateVerifyOtp(otp);
}
return Json(result, JsonRequestBehavior.AllowGet);
}
OAuth, which stands for “Open Authorization,” allows third-party services to exchange your information without you having to give away your password.
The OAuth (open authorization) protocol was developed by the Internet Engineering Task Force and enables secure delegated access. It lets an application access a resource that is controlled by someone else (end user). This kind of access requires Tokens, which represent delegated right of access.
It’s a process through which an application or website can access private data from another website. It provides applications the ability for “secure designated access.” For example, you can tell Google that it’s OK for abc.com to access your google account or contact without having to give abc.com your google password.
OAuth never share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.
The Authorization Code Flow
Flow
The client redirects the user to the authorization server having the following parameters in the query string.
Step 1
response_type having the value code
client_id having the client identifier
redirect_uri having the client redirect URI.
scope a space-delimited list of scopes
state having a random string
After successful authentication, the user will be redirected to the Consent screen where he needs to provide consent to abc.com to access the account detail.
Authorization code is generated by the authorization server and sent back to the client with redirect Uri.
Step 2
The client will now send a POST request to the authorization server with the following parameters:
Grant_type having the value of authorization_code
Client_id having the client identifier
Client_secret having the client secret
Redirect_uri having the same redirect URI the user redirected back.
Code having the authorization code from the query string
In the entire flow, the access token is never exposed to a web browser. The client will ask the user for their authorization credentials (usually a username and password). The client then sends a POST request with following body parameters to the authorization server:
Grant_type having the value password
Client_id having the client’s ID
Client_secret having the client’s secret
Scope having a space-delimited list of requested scope permissions.
Username having a user’s username
Password having a user’s password
Client Credentials Grant
Using this flow the client can request an access token using only its client credentials (or other supported means of authentication).
Display Below Screen After that and click on New OAuth App
Filling details for register a new OAuth application And then Click Register application.
If you have completed register successfully then showing below OAuthWithGitHub screen. Here show your Client Id and Client Secrets. Click on Generate a new Client Secrets For generating your own secrets.
Now Next Step is Create Asp .Net Core App
Here we need some packages for more process. so keep install below following packages.
Set port number given in github oauth Registration and give Secure Connection.
Startup.cs File
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
namespace OAuthApplication
{
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
private IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
// Step 1. Add Authentication Mechanisms
services.AddAuthentication(o =>
{
o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(o =>
{
// set the path for the authentication challenge
o.LoginPath = "/signin";
// set the path for the sign out
o.LogoutPath = "/signout";
})
.AddGitHub(o =>
{
o.ClientId = Configuration["github:clientId"];
o.ClientSecret = Configuration["github:clientSecret"];
o.CallbackPath = "/signin-github";
// Grants access to read a user's profile data.
o.Scope.Add("read:user");
// Optional
// if you need an access token to call GitHub Apis
o.Events.OnCreatingTicket += context =>
{
if (context.AccessToken is { })
{
context.Identity?.AddClaim(new Claim("access_token", context.AccessToken));
}
return Task.CompletedTask;
};
});
services.AddRazorPages();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
// 2. add Authentication and Authorization Middleware
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapRazorPages();
// 3. Sign out Endpoint
// go to ./Pages/Signin.cshtml for 4.
endpoints.MapGet("/signout", async ctx =>
{
await ctx.SignOutAsync(
CookieAuthenticationDefaults.AuthenticationScheme,
new AuthenticationProperties
{
RedirectUri = "/"
});
});
});
}
}
}
Here You can Acces user Access Token if you needed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;
namespace OAuthApplication.Pages
{
public class Signin : PageModel
{
public IEnumerable<AuthenticationScheme> Schemes { get; set; }
[BindProperty(SupportsGet = true)]
public string ReturnUrl { get; set; }
public async Task OnGet()
{
Schemes = await GetExternalProvidersAsync(HttpContext);
}
public async Task<IActionResult> OnPost([FromForm] string provider)
{
if (string.IsNullOrWhiteSpace(provider))
{
return BadRequest();
}
return await IsProviderSupportedAsync(HttpContext, provider) is false
? BadRequest()
: Challenge(new AuthenticationProperties
{
RedirectUri = Url.IsLocalUrl(ReturnUrl) ? ReturnUrl : "/"
}, provider);
}
private static async Task<AuthenticationScheme[]> GetExternalProvidersAsync(HttpContext context)
{
var schemes = context.RequestServices.GetRequiredService<IAuthenticationSchemeProvider>();
return (await schemes.GetAllSchemesAsync())
.Where(scheme => !string.IsNullOrEmpty(scheme.DisplayName))
.ToArray();
}
private static async Task<bool> IsProviderSupportedAsync(HttpContext context, string provider) =>
(await GetExternalProvidersAsync(context))
.Any(scheme => string.Equals(scheme.Name, provider, StringComparison.OrdinalIgnoreCase));
}
}
Write Above Code in Signin.Cshtml.cs File to set retunUrl this file works like Controller Define Your methods.
@page
@model OAuthApplication.Pages.Signin
@{
}
<div class="jumbotron">
<h1>Authentication</h1>
<p class="lead text-left">Sign in using one of these external providers:</p>
@foreach (var scheme in Model.Schemes.OrderBy(p => p.DisplayName))
{
<form asp-page="SignIn" method="post">
<input type="hidden" name="Provider" value="@scheme.Name" />
<input type="hidden" name="ReturnUrl" value="@Model.ReturnUrl" />
<button class="btn btn-lg btn-success m-1" type="submit">
Sign in using @scheme.DisplayName
</button>
</form>
}
</div>
Above Code is Signin.Cshtml file here fetach the user details and redirect our website.
After that Display User Data in our Website.
Below Code is Account.Cshtml.Cs File To list Out User data.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.RazorPages;
using OAuthApplication.Models;
using Octokit;
namespace OAuthApplication.Pages
{
[Authorize]
public class Account : PageModel
{
public async Task OnGet()
{
// We are reading claims that were
// supplied from our OpenID provider
Claims = User.Claims.ToList();
// From GitHub
if (User.AccessToken() is { } accessToken)
{
var client = new GitHubClient(new ProductHeaderValue("test"))
{
Credentials = new Credentials(accessToken)
};
GitHubUser = await client.User.Get(User.Identity?.Name);
}
}
public User GitHubUser { get; set; }
public List<Claim> Claims { get; set; }
}
}
