How to generate random unique and secure token in webapi without using owin, identity or jwt library?

Question

1.00/5 (2 votes)

See more:

How we can generate random , unique and secure token for a web api that will be consumed by different web and mobile applications.

What I have tried:

reserached different techniques

Posted 30-Mar-17 6:11am

Member 9129971

Updated 30-Mar-17 6:28am

v2

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Afzaal Ahmad Zeeshan · Answer 1 · 2017-03-30T06:28:00

Solution 1

You may use this, RNGCryptoServiceProvider Class (System.Security.Cryptography)[^] and it provides a secure random — not a seeded random number. In most secure cases this is the random number generator that should be used instead of the plain old Random class of the .NET framework. You can read more about this object on the MSDN page itself.

Update:

If you are using the token only for the sake of authentication, like OAuth etc. Then I would recommend using the Guid object, to create a new unique string for every device. It has a size of 128 bits (2¹²⁸ + 1) is a huge amount. You can generate that quite easily as well,

C#

var token = Guid.NewGuid().ToString();

Then this can be stored and used wherever needed. I used this method in my own application. The secure and cryptic way of generating a token would be useful in cases where everything needs to be private — cash management is one of the examples here, encryption/decryption or generating the secure keys or salts for password hashing.

For more on this, please see: Guid Structure (System)[^]

Posted 30-Mar-17 6:28am

Afzaal Ahmad Zeeshan

Updated 30-Mar-17 7:38am

v3

Comments

Member 9129971 30-Mar-17 13:25pm

thanks great, any points which you i should keep in mind while using this technique and generating token for webapi.so to make it secure.

Afzaal Ahmad Zeeshan 30-Mar-17 13:35pm

If the token needs to be secure, such as for currency or for encryption, then you should use it. Otherwise, the pretty old Random or the Guid objects are enough.

If the tokens are just going to serve for authentication, then consider using Guid, they are unique to an extent. I personally used Guid in my web application that I developed a while ago. :-)

Member 9129971 30-Mar-17 15:36pm

also its always that we find billions of articles for any issue online but for securing webapi found only one article over whole internet that seems to be used by the whole world. and that is this one http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/ . But this includes heavy configuration and many things behind the scene and found difficluties in implementing according to my requirement.

Afzaal Ahmad Zeeshan 30-Mar-17 15:41pm

Security is a tough concept, brother! :-)

Member 9129971 30-Mar-17 15:46pm

no doubt :), btw thanks for your response and quick reply.And best wishes.

Member 9129971 30-Mar-17 15:29pm

The application is very sensitive and involves payment and transactions, so cannot use guid as i think its predictable.People are suggesting to use owin,identity or jwt for this purpose, but I have not worked with them previously and they do token generation behind the scene , which i didn't get how and have very limited time to learn and understand them completely.Thats why i am looking for something without using too much configuration.

Afzaal Ahmad Zeeshan 30-Mar-17 15:31pm

In my own opinion, Identity would be a great framework to use. I also did not know and I don't know the all of Identity till now, but the basic concepts are pretty much simple.

In that case, the solution I provided may work. But still, it would need to be configured and developed.

Good luck as well.

Member 9129971 30-Mar-17 15:44pm

what your thoughts on this article http://www.primaryobjects.com/2015/05/08/token-based-authentication-for-web-service-apis-in-c-mvc-net/ .
It uses hmac.

Afzaal Ahmad Zeeshan 30-Mar-17 15:57pm

That is a really very nice write up, however a few areas where I may not agree to the author. But overall was a good write up with clear sections.

Member 9129971 30-Mar-17 16:36pm

can you explain where you donot agree with this article.I am planning to use this article with a little change that instead of generating token at client side we would only generate token at serverside and store it at client side and then use it for further requests until it is expired.

Afzaal Ahmad Zeeshan 30-Mar-17 17:11pm

In that case it is a perfect article, and you should use it.

The case where I think it has me disagreeing is the generation of the tokens; he is using a crypto function to do that. Whereas, a simple Guid can be enough to generate a token. It has quite huge size in the terms of possibilities and thus can be used for any enterprise grade application.

Otherwise, the guy did a great job.