In this article, we will learn different ways to get an Access Token from HttpContext.

To download the source code for this article, you can visit our GitHub repository.

Let’s start.

Understanding the HttpContext

In the realm of ASP.NET Core, access tokens play a pivotal role in maintaining secure communication. These tokens serve as digital keys, enable applications to verify the identity of users, and grant them access to protected resources. We can retrieve them through HttpContext, a class in ASP.NET Core that encapsulates the details of an individual HTTP request and response. HttpContext provides us with the means to access various aspects of HTTP communication. In the context of OAuth 2.0 and OpenID Connect protocols, where JSON Web Tokens (JWTs) are commonly used, access tokens usually contain claims. Claims are specific pieces of information about the user, such as their identity, roles, and permissions.

You can find more about the creation of access tokens here.

However, it’s important to note that not all access tokens inherently contain claims.

Support Code Maze on Patreon to get rid of ads and get the best discounts on our products!
Become a patron at Patreon!

Extracting the Access Token

Two main ways to acquire access tokens from HttpContext are using the Headers approach or the GetTokenAsync approach.

Headers Approach

The first approach allows us to directly access the header of an HTTP request and retrieve its entire content as a string. This includes the token along with its type, such as “Bearer <token>”. We use this approach when we are interested in raw header content or handling different types of authorization schemes.

The implementation proceeds as follows: 

var authorizationHeader = HttpContext.Request.Headers["access_token"];
string accessToken = string.Empty;
if (authorizationHeader.ToString().StartsWith("Bearer"))
{
    accessToken = authorizationHeader.ToString().Substring("Bearer ".Length).Trim();
}
return accessToken;

Here, we fetch the whole raw header and remove the “Bearer ” part from it to retrieve the access token.

GetTokenAsync Approach

The second approach is a specifically designed extension method, that allows us to retrieve tokens from the known authentication scheme. This approach simplifies the token retrieval process, eliminating the need for manual parsing of the header.

var accessToken = await HttpContext.GetTokenAsync("authorization");

It’s worth mentioning, that this method is dependent on the authentication scheme configured in the application:

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    // Configure JWT bearer token options
});

But, we have the flexibility to define our scheme in one of the method overloads:

var accessToken = await HttpContext.GetTokenAsync(JwtBearerDefaults.AuthenticationScheme, "access_token");

This approach simplifies token retrieval when working with the established authentication framework of ASP.NET Core.

Accessing the HttpContext

We can retrieve the access token from HttpContext using two primary methods: from the controller or via middleware. Each approach serves different use cases and it is implemented as follows.

In the following examples, for the sake of simplification, we are going to use the GetTokenAsync() method.

Direct Extraction of Access Token From the Controller

The most straightforward approach to retrieving an access token is directly from within the controller. As we can see, our AccessTokenController class inherits ControllerBase class, the default base class for ASP.NET controller classes. ControllerBase provides us with an instance of HttpContext, which in turn grants us direct access to request and response data within the controller. 

Here is an example:

public class AccessTokenController : ControllerBase
{
    [HttpGet]
    public async Task<string> GetAccessToken()
    {
        var accessToken = await HttpContext.GetTokenAsync("access_token");
        return accessToken!;
    }
}

Here, we fetch the token from access_token header and return it to the caller.

Extraction of Access Token via Middleware

Alternatively, we can extract access tokens using middleware. Middleware is a layer of code that intercepts and processes HTTP requests before they reach the controller. This approach offers us more flexibility and separation of concerns, allowing us to encapsulate the token extraction logic within the middleware component.

Extracting the token using middleware looks like this:

public class AccessTokenMiddleware
{
    private readonly RequestDelegate _next;

    public AccessTokenMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task Invoke(HttpContext httpContext)
    {
        var accessToken = await httpContext.GetTokenAsync("access_token");
        httpContext.Items["AccessToken"] = accessToken;
        await _next(httpContext);
    }
}

First, we should implement a middleware component that intercepts HTTP requests. Middleware enables us to access HttpContext and retrieve the access token. Then we add the access token to the HttpContext.Items collection which is a convenient way to store and share data between different components of the application.

Don’t forget to register your middleware in Startup.cs file: 

app.UseMiddleware<AccessTokenMiddleware>();

The placement of this snippet is crucial, as the order of component registration determines their invocation order on request (and the reverse order for the response). Therefore, if we are using this middleware to interact with the token, we should do it after  app.UseHttpRedirection(); and before app.UseAuthentication();.

Best Practices and Security Considerations to Get an Access Token from HttpContext

We should adhere to best practices when handling access tokens:

  • It’s not advisable to access HttpContext outside of controllers or middleware, such as in services since we can introduce security risks or lead to inefficient code 
  • Access tokens should be treated with the same level of security as passwords, avoid exposing tokens in URL-s, logs, or error messages, and be cautious about their storage
  • We should use encryption while storing access tokens to protect them from unauthorized access
  • Ensure that we validate tokens before granting access to protected resources, we should ensure that the token is valid, unexpired, and issued for the intended user
  • Implement error handling which enables us to identify issues related to missing or malformed tokens
  • Remember to implement mechanisms to handle expired tokens, when we receive an expired token we should refresh it using the refresh token or redirect the user to re-authenticate
  • Always use HTTPS and proper configuration of security headers to protect tokens during transmission

Why IHttpContextAccessor Isn’t the Best Choice

Challenges arise when we need to access HttpContext outside of controllers or middleware, for example, in services or other parts of the application. The framework allows this through the IHttpContextAccessor interface, but using this approach demands careful consideration. Designed as an abstraction over HttpContext, its frequent use, especially in high-traffic scenarios can lead to decreased performance. Additionally, accessing the HttpContext outside its typical lifecycle, for example in singleton services, can result in sharing user-specific information across different requests. That poses a security risk such as unintentional information leaks between different user sessions.

Considering all of this, here is an example:

public class ExampleService
{
    private readonly IHttpContextAccessor _httpContextAccessor;

    public ExampleService(IHttpContextAccessor httpContextAccessor)
    {
        _httpContextAccessor = httpContextAccessor;
    }

    public async Task<string> MyAction()
    {
        var accessToken = await _httpContextAccessor.HttpContext.GetTokenAsync("access_token");

        return accessToken;
    }
}

Here, we injected the IHttpContextAccessor and used it to access the HttpContext, from which we fetched the access token.

That said, we should limit IHttpContextAccessor use scenarios where it’s absolutely necessary. We must carefully manage the lifecycle of any service or component that accesses HttpContext to ensure that it aligns with the scope of a single request to avoid cross-request data leakage.

Conclusion

In this article, we learned how to get an access token from HttpContext in ASP.NET Core. Understanding and implementing the correct methods for extracting and handling access tokens is paramount. By adhering to these guidelines and practices, we ensure that our applications maintain robust authentication and authorization mechanisms, which thereby enhances both security and efficiency.

Liked it? Take a second to support Code Maze on Patreon and get the ad free reading experience!
Become a patron at Patreon!