First of all I should say that, I'm not native in English that may cause to misunderstanding on explanation.
This issue is about Securing swagger ui in ASP.Net Core as describe in this link I have done it and it works well in Mozilla Firefox, Microsoft edge and Opera explorer but it does not work in Google chrome.
Chrome opens the swagger api page with out any alert or login information.
Does anyone have a suggestion for configuration in startup.cs or any help on the subject?
Here I paste some codes that did to solve it but it does not work on Chrome.
app.UseSwaggerAuthorized( );
app.UseSwagger( );
app.UseSwaggerUI( c => c.SwaggerEndpoint( "/swagger/v1/swagger.json", "Broker.Rest v1" ) );
I think Chrome can not excute the "UseSwaggerAuthorized". I test it in many ways.
This is my UseSwaggerAuthorized method
public static class AuthorizedSampleClass
{
public static IApplicationBuilder UseSwaggerAuthorized( this IApplicationBuilder builder )
{
return builder.UseMiddleware<SwaggerBasicAuthMiddleware>( );
}
}
public class SwaggerBasicAuthMiddleware
{
private readonly RequestDelegate next;
public SwaggerBasicAuthMiddleware( RequestDelegate next )
{
this.next = next;
}
public async Task InvokeAsync( HttpContext context )
{
if ( context.Request.Path.StartsWithSegments( "/swagger" ) )
{
string authHeader = context.Request.Headers[ "Authorization" ];
if ( authHeader != null && authHeader.StartsWith( "Basic " ) )
{
// Get the credentials from request header
var header = AuthenticationHeaderValue.Parse( authHeader );
var inBytes = Convert.FromBase64String( header.Parameter );
var credentials = Encoding.UTF8.GetString( inBytes ).Split( ':' );
var username = credentials[ 0 ];
var password = credentials[ 1 ];
// validate credentials
if ( username.Equals( "a" ) && password.Equals( "a" ) )
{
await next.Invoke( context ).ConfigureAwait( false );
return;
}
}
context.Response.Headers[ "WWW-Authenticate" ] = "Basic";
context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
}
else
{
await next.Invoke( context ).ConfigureAwait( false );
}
}
}
Chrome update, chrome bug, startup.cs settings, Lunchsetting.json, appsetting.json
Related
Problem
I have an existing .NET Framework 4.x Web API that uses OWIN to handle token requests, create and issue tokens and validate them.
The Web API project is being migrated to .NET 6.
As far as I'm aware .NET 6 does not include any functionality that can create tokens, so a third party solution is required. See https://developer.okta.com/blog/2018/03/23/token-authentication-aspnetcore-complete-guide#generate-tokens-for-authentication-in-aspnet-core for more details.
I need a code solution to this problem not an OAuth cloud provider solution.
Possible solution 1
Firstly I looked into IdentityServer 6 from Duende but the licensing costs were prohibitive, even though we have a single Web API to secure we allow each of our clients to generate up to 5 unique ClientId/ClientSecret combinations for their use to access the API.
We currently have around 200+ unique ClientId/ClientSecret combinations that can access our API.
To support this number of clients we would have needed to purchase the Enterprise edition of IdentityServer 6 which is currently $12,000 USD per year.
Possible solution 2
One of my colleagues' suggested using OpenIddict 3.0
From colleague:
"I found AspNet.Security.OpenIdConnect.Server which appears similar to how we currently provide OAuth, it's been merged into OpenIddict 3.0. Apparently DegradedMode allows us to do our own token validation like in the current OWIN provider."
I have created a POC prototype using OpenIddict 3.0 with DegradedMode enabled.
My concern is that because I've enabled DegradedMode that its not down to me to ensure that I've done everything right as I've disabled all of the out of the box goodness.
My question is, looking at the existing implementation details below, do I need to enable DegradedMode in OpenIddict 3.0 in order to have the same functionality as OWIN gives us?
Current .NET Framework 4.x Web API using OWIN implementation details
****************************************
Request New Token
****************************************
ApplicationOAuthProvider.cs => ValidateClientAuthentication(...)
=> GrantClientCredentials(...)
=> GetClaimsIdentities(...)
=> CreateProperties(...)
=> TokenEndpoint(...)
AccessTokenProvider.cs => Create(...)
RefreshTokenProvider.cs => Create(...) (no-ops as AllowRefresh is false)
****************************************
Send API request with Bearer token
****************************************
MyAppOAuthBearerAuthenticationProvider.cs => RequestToken(...)
AccessTokenProvider.cs => Receive...)
Web API
Startup.Auth.cs
public partial class Startup
{
public void ConfigureAuth(IAppBuilder app)
{
// Configure the application for OAuth based flow
var oauthOptions = new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/oauth/token"),
Provider = new ApplicationOAuthProvider(),
AuthorizeEndpointPath = new PathString("/oauth/authorize"),
AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
AllowInsecureHttp = true,
AccessTokenProvider = new AccessTokenProvider(),
RefreshTokenProvider = new RefreshTokenProvider()
};
// Enable the application to use bearer tokens to authenticate users
app.UseOAuthAuthorizationServer(oauthOptions);
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
Provider = new MyAppOAuthBearerAuthenticationProvider("/oauth/"),
AccessTokenProvider = new AccessTokenProvider()
});
}
}
ApplicationOAuthProvider.cs
public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
/// <summary>
/// grant_type=client_credentials
/// </summary>
public override async Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
{
var partner = context.OwinContext.Get<Partner>(OwinKeys.Partner);
Account account = null;
var accountScopes = context.Scope.Where(s => s.StartsWith("account:")).ToList();
if (accountScopes.Count > 1)
{
// Tokens cannot be scoped to multiple accounts.
context.Rejected();
context.SetError("invalid_grant", "Only one account scope can be provided");
return;
}
if (accountScopes.Count == 1)
{
var accountId = accountScopes[0].Substring("account:".Length);
account = await DependencyResolver.Current.GetService<IAccountService>().FindAsync(partner.Id, accountId);
if (account?.Status != AccountStatus.Active)
{
context.Rejected();
context.SetError("invalid_scope", "Account not found.");
return;
}
context.OwinContext.Set(OwinKeys.Account, account);
}
var (oAuthIdentity, cookiesIdentity) = await GetClaimIdentities(partner, account, null, null).ConfigureAwait(false);
var properties = CreateProperties(context.ClientId, null);
var ticket = new AuthenticationTicket(oAuthIdentity, properties);
// Disable refresh token for client_credentials.
// 'A refresh token SHOULD NOT be included.' https://tools.ietf.org/html/rfc6749#section-4.4.3
properties.AllowRefresh = false;
context.Validated(ticket);
context.Request.Context.Authentication.SignIn(properties, cookiesIdentity);
}
public override Task TokenEndpoint(OAuthTokenEndpointContext context)
{
foreach (var property in context.Properties.Dictionary)
{
context.AdditionalResponseParameters.Add(property.Key, property.Value);
}
return Task.FromResult<object>(null);
}
/// <summary>
/// Validate that the request is using valid OAuth ClientId.
/// </summary>
public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
if (!context.TryGetBasicCredentials(out var clientId, out var clientSecret) && !context.TryGetFormCredentials(out clientId, out clientSecret))
{
context.Rejected();
context.SetError("invalid_client", "Client credentials could not be retrieved through the Authorization header.");
return;
}
var partnerService = DependencyResolver.Current.GetService<IPartnerService>();
var partnerOAuthClient = await partnerService.GetPartnerOAuthClientByClientIdAsync(clientId).ConfigureAwait(false);
if (partnerOAuthClient == null || (partnerOAuthClient.ClientSecret != null && partnerOAuthClient.ClientSecret != clientSecret))
{
// Client could not be validated.
context.Rejected();
context.SetError("invalid_client", "Client credentials are invalid.");
return;
}
context.OwinContext.Set(OwinKeys.Partner, partnerOAuthClient.Partner);
// Client has been verified.
context.Validated(clientId);
}
private AuthenticationProperties CreateProperties(string clientId, string username)
{
var data = new Dictionary<string, string>
{
{ "clientId", clientId }
};
if (!string.IsNullOrWhiteSpace(username))
{
data.Add("userName", username);
}
return new AuthenticationProperties(data);
}
/// <summary>
/// Gets the OAuth and Cookie claims identities.
/// </summary>
/// <param name="partner">Partner the token is for.</param>
/// <param name="account">Account the token is for, null if not account restricted token.</param>
/// <param name="user">User the token is for, if using password grant.</param>
/// <param name="userManager">ApplicationUserManager to generate ClaimsIdentity for user, only required for password grant.</param>
private Tuple<ClaimsIdentity, ClaimsIdentity> GetClaimIdentities(Partner partner, Account account)
{
ClaimsIdentity oAuthIdentity = new ClaimsIdentity(OAuthDefaults.AuthenticationType);
ClaimsIdentity cookiesIdentity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationType);
oAuthIdentity.AddClaim(new Claim("http://myapp.com/claims/partnerid", partner.Id.ToString(), ClaimValueTypes.Integer));
cookiesIdentity.AddClaim(new Claim("http://myapp.com/claims/partnerid", partner.Id.ToString(), ClaimValueTypes.Integer));
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, IdentityRoleNames.User));
cookiesIdentity.AddClaim(new Claim(ClaimTypes.Role, IdentityRoleNames.User));
if (account == null)
{
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, "Partner"));
cookiesIdentity.AddClaim(new Claim(ClaimTypes.Role, "Partner"));
}
else
{
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, "Account"));
cookiesIdentity.AddClaim(new Claim(ClaimTypes.Role, "Account"));
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Sid, account.Id.ToString()));
cookiesIdentity.AddClaim(new Claim(ClaimTypes.Sid, account.Id.ToString()));
}
return Tuple.Create(oAuthIdentity, cookiesIdentity);
}
}
AccessTokenProvider.cs
public class AccessTokenProvider : AuthenticationTokenProvider
{
public override void Create(AuthenticationTokenCreateContext context)
{
Guid? accountId = null;
var accessTokenService = DependencyResolver.Current.GetService<IAccessTokenService>();
AccessTokenScope scope = AccessTokenScope.None;
if (context.Ticket.Identity.HasClaim(c => c.Type == ClaimTypes.Role && c.Value == "Account"))
{
scope = AccessTokenScope.Account;
accountId = Guid.Parse(context.Ticket.Identity.Claims.First(c => c.Type == ClaimTypes.Sid).Value);
}
else if (context.Ticket.Identity.HasClaim(c => c.Type == ClaimTypes.Role && c.Value == "Partner"))
scope = AccessTokenScope.Partner;
if (scope == AccessTokenScope.None)
throw new ArgumentNullException(nameof(AccessTokenScope));
context.SetToken(Guid.NewGuid().ToString("n") + Guid.NewGuid().ToString("n"));
var accessTokenHash = GetTokenHash(context.Token);
context.OwinContext.Set(OwinKeys.OAuthAccessTokenHash, accessTokenHash);
accessTokenService.Insert(new AccessToken
{
TokenHash = accessTokenHash,
Ticket = context.SerializeTicket(),
ExpiresUtc = context.Ticket.Properties.ExpiresUtc.Value.UtcDateTime,
ClientId = context.Ticket.Properties.Dictionary["clientId"],
UserId = context.Ticket.Identity.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier)?.Value,
PartnerId = int.Parse(context.Ticket.Identity.Claims.First(c => c.Type == "http://myapp.com/claims/partnerid").Value),
Scope = scope,
AccountId = accountId
});
}
public override void Receive(AuthenticationTokenReceiveContext context)
{
var accessTokenService = DependencyResolver.Current.GetService<IAccessTokenService>();
var accessToken = accessTokenService.Find(GetTokenHash(context.Token));
if (accessToken != null)
context.DeserializeTicket(accessToken.Ticket);
}
public static string GetTokenHash(string token)
{
var sha = new SHA256Managed();
var hash = sha.ComputeHash(Encoding.UTF8.GetBytes(token));
for (var i = 0; i < 9999; i++)
hash = sha.ComputeHash(hash);
return Convert.ToBase64String(hash);
}
}
RefreshTokenProvider.cs
public class RefreshTokenProvider : AuthenticationTokenProvider
{
public override void Create(AuthenticationTokenCreateContext context)
{
if (context.Ticket.Properties.AllowRefresh == false)
return;
var refreshTokenService = DependencyResolver.Current.GetService<IRefreshTokenService>();
context.SetToken(Guid.NewGuid().ToString("n") + Guid.NewGuid().ToString("n"));
string key = context.Token;
context.Ticket.Properties.ExpiresUtc = DateTimeOffset.MaxValue;
string value = context.SerializeTicket();
RefreshToken refreshToken = new RefreshToken
{
Key = key,
Value = value,
AccessTokenHash = context.OwinContext.Get<string>(OwinKeys.OAuthAccessTokenHash)
};
refreshTokenService.InsertRefreshToken(refreshToken);
}
public override void Receive(AuthenticationTokenReceiveContext context)
{
var refreshTokenService = DependencyResolver.Current.GetService<IRefreshTokenService>();
var accessTokenService = DependencyResolver.Current.GetService<IAccessTokenService>();
var refreshToken = refreshTokenService.GetRefreshTokenByKey(context.Token);
if (refreshToken != null)
{
context.DeserializeTicket(refreshToken.Value);
accessTokenService.Delete(refreshToken.AccessTokenHash);
refreshTokenService.DeleteRefreshToken(refreshToken);
}
}
}
MyAppOAuthBearerAuthenticationProvider.cs
public class MyAppOAuthBearerAuthenticationProvider : OAuthBearerAuthenticationProvider
{
private readonly string _oauthRequestPath;
public MyAppOAuthBearerAuthenticationProvider(string oauthRequestPath)
{
_oauthRequestPath = oauthRequestPath;
}
public override async Task RequestToken(OAuthRequestTokenContext context)
{
if (context.Token != null && !context.Request.Path.Value.StartsWith(_oauthRequestPath))
{
// Need to check the token is still valid.
var accessTokenService = DependencyResolver.Current.GetService<IAccessTokenService>();
var accessToken = accessTokenService.Find(AccessTokenProvider.GetTokenHash(context.Token));
if (accessToken == null)
{
context.Token = null;
return;
}
// Check for expired token.
if (accessToken.ExpiresUtc < DateTime.UtcNow)
{
context.Token = null;
accessTokenService.Delete(accessToken);
return;
}
var revokeToken = false;
Partner partner = null;
string externalAccountId = null;
Guid? accountId = null;
if (accessToken.Scope == AccessTokenScope.Partner && context.Request.Headers.ContainsKey(MyAppWebParameters.APIAccountHeaderName))
{
if (string.IsNullOrWhiteSpace(context.Request.Headers[MyAppWebParameters.APIAccountHeaderName]))
{
context.Token = null;
return;
}
externalAccountId = context.Request.Headers[MyAppWebParameters.APIAccountHeaderName]; // Set the account ID from the header.
}
else if (accessToken.Scope == AccessTokenScope.Account)
{
accountId = accessToken.AccountId; // Set the account ID from the token.
}
var scope = externalAccountId != null || accountId != null ? AccessTokenScope.Account : accessToken.Scope;
switch (scope)
{
case AccessTokenScope.Account:
// Check the account still exists.
var accountService = DependencyResolver.Current.GetService<IAccountService>();
var account = externalAccountId != null ? await accountService.FindAsync(accessToken.PartnerId, externalAccountId) :
accountId != null ? await accountService.FindAsync(accessToken.PartnerId, accountId.Value) : null;
if (account?.Status == AccountStatus.DeleteScheduled)
{
// Account is scheduled to be deleted, don't want to revoke the token yet incase delete was mistake and cancelled.
context.Token = null;
return;
}
partner = account?.Partner;
revokeToken = account == null || account.Partner?.OAuthClients?.Any(s => s.Id == accessToken.ClientId) != true ||
account.Status != AccountStatus.Active || account.Partner?.Id != accessToken.PartnerId;
if (revokeToken && accessToken.Scope == AccessTokenScope.Partner)
{
// Don't revoke partner tokens if account not found or for different partner.
context.Token = null;
return;
}
if (!revokeToken)
{
context.OwinContext.Set(OwinKeys.Account, account);
context.OwinContext.Set(OwinKeys.Partner, account.Partner);
}
break;
case AccessTokenScope.Partner:
// Check that the partner client id hasn't changed.
var partnerService = DependencyResolver.Current.GetService<IPartnerService>();
partner = (await partnerService.GetPartnerOAuthClientByClientIdAsync(accessToken.ClientId))?.Partner;
revokeToken = partner?.Id != accessToken.PartnerId;
if (!revokeToken)
context.OwinContext.Set(OwinKeys.Partner, partner);
break;
case AccessTokenScope.None:
default:
break;
}
if (partner?.PartnerStatus != PartnerStatus.Active || partner?.TrialExpired == true)
throw new UnauthorizedAccessException();
if (revokeToken)
{
context.Token = null;
accessTokenService.Delete(accessToken);
return;
}
}
await base.RequestToken(context);
}
}
Current POC prototype OpenIddict implementation details
Program.cs
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
builder.Services.AddControllers();
var migrationsAssembly = typeof(Program).Assembly.GetName().Name;
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection");
builder.Services.AddDbContext<OAuthDbContext>(options =>
{
// Configure the context to use Microsoft SQL Server.
options.UseMySql(connectionString,
new MySqlServerVersion(new Version(CyclrParameters.MySqlMajorVersion,
CyclrParameters.MySqlMinorVersion,
CyclrParameters.MySqlBuildVersion)),
mySql => mySql.MigrationsAssembly(migrationsAssembly));
// Register the entity sets needed by OpenIddict but use the specified entities instead of the default ones.
options.UseOpenIddict<OAuthApplication, OAuthAuthorization, OAuthScope, OAuthToken, string>();
});
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
builder.Services.AddAuthentication("cyclr")
.AddCookie();
builder.Services.AddAuthorization(options =>
{
options.AddPolicy(AuthorizationPolicies.UserPolicy, policy =>
{
policy.RequireAuthenticatedUser();
policy.RequireRole(AuthorizationRoles.UserRole);
});
options.AddPolicy(AuthorizationPolicies.PartnerPolicy, policy =>
{
policy.RequireAuthenticatedUser();
policy.RequireRole(AuthorizationRoles.PartnerRole);
});
options.AddPolicy(AuthorizationPolicies.AccountPolicy, policy =>
{
policy.RequireAuthenticatedUser();
policy.RequireRole(AuthorizationRoles.AccountRole);
});
});
builder.Services
.AddOpenIddict()
// Register the OpenIddict core components.
.AddCore(options =>
{
// Configure OpenIddict to use the Entity Framework Core stores and models.
// Note: call ReplaceDefaultEntities() to replace the default OpenIddict entities.
options.UseEntityFrameworkCore()
.UseDbContext<OAuthDbContext>()
.ReplaceDefaultEntities<OAuthApplication, OAuthAuthorization, OAuthScope, OAuthToken, string>();
options.AddApplicationStore<OAuthApplicationStore>();
options.ReplaceApplicationManager<OAuthApplicationManager>();
})
// Register the OpenIddict server components.
.AddServer(options =>
{
//options.DisableAccessTokenEncryption(); //uncomment this line if you wish to view the JWT payload in https://jwt.io/
options.EnableDegradedMode();
options.DisableScopeValidation();
// Enable the token endpoint.
options.SetTokenEndpointUris(CommonParameters.TokenEndPoint);
// Enable the client credentials flow.
options.AllowClientCredentialsFlow();
options.RegisterScopes("account");
// Register the signing and encryption credentials.
options.AddDevelopmentEncryptionCertificate()
.AddDevelopmentSigningCertificate();
// Register the ASP.NET Core host and configure the ASP.NET Core-specific options.
options.UseAspNetCore()
.EnableTokenEndpointPassthrough();
// Custom Token Request Validation
options.AddEventHandler<ValidateTokenRequestContext>(builder =>
builder.UseScopedHandler<ValidateTokenRequestHandler>());
options.AddEventHandler<HandleTokenRequestContext>(builder =>
builder.UseInlineHandler(context =>
{
var scopes = context.Request.GetScopes();
Console.WriteLine("HandleTokenRequestContext");
return default;
}));
options.AddEventHandler<ValidateAuthorizationRequestContext>(builder =>
builder.UseInlineHandler(context =>
{
Console.WriteLine("ValidateAuthorizationRequestContext");
return default;
}));
//Custom Handle Authorization Request
options.AddEventHandler<HandleAuthorizationRequestContext>(builder =>
builder.UseInlineHandler(context =>
{
//context.Reject(error: "Invalid Client", description: "The specified 'client_id' doesn't match a registered application.");
Console.WriteLine("HandleAuthorizationRequestContext");
return default;
}));
})
// Register the OpenIddict validation components.
.AddValidation(options =>
{
// Import the configuration from the local OpenIddict server instance.
options.UseLocalServer();
// Register the ASP.NET Core host.
options.UseAspNetCore();
});
// Register the worker responsible for seeding the database.
// Note: in a real world application, this step should be part of a setup script.
builder.Services.AddHostedService<Worker>();
var app = builder.Build();
// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
app.UseSwagger();
app.UseSwaggerUI();
}
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
ValidateTokenRequestHandler.cs
public class ValidateTokenRequestHandler : IOpenIddictServerHandler<ValidateTokenRequestContext>
{
private readonly IOpenIddictApplicationManager _applicationManager;
private readonly IAccountService _accountService;
public ValidateTokenRequestHandler(IOpenIddictApplicationManager applicationManager,
IAccountService accountService)
{
_applicationManager = applicationManager;
_accountService = accountService;
}
public async ValueTask HandleAsync(ValidateTokenRequestContext context)
{
var application = await _applicationManager.FindByClientIdAsync(CommonParameters.ClientId);
if (application is not null && application is OAuthApplication oauthApplication)
{
//The ClientSecret is hashed (using PBKDF with HMAC-SHA256) before it is stored in the database.
//You can't retrieve the original secret once it's stored in the database, for obvious security reasons.
//See: https://github.com/openiddict/openiddict-core/issues/418#issuecomment-315090786
//The best option to verify that the ClientSecret is correct is to use the same Third Party CryptoHelper to verify
//that the hash and password are a cryptographic match.
var isMatch = false;
try
{
isMatch = CryptoHelper.Crypto.VerifyHashedPassword(oauthApplication.ClientSecret, context.ClientSecret);
}
catch
{
isMatch = false;
}
if (!isMatch)
{
context.Reject(error: "invalid_grant", description: "Client credentials are invalid.");
return;
}
var partnerId = oauthApplication.PartnerId;
Guid? accountId = null;
const string AccountScopeKey = "account:";
var accountScopes = context.Request.GetScopes().Where(s => s.StartsWith(AccountScopeKey)).ToList();
if (accountScopes.Count > 1)
{
// Tokens cannot be scoped to multiple accounts.
context.Reject(error: "invalid_grant", description: "Only one account scope can be provided.");
return;
}
if (accountScopes.Count == 1)
{
var account = await _accountService.FindAsync(partnerId, accountScopes[0].Substring(AccountScopeKey.Length));
if (account?.Status != AccountStatus.Active)
{
context.Reject(error: "invalid_scope", description: "Account not found.");
return;
}
accountId = account?.Id;
if (accountId.HasValue)
{
context.Request.SetParameter("AccountId", accountId.Value.ToString());
}
}
return;
}
context.Reject(error: "invalid_grant", description: "Client credentials are invalid.");
return;
}
}
I created an ASP.NET WEB API 2.2 project. I used the Windows Identity Foundation based template for individual accounts available in visual studio see it here.
The web client (written in angularJS) uses OAUTH implementation with web browser cookies to store the token and the refresh token. We benefit from the helpful UserManager and RoleManager classes for managing users and their roles.
Everything works fine with OAUTH and the web browser client.
However, for some retro-compatibility concerns with desktop based clients I also need to support Basic authentication. Ideally, I would like the [Authorize], [Authorize(Role = "administrators")] etc. attributes to work with both OAUTH and Basic authentication scheme.
Thus, following the code from LeastPrivilege I created an OWIN BasicAuthenticationMiddleware that inherits from AuthenticationMiddleware.
I came to the following implementation. For the BasicAuthenticationMiddleWare only the Handler has changed compared to the Leastprivilege's code. Actually we use ClaimsIdentity rather than a series of Claim.
class BasicAuthenticationHandler: AuthenticationHandler<BasicAuthenticationOptions>
{
private readonly string _challenge;
public BasicAuthenticationHandler(BasicAuthenticationOptions options)
{
_challenge = "Basic realm=" + options.Realm;
}
protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
{
var authzValue = Request.Headers.Get("Authorization");
if (string.IsNullOrEmpty(authzValue) || !authzValue.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
{
return null;
}
var token = authzValue.Substring("Basic ".Length).Trim();
var claimsIdentity = await TryGetPrincipalFromBasicCredentials(token, Options.CredentialValidationFunction);
if (claimsIdentity == null)
{
return null;
}
else
{
Request.User = new ClaimsPrincipal(claimsIdentity);
return new AuthenticationTicket(claimsIdentity, new AuthenticationProperties());
}
}
protected override Task ApplyResponseChallengeAsync()
{
if (Response.StatusCode == 401)
{
var challenge = Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode);
if (challenge != null)
{
Response.Headers.AppendValues("WWW-Authenticate", _challenge);
}
}
return Task.FromResult<object>(null);
}
async Task<ClaimsIdentity> TryGetPrincipalFromBasicCredentials(string credentials,
BasicAuthenticationMiddleware.CredentialValidationFunction validate)
{
string pair;
try
{
pair = Encoding.UTF8.GetString(
Convert.FromBase64String(credentials));
}
catch (FormatException)
{
return null;
}
catch (ArgumentException)
{
return null;
}
var ix = pair.IndexOf(':');
if (ix == -1)
{
return null;
}
var username = pair.Substring(0, ix);
var pw = pair.Substring(ix + 1);
return await validate(username, pw);
}
Then in Startup.Auth I declare the following delegate for validating authentication (simply checks if the user exists and if the password is right and generates the associated ClaimsIdentity)
public void ConfigureAuth(IAppBuilder app)
{
app.CreatePerOwinContext(DbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
Func<string, string, Task<ClaimsIdentity>> validationCallback = (string userName, string password) =>
{
using (DbContext dbContext = new DbContext())
using(UserStore<ApplicationUser> userStore = new UserStore<ApplicationUser>(dbContext))
using(ApplicationUserManager userManager = new ApplicationUserManager(userStore))
{
var user = userManager.FindByName(userName);
if (user == null)
{
return null;
}
bool ok = userManager.CheckPassword(user, password);
if (!ok)
{
return null;
}
ClaimsIdentity claimsIdentity = userManager.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie);
return Task.FromResult(claimsIdentity);
}
};
var basicAuthOptions = new BasicAuthenticationOptions("KMailWebManager", new BasicAuthenticationMiddleware.CredentialValidationFunction(validationCallback));
app.UseBasicAuthentication(basicAuthOptions);
// Configure the application for OAuth based flow
PublicClientId = "self";
OAuthOptions = new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/Token"),
Provider = new ApplicationOAuthProvider(PublicClientId),
//If the AccessTokenExpireTimeSpan is changed, also change the ExpiresUtc in the RefreshTokenProvider.cs.
AccessTokenExpireTimeSpan = TimeSpan.FromHours(2),
AllowInsecureHttp = true,
RefreshTokenProvider = new RefreshTokenProvider()
};
// Enable the application to use bearer tokens to authenticate users
app.UseOAuthBearerTokens(OAuthOptions);
}
However, even with settings the Request.User in Handler's AuthenticationAsyncCore method the [Authorize] attribute does not work as expected: responding with error 401 unauthorized every time I try to use the Basic Authentication scheme.
Any idea on what is going wrong?
I found out the culprit, in the WebApiConfig.cs file the 'individual user' template inserted the following lines.
//// Web API configuration and services
//// Configure Web API to use only bearer token authentication.
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
Thus we also have to register our BasicAuthenticationMiddleware
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
config.Filters.Add(new HostAuthenticationFilter(BasicAuthenticationOptions.BasicAuthenticationType));
where BasicAuthenticationType is the constant string "Basic" that is passed to the base constructor of BasicAuthenticationOptions
public class BasicAuthenticationOptions : AuthenticationOptions
{
public const string BasicAuthenticationType = "Basic";
public BasicAuthenticationMiddleware.CredentialValidationFunction CredentialValidationFunction { get; private set; }
public BasicAuthenticationOptions( BasicAuthenticationMiddleware.CredentialValidationFunction validationFunction)
: base(BasicAuthenticationType)
{
CredentialValidationFunction = validationFunction;
}
}
I have created an MVC 4 application which targets .NET 4.0. After deploying to my production server, it will show the login page but will not redirect to the default page. However, when I add debugging, I can see that the authentication process works but then the error I am getting is an error that says it can't find my View for my Error Page and then shows my Error Page. It just seems that it will not go to my "Home/Index" page - even when I remove the authorize attribute. Of course the application works in development. Additionally, it will not go to my register page or forgot login page.
My Login Controller looks like this:
[HttpPost]
[AllowAnonymous]
[ValidateAntiforgeryToken]
public ActionResult Login(LoginViewModel model, string returnUrl)
{
if(ModelStat.IsValid && _userService.Login(model.UserId, model.Password))
{
var user = _userService.GetUser(model.UserId);
var loggedInUser = new LoggedInUser
{
// Build the user for custom IPrincipal
};
var userData = JsonConvert.SerializeObject(loggedInUser);
var compressData = StringCompression.Compress(userData);
var authTicket = new FormsAuthenticationTicket(
1,
user.UserId,
DateTime.Now,
DateTime.Now.AddHours(1),
false,
compressData);
var encTicket = FormsAuthentication.Encrypt(authTicket);
if(encTicket != null)
{
var faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket)
{
HttpOnly = true
};
Response.Cookies.Add(faCookie);
}
user.LastActivityDate = DateTime.Now;
user.LastLoginDate = DateTime.Now;
_userService.UpdateUser(user);
_uow.Commit();
return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
}
return View(model);
and in my Global.asax:
protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
var authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if(authCookie != null)
{
var decompressedData = StringCompression.Decompress(authTicket.UserData);
var loggedInUser = JsonConvert.DesrializeObject<LoggedInUser>(decompressedData);
var currrentUser = new CustomPrincipal(authTicket.Name)
{
// Build the CustomPrincipal from the loggedInUser
};
if(HttpContext.Current.User.Identity.IsAuthenticated)
{
HttpContext.Current.User = currentUser;
}
}
}
I hope that this is enough to give someone an idea of what I may be doing wrong. Somehow I feel that it is something small that I am missing. Thanks in advance.
~InDireStraits
Update:
After more troubleshooting, it would seem that the issue may have something to do with the fact that I am using a BaseController for specifying permissions but I am still baffled as to why the application works as intended in my development environment but not in production. To verify my IIS settings I installed the default MVC4 App to production which does not have .NET 4.5, and it runs. I am using VS 2012 so I do have 4.5. Could I somehow be introducing .NET 4.5 classes or functionality even if this targets .NET 4.0? At any rate, here is my BaseController code:
public class BaseController: Controller
{
private string _actionKey;
private const string PermisisionList = "permissionList";
private Dictionary<string, string> _requiredActionPermissions;
private static readonly IControllerActionService<ControllerAction> _actionService;
protected new CustomPrincipal User
{
get
{
return HttpContext.User as CustomPrincipal;
}
}
public BaseController(IControllerActionService<ControllerAction> actionService)
{
_actionService = actionService;
}
protected override void OnActionExecuting(ActionExecutingContext filterContext)
{
// Check to see if the PermissionList is loaded and load if necessary
if(!CacheLayer.Exists(PermissionList))
{
_requiredActionPermissions = _actionService.GetControllerActionDictionary();
CacheLayer.Add(_requiredActionPermissions, PermissionList);
}
else
{
_requiredActionPermission = CacheLayer.Get<Dictionary<string, string>>(PermissionList);
}
// Get the Controller/Action of the current request
_actionKey = string.Format("{0}-{1}", filterContext.ActionDescriptor.ControllerDescriptor.ControllerName, filterContext.ActionDescriptor.ActionName);
// If the user is authenticated, grab the permissions
if(filterContext.HttpContext.User.Identity.IsAuthenticated)
{
var userPermissions = User.Permissions;
if(!_requiredActionPermissions.Values.Any(a=>a.Equals(_actionKey, StringComparison.OrdinalIgnoreCase)))
{
return;
}
if(userPermissions.Contains(_requiredActionsPermissions.FirstOrDefault(x=>x.Value == _actionKey).Key))
{
return;
}
filterContext.Result = new RedirectResult("~/Error/ErrorUnauthorized");
return;
}
if(!filterContext.HttpContext.User.Identity.IsAuthenticated)
{
if(!_requiredActionPermissions.Values.Any(a=>a.Equals(_actionKey, StringComparison.OrdinalIgnoreCase)))
{
return;
}
}
if(filterContext.HttpContext.Request.Url == null)
{
return;
}
if(filterContext.HttpContext.Request.Url.AbsolutePath == FormsAuthentication.LoginUrl)
{
return;
}
var redirectUrl = string.Format("?returnUrl={0}", filterContext.HttpContext.Request.Url.PathAndQuery);
filterContext.HttpContext.Response.Redirect(FormsAuthentication.LoginUrl + redirectUrl, true);
}
UPDATE 2: Installed .NET 4.52 on Staging Server and the application now works as intended. The problem is that I will not be able to install this on the production server. I don't understand what it is that 4.5 is fixing that 4.0 does not seem to facilitate. HELLLLLLPPP!!!!!!
The answer can be found here. To summarize, I added an extra parameter to my route config that worked in 4.5 but not in 4.0. Will follow up on the linked question. Thanks
In following this tutorial (modifying it to use an application-based auth string rather than their user model), have the following TokenValidationAttribute defined and set this attribute on WebAPI controllers in order to verify that the API request came within my web application:
public class TokenValidationAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(HttpActionContext actionContext)
{
string token;
try
{
token = actionContext.Request.Headers.GetValues("Authorization-Token").First();
}
catch (Exception)
{
actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest)
{
Content = new StringContent("Missing Authorization-Token")
};
return;
}
try
{
var crypto = new SimpleCrypto.PBKDF2(); // type of encryption
var authPart = ConfigurationManager.AppSettings["AuthorizationTokenPart"];
var authSalt = GlobalVariables.AuthorizationSalt;
var authToken = GlobalVariables.AuthorizationToken;
if (authToken == crypto.Compute(authPart, authSalt))
{
// valid auth token
}
else
{
// invalid auth token
}
//AuthorizedUserRepository.GetUsers().First(x => x.Name == RSAClass.Decrypt(token));
base.OnActionExecuting(actionContext);
}
catch (Exception ex)
{
actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
{
Content = new StringContent("Unauthorized User")
};
return;
}
}
}
In my login class, I have the following method defined that returns a User object if valid:
private User IsValid(string username, string password)
{
var crypto = new SimpleCrypto.PBKDF2(); // type of encryption
using (var db = new DAL.DbContext())
{
var user = db.Users
.Include("MembershipType")
.FirstOrDefault(u => u.UserName == username);
if (user != null && user.Password == crypto.Compute(password, user.PasswordSalt))
{
return user;
}
}
return null;
}
As you can see, the user login validation method doesn't make a WebAPI call that would be to ~/api/User (that part works).
1) How do I generate a request with with auth token (only site-generated API requests are valid)? These could be direct API calls from code-behind, or JavaScript-based (AngularJS) requests to hydrate some objects.
2) I'm not entirely clear on what base.OnActionExecuting(actionContext); . What do I do if the token is valid/invalid?
i think the best practices to send authorization header is by added it on request header
request.Headers.Add("Authorization-Token",bla bla bla);
you can create webrequest or httprequest
maybe you should start from http://rest.elkstein.org/2008/02/using-rest-in-c-sharp.html
or http://msdn.microsoft.com/en-us/library/debx8sh9%28v=vs.110%29.aspx.
in my opinion in order to create proper login security and request you should apply a standard such as openid or oauth
cheers
I did something like this, LoginSession contains my token and is static (in my case its a shared service (not static))
public HttpClient GetClient()
{
var client = new HttpClient
{
Timeout = new TimeSpan(0, 0, 2, 0),
BaseAddress = new Uri(GetServiceAddress())
};
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
if (LoginSession.Token != null)
{
client.DefaultRequestHeaders.TryAddWithoutValidation("Authorization", String.Format("Bearer {0}", LoginSession.Token.AccessToken));
}
return client;
}
notice this line:
client.DefaultRequestHeaders.TryAddWithoutValidation("Authorization", String.Format("Bearer {0}", LoginSession.Token.AccessToken));
I'm making JSON-based AJAX requests and, with MVC controllers have been very grateful to Phil Haack for his Preventing CSRF with AJAX and, Johan Driessen's Updated Anti-XSRF for MVC 4 RC. But, as I transition API-centric controllers to Web API, I'm hitting issues where the functionality between the two approaches is markedly different and I'm unable to transition the CSRF code.
ScottS raised a similar question recently which was answered by Darin Dimitrov. Darin's solution involves implementing an authorization filter which calls AntiForgery.Validate. Unfortunately, this code does not work for me (see next paragraph) and - honestly - is too advanced for me.
As I understand it, Phil's solution overcomes the problem with MVC AntiForgery when making JSON requests in the absence of a form element; the form element is assumed/expected by the AntiForgery.Validate method. I believe that this may be why I'm having problems with Darin's solution too. I receive an HttpAntiForgeryException "The required anti-forgery form field '__RequestVerificationToken' is not present". I am certain that the token is being POSTed (albeit in the header per Phil Haack's solution). Here's a snapshot of the client's call:
$token = $('input[name=""__RequestVerificationToken""]').val();
$.ajax({
url:/api/states",
type: "POST",
dataType: "json",
contentType: "application/json: charset=utf-8",
headers: { __RequestVerificationToken: $token }
}).done(function (json) {
...
});
I tried a hack by mashing together Johan's solution with Darin's and was able to get things working but am introducing HttpContext.Current, unsure whether this is appropriate/secure and why I can't use the provided HttpActionContext.
Here's my inelegant mash-up.. the change is the 2 lines in the try block:
public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(HttpActionContext actionContext, CancellationToken cancellationToken, Func<Task<HttpResponseMessage>> continuation)
{
try
{
var cookie = HttpContext.Current.Request.Cookies[AntiForgeryConfig.CookieName];
AntiForgery.Validate(cookie != null ? cookie.Value : null, HttpContext.Current.Request.Headers["__RequestVerificationToken"]);
}
catch
{
actionContext.Response = new HttpResponseMessage
{
StatusCode = HttpStatusCode.Forbidden,
RequestMessage = actionContext.ControllerContext.Request
};
return FromResult(actionContext.Response);
}
return continuation();
}
My questions are:
Am I correct in thinking that Darin's solution assumes the existence of a form element?
What's an elegant way to mash-up Darin's Web API filter with Johan's MVC 4 RC code?
Thanks in advance!
You could try reading from the headers:
var headers = actionContext.Request.Headers;
var cookie = headers
.GetCookies()
.Select(c => c[AntiForgeryConfig.CookieName])
.FirstOrDefault();
var rvt = headers.GetValues("__RequestVerificationToken").FirstOrDefault();
AntiForgery.Validate(cookie != null ? cookie.Value : null, rvt);
Note: GetCookies is an extension method that exists in the class HttpRequestHeadersExtensions which is part of System.Net.Http.Formatting.dll. It will most likely exist in C:\Program Files (x86)\Microsoft ASP.NET\ASP.NET MVC 4\Assemblies\System.Net.Http.Formatting.dll
Just wanted to add that this approach worked for me also (.ajax posting JSON to a Web API endpoint), although I simplified it a bit by inheriting from ActionFilterAttribute and overriding the OnActionExecuting method.
public class ValidateJsonAntiForgeryTokenAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(HttpActionContext actionContext)
{
try
{
var cookieName = AntiForgeryConfig.CookieName;
var headers = actionContext.Request.Headers;
var cookie = headers
.GetCookies()
.Select(c => c[AntiForgeryConfig.CookieName])
.FirstOrDefault();
var rvt = headers.GetValues("__RequestVerificationToken").FirstOrDefault();
AntiForgery.Validate(cookie != null ? cookie.Value : null, rvt);
}
catch
{
actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Forbidden, "Unauthorized request.");
}
}
}
Extension method using Darin's answer, with a check for the presence of the header. The check means that the resulting error message is more indicative of what's wrong ("The required anti-forgery form field "__RequestVerificationToken" is not present.") versus "The given header was not found."
public static bool IsHeaderAntiForgeryTokenValid(this HttpRequestMessage request)
{
try
{
HttpRequestHeaders headers = request.Headers;
CookieState cookie = headers
.GetCookies()
.Select(c => c[AntiForgeryConfig.CookieName])
.FirstOrDefault();
var rvt = string.Empty;
if (headers.Any(x => x.Key == AntiForgeryConfig.CookieName))
rvt = headers.GetValues(AntiForgeryConfig.CookieName).FirstOrDefault();
AntiForgery.Validate(cookie != null ? cookie.Value : null, rvt);
}
catch (Exception ex)
{
LogHelper.LogError(ex);
return false;
}
return true;
}
ApiController Usage:
public IHttpActionResult Get()
{
if (Request.IsHeaderAntiForgeryTokenValid())
return Ok();
else
return BadRequest();
}
An implementation using AuthorizeAttribute:
using System;
using System.Linq;
using System.Net.Http;
using System.Web;
using System.Web.Helpers;
using System.Web.Http;
using System.Web.Http.Controllers;
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public class ApiValidateAntiForgeryToken : AuthorizeAttribute {
public const string HeaderName = "X-RequestVerificationToken";
private static string CookieName => AntiForgeryConfig.CookieName;
public static string GenerateAntiForgeryTokenForHeader(HttpContext httpContext) {
if (httpContext == null) {
throw new ArgumentNullException(nameof(httpContext));
}
// check that if the cookie is set to require ssl then we must be using it
if (AntiForgeryConfig.RequireSsl && !httpContext.Request.IsSecureConnection) {
throw new InvalidOperationException("Cannot generate an Anti Forgery Token for a non secure context");
}
// try to find the old cookie token
string oldCookieToken = null;
try {
var token = httpContext.Request.Cookies[CookieName];
if (!string.IsNullOrEmpty(token?.Value)) {
oldCookieToken = token.Value;
}
}
catch {
// do nothing
}
string cookieToken, formToken;
AntiForgery.GetTokens(oldCookieToken, out cookieToken, out formToken);
// set the cookie on the response if we got a new one
if (cookieToken != null) {
var cookie = new HttpCookie(CookieName, cookieToken) {
HttpOnly = true,
};
// note: don't set it directly since the default value is automatically populated from the <httpCookies> config element
if (AntiForgeryConfig.RequireSsl) {
cookie.Secure = AntiForgeryConfig.RequireSsl;
}
httpContext.Response.Cookies.Set(cookie);
}
return formToken;
}
protected override bool IsAuthorized(HttpActionContext actionContext) {
if (HttpContext.Current == null) {
// we need a context to be able to use AntiForgery
return false;
}
var headers = actionContext.Request.Headers;
var cookies = headers.GetCookies();
// check that if the cookie is set to require ssl then we must honor it
if (AntiForgeryConfig.RequireSsl && !HttpContext.Current.Request.IsSecureConnection) {
return false;
}
try {
string cookieToken = cookies.Select(c => c[CookieName]).FirstOrDefault()?.Value?.Trim(); // this throws if the cookie does not exist
string formToken = headers.GetValues(HeaderName).FirstOrDefault()?.Trim();
if (string.IsNullOrEmpty(cookieToken) || string.IsNullOrEmpty(formToken)) {
return false;
}
AntiForgery.Validate(cookieToken, formToken);
return base.IsAuthorized(actionContext);
}
catch {
return false;
}
}
}
Then just decorate your controller or methods with [ApiValidateAntiForgeryToken]
And add to the razor file this to generate your token for javascript:
<script>
var antiForgeryToken = '#ApiValidateAntiForgeryToken.GenerateAntiForgeryTokenForHeader(HttpContext.Current)';
// your code here that uses such token, basically setting it as a 'X-RequestVerificationToken' header for any AJAX calls
</script>
If it helps anyone, in .net core, the header's default value is actually just "RequestVerificationToken", without the "__". So if you change the header's key to that instead, it'll work.
You can also override the header name if you like:
services.AddAntiforgery(o => o.HeaderName = "__RequestVerificationToken")