Recently I worked with a customer assisting them in implementing their Web APIs using the new ASP.NET Web API framework. Their API would be public so obviously security came up as the key concern to address. Claims-Based-Security is widely used in SOAP/WS-* world and we have rich APIs available in .NET Framework in the form of WCF, WIF & ADFS 2.0. Even though we now have this cool library to develop Web APIs, the claims-based-security story for REST/HTTP is still catching up. OAuth 2.0 is almost ready, OpenID Connect is catching up quickly however it would still take sometime before we have WIF equivalent libraries for implementing claims-based-security in REST/HTTP world. DotNetOpenAuth seems to be the most prominent open-source library claiming to support OAuth 2.0 so I decided to give it a go to implement the ‘Resource Owner Password Credentials’authorization grant. Following diagram shows the solution structure for my target scenario.

1. OAuth 2.0 issuer is an ASP.NET MVC application responsible for issuing token based on OAuth 2.0 ‘Password Credentials’ grant type.

2. Web API Host exposes secured Web APIs which can only be accessed by presenting a valid token issued by the trusted issuer

3. Sample thick client which consumes the Web API

I have used the DotNetOpenAuth.Ultimate NuGet package which is just a single assembly implementing quite a few security protocols. From OAuth 2.0 perspective, AuthorizationServer is the main class responsible for processing the token issuance request, producing and returning a token for valid & authenticated request. The token issuance action of my OAuthIssuerController looks like this:

OAuth 2.0 Issuer

public class OAuthIssuerController : Controller {

    public ActionResult Index()

    {

        var configuration = new IssuerConfiguration {

            EncryptionCertificate = new X509Certificate2(Server.MapPath("~/Certs/localhost.cer")),

            SigningCertificate = new X509Certificate2(Server.MapPath("~/Certs/localhost.pfx"), "a")

        };

        var authorizationServer = new AuthorizationServer(new OAuth2Issuer(configuration));

        var response = authorizationServer.HandleTokenRequest(Request).AsActionResult();

        return response;

    }

}

AuthorizationServer handles all the protocol details and delegate the real token issuance logic to a custom token issuer handler (OAuth2Issuer in following snippet)

Protocol independent issuer
public class OAuth2Issuer : IAuthorizationServer

{

    private readonly IssuerConfiguration _configuration;

    public OAuth2Issuer(IssuerConfiguration configuration)

    {

        if (configuration == null) throw new ArgumentNullException(“configuration”);

        _configuration = configuration;

    }

    public RSACryptoServiceProvider AccessTokenSigningKey

    {

        get

        {

            return (RSACryptoServiceProvider)_configuration.SigningCertificate.PrivateKey;

        }

    }

    public DotNetOpenAuth.Messaging.Bindings.ICryptoKeyStore CryptoKeyStore

    {

        get { throw new NotImplementedException(); }

    }

    public TimeSpan GetAccessTokenLifetime(DotNetOpenAuth.OAuth2.Messages.IAccessTokenRequest accessTokenRequestMessage)

    {

        return _configuration.TokenLifetime;

    }

    public IClientDescription GetClient(string clientIdentifier)

    {

        const string secretPassword = “test1243″;

        return new ClientDescription(secretPassword, new Uri(“http://localhost/”), ClientType.Confidential);

    }

    public RSACryptoServiceProvider GetResourceServerEncryptionKey(DotNetOpenAuth.OAuth2.Messages.IAccessTokenRequest accessTokenRequestMessage)

    {

        return (RSACryptoServiceProvider)_configuration.EncryptionCertificate.PublicKey.Key;

    }

    public bool IsAuthorizationValid(DotNetOpenAuth.OAuth2.ChannelElements.IAuthorizationDescription authorization)

    {

        //claims added to the token

        authorization.Scope.Add(“adminstrator”);

        authorization.Scope.Add(“poweruser”);

        return true;

    }

    public bool IsResourceOwnerCredentialValid(string userName, string password)

    {

        return true;

    }

    public DotNetOpenAuth.Messaging.Bindings.INonceStore VerificationCodeNonceStore

    {

        get

        {

            throw new NotImplementedException();

        }

    }

}

Now with my issuer setup, I can acquire access tokens by POSTing following request to the token issuer endpoint

Client

POST /Issuer HTTP/1.1

Content-Type: application/x-www-form-urlencoded; charset=utf-8

scope=http%3A%2F%2Flocalhost%2F&grant_type=client_credentials&client_id=zamd&client_secret=test1243

In response, I get 200 OK with following payload

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Content-Type: application/json; charset=utf-8

Server: Microsoft-IIS/7.5

Content-Length: 685

{“access_token”:”gAAAAC5KksmbH0FyG5snks_xOcROnIcPldpgksi5b8Egk7DmrRhbswiEYCX7RLdb2l0siW8ZWyqTqxOFxBCjthjTfAHrE8owe3hPxur7Wmn2LZciTYfTlKQZW6ujlhEv6N4V1HL4Md5hdtwy51_7RMzGG6MvvNbEU8_3GauIgaF7JcbQJAEAAIAAAABR4tbwLFF57frAdPyZsIeA6ljo_Y01u-2p5KTfJ2xa6ZhtEpzmC46Omcvps9MbFWgyz6536_77jx9nE3sePTSeyB5zyLznkGDKhjfWwx3KjbYnxCVCV-n2pqKtry0l8nkMj4MrjqoTXpvd_P0c_VGfVXCsVt7BYOO68QbD-m7Yz9rHIZn-CQ4po0FqS2elDVe9qwu_uATbAmOXlkWsbnFwa6_ZDHcSr2M-WZxHTVFin7vEWO7FxIQStabu_r4_0Mo_xaFlBKp2hl9Podq8ltx7KvhqFS0Xu8oIJGp1t5lQKoaJSRTgU8N8iEyQfCeU5hvynZVeoVPaXfMA-gyYfMGspLybaw7XaBOuFJ20-BZW0sAFGm_0sqNq7CLm7LibWNw”,”token_type”:”bearer”,”expires_in”:”300″,”scope”:”http:\/\/localhost\/ adminstrator poweruser”}

DotNetOpenAuth also has a WebServerClient class which can be used to acquire tokens and I have used in my test application instead of crafting raw HTTP requests. Following code snippet generates the same above request/response

Get Access Token
private static IAuthorizationState GetAccessToken()

{

    var authorizationServer = new AuthorizationServerDescription

    {

        TokenEndpoint = new Uri(“http://localhost:1960/Issuer”),

        ProtocolVersion = ProtocolVersion.V20

    };

    var client = new WebServerClient(authorizationServer, “http://localhost/”);

    client.ClientIdentifier = “zamd”;

    client.ClientSecret = “test1243″;

    var state = client.GetClientAccessToken(new[] { “http://localhost/” });

    return state;

}

Ok Now the 2nd part is to use this access token for authentication & authorization when consuming ASP.NET Web APIs.

Web API Client
static void Main(string[] args)

{

    var state = GetAccessToken();

    Console.WriteLine(“Expires = {0}”, state.AccessTokenExpirationUtc);

    Console.WriteLine(“Token = {0}”, state.AccessToken);

    var httpClient = new OAuthHttpClient(state.AccessToken)

    {

        BaseAddress = new Uri(“http://localhost:2150/api/values”)

    };

    Console.WriteLine(“Calling web api…”);

    Console.WriteLine();

    var response = httpClient.GetAsync(“”).Result;

    if (response.StatusCode==HttpStatusCode.OK)

        Console.WriteLine(response.Content.ReadAsStringAsync().Result);

    else

        Console.WriteLine(response);

    Console.ReadLine();

}

On line 8, I’m creating an instance of a customized HttpClient passing in the access token. The httpClient would use this access token for all subsequent HTTP requests

OAuth enabled HttpClient
public class OAuthHttpClient : HttpClient

{

    public OAuthHttpClient(string accessToken)

        : base(new OAuthTokenHandler(accessToken))

    {

    }

    class OAuthTokenHandler : MessageProcessingHandler

    {

        string _accessToken;

        public OAuthTokenHandler(string accessToken)

            : base(new HttpClientHandler())

        {

            _accessToken = accessToken;

        }

        protected override HttpRequestMessage ProcessRequest(HttpRequestMessage request, System.Threading.CancellationToken cancellationToken)

        {

            request.Headers.Authorization = new AuthenticationHeaderValue(“Bearer”, _accessToken);

            return request;

        }

        protected override HttpResponseMessage ProcessResponse(HttpResponseMessage response, System.Threading.CancellationToken cancellationToken)

        {

            return response;

        }

    }

}

Relying Party (ASP.NET Web APIs)

Finally on the RP side, I have used standard MessageHandler extensibility to extract and validate the ‘access token’. The OAuth2 message handler also extracts the claims from the access token and create a ClaimsPrincipal which is passed on the Web API implementation for authorization decisions.

OAuth2 Message Handler
public class OAuth2Handler : DelegatingHandler

{

    private readonly ResourceServerConfiguration _configuration;

    public OAuth2Handler(ResourceServerConfiguration configuration)

    {

        if (configuration == null) throw new ArgumentNullException(“configuration”);

        _configuration = configuration;

    }

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)

    {

        HttpContextBase httpContext;

        string userName;

        HashSet<string> scope;

        if (!request.TryGetHttpContext(out httpContext))

            throw new InvalidOperationException(“HttpContext must not be null.”);

        var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(

                                                    (RSACryptoServiceProvider)_configuration.IssuerSigningCertificate.PublicKey.Key,

                                                    (RSACryptoServiceProvider)_configuration.EncryptionVerificationCertificate.PrivateKey));

        var error = resourceServer.VerifyAccess(httpContext.Request, out userName, out scope);

        if (error != null)

            return Task<HttpResponseMessage>.Factory.StartNew(error.ToHttpResponseMessage);

        var identity = new ClaimsIdentity(scope.Select(s => new Claim(s, s)));

        if (!string.IsNullOrEmpty(userName))

            identity.Claims.Add(new Claim(ClaimTypes.Name, userName));

        httpContext.User = ClaimsPrincipal.CreateFromIdentity(identity);

        Thread.CurrentPrincipal = httpContext.User;

        return base.SendAsync(request, cancellationToken);

    }

}

Inside my Web API, I access the claims information using the standard IClaimsIdentity abstraction.

Accessing claims information
public IEnumerable<string> Get()

{

    if (User.Identity.IsAuthenticated && User.Identity is IClaimsIdentity)

        return ((IClaimsIdentity) User.Identity).Claims.Select(c => c.Value);

    return new string[] { “value1″, “value2″ };

}

Fiddler Testing

Once I got the “access token”, I can test few scenarios in fiddler by attaching and tweaking the token when calling my web api.

401 without an “access token”

200 OK with a Valid token

401 with Expired token

401 with Tempered token

Source code attached. Please feel free to download and use.

Original Post by ZulfiqarAhmed on May4th, 2012

Here: http://zamd.net/2012/05/04/claim-based-security-for-asp-net-web-apis-using-dotnetopenauth/

最新文章

  1. 网络原因导致 npm 软件包 node-sass / gulp-sass 安装失败的处理办法
  2. 用Action的属性接受参数
  3. PHP curl超时问题
  4. 数学符号“s.t.”的意义
  5. javascript Date 总结
  6. [ActionScript 3.0] AS3中的位图(BitmapData)应用
  7. MFC线程(三):线程同步事件(event)与互斥(mutex)
  8. java登录密码效验
  9. JavaScript实现登录窗口的拖拽
  10. 使用openSSL开源工具进行SSL/TLS 安全测试
  11. Oracle 查询字段不包含多个字符串方法
  12. 怎么简单高效破解MyEclipse10、获取注册码
  13. MySQL数据类型--与MySQL零距离接触2-6数据表
  14. 自定义MVC框架之工具类-图像处理类
  15. 精挑细选 8款HTML5/jQuery应用助网站走向高上大
  16. android加载gif图片
  17. vue学习之node.js
  18. SOE 部署错误 ClassFactory cannot supply requested class问题及解决方案
  19. 「Linux」centos7更新python3.6后yum报错问题
  20. 盲注脚本2.基于bool

热门文章

  1. @JsonFormat时间不对
  2. 【Linux高频命令专题(9)】ls
  3. java--依赖、关联、聚合和组合之间区别的理解
  4. BitMask 使用参考
  5. IE6-IE11兼容性问题列表及解决办法
  6. Map.putAll方法——追加另一个Map对象到当前Map集合(转)
  7. javascript精确计算
  8. jquery.pagination.js分页插件的使用
  9. 04-语言入门-04-Fibonacci数
  10. tuxedo入门