Web API Preventing Refresh Tokens from Leakage - Implementation - asp.net-web-api

I'm tackling with JWT and their Refresh Tokens and couldn't find a good working example that serve performance and security at the same time.
Performance::
It must not hit the database every time a token refreshed.
Security::
Refresh token should be super secret more than access token because of the long-lifetime.
So I try to implement my own by using a combination of in-memory Cache and expired Token claims:
Step 1.
a) After a successful login an access-token with a unique GUID in JwtRegisteredClaimNames.Jti claim type generated..
b) Then refresh-token generated and save in memoryCache with the associated jti access-token value (unique GUID) as key
c) Both sends to Client App and stored in localStorage.
Step 2.
a)After the access-token expired, both access-token and refresh-token send to refresh controller.
b) Then jti claim in expired token sent to memoryCache as a cache-key to get the refresh-token from memory.
c) After checking the equality of -send refresh-token and -in-memory refresh-token, if equal, a new instance of both access-token and refresh-token generated and sends back to client app.
AuthService.cs
private readonly IConfiguration _configuration;
private readonly IMemoryCache _memoryCache;
private readonly Claim _jtiClaim;
public AuthService(IConfiguration configuration, IMemoryCache memoryCache)
{
_configuration = configuration;
_memoryCache = memoryCache;
_jtiClaim = new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString());
}
public string GenerateAccessToken(IList<Claim> claims)
{
claims.Add(_jtiClaim);
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JwtConfiguration:JwtKey"]));
var jwtToken = new JwtSecurityToken(
issuer: _configuration["JwtConfiguration:JwtIssuer"],
audience: _configuration["JwtConfiguration:JwtIssuer"],
claims: claims,
notBefore: DateTime.UtcNow,
expires: DateTime.UtcNow.AddMinutes(int.Parse(_configuration["JwtConfiguration:JwtExpireMins"])),
signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256)
);
return new JwtSecurityTokenHandler().WriteToken(jwtToken);
}
public string GenerateRefreshToken(ClientType clientType)
{
var randomNumber = new byte[32];
using (var rng = RandomNumberGenerator.Create())
{
rng.GetBytes(randomNumber);
var token = Convert.ToBase64String(randomNumber);
var refreshToken = JsonConvert.SerializeObject(new RefreshToken(token, _jtiClaim.Value, clientType));
_memoryCache.Set(_jtiClaim.Value, refreshToken, new MemoryCacheEntryOptions().SetAbsoluteExpiration(TimeSpan.FromDays(7)));
return token;
}
}
public RefreshToken GetRefreshToken(string jtiKey)
{
if (!_memoryCache.TryGetValue(jtiKey, out string refreshToken)) return null;
_memoryCache.Remove(jtiKey);
return JsonConvert.DeserializeObject<RefreshToken>(refreshToken);
}
public ClaimsPrincipal GetPrincipalFromExpiredToken(string accessToken)
{
var tokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false,
ValidateIssuer = false,
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JwtConfiguration:JwtKey"])),
ValidateLifetime = false //here we are saying that we don't care about the token's expiration date
};
var tokenHandler = new JwtSecurityTokenHandler();
var principal = tokenHandler.ValidateToken(accessToken, tokenValidationParameters, out var securityToken);
if (!(securityToken is JwtSecurityToken jwtSecurityToken) || !jwtSecurityToken.Header.Alg.Equals(SecurityAlgorithms.HmacSha256, StringComparison.InvariantCultureIgnoreCase))
throw new SecurityTokenException("Invalid token");
return principal;
}
AuthController.cs
private readonly SignInManager<User> _signInManager;
private readonly UserManager<User> _userManager;
private readonly AuthService _authService;
private readonly IMemoryCache _memoryCache;
private readonly DataContext _context;
public AuthController(UserManager<User> userManager, AuthService authService,
SignInManager<User> signInManager, DataContext context)
{
_userManager = userManager;
_authService = authService;
_signInManager = signInManager;
_context = context;
}
[HttpPost]
public async Task<ActionResult> Login([FromBody] LoginDto model)
{
var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, false, false);
if (!result.Succeeded) return BadRequest(new { isSucceeded = result.Succeeded, errors= "INVALID_LOGIN_ATTEMPT" });
var appUser = _userManager.Users.Single(r => r.Email == model.Email);
return Ok(new
{
isSucceeded = result.Succeeded,
accessToken = _authService.GenerateAccessToken(GetClaims(appUser)),
refreshToken = _authService.GenerateRefreshToken(model.ClientType)
});
}
[HttpPost]
public ActionResult RefreshToken([FromBody] RefreshTokenDto model)
{
var principal = _authService.GetPrincipalFromExpiredToken(model.AccessToken);
var jtiKey = principal.Claims.Single(a => a.Type == JwtRegisteredClaimNames.Jti).Value;
var refreshToken = _authService.GetRefreshToken(jtiKey);
if (refreshToken == null)
return BadRequest("Expired Refresh Token");
if (refreshToken.Token != model.RefreshToken)
return BadRequest("Invalid Refresh Token");
return Ok(new
{
isSucceeded = true,
accessToken = _authService.GenerateAccessToken(principal.Claims.SkipLast(1).ToList()),
refreshToken = _authService.GenerateRefreshToken(model.ClientType)
});
}
I'm not sure this is a good implementation for refresh-token cause refresh-token may be compromised in client-app.
Can you suggest me a better solution over this?


If it comes to security then performance is less important. But for a refresh token, being long lived, the times that the database is hit are to be neglected.
An in-memory cache is not the place to store refresh tokens. In case of a shutdown all refresh tokens will become invalid. So you'll need to persist the token anyways.
A policy can be to allow only one refresh token at a time (persisted in the database) and on login or refresh replace the refresh token with the new token, which will invalidate the used refresh token.
One thing you can do to make things safer is to use a fixed expiration time for the refresh token. In that case you'll force the user to login after a fixed time. Limiting the window that the token can be compromised.
The alternative is to make the token less long lived and use a sliding expiration, meaning that each time the refresh token is used, the expiration is reset. In that case it can occur that the user never has to login again, while on refreshing you can do some checks.
Requiring both the access token and the refresh token is not making things safer. As the access token may already be expired (and compromised) and multiple access tokens can exist. Requesting a new access token doesn't invalidate the current token and you don't want to verify the acccess token on each call.
You cannot simply trust the tokens from itself. You'll need to define rules to detect suspicious use of either token. Like check the number of calls per minute, or something like that.
Or you can check the current ip address. For that include the ip address as claim. If the current ip address doesn't match the ip address from the access token then deny access in order to force the client to refresh the access token.
On refresh, if the ip address is unknown (not in the list of known ip addresses for this user) then the user needs to login. If succesful you can add the ip address to the list of validated ip addresses. And you can send a mail to the user that there was a login from another ip address.
You can use in-memory cache to detect doubtful use of the access token. In which case you can revoke the refresh token (just delete it from the database), having the user to login again.

Related

ASP.NET Core MVC How token passing with url is secured

I have looking into code of a web application where token is generated and injected into url instead of auth cookie for each request token is passed with url to accessed secured action. The web application is using token instead of auth cookie. Token life is one day.
This is a sample url
http://localhost:48000/ACX/Default/Login?token=8kzRLdW8lQVIS0MrtlqdZJbmz9p22l33u1wspGOmLgCgEy2MG5XZ0JG1ovVZGiNX7KpAfBVn3
of that web application where token is passing through url.
This code is generating the token which would valid up to 24 hours:
public IActionResult Login([FromBody]LoginModel user)
{
if (user == null)
{
return BadRequest("Invalid request");
}
if (user.UserName == "johncitizen" && user.Password == "abc#123")
{
var secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("KeyForSignInSecret#1234"));
var signinCredentials = new SigningCredentials(secretKey, SecurityAlgorithms.HmacSha256);
var tokeOptions = new JwtSecurityToken(
issuer: "http://localhost:2000",
audience: "http://localhost:2000",
claims: new List<Claim>(),
expires: DateTime.Now.AddMinutes(1440), // valid till 24 hours
signingCredentials: signinCredentials
);
var tokenString = new JwtSecurityTokenHandler().WriteToken(tokeOptions);
return Ok(new { Token = tokenString });
}
else
{
return Unauthorized();
}
}
My question is: when token is passed through the URL, then any other person can get the URL and impersonate the user. I guess passing token through URL is not secure.
What can we do as a result token would be secure passing through URL? I want to change flow bit in such a way that if another user copy and paste the same URL, then he will not be able to access protected resource. So how to achieve and secure long life token?
Please guide me with approach in details. Thanks

You can try to use IDataProtectionProvider protect your data.
Configure in your program.cs:
builder.Services.AddDataProtection();
Or you can also specify algorithms (using Microsoft.AspNetCore.DataProtection) used for encryption and validation, like this:
builder.Services.AddDataProtection()
.UseCryptographicAlgorithms(new AuthenticatedEncryptionSettings()
{
EncryptionAlgorithm = EncryptionAlgorithm.AES_256_GCM,
ValidationAlgorithm = ValidationAlgorithm.HMACSHA256
});
Then inject IDataProtectionProvider into your controller, Create your own key And create Create encryption and decryption methods:
public class HomeController : Controller
{
//Inject IDataProtectionProvider into your controller
private readonly IDataProtectionProvider _dataProtectionProvider;
//create your own key
private const string Key = "my-very-long-key-of-no-exact-size";
public HomeController(ILogger<HomeController> logger, IDataProtectionProvider dataProtectionProvider)
{
_logger = logger;
_dataProtectionProvider = dataProtectionProvider;
}
public IActionResult Login([FromBody]LoginModel user)
{
//...............
var tokenString = new JwtSecurityTokenHandler().WriteToken(tokeOptions);
var keytoken = Encrypt(tokenString);
return Ok(new { Token = keytoken });
//...............
}
//encryption methods
public string Encrypt(string input)
{
var protector = _dataProtectionProvider.CreateProtector(Key);
return protector.Protect(input);
}
//decryption methods
public string Decrypt(string output)
{
var protector = _dataProtectionProvider.CreateProtector(Key);
return protector.Unprotect(output);
}
}
Now, Token has been encrypted.
Even if someone else gets your toke, Because they don't have the key, So they can't decrypt the token.

bearer token: what kind of ClaimsIdentity has to be used in GrantResourceOwnerCredentials?

This is my scenario:
I’m building a ASP Net MVC Application that communicates with a WebApi. Sometimes, I need a WebApiClient to get some data from WebApi controllers. In order to authorize my WebApiClient with current logged user credentials, I want to use access tokens with OAuth2.
My idea was to generate a token during login and add generated token in a Claim. In order to do so, in AccountController:
Login(LoginViewModel model){
[...]
var signinm = HttpContext.GetOwinContext().Get<ApplicationSignInManager>();
var ident = signinm.CreateUserIdentity(user);
//Generate token
BearerToken token = await (new TokenApi()).GetToken(model.UserName, model.Password);
//Store generated token in a claim
ident.AddClaim(new Claim(WebApiClient.API_TOKEN_KEY,
Newtonsoft.Json.JsonConvert.SerializeObject(token)));
[…]
//Finally sign in
HttpContext.GetOwinContext().Authentication.SignIn(authProp, ident);
}
My main questions are regarding the method GrantResourceOwnerCredentials in
ApplicationOAuthProvider:
public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
[...]
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
ClaimsIdentity identity = await userManager.CreateIdentityAsync(
user,
DefaultAuthenticationTypes.ExternalBearer);
AuthenticationProperties properties = CreateProperties(user.UserName);
AuthenticationTicket ticket = new AuthenticationTicket(identity, properties);
context.Validated(ticket);
}
[...]
}
Do I have to generate this claimsIdentity and with which type of DefaultAuthenticationTypes: Cookie or ExternalBearer? Both seem to work.
Since HttpContext.GetOwinContext().Authentication.SignIn(...) is already performed in Login, it is not necessary to signIn also in GrantResourceOwnerCredentials, am I wrong?
Thank you for your help.

HttpClient always do Basic Authentication check after provide an authorization header?

The web api control, UserControl, has two methods, RetrieveUserID which needs Basic Authorization check
[HttpGet]
[Route("RetrieveUserID/{strUsername}")]
[Authorize]
public string RetrieveUserID(string strUsername)
{
//retrieve userID and return it
......
return strUserID;
}
Another method, FailAuthenticationReason, is used if fail to retrieve userID, it returns the detail fail info such as wrong username, wrong password, account is locked out, etc. which doesn't need to do any authentication check
[HttpGet]
[Route("FailAuthenticationReason/{strUsername}")]
public string FailAuthenticationReason(string strUsername)
{
//retrieve detail failed reason
......
return strFailedReason;
}//End of
It works well when I use a browser to check them. But when I use it in my app, after I provide the authorization header and fail to retrieve userID because of incorrect username and/or password, it also do the authorization check when it call FailAuthenticationReason
var authData = string.Format("{0}:{1}", entUsername.Text,entPassword.Text);
var authHeaderValue = Convert.ToBase64String(Encoding.UTF8.GetBytes(authData));
App.httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", authHeaderValue);
var uri = new Uri(string.Format(App.strWebAPIURI + "/RetrieveUserID/{0}", entUsername.Text));
try
{
var response = await App.httpClient.GetAsync(uri);
if (response.IsSuccessStatusCode)
{
......
}
else
{
//Fail to pass authorization
uri = new Uri(string.Format(App.strWebAPIURI + "/FailAuthenticationReason/{0}", entUsername.Text));
response = await App.httpClient.GetAsync(uri);
......
}
How can the program call FailAuthenticationReason without the authorization check?

Custom Claims lost on Identity re validation

I'm implementing Asp.NET MVC application with Identity 2.x Authentication and Authorization model.
During LogIn process I add Custom Claims (not persisted in the DB!), deriving from data passed in the LogIn from, to the Identity and I can correctly access them later on, until the identity gets regenerated.
[HttpPost]
[AllowAnonymous]
[ValidateHeaderAntiForgeryToken]
[ActionName("LogIn")]
public async Task<JsonResult> Login(LoginViewModel model, string returnUrl)
{
if (!ModelState.IsValid)
return Json(GenericResponseViewModel.Failure(ModelState.GetErrors("Inavlid model", true)));
using (var AppLayer = new ApplicationLayer(new ApplicationDbContext(), System.Web.HttpContext.Current))
{
GenericResponseViewModel LogInResult = AppLayer.Users.ValidateLogInCredential(ref model);
if (!LogInResult.Status)
{
WebApiApplication.ApplicationLogger.ExtWarn((int)Event.ACC_LOGIN_FAILURE, string.Join(", ", LogInResult.Msg));
return Json(LogInResult);
}
ApplicationUser User = (ApplicationUser)LogInResult.ObjResult;
// In case of positive login I reset the failed login attempts count
if (UserManager.SupportsUserLockout && UserManager.GetAccessFailedCount(User.Id) > 0)
UserManager.ResetAccessFailedCount(User.Id);
//// Add profile claims for LogIn
User.Claims.Add(new ApplicationIdentityUserClaim() { ClaimType = "Culture", ClaimValue = model.Culture });
User.Claims.Add(new ApplicationIdentityUserClaim() { ClaimType = "CompanyId", ClaimValue = model.CompanyId });
ClaimsIdentity Identity = await User.GenerateUserIdentityAsync(UserManager, DefaultAuthenticationTypes.ApplicationCookie);
AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = true }, Identity);
WebApiApplication.ApplicationLogger.ExtInfo((int)Event.ACC_LOGIN_SUCCESS, "LogIn success", new { UserName = User.UserName, CompanyId = model.CompanyId, Culture = model.Culture });
return Json(GenericResponseViewModel.SuccessObj(new { ReturnUrl = returnUrl }));
}
}
The validation process is defined in the OnValidationIdentity which I havn't done much to customize. When the validationInterval goes by (...or better said the half way to the validationInterval) Identity gets re generatd and Custom Claims are lost.
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(1d),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager, DefaultAuthenticationTypes.ApplicationCookie))
},
/// TODO: Expire Time must be reduced in production do 2h
ExpireTimeSpan = TimeSpan.FromDays(100d),
SlidingExpiration = true,
CookieName = "RMC.AspNet",
});
I think I should some how be able to pass the current Claims to the GenerateUserIdentityAsync so that I can re add Custom Clims, but I don't know how to.
public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser, string> manager, string authenticationType)
{
// Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
var userIdentity = await manager.CreateIdentityAsync(this, authenticationType);
// Add custom user claims here
// ????????????????????????????
return userIdentity;
}
Any help is appreciated.
Thanks

Problem solved (it seemms), I post my solution since I havn't found may appropriate answers and I think it might be useful to others.
The right track was found in an answer to the question Reuse Claim in regenerateIdentityCallback in Owin Identity in MVC5
I just had modify a little the code since the UserId in my case is of type string and not Guid.
Here is my code:
In Startup.Auth.cs
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
//OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
// validateInterval: TimeSpan.FromMinutes(1d),
// regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager, DefaultAuthenticationTypes.ApplicationCookie))
OnValidateIdentity = context => SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser, string>(
validateInterval: TimeSpan.FromMinutes(1d),
regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager, context.Identity),
getUserIdCallback: (ci) => ci.GetUserId()).Invoke(context)
},
/// TODO: Expire Time must be reduced in production do 2h
//ExpireTimeSpan = TimeSpan.FromDays(100d),
ExpireTimeSpan = TimeSpan.FromMinutes(2d),
SlidingExpiration = true,
CookieName = "RMC.AspNet",
});
NOTE: Please note that in my sample ExpireTimeSpan and validateInterval are ridiculously short since the purpose here was to cause the most frequest re validation for testing purposes.
In IdentityModels.cs goes the overload of GenerateUserIdentityAsync that takes care of re attaching all custom claims to the Identity.
/// Generates user Identity based on Claims already defined for user.
/// Used fro Identity re validation !!!
/// </summary>
/// <param name="manager"></param>
/// <param name="CurrentIdentity"></param>
/// <returns></returns>
public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser, string> manager, ClaimsIdentity CurrentIdentity)
{
// Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
// Re validate existing Claims here
userIdentity.AddClaims(CurrentIdentity.Claims);
return userIdentity;
}
It works. Not really sure if it is the best solution, but in case anyone has better approaches please feel free to improve my answer.
Thanks.
Lorenzo
ADDENDUM
After some time using it I found out that what implemented in GenerateUserIdentityAsync(...) might give problems if used in conjunction with #Html.AntiForgeryToken(). My previous implementation would keep adding already existing Claims at each revalidation. This confuses AntiForgery logic that throws error. To prevent that I've re implemnted it this way:
/// <summary>
/// Generates user Identity based on Claims already defined for user.
/// Used fro Identity re validation !!!
/// </summary>
/// <param name="manager"></param>
/// <param name="CurrentIdentity"></param>
/// <returns></returns>
public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser, string> manager, ClaimsIdentity CurrentIdentity)
{
// Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
// Re validate existing Claims here
foreach (var Claim in CurrentIdentity.Claims) {
if (!userIdentity.HasClaim(Claim.Type, Claim.Value))
userIdentity.AddClaim(new Claim(Claim.Type, Claim.Value));
}
return userIdentity;
}
}
ADDENDUM 2
I had to refine further me mechanism because my previosu ADDENDUM would lead in some peculiar cases to same problem described during re-validation.
The key to the current definitive solution is to Add Claims that I can clearly identify and Add only those during re-validation, without having to try to distinguish betweeb native ones (ASP Identity) and mine.
So now during LogIn I add the following custom Claims:
User.Claims.Add(new ApplicationIdentityUserClaim() { ClaimType = "CustomClaim.CultureUI", ClaimValue = UserProfile.CultureUI });
User.Claims.Add(new ApplicationIdentityUserClaim() { ClaimType = "CustomClaim.CompanyId", ClaimValue = model.CompanyId });
Note the Claim Type which now starts with "CustomClaim.".
Then in re-validation I do the following:
public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser, string> manager, ClaimsIdentity CurrentIdentity)
{
// Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
// Re validate existing Claims here
foreach (var Claim in CurrentIdentity.FindAll(i => i.Type.StartsWith("CustomClaim.")))
{
userIdentity.AddClaim(new Claim(Claim.Type, Claim.Value));
// TODO devo testare perché va in loop la pagina Err500 per cui provoco volontariamente la duplicazioen delle Claims
//userIdentity.AddClaims(CurrentIdentity.Claims);
}
return userIdentity;
}
userIdentity does not contain the Custom Claims, while CurrentIdentity does contain both, but the only one I have to "re attach" to the current Identity are my custom one.
So far it is working fine, so I'll mark this as teh answer.
Hope it helps !
Lorenzo

Ohh lord i got tired of trying to get this to work, i just modified the SecurityStampValidator to take a context that i could pull the Identity out of to update accordingly in my User class. as far as i can tell there is no way to directly extend it. Updating claims from manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie); had no affect using GenerateUserIdentityAsync
var validator = MySecurityStampValidator
.OnValidateIdentity<ApplicationUserManager, ApplicationUser, Guid>(
validateInterval: TimeSpan.FromSeconds(2),
regenerateIdentityCallback: (manager, user, claims) => user.UpdateUserIdentityAsync(claims),
getUserIdCallback: (id) => id.GetUserGuid());
var cookieAuthenticationOptions = new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
Provider = new CookieAuthenticationProvider
{
// Not called on signin
OnValidateIdentity = validator
}
};
And then copied the owin class but added the context to it that would be passed into my regenerateIdentityCallback
static class MySecurityStampValidator
{
public static Func<CookieValidateIdentityContext, Task> OnValidateIdentity<TManager, TUser, TKey>(
TimeSpan validateInterval,
Func<TManager, TUser, ***ClaimsIdentity***, Task<ClaimsIdentity>> regenerateIdentityCallback,
Func<ClaimsIdentity, TKey> getUserIdCallback)
where TManager : UserManager<TUser, TKey>
where TUser : class, IUser<TKey>
where TKey : IEquatable<TKey>
{
......
And then in my user i just
public override async Task<ClaimsIdentity> UpdateUserIdentityAsync(ClaimsIdentity userIdentity)
{
userIdentity.RemoveClaim(CustomClaimTypes.CLAIM1);
userIdentity.RemoveClaim(CustomClaimTypes.CLAIM2);
if (Access1Service.GetService().UserHasAccess(Id))
{
userIdentity.AddClaim(new Claim(CustomClaimTypes.CLAIM1, "1"));
}
if (Access2Service.GetService().UserHasAccess(Id))
{
userIdentity.AddClaim(new Claim(CustomClaimTypes.CLAIM2, "1"));
}
return userIdentity;
}

Generate Access Token In Web Api action method using OWIN and IIS host

I'm trying to generate a token inside Web Api action method based on the code below:
private JObject GeneratePaymentTokenResponse(string email, bool rememberMe)
{
//var tokenExpiration = rememberMe ? TimeSpan.FromDays(14) : TimeSpan.FromMinutes(30);
var tokenExpiration = rememberMe ? TimeSpan.FromMinutes(30) : TimeSpan.FromMinutes(5);
ClaimsIdentity identity = new ClaimsIdentity("CustomType", ClaimTypes.Email, ClaimTypes.Role);
identity.AddClaim(new Claim(ClaimTypes.Email, email));
var props = new AuthenticationProperties()
{
IssuedUtc = DateTime.UtcNow,
ExpiresUtc = DateTime.UtcNow.Add(tokenExpiration)
};
var ticket = new AuthenticationTicket(identity, props);
var accessToken = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(ticket);
JObject tokenResponse = new JObject(
new JProperty("email", email),
new JProperty("customToken", accessToken),
new JProperty("expiresIn", tokenExpiration.TotalSeconds),
new JProperty("issuedUtc", ticket.Properties.IssuedUtc),
new JProperty("expiresUtc", ticket.Properties.ExpiresUtc)
);
return tokenResponse;
}
The OAuthBeaerOptions object is coming from the Startup class as the below:
public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; }
OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
// Token Consumption (Resource Server)
app.UseOAuthBearerAuthentication(OAuthBearerOptions);
Now when I try to pass a valid access token but has been expired and call AccessTokenFormat.Unprotect as the code below
Microsoft.Owin.Security.AuthenticationTicket ticket = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(paymentToken);
if ((ticket == null) || (!ticket.Identity.IsAuthenticated))
{
actionContext.Response = CreateForbiddenResponse(actionContext);
return Task.FromResult<object>(null);
}
I'm receiving a valid ticket and the value of ticket.Identity.IsAuthenticated is true even that token is expired.
Currently I'm using the latest version (3.0.1) of Microsoft.Owin.Security assembly
I would appreciate any clue on how to set the expiry date for this token?

I'm receiving a valid ticket and the value of ticket.Identity.IsAuthenticated is true even that token is expired.
That's totally intended: Unprotect will return a ticket with a valid ClaimsIdentity even if it is expired. Since ClaimsIdentity.IsAuthenticated only ensures the ClaimsIdentity.AuthenticationType property is not null, it's not a reliable way to ensure the ticket is not expired.
Actually, it's up to you to determine whether the ticket is still valid and return an error if necessary (which is exactly what the bearer middleware does internally when receiving an access token: https://github.com/jchannon/katanaproject/blob/master/src/Microsoft.Owin.Security.OAuth/OAuthBearerAuthenticationHandler.cs#L68-L73)
if (ticket.Properties.ExpiresUtc.HasValue &&
ticket.Properties.ExpiresUtc.Value < DateTimeOffset.Now)
{
return Task.FromResult<object>(null);
}

Resources