Handling AuthenticationFailureResult on client side - asp.net-web-api

I am using pretty much this approach to secure our api with tokens. Not sure, how to handle token expiry response on client side. I have seen two options on api side -
Challenge
WWW-Authenticate header
Let's say my client is requesting for contacts list but their token is expired as it was issued 30 mins ago (our current token age). What do we do now?
Not a good experience if we ask for credentials again
use a do-while loop until we have a successful response. Our client is a plugin so we can store user's credentials in db.
try\catch could be a possibility too
Implementing IdentityServer and refresh tokens would be a overkill for us at this point.

There are several ways you can deal this getting new tokens after they expire. Its not a good experience asking for credentials every time the token expires. Some of the ways to achieve this is to use MemoryCache or text file to store your token then keep reading from it. Once the token expires get a new one and replace the one you stored earlier. Sample code below
public async Task<string> GetToken(HttpClient client)
{
Token token;
MemoryCache memCache = MemoryCache.Default;
var resource = memCache.Get(Settings.TokenKey);
if (resource.IsNotNull())
{
token = (Token)resource;
if (token != null && token.Expires < DateTime.Now)
{
token = await RequestNewToken(client);
return token.AccessToken;
}
}
token = await RequestNewToken(client);
return token.AccessToken;
}
private async Task<Token> RequestNewToken(HttpClient client)
{
var tokenRequestContent = GetTokenRequestContent();
var tokenResponse = client.PostAsync(Settings.TokenUrl, tokenRequestContent).Result;
Token token = null;
MemoryCache memCache = MemoryCache.Default;
if (tokenResponse.IsSuccessStatusCode)
{
token = await tokenResponse.Content.ReadAsAsync<Token>();
memCache.Add(Settings.TokenKey, token, DateTimeOffset.UtcNow.AddHours(2));
}
else
{
var error = await tokenResponse.Content.ReadAsStringAsync();
Console.WriteLine(error);
}
if (token == null) throw new NullReferenceException("Token is null");
return token;
}
private FormUrlEncodedContent GetTokenRequestContent()
{
var credentials = new List<KeyValuePair<string, string>>
{
new KeyValuePair<string, string>("grant_type", Settings.Password),
new KeyValuePair<string, string>("userName", Settings.Username),
new KeyValuePair<string, string>("password", Settings.UserPassword)
};
return new FormUrlEncodedContent(credentials);
}
Settings is just a static class that holds your constants.

Related

Secure Web API Post Method with Username and Password

I have a Web API service hosted in Microsoft Azure. I need a certain POST method to be only accessible with one unique username and password.
I understand the [Authorize] method does a token based authentication but its not tied to a single username and password. In my app, the web api also does the login authentication, so anyone who registers can access this post method if im not mistaken. (Please correct me if im wrong)
I am new to this could you guide me the right way please.
This is my WebAPI Post method i want to secure access to with specific unique username&pass:
[AllowAnonymous]
[HttpPost, Route("send")]
public async Task<NotificationOutcome> Post([FromBody]string message)
{
string hubName = "myHub";
string hubNameDefaultShared = "myHubNameDefaultShared";
NotificationHubClient hub = NotificationHubClient
.CreateClientFromConnectionString(hubNameDefaultShared, hubName, enableTestSend: true);
string installationId = string.Empty;
var templateParams = new Dictionary<string, string>
{
["messageParam"] = message
};
NotificationOutcome result = null;
if (string.IsNullOrWhiteSpace(installationId))
{
result = await hub.SendTemplateNotificationAsync(templateParams).ConfigureAwait(false);
}
else
{
result = await hub.SendTemplateNotificationAsync(templateParams, "$InstallationId:{" + installationId + "}").ConfigureAwait(false);
}
return result;
}
And this is how I currently access the POST Method:
var client = new RestClient("myWebApiRouteName");
var request = new RestRequest(Method.POST);
request.AddHeader("Postman-Token", "46c23eba-8ca6-4ede-b4fe-161473dc063a");
request.AddHeader("cache-control", "no-cache");
request.AddHeader("Content-Type", "application/json");
request.AddParameter("undefined", messageBody, ParameterType.RequestBody);
try
{
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}

ASP.NET Core Secure Api

I have an ASP.NET Core project that has a Web API for mobile device (Xamarin).
I want to secure the api with ASP.NET Core identity, but the problem is when I authenticate a device and authenticated successfully, in another request it not still authenticated:
[HttpPost]
public async Task<IActionResult> Post([FromBody] LogIn l)
{
var user = await userManager.FindByEmailAsync(l.username);
if(user == null)
{
user = await userManager.FindByNameAsync(l.username);
}
if(user != null)
{
await signInManager.SignOutAsync();
Microsoft.AspNetCore.Identity.SignInResult result = await signInManager.PasswordSignInAsync(user, l.password, false, false);
if (result.Succeeded)
{
await signInManager.RememberTwoFactorClientAsync(user);
return Ok("Success");
}
}
return Ok(HttpStatusCode.BadRequest);
}
The code that needs to authorize to return data :
[HttpGet("{id}")]
[Authorize]
public async Task<IActionResult> Get(int id)
{
var b = _context.Books.FirstOrDefault(o => o.BookId == id);
return Ok(b);
}
I read about token and jwt but I don't know how to use them. Any Idea how to secure the API and make the device authenticated once they log in?
I know it's late, but I think the idea is to login the user, and return a token that's then saved to the client's(Xamarin Android/iOS for your case) local storage/Sharedpreferences. The saved token can then be used for subsequent Web API calls for authentication without the need to login. It can then be cleared when a user logs out. For JWT, you can restructure your login function as follows:
var token = await GetJwtSecurityToken(user);
return Ok(new
{
token = new JwtSecurityTokenHandler().WriteToken(token),
expiration = token.ValidTo
});
The GetJwtSecurityToken() can look like this depending on your needs:
private async Task<JwtSecurityToken> GetJwtSecurityToken(ApplicationUser user)
{
var userClaims = await _userManager.GetClaimsAsync(user);
return new JwtSecurityToken(
//issuer: "http://localhost:****/",
//audience: "http://localhost:****/",
audience: "http://localhost:****/",
claims: GetTokenClaims(user).Union(userClaims),//Combine user & claims
//expires: DateTime.UtcNow.AddMinutes(10),
signingCredentials: new SigningCredentials(new SymmetricSecurityKey(System.Text.Encoding.ASCII.GetBytes("x%u<-Q.#w^:qF]2Hz4")), SecurityAlgorithms.HmacSha256)
);
}
The GetTokenClaims() function can look like:
private static IEnumerable<Claim> GetTokenClaims(ApplicationUser user)
{
return new List<Claim>
{
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
new Claim("UserName", user.UserName),
new Claim("Email", user.Email),
new Claim(JwtRegisteredClaimNames.Sub, user.Id),
new Claim("FirstName", user.FirstName)
//Other user info
};
}
You can then save this token in local storage/Sharedpreferences, and use it to authenticate your API calls. You can research on: How to decode JWT token in Xamarin, OpenId..
Let me know how it goes.

Web app and web api authentication in same application

I have a web app MVC,using auth0 owin regular web app cookie based authentication.
This web app also has webapis which is used internally in the application. However i have a requirement to call this webapis from outside the application. So i created a restclient and tried to implement jwtbearerauthentication in application (but cookie based on authentication still in place).
Now when i call the webapi from other application it validates the bearer token gives no error however it redirects to login page due to cookie based authentication.
startup file:
public partial class Startup
{
private IPlatform platform;
public void ConfigureAuth(IAppBuilder app, IPlatform p, IContainer container)
{
platform = p;
// Enable the application to use a cookie to store information for the signed in user
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
ExpireTimeSpan = System.TimeSpan.FromDays(2),
SlidingExpiration = true
});
// Use a cookie to temporarily store information about a user logging in with a third party login provider
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
var provider = new Auth0.Owin.Auth0AuthenticationProvider
{
OnReturnEndpoint = (context) =>
{
// xsrf validation
if (context.Request.Query["state"] != null && context.Request.Query["state"].Contains("xsrf="))
{
var state = HttpUtility.ParseQueryString(context.Request.Query["state"]);
AntiForgery.Validate(context.Request.Cookies["__RequestVerificationToken"], state["xsrf"]);
}
return System.Threading.Tasks.Task.FromResult(0);
},
OnAuthenticated = (context) =>
{
var identity = context.Identity;
//Add claims
var authenticationManager = container.Resolve<IAuthenticationManager>();
authenticationManager.AddClaims(identity);
if (context.Request.Query["state"] != null)
{
authenticationManager.AddReturnUrlInClaims(identity, context.Request.Query["state"]);
}
return System.Threading.Tasks.Task.FromResult(0);
}
};
var issuer = "https://" + ConfigurationManager.AppSettings["auth0:Domain"] + "/";
var audience = ConfigurationManager.AppSettings["auth0:ClientId"];
var secret = TextEncodings.Base64.Encode(TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["auth0:ClientSecret"]));
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
AllowedAudiences = new[] { audience },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
}
});
app.UseAuth0Authentication(
clientId: platform.ServerRole.GetConfigurationSettingValue("auth0:ClientId"),
clientSecret: platform.ServerRole.GetConfigurationSettingValue("auth0:ClientSecret"),
domain: platform.ServerRole.GetConfigurationSettingValue("auth0:Domain"),
provider: provider);
}
}
webapiconfig file:
public static void Register(HttpConfiguration config)
{
// Web API routes
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute("DefaultApi", "api/{controller}/{id}", new {id = RouteParameter.Optional});
config.Filters.Add(new AuthorizeAttribute());
ODataConfig.Setup(config);
var clientID = WebConfigurationManager.AppSettings["auth0:ClientId"];
var clientSecret = WebConfigurationManager.AppSettings["auth0:ClientSecret"];
config.MessageHandlers.Add(new JsonWebTokenValidationHandler()
{
Audience = clientID,
SymmetricKey = clientSecret
});
}
Currently creating the jwt token from below code and posting using postman in header just to check if it works.. but redirects to login page.
string token = JWT.Encode(payload, secretKey, JwsAlgorithm.HS256);
I suspect what's happening is that your call to the API has a bearer token which fails validation (or there is no Authorize token at all), your API controller has an Authorize attribute, which, since there is no valid ClaimsPrincipal on the call throws 401. Auth0AuthenticationProvider picks that and assumes the call was to UI so redirects for user authentication. You may want to add an override in the Oauth0Provider to trap OnRedirectToIdP (or something like that), inspect the request and if it is to API, abot further handling and return Unauthorized.
Remove any [Authorize] from your API and see whether it works then. Also make sure your startup does not require Authorize for all controllers.
You may want to remove the authn part of your code (cookie and Oauth2Provider) and see whether you are getting to the API then.
A few years late i know, but i recently came across the same requirement in a project, and found this sample put together by a dev at Auth0.
https://github.com/auth0-samples/aspnet-core-mvc-plus-webapi
The example in the link allows for cookie authentication OR token authentication for the API endpoints.
The key takeaway for me was using attributes on your routes to tell the pipline what authentication mechanism to use. In my case i wanted cookie authentication for the UI and token authentication for the endpoints. i had no requirement to use both for any single area of the project.
controller:
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[HttpGet]
[Route("api")]
public string TestAuth()
{
return "All good " + this.User.FindFirst(ClaimTypes.NameIdentifier).Value + ". You only get this message if you are authenticated.";
}

How to add claims to access token get from IdentityServer3 using resource owner flow with javascript client

I use the resource owner flow with IdentityServer3 and send get token request to identity server token endpoint with username and password in javascript as below:
function getToken() {
var uid = document.getElementById("username").value;
var pwd = document.getElementById("password").value;
var xhr = new XMLHttpRequest();
xhr.onload = function (e) {
console.log(xhr.status);
console.log(xhr.response);
var response_data = JSON.parse(xhr.response);
if (xhr.status === 200 && response_data.access_token) {
getUserInfo(response_data.access_token);
getValue(response_data.access_token);
}
}
xhr.open("POST", tokenUrl);
var data = {
username: uid,
password: pwd,
grant_type: "password",
scope: "openid profile roles",
client_id: 'client_id'
};
var body = "";
for (var key in data) {
if (body.length) {
body += "&";
}
body += key + "=";
body += encodeURIComponent(data[key]);
}
xhr.setRequestHeader("Authorization", "Basic " + btoa(client_id + ":" + client_secret));
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send(body);
}
The access token is returned from identity server and user is authenticated. Then I use this token to send request to my Web Api.
The problem is that when I check if the user is assigned a role, I find the claim doesn't exist.
[Authorize]
// GET api/values
public IEnumerable<string> Get()
{
var id = RequestContext.Principal as ClaimsPrincipal;
bool geek = id.HasClaim("role", "Geek"); // false here
bool asset_mgr = id.HasClaim("role", "asset_manager"); // false here
return new string[] { "value1", "value2" };
}
Here is how the client is defined in identity server.
new Client
{
ClientName = "Client",
ClientId = "client_id",
Flow = Flows.ResourceOwner,
RequireConsent = false,
AllowRememberConsent = false,
AllowedScopes = new List<string>
{
"openid",
"profile",
"roles",
"sampleApi"
},
AbsoluteRefreshTokenLifetime = 86400,
SlidingRefreshTokenLifetime = 43200,
RefreshTokenUsage = TokenUsage.OneTimeOnly,
RefreshTokenExpiration = TokenExpiration.Sliding,
ClientSecrets = new List<Secret>
{
new Secret("4C701024-0770-4794-B93D-52B5EB6487A0".Sha256())
},
},
and this is how the user is defined:
new InMemoryUser
{
Username = "bob",
Password = "secret",
Subject = "1",
Claims = new[]
{
new Claim(Constants.ClaimTypes.GivenName, "Bob"),
new Claim(Constants.ClaimTypes.FamilyName, "Smith"),
new Claim(Constants.ClaimTypes.Role, "Geek"),
new Claim(Constants.ClaimTypes.Role, "Foo")
}
}
How can I add claims to the access_token in this case? Thanks a lot!
I have just spent a while figuring this out myself. #leastprivilege's comment on Yang's answer had the clue, this answer is just expanding on it.
It's all down to how the oAuth and OIDC specs evolved, it's not an artefact of IdentityServer (which is awesome).
Firstly, here is a fairly decent discussion of the differences between identity tokens and access tokens: https://github.com/IdentityServer/IdentityServer3/issues/2015 which is worth a read.
With Resource Owner flow, like you are doing, you will always get an Access Token. By default and per the spec, you shouldn't include claims in that token (see the above link for why). But, in practice, it is very nice when you can; it saves you extra effort on both client and server.
What Leastprivilege is referring to is that you need to create a scope, something like this:
new Scope
{
Name = "member",
DisplayName = "member",
Type = ScopeType.Resource,
Claims = new List<ScopeClaim>
{
new ScopeClaim("role"),
new ScopeClaim(Constants.ClaimTypes.Name),
new ScopeClaim(Constants.ClaimTypes.Email)
},
IncludeAllClaimsForUser = true
}
And then you need to request that scope when you ask for the token. I.e. your line
scope: "openid profile roles", should change to scope: "member", (well, I say that - scopes play a dual role here, as far as I can see - they are also a form of control, i.e. the client is asking for certain scopes and can be rejected if it is not allowed those but that is another topic).
Note the important line that eluded me for a while, which is Type = ScopeType.Resource (because Access Tokens are about controlling access to resources). This means it will apply to Access Tokens and the specified claims will be included in the token (I think, possibly, against spec but wonderfully).
Finally, in my example I have included both some specific claims as well as IncludeAllClaimsForUser which is obviously silly, but just wanted to show you some options.
I find I can achieve this by replacing the default IClaimsProvider of IdentityServerServiceFactory.
The cusomized IClaimsProvider is as below:
public class MyClaimsProvider : DefaultClaimsProvider
{
public MaccapClaimsProvider(IUserService users) : base(users)
{
}
public override Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
{
var baseclaims = base.GetAccessTokenClaimsAsync(subject, client, scopes, request);
var claims = new List<Claim>();
if (subject.Identity.Name == "bob")
{
claims.Add(new Claim("role", "super_user"));
claims.Add(new Claim("role", "asset_manager"));
}
claims.AddRange(baseclaims.Result);
return Task.FromResult(claims.AsEnumerable());
}
public override Task<IEnumerable<Claim>> GetIdentityTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, bool includeAllIdentityClaims, ValidatedRequest request)
{
var rst = base.GetIdentityTokenClaimsAsync(subject, client, scopes, includeAllIdentityClaims, request);
return rst;
}
}
Then, replace the IClaimsProvider like this:
// custom claims provider
factory.ClaimsProvider = new Registration<IClaimsProvider>(typeof(MyClaimsProvider));
The result is that, when the request for access token is sent to token endpoint the claims are added to the access_token.
Not only that I tried other methods, I tried all possible combinations of scopes etc. All I could read in the access token was "scope", "scope name", for Resource Flow there were no claims I have added period.
I had to do all this
Add custom UserServiceBase and override AuthenticateLocalAsync since I have username/password there and I need both to fetch things from the database
Add claims that I need in the same function (this on itself will not add claim to Access Token, however you will able to read them in various ClaimsPrincipal parameters around)
Add custom DefaultClaimsProvider and override GetAccessTokenClaimsAsync where ClaimsPrincipal subject contains the claims I previously set, I just take them out and put again into ølist of claims for the result.
I guess this last step might be done overriding GetProfileDataAsync in the custom UserServiceBase, but the above just worked so I did not want to bother.
The general problem is not how to set claims, it is where you populate them. You have to override something somewhere.
This here worked for me since I needed data from a database, someone else should populate claims elsewhere. But they are not going to magically appear just because you nicely set Scopes and Claims Identity Server configurations.
Most of the answers say not a word about where to set the claim values properly. In each particular override you have done, the passed parameters, when they have claims, in the function are attached to identity or access token.
Just take care of that and all will be fine.

How do I prevent this Google Analytics C# DotNetOpenAuth ProtocolException?

I'm using the Google APIs for .NET. I'm following the example project Simple OAuth2 but I keep getting a Protocol Exception from DotNetOpenAuth.
Here's what I have now:
public static void Main( string[] args )
{
// Register the authenticator.
NativeApplicationClient provider = new NativeApplicationClient(
GoogleAuthenticationServer.Description, gaAppId, gaSecret );
OAuth2Authenticator<NativeApplicationClient> auth = new OAuth2Authenticator<NativeApplicationClient>(
provider, GetAuthorization );
AnalyticsService analyticsService =
new AnalyticsService( new BaseClientService.Initializer {
Authenticator = auth,
ApplicationName = #"Test Application",
} );
DataResource.GaResource.GetRequest request = analyticsService.Data.Ga.Get(
gaId, #"2013-09-04", #"2013-09-18", "ga:totalEvents" );
GaData data = request.Execute();
Console.ReadKey();
}
private static IAuthorizationState GetAuthorization( NativeApplicationClient arg )
{
// Get the auth URL:
IAuthorizationState state =
new AuthorizationState( new[] {AnalyticsService.Scopes.AnalyticsReadonly.GetStringValue()} );
state.Callback = new Uri( NativeApplicationClient.OutOfBandCallbackUrl );
// Retrieve the access token by using the authorization code:
return arg.ProcessUserAuthorization( authCode, state );
}
Notes:
I'm using the Analytics API in this code because that's what I need. I get the same error when using the Tasks API as described in the sample.
The authentication code is a refresher token generated by the process as defined in the example code. The error comes in both cases (request a new token, or re-use an old one.)
The ProtocolException that is triggered by DotNetOpenAuth is there because accounts.google.com returns an error: invalid request.
Here's what the OAuth request looks like:
Aplication/x-www-form-urlencoded; charset=utf-8
User-Agent: DotNetOpenAuth/4.3.1.13153
Host: accounts.google.com
Cache-Control: no-store,no-cache
Pragma: no-cache
Content-Length: 148
Connection: Keep-Alive
code=REDACTED&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&grant_type=authorization_code
And this is what the Google returns:
HTTP/1.1 400 Bad Request
IRRELEVANT_HEADERS
{
"error" : "invalid_request"
}
I'm at a bit of a loss here as to why this happend and how I can solve this. I can't find any other working C# examples. It seems to be a different kind of error than the one in this thread. Is there any of you who knows how I can fix this?
I studied the examples provided by peleyal some more and managed to find the issue. The problem was that I wasn't actually storing a refresh-token, I was storing an authentication token. I should've used the authentication token to generate the refresh token.
Here's the full solution in a simplified manner for future reference. The differences can be found in the GetAuthorization function, which now correctly saves the refresh token and opens a browser window to request the authorization when a refresh token is not yet available.
private static refreshToken = null;
public static void Main( string[] args )
{
// Register the authenticator.
NativeApplicationClient provider = new NativeApplicationClient(
GoogleAuthenticationServer.Description, gaAppId, gaSecret );
OAuth2Authenticator<NativeApplicationClient> auth = new OAuth2Authenticator<NativeApplicationClient>(
provider, GetAuthorization );
AnalyticsService analyticsService = new AnalyticsService( new BaseClientService.Initializer {
Authenticator = auth,
ApplicationName = #"Test Application",
} );
DataResource.GaResource.GetRequest request = analyticsService.Data.Ga.Get( gaId, #"2013-09-04",
#"2013-09-18", #"ga:totalEvents" );
GaData data = request.Execute();
Console.ReadKey();
}
private static IAuthorizationState GetAuthorization( NativeApplicationClient arg )
{
// Get the auth URL:
IAuthorizationState state = new AuthorizationState(
new[] {AnalyticsService.Scopes.AnalyticsReadonly.GetStringValue()} );
state.Callback = new Uri( NativeApplicationClient.OutOfBandCallbackUrl );
if( !string.IsNullOrEmpty( refreshToken ) ) {
try {
state.RefreshToken = refreshToken;
arg.RefreshToken( state );
} catch {
refreshToken = null;
}
}
// If the refresh token is empty, request a new one by opening
// a browser window. Allows the user to paste its authorization token
// and saves the refresh token.
if( string.IsNullOrEmpty( refreshToken ) ) {
Uri authUri = arg.RequestUserAuthorization( state );
// Request authorization from the user (by opening a browser window):
Process.Start( authUri.ToString() );
Console.Write( " Authorization Code: " );
string authCode = Console.ReadLine();
Console.WriteLine();
// Retrieve the access token by using the authorization code:
state = arg.ProcessUserAuthorization( authCode, state );
refreshToken = state.RefreshToken;
}
return state;
}

Resources