Question
Thursday, December 3, 2015 6:05 PM
There is a good article on how to share cookies between ASP.NET 4.x and ASP.NET 5 applications (http://docs.asp.net/en/latest/security/data-protection/compatibility/cookie-sharing.html), but is there a similar way to share Bearer Tokens?
For instance, I have a central authentication server that hands out bearer tokens that is written in ASP .NET 4.5.1 with Identity Framework 2.x. My dependent application, written in ASP .NET 5, will get a bearer token from the central authentication server and use that bearer token for calling protected endpoints (using claims) in the dependent application. How can I get the two applications to share the bearer token (i.e. so the dependent application can parse the bearer token)? I already followed the article for sharing cookies between them and that is working well.
Thank you.
All replies (7)
Friday, December 4, 2015 5:28 PM ✅ Answered
I was able to parse the bearer token in my ASP .NET 5 application. I'm not claiming this is the absolute best method, but it works and is straight forward.
First, follow this article on how to share cookies between ASP.NET 4.x and ASP.NET 5 applications.
In your ASP .NET 4.5.1 authentication server, use the following code in your Startup.Auth file.

using System.IO;
using Microsoft.AspNet.DataProtection;     // ASP.NET 5 data protection stack (RC1 package name)
using Microsoft.Owin.Security.Interop;     // DataProtectorShim, AspNet5TicketDataFormat
using Microsoft.Owin.Security.OAuth;

// Same key directory and same purpose string as the ASP.NET 5 application.
// ProtectKeysWithDpapi(true) protects the key ring to the local machine account,
// so both applications on this machine can read it.
DataProtectionProvider dataProtectionProvider = new DataProtectionProvider(
    new DirectoryInfo("<Your Keys Path Here>"),
    configure => configure.ProtectKeysWithDpapi(true));
IDataProtector dataProtector = dataProtectionProvider.CreateProtector("<Your Purpose Here>");

OAuthOptions = new OAuthAuthorizationServerOptions
{
    //...Shortened for brevity
    AccessTokenFormat = new AspNet5TicketDataFormat(new DataProtectorShim(dataProtector), "<Your Purpose Here>"),
    AuthorizationCodeFormat = new AspNet5TicketDataFormat(new DataProtectorShim(dataProtector), "<Your Purpose Here>"),
    RefreshTokenFormat = new AspNet5TicketDataFormat(new DataProtectorShim(dataProtector), "<Your Purpose Here>"),
};
In your ASP .NET 5 application, add a new middleware class.

using System;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Authentication;     // AuthenticationTicket, TicketSerializer, Base64UrlTextEncoder
using Microsoft.AspNet.Builder;            // RequestDelegate
using Microsoft.AspNet.DataProtection;     // DataProtectionProvider, IDataProtector
using Microsoft.AspNet.Http;               // HttpContext
using Microsoft.Extensions.Primitives;     // StringValues

public class OAuth4BearerTokenAuthentication
{
    private const string BearerIdentifier = "Bearer ";     // scheme plus the separating space
    private const string Purpose = "<Your Purpose Here>";  // This must match the authentication server.
    private readonly RequestDelegate _next;
    private readonly IDataProtector _dataProtector;

    public OAuth4BearerTokenAuthentication(RequestDelegate next)
    {
        _next = next;
        // Build the provider once instead of per request; it opens the key ring the Katana server also uses.
        DataProtectionProvider provider = new DataProtectionProvider(
            new DirectoryInfo("<Your Keys Path Here>"),
            configure => configure.ProtectKeysWithDpapi(true));
        _dataProtector = provider.CreateProtector(Purpose);
    }

    public async Task Invoke(HttpContext context)
    {
        if (!context.User.Identity.IsAuthenticated)
        {
            try
            {
                StringValues authorizeHeader = context.Request.Headers["Authorization"];
                string header = authorizeHeader.FirstOrDefault();
                if (header != null && header.StartsWith(BearerIdentifier, StringComparison.OrdinalIgnoreCase))
                {
                    // Strip only the scheme prefix; Replace() would also remove "Bearer" wherever it appears inside the token.
                    string token = header.Substring(BearerIdentifier.Length).Trim();
                    // The token is base64url(protected ticket bytes). Unprotect the raw bytes rather than
                    // round-tripping them through a UTF-8 string, which corrupts non-text bytes of the ticket.
                    byte[] ticketBytes = _dataProtector.Unprotect(Base64UrlTextEncoder.Decode(token));
                    TicketSerializer serializer = new TicketSerializer();
                    AuthenticationTicket ticket = serializer.Deserialize(ticketBytes);
                    // Unprotect() only proves the token was issued with our keys; expiry still has to be checked here.
                    DateTimeOffset? expires = ticket.Properties.ExpiresUtc;
                    if (!expires.HasValue || expires.Value > DateTimeOffset.UtcNow)
                    {
                        context.User = ticket.Principal;
                    }
                }
            }
            catch (Exception ex)
            {
                // A tampered token or a key mismatch throws CryptographicException; the request stays anonymous.
                // Log the error or do whatever you want with it.
            }
        }
        await _next(context);
    }
}
Make sure to add this middleware in your Startup file.
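As an added example (not code from this thread), the following console program isolates the contract the two applications rely on: two DataProtectionProvider instances over the same key directory, created with the same purpose string, round-trip a ticket, while a protector built with a different purpose rejects it. It assumes the RC1-era Microsoft.AspNet.DataProtection and Microsoft.AspNet.Authentication packages used above, and the KeysPath and Purpose placeholders are yours to fill in.

```csharp
using System;
using System.IO;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.AspNet.Authentication;       // AuthenticationTicket, TicketSerializer, Base64UrlTextEncoder
using Microsoft.AspNet.DataProtection;       // DataProtectionProvider, IDataProtector
using Microsoft.AspNet.Http.Authentication;  // AuthenticationProperties

public static class SharedTicketDemo
{
    // Assumed placeholders: use the directory and purpose both applications share.
    private const string KeysPath = "<Your Keys Path Here>";
    private const string Purpose = "<Your Purpose Here>";

    private static IDataProtector CreateProtector(string purpose)
    {
        // Each application builds its own provider over the same on-disk key ring.
        var provider = new DataProtectionProvider(new DirectoryInfo(KeysPath),
            configure => configure.ProtectKeysWithDpapi(true));
        return provider.CreateProtector(purpose);
    }

    // "Authentication server" side: serialize the ticket, protect the bytes, base64url-encode.
    public static string IssueToken(IDataProtector protector)
    {
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "alice") }, "Bearer");
        var properties = new AuthenticationProperties { ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(5) };
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), properties, "Bearer");
        byte[] plaintext = new TicketSerializer().Serialize(ticket);
        return Base64UrlTextEncoder.Encode(protector.Protect(plaintext));
    }

    // "Dependent application" side: reverse the steps. A different key ring or purpose throws.
    public static string ReadUserName(IDataProtector protector, string token)
    {
        byte[] plaintext = protector.Unprotect(Base64UrlTextEncoder.Decode(token));
        AuthenticationTicket ticket = new TicketSerializer().Deserialize(plaintext);
        return ticket.Principal.Identity.Name;
    }

    public static void Main()
    {
        string token = IssueToken(CreateProtector(Purpose));
        Console.WriteLine(ReadUserName(CreateProtector(Purpose), token));   // alice: same keys, same purpose

        try
        {
            ReadUserName(CreateProtector(Purpose + "-other"), token);
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Rejected: purpose string differs");   // purpose strings isolate protectors
        }
    }
}
```

The same rejection happens when the two applications point at different key directories, which is the first thing to check when the middleware above silently leaves requests anonymous.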
Thursday, December 3, 2015 7:15 PM
Hi,
Are you using the OAuth4 authorization server that comes with Katana?
Best,
Maher
Thursday, December 3, 2015 7:28 PM
Yes, that is being used in the auth server. I used this article as a guide: http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
Thursday, December 3, 2015 7:45 PM
You have 2 options: updating the authorization server to use a custom format class relying on the new data protection block (since it has completely changed), or creating a new middleware to validate the access tokens issued by your authorization server, using the old data protection system. By default, ASP.NET 5 only supports JWT tokens.
Thursday, December 3, 2015 8:06 PM
Thank you for the quick response. I've already updated the authorization server to use a custom format class to share cookies (http://docs.asp.net/en/latest/security/data-protection/compatibility/cookie-sharing.html). I wasn't sure what to do in the ASP .NET 5 application to read the bearer token. For cookies, the article gave code examples for how to register the cookie authentication middleware to read the cookie. I was hoping for something similar for this situation. I'm sure it's something simple I'm overlooking.
Thank you
Thursday, December 3, 2015 8:23 PM
The other approach is to look into using IdentityServer as your token service.
Thursday, December 3, 2015 8:57 PM
Unfortunately I cannot swap out the authentication server. There's a lot of custom code around authenticating organizations along with authenticating users. I'll have to look into the suggestion of writing custom middleware to parse the Bearer Token.
Thank you.