Zulfiqar's weblog

Architecture, security & random .Net

«
»

Claim-based-security for ASP.NET Web APIs using DotNetOpenAuth

Posted by zamd on May 4, 2012


Source Code

Recently I worked with a customer assisting them in implementing their Web APIs using the new ASP.NET Web API framework. Their API would be public so obviously security came up as the key concern to address. Claims-Based-Security is widely used in SOAP/WS-* world and we have rich APIs available in .NET Framework in the form of WCF, WIF & ADFS 2.0. Even though we now have this cool library to develop Web APIs, the claims-based-security story for REST/HTTP is still catching up. OAuth 2.0 is almost ready, OpenID Connect is catching up quickly however it would still take sometime before we have WIF equivalent libraries for implementing claims-based-security in REST/HTTP world. DotNetOpenAuth seems to be the most prominent open-source library claiming to support OAuth 2.0 so I decided to give it a go to implement the ‘Resource Owner Password Credentials’ authorization grant. Following diagram shows the solution structure for my target scenario.

clip_image002

1. OAuth 2.0 issuer is an ASP.NET MVC application responsible for issuing token based on OAuth 2.0 ‘Password Credentials’ grant type.

2. Web API Host exposes secured Web APIs which can only be accessed by presenting a valid token issued by the trusted issuer

3. Sample thick client which consumes the Web API

I have used the DotNetOpenAuth.Ultimate NuGet package which is just a single assembly implementing quite a few security protocols. From OAuth 2.0 perspective, AuthorizationServer is the main class responsible for processing the token issuance request, producing and returning a token for valid & authenticated request. The token issuance action of my OAuthIssuerController looks like this:

OAuth 2.0 Issuer

public class OAuthIssuerController : Controller {
    public ActionResult Index()
    {
        var configuration = new IssuerConfiguration {
            EncryptionCertificate = new X509Certificate2(Server.MapPath("~/Certs/localhost.cer")),
            SigningCertificate = new X509Certificate2(Server.MapPath("~/Certs/localhost.pfx"), "a")
        };

        var authorizationServer = new AuthorizationServer(new OAuth2Issuer(configuration));
        var response = authorizationServer.HandleTokenRequest(Request).AsActionResult();

        return response;
    }
}

AuthorizationServer handles all the protocol details and delegate the real token issuance logic to a custom token issuer handler (OAuth2Issuer in following snippet)

Protocol independent issuer
  1. public class OAuth2Issuer : IAuthorizationServer
  2. {
  3.     private readonly IssuerConfiguration _configuration;
  5.     public OAuth2Issuer(IssuerConfiguration configuration)
  6.     {
  7.         if (configuration == null) throw new ArgumentNullException(“configuration”);
  8.         _configuration = configuration;
  9.     }
  11.     public RSACryptoServiceProvider AccessTokenSigningKey
  12.     {
  13.         get
  14.         {
  15.             return (RSACryptoServiceProvider)_configuration.SigningCertificate.PrivateKey;
  16.         }
  17.     }
  19.     public DotNetOpenAuth.Messaging.Bindings.ICryptoKeyStore CryptoKeyStore
  20.     {
  21.         get { throw new NotImplementedException(); }
  22.     }
  24.     public TimeSpan GetAccessTokenLifetime(DotNetOpenAuth.OAuth2.Messages.IAccessTokenRequest accessTokenRequestMessage)
  25.     {
  26.         return _configuration.TokenLifetime;
  27.     }
  29.     public IClientDescription GetClient(string clientIdentifier)
  30.     {
  31.         const string secretPassword = “test1243”;
  32.         return new ClientDescription(secretPassword, new Uri(http://localhost/”), ClientType.Confidential);
  33.     }
  35.     public RSACryptoServiceProvider GetResourceServerEncryptionKey(DotNetOpenAuth.OAuth2.Messages.IAccessTokenRequest accessTokenRequestMessage)
  36.     {
  37.         return (RSACryptoServiceProvider)_configuration.EncryptionCertificate.PublicKey.Key;
  39.     }
  41.     public bool IsAuthorizationValid(DotNetOpenAuth.OAuth2.ChannelElements.IAuthorizationDescription authorization)
  42.     {
  43.         //claims added to the token
  44.         authorization.Scope.Add(“adminstrator”);
  45.         authorization.Scope.Add(“poweruser”);
  47.         return true;
  48.     }
  50.     public bool IsResourceOwnerCredentialValid(string userName, string password)
  51.     {
  52.         return true;
  53.     }
  55.     public DotNetOpenAuth.Messaging.Bindings.INonceStore VerificationCodeNonceStore
  56.     {
  57.         get
  58.         {
  59.             throw new NotImplementedException();
  60.         }
  61.     }
  62. }

Now with my issuer setup, I can acquire access tokens by POSTing following request to the token issuer endpoint

Client

POST /Issuer HTTP/1.1

Content-Type: application/x-www-form-urlencoded; charset=utf-8

scope=http%3A%2F%2Flocalhost%2F&grant_type=client_credentials&client_id=zamd&client_secret=test1243

 

In response, I get 200 OK with following payload

 

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Content-Type: application/json; charset=utf-8

Server: Microsoft-IIS/7.5

Content-Length: 685

{“access_token”:”gAAAAC5KksmbH0FyG5snks_xOcROnIcPldpgksi5b8Egk7DmrRhbswiEYCX7RLdb2l0siW8ZWyqTqxOFxBCjthjTfAHrE8owe3hPxur7Wmn2LZciTYfTlKQZW6ujlhEv6N4V1HL4Md5hdtwy51_7RMzGG6MvvNbEU8_3GauIgaF7JcbQJAEAAIAAAABR4tbwLFF57frAdPyZsIeA6ljo_Y01u-2p5KTfJ2xa6ZhtEpzmC46Omcvps9MbFWgyz6536_77jx9nE3sePTSeyB5zyLznkGDKhjfWwx3KjbYnxCVCV-n2pqKtry0l8nkMj4MrjqoTXpvd_P0c_VGfVXCsVt7BYOO68QbD-m7Yz9rHIZn-CQ4po0FqS2elDVe9qwu_uATbAmOXlkWsbnFwa6_ZDHcSr2M-WZxHTVFin7vEWO7FxIQStabu_r4_0Mo_xaFlBKp2hl9Podq8ltx7KvhqFS0Xu8oIJGp1t5lQKoaJSRTgU8N8iEyQfCeU5hvynZVeoVPaXfMA-gyYfMGspLybaw7XaBOuFJ20-BZW0sAFGm_0sqNq7CLm7LibWNw”,”token_type”:”bearer”,”expires_in”:”300″,”scope”:”http:\/\/localhost\/ adminstrator poweruser”}

image

DotNetOpenAuth also has a WebServerClient class which can be used to acquire tokens and I have used in my test application instead of crafting raw HTTP requests. Following code snippet generates the same above request/response

Get Access Token
  1. private static IAuthorizationState GetAccessToken()
  2. {
  3.     var authorizationServer = new AuthorizationServerDescription
  4.     {
  5.         TokenEndpoint = new Uri(http://localhost:1960/Issuer”),
  6.         ProtocolVersion = ProtocolVersion.V20
  8.     };
  9.     var client = new WebServerClient(authorizationServer, http://localhost/”);
  10.     client.ClientIdentifier = “zamd”;
  11.     client.ClientSecret = “test1243”;
  13.     var state = client.GetClientAccessToken(new[] { http://localhost/” });
  14.     return state;
  15. }

Ok Now the 2nd part is to use this access token for authentication & authorization when consuming ASP.NET Web APIs.

Web API Client
  1. static void Main(string[] args)
  2. {
  3.     var state = GetAccessToken();
  5.     Console.WriteLine(“Expires = {0}”, state.AccessTokenExpirationUtc);
  6.     Console.WriteLine(“Token = {0}”, state.AccessToken);
  8.     var httpClient = new OAuthHttpClient(state.AccessToken)
  9.     {
  10.         BaseAddress = new Uri(http://localhost:2150/api/values”)
  11.     };
  13.     Console.WriteLine(“Calling web api…”);
  15.     Console.WriteLine();
  17.     var response = httpClient.GetAsync(“”).Result;
  19.     if (response.StatusCode==HttpStatusCode.OK)
  20.         Console.WriteLine(response.Content.ReadAsStringAsync().Result);
  21.     else
  22.         Console.WriteLine(response);
  24.     Console.ReadLine();
  25. }

On line 8, I’m creating an instance of a customized HttpClient passing in the access token. The httpClient would use this access token for all subsequent HTTP requests

OAuth enabled HttpClient
  1. public class OAuthHttpClient : HttpClient
  2. {
  3.     public OAuthHttpClient(string accessToken)
  4.         : base(new OAuthTokenHandler(accessToken))
  5.     {
  7.     }
  9.     class OAuthTokenHandler : MessageProcessingHandler
  10.     {
  11.         string _accessToken;
  12.         public OAuthTokenHandler(string accessToken)
  13.             : base(new HttpClientHandler())
  14.         {
  15.             _accessToken = accessToken;
  17.         }
  18.         protected override HttpRequestMessage ProcessRequest(HttpRequestMessage request, System.Threading.CancellationToken cancellationToken)
  19.         {
  20.             request.Headers.Authorization = new AuthenticationHeaderValue(“Bearer”, _accessToken);
  21.             return request;
  22.         }
  24.         protected override HttpResponseMessage ProcessResponse(HttpResponseMessage response, System.Threading.CancellationToken cancellationToken)
  25.         {
  26.             return response;
  27.         }
  28.     }
  30. }

Relying Party (ASP.NET Web APIs)

Finally on the RP side, I have used standard MessageHandler extensibility to extract and validate the ‘access token’. The OAuth2 message handler also extracts the claims from the access token and create a ClaimsPrincipal which is passed on the Web API implementation for authorization decisions.

OAuth2 Message Handler
  1. public class OAuth2Handler : DelegatingHandler
  2. {
  3.     private readonly ResourceServerConfiguration _configuration;
  5.     public OAuth2Handler(ResourceServerConfiguration configuration)
  6.     {
  7.         if (configuration == null) throw new ArgumentNullException(“configuration”);
  8.         _configuration = configuration;
  9.     }
  11.     protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
  12.     {
  13.         HttpContextBase httpContext;
  14.         string userName;
  15.         HashSet<string> scope;
  17.         if (!request.TryGetHttpContext(out httpContext))
  18.             throw new InvalidOperationException(“HttpContext must not be null.”);
  20.         var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(
  21.                                                     (RSACryptoServiceProvider)_configuration.IssuerSigningCertificate.PublicKey.Key,
  22.                                                     (RSACryptoServiceProvider)_configuration.EncryptionVerificationCertificate.PrivateKey));
  24.         var error = resourceServer.VerifyAccess(httpContext.Request, out userName, out scope);
  26.         if (error != null)
  27.             return Task<HttpResponseMessage>.Factory.StartNew(error.ToHttpResponseMessage);
  29.         var identity = new ClaimsIdentity(scope.Select(s => new Claim(s, s)));
  30.         if (!string.IsNullOrEmpty(userName))
  31.             identity.Claims.Add(new Claim(ClaimTypes.Name, userName));
  33.         httpContext.User = ClaimsPrincipal.CreateFromIdentity(identity);
  34.         Thread.CurrentPrincipal = httpContext.User;
  36.         return base.SendAsync(request, cancellationToken);
  37.     }
  39. }

Inside my Web API, I access the claims information using the standard IClaimsIdentity abstraction.

Accessing claims information
  1. public IEnumerable<string> Get()
  2. {
  3.     if (User.Identity.IsAuthenticated && User.Identity is IClaimsIdentity)
  4.         return ((IClaimsIdentity) User.Identity).Claims.Select(c => c.Value);
  5.     return new string[] { “value1”, “value2” };
  6. }

Fiddler Testing

Once I got the “access token”, I can test few scenarios in fiddler by attaching and tweaking the token when calling my web api.

401 without an “access token”

image

200 OK with a Valid token

image

401 with Expired token

image

401 with Tempered token

image

Source code attached. Please feel free to download and use.

This entry was posted on May 4, 2012 at 6:50 pm and is filed under ASP.NET Web APIs. Tagged: . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

15 Responses to “Claim-based-security for ASP.NET Web APIs using DotNetOpenAuth”

  1. Matt said

    May 29, 2012 at 6:00 pm

    When setting up the issuer, I continue to receive 400 BAD REQUEST {“error”:”invalid_request”}. Any ideas?

    Reply

  2. Micha Demmers said

    June 7, 2012 at 2:33 pm

    doesn’t work if yo use fiddler to try to get an accesstoken. It doesn’t matter what i do but it keeps giving the response “invalid_request”. It only works when using the sample client written in dotnet. Any ideas?

    Reply

  3. jalpesh vadgama said

    June 21, 2012 at 12:47 pm

    Nice job done!!

    Reply

  4. Steven Livingstone (@weblivz) said

    July 4, 2012 at 5:08 pm

    Nice work, but I think this is a demo of oAuth2 “Client Credentials” rather than “Resource Owner Password Credentials”. I think to turn the latter into the former you would need to call ExchangeUserCredentialForToken() on the client and pass the resource owner credentials to get a token. As far as i can see this code will simply verify a client has been registered to access the resource rather than the specific user.

    Reply

  5. bradirby said

    July 11, 2012 at 5:15 pm

    BTW, you must install the Microsoft Windows Identity Foundation for the sample code to work.
    http://msdn.microsoft.com/en-us/evalcenter/dd440951.aspx

    Reply

  6. Alex said

    July 15, 2012 at 1:26 pm

    Thanks for the code. It’s going to help tremendously on a current project. I do have one question – you mentioned you were going to use a password grant. But I do not see that anywhere. Shouldn’t the username/password be passed in as form url encoded parameters to the issuer?

    Reply

  7. Dervanil Junior said

    August 23, 2012 at 7:30 pm

    Hi good sample, but i’m having some trouble, could you help me?
    I need to call the api via JavaScript but i couldn’t find what header i need to set.

    Reply

  8. Adhikesh said

    October 4, 2012 at 7:27 am

    Hi zamd,

    I am getting HTTP 400 Bad Request, when giving request from the fiddler
    Please help me

    Reply

  9. Adhikesh said

    October 8, 2012 at 4:49 am

    This is good sample, how can we make the request for refresh the token? how the parameters looks like?

    Reply

  10. Analysis on Claim-based-security for ASP.NET Web APIs using DotNetOpenAuth « Md. Marufuzzaman's Blog said

    December 9, 2012 at 2:41 pm

    […] short analysis on the “Claim-based-security for ASP.NET Web APIs using DotNetOpenAuth” (http://zamd.net/2012/05/04/claim-based-security-for-asp-net-web-apis-using-dotnetopenauth/?goback=%2…). Few things I tried to short out are listed […]

    Reply

  11. Secure Web Services on Windows Azure Web Sites for Windows Store Applications - Dr. Z's Blog - Site Home - MSDN Blogs said

    December 13, 2012 at 5:51 pm

    […] An example of “Claim-based-security for ASP.NET Web APIs using DotNetOpenAuth” is available from a Microsoft application development manager Zulfiqar Ahmed at http://zamd.net/2012/05/04/claim-based-security-for-asp-net-web-apis-using-dotnetopenauth/ […]

    Reply

  12. Akila Kumarasamy said

    May 8, 2013 at 10:49 pm

    Hi,

    Its a good example, Can I know how to add different claims with the claim type in the OAuthIssuer? Also, the OAuthIssuer throws BAD REQUEST error if the client has the latest nuget package on the DotNetOpenAuth. How can we fix this? Can you please help?

    Reply

  13. J.M. said

    May 16, 2013 at 10:25 pm

    I was a little confused by the code in the Protocal Independent Issuer. The code is loading up a public and private key. I had thought that OAuth did not require SSL. Do I need to buy certificates?

    Reply

  14. Prasad said

    November 19, 2013 at 6:28 pm

    Very nice. Everything works as expected. Only thing is if someone wants to check the passed in user creds and the relying party is a complex system like a CMS, it would be tricky to do this.

    Reply

Leave a Reply to Alex Cancel reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

«
»
 
%d bloggers like this: