Open source Owin authentication support and cross-domain support

Source: Internet
Author: User

http://identitymodel.codeplex.com/

https://identityserver.github.io/

Windows Identity Foundation

6.1.7600.16394

Windows Identity Foundation enables .NET developers to externalize identity logic from their application, improving developer productivity, enhancing application security, and enabling interoperable federation. Enjoy greater productivity, applying the same tools and programming model to build on-premises software as well as cloud services. Create more secure applications by reducing custom implementations and using a single simplified identity model based on claims. Enjoy greater flexibility in application deployment through interoperability based on industry standard protocols, allowing applications and identity infrastructure services to communicate via claims.

To install Windows Identity Foundation, run the following command in the Package Manager Console

CORS support for WebAPI, MVC and IIS with Thinktecture.IdentityModel

My second contribution to the Thinktecture.IdentityModel security library is a full-featured CORS implementation. Many other sample implementations only emit the Access-Control-Allow-Origin header, but there's more to it than that. The implementation in Thinktecture.IdentityModel follows the W3C Working Draft 3 from April 2012. There is a rich configuration API to control the various settings that are involved with CORS. These settings include which resource you want to configure, which origins are allowed, which HTTP methods are allowed, which request and/or response headers are allowed, and whether cookies are allowed.

In this first release there is support for WebAPI, ASP.NET MVC and IIS. For WebAPI you configure your settings per controller. For MVC you can configure the settings per controller or for specific controller actions. For IIS you configure the settings per URL. If there's enough interest, then perhaps in a future version I can add support for WCF REST and WCF Data Services.

I won't bother explaining CORS since there are already enough posts on it elsewhere. Instead I'll just show how to get started with the library. First, reference the NuGet package. Next, depending on the type of application (WebAPI, MVC or IIS), you need to configure how you want CORS support. The sections below show each of the different environments:

WebAPI

In WebAPI the implementation is a delegating handler. This allows the CORS settings to be global or per-route (which is forthcoming post-RC). For example, if you were to configure it globally, then in Global.asax's Application_Start you would have a call out to the configuration class, passing the global HttpConfiguration object (this follows the new style of factoring out configuration to separate classes in the App_Start folder):

    protected void Application_Start()
    {
       // ...
       CorsConfig.RegisterCors(GlobalConfiguration.Configuration);
    }

And then in App_Start/CorsConfig.cs:

    public class CorsConfig
    {
       public static void RegisterCors(HttpConfiguration httpConfig)
       {
          WebApiCorsConfiguration corsConfig = new WebApiCorsConfiguration();

          // this adds the CorsMessageHandler to the HttpConfiguration's
          // MessageHandlers collection
          corsConfig.RegisterGlobal(httpConfig);

          // this allows all CORS requests to the Products controller
          // from the http://foo.com origin.
          corsConfig
             .ForResources("Products")
             .ForOrigins("http://foo.com")
             .AllowAll();
       }
    }

In WebAPI, resources are identified by the controller name, as in the above example for the "Products" controller.

MVC

In MVC you need to register an HttpModule to enable CORS support, so in web.config:

    <system.webServer>
       <modules runAllManagedModulesForAllRequests="true">
          <add name="MvcCorsHttpModule"
             type="Thinktecture.IdentityModel.Http.Cors.Mvc.MvcCorsHttpModule"/>
       </modules>
    </system.webServer>

And then again in Global.asax you would configure the settings:

    protected void Application_Start()
    {
       // ...
       RegisterCors(MvcCorsConfiguration.Configuration);
    }

    private void RegisterCors(MvcCorsConfiguration corsConfig)
    {
       corsConfig
          .ForResources("Products.GetProducts")
          .ForOrigins("http://foo.com")
          .AllowAll();
    }

In MVC, resources can be identified either just by the controller name (with just "controller" for the resource name) or by the controller and action (as in the above sample with the "controller.action" syntax).

IIS

In IIS you need to register an HttpModule (different from the one for MVC), so in web.config:

    <system.webServer>
       <modules>
          <add name="CorsHttpModule"
             type="Thinktecture.IdentityModel.Http.Cors.IIS.CorsHttpModule"/>
       </modules>
    </system.webServer>

And then again in Global.asax you would configure the settings:

    protected void Application_Start(object sender, EventArgs e)
    {
       // ...
       ConfigureCors(UrlBasedCorsConfiguration.Configuration);
    }

    void ConfigureCors(CorsConfiguration corsConfig)
    {
       corsConfig
          .ForResources("~/Handler1.ashx")
          .ForOrigins("http://foo.com", "http://bar.com")
          .AllowAll();
    }

In IIS, resources are identified by the application-relative path (thus the "~/path/resource" syntax).

Other Configuration Options

While the above samples show the minimal amount of code needed to get CORS enabled and running in your app, these are some of the least restrictive settings. Typically more thought should go into the settings, and so there is a rich API for configuring the various CORS settings. Here are some more examples:

    public static void ConfigureCors(CorsConfiguration corsConfig)
    {
       // this allows http://foo.com to do GET or POST on Values1 controller
       corsConfig
          .ForResources("Values1")
          .ForOrigins("http://foo.com")
          .AllowMethods("GET", "POST");

       // this allows http://foo.com to do GET and POST, pass cookies and
       // read the Foo response header on Values2 controller
       corsConfig
          .ForResources("Values2")
          .ForOrigins("http://foo.com")
          .AllowMethods("GET", "POST")
          .AllowCookies()
          .AllowResponseHeaders("Foo");

       // this allows http://foo.com and http://bar.com to do GET, POST,
       // and PUT and pass the Content-Type header to Values3 controller
       corsConfig
          .ForResources("Values3")
          .ForOrigins("http://foo.com", "http://bar.com")
          .AllowMethods("GET", "POST", "PUT")
          .AllowRequestHeaders("Content-Type");

       // this allows http://foo.com to use any method, pass cookies, and
       // pass the Content-Type, Foo and Authorization headers, and read
       // the Foo response header for Values4 and Values5 controllers
       corsConfig
          .ForResources("Values4", "Values5")
          .ForOrigins("http://foo.com")
          .AllowAllMethods()
          .AllowCookies()
          .AllowRequestHeaders("Content-Type", "Foo", "Authorization")
          .AllowResponseHeaders("Foo");

       // this allows all methods and all request headers (but no cookies)
       // from all origins to Values6 controller
       corsConfig
          .ForResources("Values6")
          .AllowAllOriginsAllMethodsAndAllRequestHeaders();

       // this allows all methods (but no cookies or request headers)
       // from all origins to Values7 controller
       corsConfig
          .ForResources("Values7")
          .AllowAllOriginsAllMethods();

       // this allows all CORS requests from origin http://bar.com
       // for all resources that have not been explicitly configured
       corsConfig
          .ForOrigins("http://bar.com")
          .AllowAll();

       // this allows all CORS requests to all other resources that don't
       // have an explicit configuration. This opens them to all origins, all
       // HTTP methods, all request headers and cookies. This is the API to use
       // to get started, but it's a sledgehammer in the sense that *everything*
       // is wide-open.
       corsConfig.AllowAll();
    }
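As an added illustration (not code from the original post or from Thinktecture.IdentityModel), the sketch below models the checks a CORS preflight applies to settings like the Values2 sample above: origin, method and request headers must all be configured, and the matching origin is echoed rather than sent as a wildcard because cookies are enabled. `CorsPolicy`, `CorsDemo` and the sample requests are hypothetical names and constructed inputs.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Hypothetical model of one resource's CORS settings (not a Thinktecture.IdentityModel type).
public sealed class CorsPolicy
{
    public HashSet<string> Origins = new HashSet<string>(StringComparer.Ordinal);
    public HashSet<string> Methods = new HashSet<string>(StringComparer.Ordinal);
    public HashSet<string> RequestHeaders = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    public bool AllowCookies;
}
public static class CorsDemo
{
    // Headers for a preflight (OPTIONS) response; empty means denied, so the browser blocks the call.
    public static Dictionary<string, string> Preflight(
        CorsPolicy policy, string origin, string method, string requestHeaders)
    {
        var headers = new Dictionary<string, string>();
        if (origin == null || !policy.Origins.Contains(origin)) return headers;
        if (method == null || !policy.Methods.Contains(method)) return headers;
        var asked = (requestHeaders ?? "").Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(h => h.Trim()).Where(h => h.Length > 0).ToList();
        if (asked.Any(h => !policy.RequestHeaders.Contains(h))) return headers;
        // Echo the single matching origin: "*" cannot be combined with credentials.
        headers["Access-Control-Allow-Origin"] = origin;
        headers["Vary"] = "Origin"; // the response differs per origin, so caches must key on it
        headers["Access-Control-Allow-Methods"] = method;
        if (asked.Count > 0) headers["Access-Control-Allow-Headers"] = string.Join(", ", asked);
        if (policy.AllowCookies) headers["Access-Control-Allow-Credentials"] = "true";
        return headers;
    }
    public static void Main()
    {
        // Constructed policy with the same settings as the Values2 sample.
        var values2 = new CorsPolicy
            { Origins = { "http://foo.com" }, Methods = { "GET", "POST" }, AllowCookies = true };
        var requests = new[] {                                   // constructed preflight requests
            new[] { "http://foo.com", "POST", null },            // allowed
            new[] { "http://other.example", "POST", null },      // origin not configured
            new[] { "http://foo.com", "PUT", null },             // method not configured
            new[] { "http://foo.com", "POST", "Authorization" }  // request header not configured
        };
        foreach (var r in requests)
        {
            var h = Preflight(values2, r[0], r[1], r[2]);
            Console.WriteLine("{0} {1} [{2}] -> {3}", r[0], r[1], r[2], h.Count == 0 ? "denied"
                : string.Join("; ", h.Select(kv => kv.Key + ": " + kv.Value)));
        }
    }
}
```

Only the first request yields CORS headers; the other three get none, which is what makes the browser refuse the cross-origin call.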

Of course, feedback is welcome. Enjoy.

Edit: Common configuration issues when enabling CORS on IIS.
