The Web API v2 user authentication template provides a popular starting point for user authentication scenarios such as: username/password logon using a local account (including creating users, setting up and changing passwords) and logon using third-party authentication methods such as Facebook, Google, etc., where the link to the external account is stored locally. All of this is done using an OAuth2 authentication service.
To make all that happen, the template combines quite a bit of new stuff together: OWIN, Katana authentication middleware, ASP.NET Identity, OAuth2 and a bunch of new authentication-related attributes... and I must admit figuring out exactly what's going on is a bit of a challenge. Two quotes constantly came to mind while digging through the source code and writing down my notes. One was: "complexity is the natural enemy of security", and the other one was: "shit's hard". So enjoy.
In this post I want to focus on the general setup of the Katana authentication middleware; the following posts will deal with the local account features and the external authentication.
In Katana, every authentication middleware "registers" itself with the system. For that it needs a "name", or technically speaking an AuthenticationType. Using that name, code such as a framework can call into the authentication component. This is done using the IAuthenticationManager interface, which hangs off the Authentication property on the OwinContext. It features methods like SignIn, SignOut, AuthenticateAsync or Challenge. Each of these methods requires an AuthenticationType as a hint for which middleware should do the actual work.
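As an added illustration (not the template's own code) of addressing the authentication manager by AuthenticationType, the following controller asks only the external-cookie middleware whether it recognises the request, and signs out only that cookie. The controller name and routes are assumed, as is attribute routing being enabled.

```csharp
using System.Net.Http;                  // GetOwinContext()
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;        // DefaultAuthenticationTypes
using Microsoft.Owin.Security;          // IAuthenticationManager, AuthenticateResult

[RoutePrefix("api/externalsession")]   // hypothetical route
public class ExternalSessionController : ApiController
{
    // The manager hangs off the OWIN context; every call on it is routed by AuthenticationType.
    private IAuthenticationManager Authentication
    {
        get { return Request.GetOwinContext().Authentication; }
    }

    // Only the middleware registered as ExternalCookie is asked to authenticate;
    // the application cookie and the bearer middlewares are not consulted at all,
    // regardless of what the Web API host filters made of the request.
    [Route("")]
    public async Task<IHttpActionResult> Get()
    {
        AuthenticateResult result =
            await Authentication.AuthenticateAsync(DefaultAuthenticationTypes.ExternalCookie);
        if (result == null || result.Identity == null || !result.Identity.IsAuthenticated)
            return Unauthorized();   // no temporary external login in progress

        Claim subject = result.Identity.FindFirst(ClaimTypes.NameIdentifier);
        return Ok(new
        {
            authenticationType = result.Identity.AuthenticationType,   // "ExternalCookie"
            // Katana's external providers stamp their claims with the provider's
            // authentication type as issuer, so this is not LOCAL AUTHORITY here.
            provider = subject == null ? null : subject.Issuer,
            name = result.Identity.Name
        });
    }

    // Sign-out is addressed to one type too: clearing the external cookie leaves
    // the application cookie and any bearer tokens untouched.
    [Route("")]
    public IHttpActionResult Delete()
    {
        Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);
        return Ok();
    }
}
```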
One built-in mechanism that uses the authentication manager is the new HostAuthenticationFilter in Web API v2; we will come to that later. Let's first have a look at which authentication middleware actually gets wired up (see also Startup.Auth.cs).
For the implicit flow and the interaction with Google and friends, "browser tech" is needed (think web views in native apps, or the browser itself for JS); this is where the cookies come in:
```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions());
```
This adds support for classic cookie-based authentication. The authentication type is simply called Cookies, or in code the middleware is referenced using CookieAuthenticationDefaults.AuthenticationType.
```csharp
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
```
The second cookie middleware registers itself as ExternalCookie (or DefaultAuthenticationTypes.ExternalCookie). This cookie is used to temporarily store information about a user logging in with a third-party login provider.
Further, there is one authentication middleware registered for every external login provider you want to support (authentication types: Google, Facebook, Twitter and Microsoft):
```csharp
app.UseFacebookAuthentication(appId: "178...455", appSecret: "f43...f");
app.UseGoogleAuthentication();
```
OK, next up is all the plumbing to support token-based authentication: we need a token producer and a token consumer. Both are hidden behind the following line of code:
```csharp
app.UseOAuthBearerTokens(OAuthOptions);
```
This extension method actually registers three middlewares behind the covers:
- An OAuth2 authorization server to deal with resource owner flow and implicit flow token requests. Application-specific logic is encapsulated in the ApplicationOAuthProvider class, which we'll have a closer look at in the next post.
- Token-based authentication for local accounts using an authentication type of Bearer (or OAuthDefaults.AuthenticationType). This middleware only accepts claims where the issuer has been set to LOCAL AUTHORITY.
- Token-based authentication for external accounts (resulting from an authentication handshake with an external login provider). It uses an authentication type of ExternalBearer (or DefaultAuthenticationTypes.ExternalBearer) and only accepts claims where the issuer is not LOCAL AUTHORITY (an important technical detail; keep it in the back of your mind).
With this setup you can now control which authentication type is required to access which parts of the API surface. Let me give you some examples:
In general, the Web API requires token-based authentication using local accounts (Bearer). This is why you find the following two lines of code in WebApiConfig.cs:
```csharp
config.SuppressDefaultHostAuthentication();
config.Filters.Add(
    new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
```
Let's say you'd want to also accept tokens resulting from external authentication, but still require an authenticated principal. The following would work (e.g. on a controller or action):
```csharp
[Authorize]
[HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)]
```
If you want to override the global setting and only accept an application cookie if present (a technique used in the AccountController; more on that in the next post), you could do this:
```csharp
[OverrideAuthentication]
[HostAuthentication(DefaultAuthenticationTypes.ExternalCookie)]
[AllowAnonymous]
```
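To see how the global host filter and the per-action attributes above combine, here is an added example (not the template's own code) with a WebApiConfig and a controller whose three actions each pin the authentication types they accept and report which one actually produced the principal. The controller, action and route names are assumptions.

```csharp
using System.Security.Claims;
using System.Web.Http;
using Microsoft.AspNet.Identity;        // DefaultAuthenticationTypes
using Microsoft.Owin.Security.OAuth;    // OAuthDefaults

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // The host (here: the cookie middleware) must not set the API's principal;
        // only the authentication types named by HostAuthenticationFilter count.
        config.SuppressDefaultHostAuthentication();
        // Global default: local-account Bearer tokens only.
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
        config.MapHttpAttributeRoutes();
    }
}

[RoutePrefix("api/demo")]   // hypothetical route
public class DemoController : ApiController
{
    // Global filter applies: only a Bearer token (issuer LOCAL AUTHORITY) yields a principal.
    [Authorize, Route("local")]
    public IHttpActionResult GetLocal() { return Ok(Describe()); }

    // Adds ExternalBearer next to the global Bearer filter: either token type produces
    // a principal, and Authorize still rejects requests that carry neither.
    [Authorize, Route("either")]
    [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)]
    public IHttpActionResult GetEither() { return Ok(Describe()); }

    // Replaces the global filter: only the external cookie is consulted, and without it
    // the action runs anonymously instead of returning 401.
    [OverrideAuthentication, AllowAnonymous, Route("cookie")]
    [HostAuthentication(DefaultAuthenticationTypes.ExternalCookie)]
    public IHttpActionResult GetCookie() { return Ok(Describe()); }

    // Report which authentication type and issuer produced the current principal.
    private object Describe()
    {
        var identity = User.Identity as ClaimsIdentity;
        var nameId = identity == null ? null : identity.FindFirst(ClaimTypes.NameIdentifier);
        return new
        {
            authenticated = identity != null && identity.IsAuthenticated,
            authenticationType = identity == null ? null : identity.AuthenticationType,
            issuer = nameId == null ? null : nameId.Issuer
        };
    }
}
```

Calling each action with a local Bearer token, an ExternalBearer token and the external cookie in turn shows directly which filter combination accepts which credential.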