If a client accessing an endpoint implemented as an ASP.NET Web API Controller over HTTPS provides a client certificate, that certificate is available through Request.GetClientCertificate. However, I'm wondering: is it possible to get information provided in the form of claims-based model that was integrated with the security model in .NET 4.5?
The main reason I'd like to do this is that I need different clients to be able to authenticate in different ways to access the same services, so I'd prefer to abstract away from specifics such as certificates. I want my controller to be able to base its decisions on the claims for the current user without concerning itself about the provenance of those claims.
I know there's a X509CertificateClaimSet type, which makes it seem like the natural flow would be:
Client certificate passed via TLS/SSL gets represented as an X509CertificateClaimSet through some sort of token mapping process (similar to how the incoming cookie generated by the federated provider you can use for ACS gets handled by the SessionSecurityTokenHandler
A claims transformation module (something derived from ClaimsAuthenticationManager and configured with a <claimsAuthenticationManager> element) inspects the claim set that came from the certificate, and transforms that into non-token-specific application-specific claims
The handler looks for the application-specific claims.
There's even a X509SecurityTokenHandler, which sounds like it should do this. However, as far as I can tell, that's designed for scenarios where the certificate-based authentication is handled within the messages being sent - it doesn't appear to have any support for the scenario where the proof of ownership of the certificate happened at the transport level, i.e. as part of the TLS/SSL handshake.
I'm wondering whether I need to write my own module to do this. In theory, it looks like it might be a case of just handling the AuthenticateRequest event, looking in the request for the certificate, constructing a X509CertificateClaimSet from the certificate if it's present. But...then what? Do I just create my own ClaimsPrincipal and replace the existing user? Or is there some 'correct' way to add the claims I've discovered to the set? (A client certificate is not necessarily the only source of claims - my application is already using claims that come from integration with ACS. Is there a standard mechanism for ensuring that all possible sources of claims are correctly merged?)
It looks likethe SessionAuthenticationModule (SAM) is the identity model component that currently provides a claims principal, and it just replaces the one that was previously in the context and also the current thread's user. But it appears to provide extensibility - if you override its ValidateSessionToken, that returns the set of ClaimsIdentity objects that make up the principal. So in theory, I could override that and add any additional claims at that point.
But I'm not sure that's the way to go. As far as I can tell, the SAM does this after the ClaimsAuthenticationManager has done its claims transformation. Or is claims transformation the wrong model to go with here?
Have a look here: client cert auth and claims generation is part of Thinktecture.IndetityModel.
If I were you, I would externalize the authentication - let some other services provide the authentication and just return SAML tokens with required claims.
This way, in your application you don't really think of certificates, you just expect some concrete claims from federated identity providers.
Then, you implement one of your identity providers to actually accept certificates but the outgoing SAML hides this implementation detail and translates the certificate to a claim set useful to your application.
Related
I work for a company that supports many applications, but for ease for users has an OAuth OIDC Single-Sign-On (IdentityServer4) so they can log in once and access many applications of ours. I have no problem configuring authorization to this OAuth with the returned JWT/Access Token.
But because our support footprint is so large, we have been told to handle roles, and user permissions at the application level. Here is where I am asking for feedback. I am currently developing a new API in .Net Core 6 (newbie to building APIs), and am wondering best practice for connecting a essentially third party OAuth, but also utilizing roles and permissions specific to the application.
The Identity Server returns a JWT/Access Token that is passed to API in form of bearer, but I need a mapping on the .net core backend to map the User contained in the JWT with a user within the application. Then the application can have separate mappings for roles/permissions, and utilize those roles as restrictions within the API, but I am not sure what best practice would be for this that also maintains the best security, while also achieving best performance. My thought was creating a middleware that creates and overrides userIdentity, but with that happening each call seems like unnecessary overhead. The other option is dual auth with cookie based auth that is set once, but am just unsure of best way, or what others have had success with. I know this must be a common flow that I am overthinking. Any insight is greatly appreciated.
It is common in many mature business systems to integrate identity and business data as you describe. There are two main techniques:
Identity system reaches out to business data at the time of token issuance, to get custom claims to include in access tokens. This Curity article explains the approach.
APIs look up custom claims, eg from a database, when an access token is first received, then cache custom claims for subsequent requests with the same access token. See this .NET code of mine for one way to do this.
In both cases the end result should be that the API business logic gets a useful ClaimsPrincipal that enables the correct authorization, as in this example class.
Finally, from an information disclosure viewpoint, aim to avoid returning detailed claims in JWTs to internet clients. It is common to use opaque access tokens instead, as a privacy preserving pattern.
I have an Angular Single Page Application (SPA) talking to my ASP.NET API.
The API is protected by my own Oauth2 server (IdentityServer4).
One of my customers (let's call him X) wants SSO: Their users on my platform would sign in on their server instead of using the login form in my app that connects to my IdentityServer.
Each customer has its own subdomain for the Angular SPA (e.g. x.myapp.com). Therefore I can easily redirect X's users to their server's authorization page to approve my API, based on the hostname.
However the API itself uses one common hostname for all customers(api.myapp.com). Customers are distinguished by the Origin header of the API call (x.myapp.com) during the login call (and a few other unprotected calls) and by the Bearer token for protected calls to the API.
How does my API introspect the Bearer access token? Who should know which server to query ?
Is it the responsibility of the API server? Or can I tell my IdentityServer about X's oauth2 server ?
X's users would also be defined on my platform since we need specific info (such as config of roles on the platform). My current setup implies specific claims (such as user id) that allow my API to know what the user can do. Obviously, X's server will not provide the same claims. How can I connect the dots ? e.g. get some standard claim from X's server (username, email, whatever) and match it to my list of users.
Note: This question is similar but the answer is not accepted and seems to imply that the provider of both identity servers is the same (not the case here).
Formatting my comments as an answer:
From reading your question it's pretty much clear to me that you could benefit from what is know as Federated identity.
As you said, one of your customer want to achieve SSO - They want users to login using their existing accounts and be able to user your systems normally.
Since you already have an IdentityServer in your domain, what you can do is delegate the login part to the customer's side (whatever they do it). This is illustrated in the Identity server documentation Federation Gateway.
Basically, the approach is that upon hitting the "login" button in your front-end, you would redirect the users to your Identity Server passing some special params (prompt and acr_values for ex) which in turn, tells identity server to redirect the user's to the external Identity provider (the customer's). After a successful login, you have a chance in Identity Server to augment the claims, maybe using something they returned or anything really. Then the process is as normal - you return a JWT Token generated by your Identity Server
The benefit of doing this is:
Your SPA/API doesn't have to change. You will still work with your own bearer tokens and can continue doing authN/AuthZ as before.
You have a chance to add claims that might indicate where this user is coming from if needed
If your customer's server changes, you don't have to worry much, apart from maybe some tweaks related to returned claims
They don't necessarily need to use OpenId/OAuth on their side for this to work
Useful things you probably will need is some params to pass during the call to the authorize endpoint in Identity Server. (acr_values and prompt).
You can also check this in the quickstarts, by looking at Sign-in with external providers (which is pretty similar to what you want)
Now to your individual points:
Your Identity Server should be the "bridge" between you and the customer's "identity provider".
Upon a login from an external provider (X), you need to somehow identify the user on your platform. You could use email or, even better, if X is already using OpenId/OAuth they might give you the sub claim which is the user id on their side. At this point you need some sort of agreement with them otherwise this might be flaky/unreliable for both sides.
In a more "advanced note" you could also add to your tokens some sort of claim that tells you who is the source provider of this user. Here the source provider would be X. This is useful because you might want, for example, configure allowed identity providers in your app, or maybe enable features only for certain providers. Like, ppl logging in with Google might only see certain parts of the app.
Migrating an SPA web app (Angular) and ASP Core Web API from Auth0 auth provider to Identity framework due to some requirements and limitations.
Until now everything was handled by auth0 and I didn't give it a much thought about the whole process of authentication. I would simply redirect users to auth0 hosted login page where it'd handle everything, callback with access token and I would use it for calls to API where API would just verify the JWT.
Now that I need to do this all manually, I am a bit confused. I want to have multiple authentication options: either Email/Password or OIDC auth providers like Google/Github.
I can get access token from these OIDC providers without much problem. But what do I do exactly with it, or to be more precise how do I configure Identity framework to handle the rest, without doing a lot of manual work? All users have quite a bit of additional data inside Identity framework user classes and I'm not fully sure how do i connect that to OIDC tokens.
Sorry for a bit abstract question, I think I'm missing some small detail, but at the moment I'm just really confused.
A lot of this is in place already, so to test the OIDC tokens, you just need them to be accepted by your consuming API.
To do so, you need to do some configuring, probably the same as you did for Auth0. Since the dependency here of the external providers, I'll post a link:
MSDN Google Auth
To accept them, you'll need the following steps:
register your API with the exteral provider
use the, provider dependent, instructions to set it up in your API.
The providers are additional to the one you have in placed and are referenced by Identity as ExternalProviders
In general, it's pretty easy. Possible some things are left out, since I don't know your exact use case.
So you are using an Identity Provider, previously Auth0, and now another (or custom) one.
Just for sanity a recap of your use case:
You trust the Identity Provider so every token signed by this provider is valid.
Your Identity Provider (and the external ones e.g; Facebook, Google etc) are responsible for their own user management.
Your own Identity Provider needs to handle specific authentication methods, tested against a corporate UserStore. These need to be managed, possibly with AD, Identity username/password or something similar.
Your Identity Provider provides authentication through JWTs
You also want to use external Identity Providers like Facebook etc.
So, as for the setup, you must do the following:
Implement (or reuse, or use ActiveDirectory or any other) user management tools, if you need to perform some management on them. This means password recovery and all that stuff, which is available in a lot of standard libraries (I think it comes out of the box in Identity)
Define clients, scopes and claims throughout your system(s). Possibly there is some effort to be made.
Make sure the JWT's are accepted as authentication throughout your system (this was already in place) and the proper claims are assigned when called for the correct client.
Register your API with the external providers
Setup your API to accept the external JWT tokens (needs some setup with secrets and API keys)
A lot of this is already in place in the Identity framework. There is an article about it here.
If you are willing to do a good exercise (and a lot of work), you could also try to implement things fully customized with IdentityServer4
I have a Backbone based app, which uses a Spring based backend.
The backend is secured using Spring security's implementation of http basic authentication and the user credentials are passed to the server in each request in accordance to REST.
Is there a secure way to store the credentials in the client?
I have tried several server based approaches, like remember-me feature, but it doesn't work with basic authentication, nor does it fit the definition of REST.
I've used cookies to hold on to user credentials object and that doesn't work too badly for the most part, although it can get a bit messy, and I'm not 100% sure how secure it is.
Store your user authentication in a cookie, and check for it when the router gets initialized. If the data is there, throw your authentication information onto your global application object app.user or something of the like.
I want to create a authorization mechanism for an application based on WebAPI and AngularJs.
I've seen some articles, which use BasicHttpAuthentication, but i really don't like the whole idea of sending username, and password on every request. The more it doesn't fit for me is because i want to use OpenId authentication, where you don't have username/password pair.
I'm thinking about a solution, but I don't really know how to implement it. The concept is that user is authenticated as in an usual Web application - posts a form with user / password or selects an OpenId provider. If the user is authenticated succesfully, it is placed in a static object, which stores the User object for a certain ammount of time. Next a usertoken is generated and passed to the Client Application. The client passes the token on each request to the server, if the user exists in the above mentioned static object with the appropriate authentication token it is authorized to get the data.
Firstly - Do you think this is a good approach to the problem?
Secondly - How should I pass the authentication token, WITHOUT using cookies? I guess it should sit in the request headers, like in BasicHttpAuthentication but, I really dont' know how to handle it.
BasicHttpAuthentication
I'm with you on feeling dirty about caching the username and password on the client and forever transferring it with every request. Another aspect of Basic authentication that might work against you is the lack of sign-off. Other than changing the password, you can't "invalidate" a basic authentication session. Tokens on the other hand, will typically offer an expiration date, and if you want server-side invalidation you can check the issue date and say "any tokens older than issue date xyz are invalid".
Server State
You mention "If the user is authenticated successfully, it is placed in a static object". But this is independent of the token? This sounds like you're wanting to implement server state management of authentication sessions, but this isn't strictly necessary. The token itself should be sufficient for user authentication, managing server state is another potential obstacle. Server state can become difficult to manage when you factor app-pool recycles or web-farm environments (what if you want two services to share the same authentication token, but not require communication with a central "authentication server" for storing the state / session?)
Passing Authentication Token
Headers is definitely a good place for it. Really, where else is there? Cookies, Headers, Message. Other than a browser client, cookies don't make a lot of sense, and including it in the message can muddy your message formatting a bit, so headers is the only remaining option that makes much sense in my view.
Client Implementation
You've not specified, but I suspect you're interested in calling the service from .NET? In which case System.Net.Http.HttpClient could be your friend. In particular, the DefaultRequestHeaders collection. You can use this to add a custom header to store your authentication token.
Server Implementation
When researching ASP.NET authentication recently, I learned a lot about customisation by examining the Mixed Authentication Disposition ASP.NET Module (MADAM). I wasn't interested in using MADAM as-is, but learning about it from that article and examining the source code gave me a lot of ideas of how I could insert my own authentication module into the web stack.