ASP.NET WebAPI Security 4: Examples for various Authentication Scenarios

Posted by Your DisplayName here! on Least Privilege
Published on Wed, 14 Mar 2012 07:55:36 GMT Indexed on 2012/03/18 18:19 UTC

The Thinktecture.IdentityModel.Http repository includes a number of samples for the various authentication scenarios.

All the clients follow a basic pattern:

  1. Acquire client credential (a single token, multiple tokens, username/password).
  2. Call Service.

The service simply enumerates the claims it finds on the request and returns them to the client. I won’t show that part of the code, but rather focus on steps 1 and 2.

Basic Authentication
This is the most basic (pun intended) scenario. My library contains a class that can create the Basic Authentication header value. Simply set username and password and you are good to go.

// Basic credentials are only Base64-encoded on the wire, so call the service over HTTPS.
var client = new HttpClient { BaseAddress = _baseAddress };
client.DefaultRequestHeaders.Authorization =
    new BasicAuthenticationHeaderValue("alice", "alice");

var response = client.GetAsync("identity").Result;
response.EnsureSuccessStatusCode();

SAML Authentication
To integrate a Web API with an existing enterprise identity provider like ADFS, you can use SAML tokens. This is certainly not the most efficient way of calling a “lightweight service” ;) But very useful if that’s what it takes to get the job done.

private static string GetIdentityToken()
{
    // WS-Trust 1.3 request to the identity provider, Windows authentication over transport security.
    var factory = new WSTrustChannelFactory(
        new WindowsWSTrustBinding(SecurityMode.Transport),
        _idpEndpoint);
    factory.TrustVersion = TrustVersion.WSTrust13;

    // Ask for a bearer token scoped to the service's realm.
    var rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        KeyType = KeyTypes.Bearer,
        AppliesTo = new EndpointAddress(Constants.Realm)
    };

    var token = factory.CreateChannel().Issue(rst) as GenericXmlSecurityToken;
    return token.TokenXml.OuterXml;
}

private static Identity CallService(string saml)
{
    // Send the SAML token XML in the Authorization header using the "SAML" scheme.
    var client = new HttpClient { BaseAddress = _baseAddress };
    client.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue("SAML", saml);

    var response = client.GetAsync("identity").Result;
    response.EnsureSuccessStatusCode();

    return response.Content.ReadAsAsync<Identity>().Result;
}

SAML to SWT conversion using the Azure Access Control Service
Another possible option for integrating SAML-based identity providers is to use an intermediary service that converts the SAML token to the more compact SWT (Simple Web Token) format. This way you only need to roundtrip the SAML once and can use the SWT afterwards.

The code for the conversion uses the ACS OAuth2 endpoint. The OAuth2Client class is part of my library.

private static string GetServiceTokenOAuth2(string samlToken)
{
    // Present the SAML token as an assertion at the ACS OAuth2 endpoint and get an SWT back.
    var client = new OAuth2Client(_acsOAuth2Endpoint);
    return client.RequestAccessTokenAssertion(
        samlToken,
        SecurityTokenTypes.Saml2TokenProfile11,
        Constants.Realm).AccessToken;
}

SWT Authentication
When you have an identity provider that directly supports a (simple) web token, you can acquire the token directly without the conversion step. Thinktecture.IdentityServer e.g. supports the OAuth2 resource owner credential profile to issue SWT tokens.

private static string GetIdentityToken()
{
    // OAuth2 resource owner credential profile: username and password in, SWT out.
    var client = new OAuth2Client(_oauth2Address);
    var response = client.RequestAccessTokenUserName("bob", "abc!123", Constants.Realm);

    return response.AccessToken;
}

private static Identity CallService(string swt)
{
    // The SWT is a bearer token: whoever holds it can call the service.
    var client = new HttpClient { BaseAddress = _baseAddress };
    client.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue("Bearer", swt);

    var response = client.GetAsync("identity").Result;
    response.EnsureSuccessStatusCode();

    return response.Content.ReadAsAsync<Identity>().Result;
}
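
What the receiving service has to check before it trusts a bearer SWT like the one sent above, as an added example (not code from this post or from Thinktecture.IdentityModel). It assumes the usual SWT layout (form-encoded pairs ending in an HMACSHA256 signature over the preceding text), a symmetric key shared with the issuer, and .NET 6 or later; the SwtCheck class and the key, issuer and realm values are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class SwtCheck
{
    static string Decode(string s) => Uri.UnescapeDataString(s.Replace("+", " "));

    // Returns the claims when the token is authentic, addressed to us and unexpired; otherwise null.
    public static Dictionary<string, string> Validate(
        string swt, byte[] key, string issuer, string audience, DateTimeOffset now)
    {
        const string marker = "&HMACSHA256=";
        int cut = swt.LastIndexOf(marker, StringComparison.Ordinal);
        if (cut < 0) return null;
        string signed = swt.Substring(0, cut);   // the HMAC covers the raw, still-encoded text
        byte[] expected = HMACSHA256.HashData(key, Encoding.UTF8.GetBytes(signed));
        byte[] actual;
        try { actual = Convert.FromBase64String(Decode(swt.Substring(cut + marker.Length))); }
        catch (FormatException) { return null; }
        if (!CryptographicOperations.FixedTimeEquals(expected, actual)) return null;

        // Parse claims only after the signature has verified; reject malformed or duplicate pairs.
        var claims = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var pair in signed.Split('&'))
        {
            var kv = pair.Split(new[] { '=' }, 2);
            if (kv.Length != 2 || !claims.TryAdd(Decode(kv[0]), Decode(kv[1]))) return null;
        }
        if (!claims.TryGetValue("Issuer", out var iss) || iss != issuer) return null;
        if (!claims.TryGetValue("Audience", out var aud) || aud != audience) return null;
        if (!claims.TryGetValue("ExpiresOn", out var exp) || !long.TryParse(exp, out var secs)
            || secs <= now.ToUnixTimeSeconds()) return null;
        return claims;
    }

    static void Main()
    {
        // Constructed sample values: key, issuer and realm are placeholders, not from the samples.
        var key = Encoding.ASCII.GetBytes("constructed-demo-key");
        string body = "name=bob&Issuer=idp.example&Audience="
                    + Uri.EscapeDataString("https://api.example/") + "&ExpiresOn=4102444800";
        string sig = Convert.ToBase64String(HMACSHA256.HashData(key, Encoding.UTF8.GetBytes(body)));
        string swt = body + "&HMACSHA256=" + Uri.EscapeDataString(sig);
        Func<string, bool> ok = t => Validate(t, key, "idp.example", "https://api.example/", DateTimeOffset.UtcNow) != null;
        Console.WriteLine(ok(swt) + " " + ok(swt.Replace("name=bob", "name=alice")));
    }
}
```

The second call in Main passes a token whose claim was edited after signing, so the two results show the signature check accepting the original and rejecting the altered copy.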

 

So you can see that it’s pretty straightforward to implement various authentication scenarios using WebAPI and my authentication library. Stay tuned for more client samples!

© Least Privilege or respective owner
