ASP.NET WebAPI Security 4: Examples for various Authentication Scenarios
- by Your DisplayName here!
The Thinktecture.IdentityModel.Http repository
includes a number of samples for the various authentication scenarios.
All the clients follow a basic pattern:
Acquire client credential (a single token, multiple tokens, username/password).
Call Service.
The service simply enumerates the claims it finds on the request and returns
them to the client. I won’t show that part of the code, but rather focus on the step
1 and 2.
Basic Authentication
This is the most basic (pun inteneded) scenario. My library contains a class that
can create the Basic Authentication header value. Simply set username and password
and you are good to go.
var client
= new HttpClient {
BaseAddress = _baseAddress };
client.DefaultRequestHeaders.Authorization =
new BasicAuthenticationHeaderValue("alice", "alice");
var response
= client.GetAsync("identity").Result;
response.EnsureSuccessStatusCode();
SAML Authentication
To integrate a Web API with an existing enterprise identity provider like
ADFS, you can use SAML tokens. This is certainly not the most efficient way of calling
a “lightweight service” ;) But very useful if that’s what it takes to get the job
done.
private static string GetIdentityToken()
{
var factory
= new WSTrustChannelFactory(
new WindowsWSTrustBinding(SecurityMode.Transport),
_idpEndpoint);
factory.TrustVersion = TrustVersion.WSTrust13;
var rst
= new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
KeyType = KeyTypes.Bearer,
AppliesTo
= new EndpointAddress(Constants.Realm)
};
var token
= factory.CreateChannel().Issue(rst) as GenericXmlSecurityToken;
return token.TokenXml.OuterXml;
}
private static Identity CallService(string saml)
{
var client
= new HttpClient {
BaseAddress = _baseAddress };
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("SAML",
saml);
var response
= client.GetAsync("identity").Result;
response.EnsureSuccessStatusCode();
return response.Content.ReadAsAsync<Identity>().Result;
}
SAML to SWT conversion using the Azure Access Control Service
Another possible options for integrating SAML based identity providers is
to use an intermediary service that allows converting the SAML token to the more compact
SWT (Simple Web Token) format. This way you only need to roundtrip the SAML once and
can use the SWT afterwards.
The code for the conversion uses the ACS OAuth2 endpoint. The OAuth2Client class is
part of my library.
private static string GetServiceTokenOAuth2(string samlToken)
{
var client
= new OAuth2Client(_acsOAuth2Endpoint);
return client.RequestAccessTokenAssertion(
samlToken,
SecurityTokenTypes.Saml2TokenProfile11,
Constants.Realm).AccessToken;
}
SWT Authentication
When you have an identity provider that directly supports a (simple) web
token, you can acquire the token directly without the conversion step. Thinktecture.IdentityServer e.g.
supports the OAuth2 resource owner credential profile to issue SWT tokens.
private static string GetIdentityToken()
{
var client
= new OAuth2Client(_oauth2Address);
var response
= client.RequestAccessTokenUserName("bob", "abc!123", Constants.Realm);
return response.AccessToken;
}
private static Identity CallService(string swt)
{
var client
= new HttpClient {
BaseAddress = _baseAddress };
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer",
swt);
var response
= client.GetAsync("identity").Result;
response.EnsureSuccessStatusCode();
return response.Content.ReadAsAsync<Identity>().Result;
}
So you can see that it’s pretty straightforward to implement various authentication
scenarios using WebAPI and my authentication library. Stay tuned for more client samples!
