How are bearer tokens stored on the server side in Web API 2?

I am configuring bearer token authentication in Web API 2, and I do not understand how (or where) the bearer token is stored on the server side. Here is the relevant code:

Startup:

    public partial class Startup
    {
        public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }
        public static Func<UserManager<IdentityUser>> UserManagerFactory { get; set; }
        public static string PublicClientId { get; private set; }

        static Startup()
        {
            PublicClientId = "self";
            UserManagerFactory = () => new UserManager<IdentityUser>(new UserStore<IdentityUser>());
            OAuthOptions = new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/Token"),
                Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
                AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
                AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
                AllowInsecureHttp = true
            };
        }

        public void ConfigureAuth(IAppBuilder app)
        {
            // Enable the application to use a cookie to store information for the signed in user
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            // Use a cookie to temporarily store information about a user logging in with a third party login provider
            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
            app.UseOAuthBearerTokens(OAuthOptions);
        }
    }

WebApiConfig:

    public class WebApiConfig
    {
        public static void ConfigureWebApi()
        {
            Register(GlobalConfiguration.Configuration);
        }

        public static void Register(HttpConfiguration http)
        {
            AuthUtil.ConfigureWebApiToUseOnlyBearerTokenAuthentication(http);
            http.Routes.MapHttpRoute("ActionApi", "api/{controller}/{action}", new { action = Actions.Default });
        }
    }

AuthUtil:

    public class AuthUtil
    {
        public static string Token(string email)
        {
            var identity = new ClaimsIdentity(Startup.OAuthOptions.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, email));
            var ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
            var currentUtc = new SystemClock().UtcNow;
            ticket.Properties.IssuedUtc = currentUtc;
            ticket.Properties.ExpiresUtc = currentUtc.Add(TimeSpan.FromMinutes(30));
            var token = Startup.OAuthOptions.AccessTokenFormat.Protect(ticket);
            return token;
        }

        public static void ConfigureWebApiToUseOnlyBearerTokenAuthentication(HttpConfiguration http)
        {
            http.SuppressDefaultHostAuthentication();
            http.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
        }
    }

LoginController:

    public class LoginController : ApiController
    {
        ...
        public HttpResponseMessage Post([FromBody] LoginJson loginJson)
        {
            HttpResponseMessage loginResponse;
            if (/* is valid login */)
            {
                var accessToken = AuthUtil.Token(loginJson.email);
                loginResponse = /* HTTP response including accessToken */;
            }
            else
            {
                loginResponse = /* HTTP response with error */;
            }
            return loginResponse;
        }
    }

Using the code above, I can log in, save the token on the client side in a cookie, and then make calls to the controllers marked with [Login], and it lets me through.

My questions:

  • Where / how is the bearer token stored on the server side? This seems to happen through one of the OWIN calls, but I can't tell where.

  • Can I move bearer tokens into a server-side database so that they persist after the Web API server restarts?

  • If the answer to question 2 is no, is there any way for a client to keep its bearer token and reuse it even after the Web API goes down and comes back? Although this may be rare in production, it happens often with local testing.

+55
authentication asp.net-web-api owin
Jan 13 '14 at 22:01
4 answers
  • They are not stored on the server side - they are issued to the client, and the client presents them on every call. They are verified because they are signed by the owin host security key. On the SystemWeb host, this security key is the machineKey parameter from web.config.

  • This is not necessary, as long as the security key used by the owin host does not change across server reboots.

  • The client can hold the token as long as the token is valid.

+85
Jan 14 '14 at 18:28
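The answer above is the whole story for the default setup: a Katana bearer token is a protected (encrypted and integrity-checked) AuthenticationTicket, and the server keeps no record of it. The following console program is an added example, not code from the question or this answer; it uses the same TicketDataFormat the OAuth authorization server middleware uses for access tokens, but with a DPAPI protector standing in for the host's key (on the SystemWeb host that key is the machineKey from web.config). It issues a token, then shows the two checks the bearer middleware performs on every request: the token must unprotect, and it must not be expired.

```csharp
using System;
using System.Security.Claims;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;

// Added example: a bearer token is self-contained. Nothing is looked up server-side;
// the server only needs the same protection key to unprotect what the client presents.
// Assumed: a stand-alone console app referencing the Microsoft.Owin.Security package.
public static class BearerTokenRoundTrip
{
    // TicketDataFormat over an IDataProtector, as the OAuth server middleware sets up.
    // The app name and purpose strings are arbitrary here; what matters is that
    // Protect and Unprotect share the same protector (and hence the same key).
    static readonly ISecureDataFormat<AuthenticationTicket> TokenFormat =
        new TicketDataFormat(
            new DpapiDataProtectionProvider("ExampleApp").Create("Access_Token", "v1"));

    public static string Issue(string email, TimeSpan lifetime)
    {
        var identity = new ClaimsIdentity("Bearer");
        identity.AddClaim(new Claim(ClaimTypes.Name, email));
        var ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
        var now = DateTimeOffset.UtcNow;
        ticket.Properties.IssuedUtc = now;
        ticket.Properties.ExpiresUtc = now.Add(lifetime);
        return TokenFormat.Protect(ticket); // claims and expiry all live inside this string
    }

    // Mirrors what the bearer middleware does per request:
    // 1) the token must unprotect (integrity intact, right key), 2) it must not be expired.
    public static ClaimsIdentity Validate(string token)
    {
        AuthenticationTicket ticket;
        try { ticket = TokenFormat.Unprotect(token); }
        catch { return null; } // garbled token or a different key
        if (ticket == null) return null;
        if (ticket.Properties.ExpiresUtc.HasValue &&
            ticket.Properties.ExpiresUtc.Value < DateTimeOffset.UtcNow)
            return null; // expired: rejected even though the protection is intact
        return ticket.Identity;
    }

    public static void Main()
    {
        string token = Issue("alice@example.com", TimeSpan.FromMinutes(30)); // constructed sample user
        Console.WriteLine("valid:    " + (Validate(token)?.Name ?? "rejected"));

        // Change one character: the protector's integrity check fails, so no identity.
        char[] chars = token.ToCharArray();
        chars[chars.Length / 2] = chars[chars.Length / 2] == 'A' ? 'B' : 'A';
        Console.WriteLine("modified: " + (Validate(new string(chars))?.Name ?? "rejected"));

        // Already-expired token: unprotects fine but is rejected on the expiry check.
        string stale = Issue("alice@example.com", TimeSpan.FromMinutes(-1));
        Console.WriteLine("expired:  " + (Validate(stale)?.Name ?? "rejected"));
    }
}
```

Because DPAPI keys are per machine and per user, this program illustrates the reboot question too: a token issued by one process validates in another process on the same machine as long as the protection key is unchanged, and fails everywhere else. That is exactly why a web farm or a redeploy needs a fixed machineKey rather than an auto-generated one.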

For those who are looking for how to set this up in web.config, here is an example:

    <system.web>
      <machineKey validation="HMACSHA256"
                  validationKey="64-hex"
                  decryption="AES"
                  decryptionKey="another-64-hex" />
    </system.web>

It requires both validationKey and decryptionKey to work.

And here's how to generate the keys: https://msdn.microsoft.com/en-us/library/ms998288.aspx

+3
Apr 18 '17 at 18:36

To add to this, the token can be stored on the server side using the SessionStore property of CookieAuthenticationOptions. I would not advocate for this, but it is there if your tokens become excessively large.

This is an IAuthenticationSessionStore, so you can implement your own store.

+2
Dec 17 '14 at 11:10
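What such a store looks like, as an added example that is not part of this answer: an in-memory IAuthenticationSessionStore and the one-line change to the question's ConfigureAuth that wires it in. Note that this only affects the cookie middleware; once SessionStore is set, the cookie sent to the browser carries nothing but the store's key and the full ticket stays on the server. It does not change how the bearer tokens issued at /Token work. The ConcurrentDictionary is for illustration and is lost on restart; a store meant to survive restarts would persist the ticket to a database or cache instead.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example: server-side ticket storage for the cookie middleware.
// Assumed: the Microsoft.Owin.Security.Cookies package; the dictionary is a stand-in
// for a real backing store.
public class InMemorySessionStore : IAuthenticationSessionStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets =
        new ConcurrentDictionary<string, AuthenticationTicket>();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // The key is all the client ever receives, so it must be unguessable.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        var key = Convert.ToBase64String(bytes);
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        // Called on sliding expiration: the same key now maps to the refreshed ticket.
        _tickets[key] = ticket;
        return Task.FromResult(0);
    }

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        AuthenticationTicket ticket;
        _tickets.TryGetValue(key, out ticket);
        // null for an unknown key: the middleware then treats the request as unauthenticated.
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        // Sign-out removes the ticket here, so the old cookie is dead even if it is replayed.
        AuthenticationTicket removed;
        _tickets.TryRemove(key, out removed);
        return Task.FromResult(0);
    }

    // Handy for tests and diagnostics: how many live sessions the server is holding.
    public int Count
    {
        get { return _tickets.Count; }
    }
}

public static class CookieSessionStoreWiring
{
    // Replaces app.UseCookieAuthentication(new CookieAuthenticationOptions()) in the
    // question's Startup.ConfigureAuth; the rest of that method stays unchanged.
    public static void ConfigureCookieAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            SessionStore = new InMemorySessionStore()
        });
    }
}
```

The trade-off the answer hints at is visible in the code: the server gains the ability to revoke a session by deleting its entry, but it now has state that must be shared across instances and backed up if sessions are supposed to outlive a restart.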

By default, the token is not stored on the server. Only your client has this and sends it through the authorization header to the server.

If you used the default template provided by Visual Studio, the following IAppBuilder extension is called in the Startup ConfigureAuth method: app.UseOAuthBearerTokens(OAuthOptions).

0
Jun 14 '19 at 10:05