How do I get claims included in my AuthTicket in a web API authentication service?

I have a web API with an auth service for a WPF client configured as follows:

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            config.SuppressDefaultHostAuthentication();
            config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
            ...
        }
    }

and

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            ...
            OAuthOptions = new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/Token"),
                Provider = new ApplicationOAuthProvider(PublicClientId),
                ApplicationCanDisplayErrors = true,
                AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
                AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
                AllowInsecureHttp = true, // TODO Make false to deploy
            };
            app.UseOAuthAuthorizationServer(OAuthOptions);
        }
    }

I only use the /Token endpoint so far, because it at least provides me with a bearer token. The ticket that I receive upon successful authentication has issuance and expiration dates, a bearer token and my username.

How do I get the user's claims (and possibly roles)? Is there something I can do here, or do I have to request them via the API after authorization and populate them, together with the auth ticket, into something like a Principal object for the WPF client?

Can I include some Identity components in the WPF application to help with extracting the claims from the token, and are there any suggestions on how I should do this?

+5
2 answers

I think it is quite dangerous to let the client decrypt the token. If they can do this, an attacker can change the token and the claims inside it. If you do not check the validity of the claims (possibly because they are provided by a third party), this can lead to privilege escalation and compromise of your application.

If the client application needs the claims, perhaps for laying out the user interface, you can provide them separately from the token. One way to do this is with an ActionFilterAttribute that writes the claims into a custom HTTP header. If claims are faked here, this only affects the client, since you will check the protected claims inside the token before processing any request.

    using System;
    using System.Linq;
    using System.Security.Claims;
    using System.Web.Http.Filters;

    public class AddClaimsAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuted(HttpActionExecutedContext actionExecutedContext)
        {
            var principal = actionExecutedContext.ActionContext.RequestContext.Principal as ClaimsPrincipal;
            // Response is null when the action threw, so guard both
            if (principal != null && actionExecutedContext.Response != null)
            {
                var claims = principal.Claims.Select(x => x.Type + ":" + x.Value).ToList();
                // Custom headers go on Response.Headers; Content.Headers only accepts content headers
                actionExecutedContext.Response.Headers.Add("Claims", String.Join(",", claims));
            }
        }
    }

Then your client simply needs to read this header and parse it.

This is a basic example; you could format it as JSON instead, or add a series of custom headers such as "IsAdmin", "IsEditingUser", etc.

Since this is a filter, you can apply it globally to every request, to every action on a controller, or to a specific action as necessary.

+3
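As an added example (not code from either answer), here is a fuller version of the header approach: a server-side filter that base64url-encodes each claim type and value before writing them into a custom header, so that commas, "=" signs or non-ASCII inside a claim value cannot break the parsing, and the client-side routine a WPF app would use to turn that header back into a ClaimsPrincipal for UI decisions only. The header name X-User-Claims, the class names and the encoding scheme are assumptions; server and client are shown in one listing for brevity but would live in different projects.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Security.Claims;
using System.Text;
using System.Web.Http.Filters;

// SERVER SIDE (Web API). Emits the authenticated principal's claims in a response
// header. These copies are advisory: the API keeps authorizing every request
// against the claims inside the bearer token, never against this header.
public class AddClaimsHeaderAttribute : ActionFilterAttribute
{
    public const string HeaderName = "X-User-Claims"; // assumed header name

    public override void OnActionExecuted(HttpActionExecutedContext ctx)
    {
        var principal = ctx.ActionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal == null || principal.Identity == null ||
            !principal.Identity.IsAuthenticated || ctx.Response == null)
            return; // anonymous request, or the action threw: nothing to add

        // "type=value" pairs, both halves base64url (no ',' or '=' in that alphabet),
        // joined with ',' so the client can split safely.
        var encoded = principal.Claims.Select(c => Base64Url(c.Type) + "=" + Base64Url(c.Value));
        ctx.Response.Headers.Add(HeaderName, string.Join(",", encoded));
    }

    internal static string Base64Url(string s)
    {
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
}

// CLIENT SIDE (WPF). Rebuilds a ClaimsPrincipal from the header so the UI can
// ask principal.IsInRole("Admin") etc. The server never trusts this object.
public static class ClaimsHeaderClient
{
    public static ClaimsPrincipal FromHeader(HttpResponseMessage response)
    {
        IEnumerable<string> values;
        if (!response.Headers.TryGetValues(AddClaimsHeaderAttribute.HeaderName, out values))
            return new ClaimsPrincipal(new ClaimsIdentity()); // no header: anonymous principal

        var claims = new List<Claim>();
        var items = string.Join(",", values).Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (var item in items)
        {
            var eq = item.IndexOf('=');
            if (eq <= 0) continue; // malformed entry: skip it rather than fail the whole header
            claims.Add(new Claim(FromBase64Url(item.Substring(0, eq)),
                                 FromBase64Url(item.Substring(eq + 1))));
        }
        // Authentication type is just a label on the client; ClaimTypes.Name / Role
        // claims make identity.Name and IsInRole work out of the box.
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer"));
    }

    private static string FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4) { case 2: s += "=="; break; case 3: s += "="; break; }
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }
}
```

In the WPF client, call ClaimsHeaderClient.FromHeader on the response of any authenticated request (for example the first call after obtaining the token) and, if you want, assign the result to Thread.CurrentPrincipal; a tampered or missing header only changes what the UI shows, because the API still decides authorization from the protected ticket.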

You can achieve this easily by adding the user's roles to the token response. To do this, update the CreateProperties method in the ApplicationOAuthProvider.cs class:

    using System.Collections.Generic;
    using System.Linq;
    using Microsoft.Owin.Security;

    public static AuthenticationProperties CreateProperties(User user)
    {
        // get only role ids
        // to do: retrieve user role names
        var roles = string.Join(",", user.Roles.Select(t => t.RoleId).ToArray());
        // expose phone in response
        var phone = user.PhoneNumber;
        IDictionary<string, string> data = new Dictionary<string, string>
        {
            { "userName", user.UserName },
            { "userId", user.Id },
            { "roles", roles },
            { "phone", phone }
        };
        return new AuthenticationProperties(data);
    }

In the Postman response you can see 3 new properties: userId, roles and phone. Be careful with null values when you add new properties.


+2
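As an added example (not the answer's code, and not the template as shipped), the following ApplicationOAuthProvider does two separate things that the answer's snippet runs together: it puts the user's role names into the protected identity, so that [Authorize(Roles = "...")] on the API works from the token itself, and it exposes role names and phone in the token response JSON through CreateProperties and TokenEndpoint for the WPF client's convenience. It assumes the ApplicationUser and ApplicationUserManager classes from the Visual Studio Web API template with ASP.NET Identity 2; the "?? string.Empty" on phone is there because a null property value fails when the ticket's properties are serialized (BinaryWriter rejects null strings), which is the null-value pitfall the answer warns about.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

// Assumed: ApplicationUser / ApplicationUserManager from the Web API template.
public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    private readonly string _publicClientId;

    public ApplicationOAuthProvider(string publicClientId)
    {
        if (publicClientId == null) throw new ArgumentNullException("publicClientId");
        _publicClientId = publicClientId;
    }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Public client (the WPF app) has no client secret; nothing to verify here.
        if (context.ClientId == null) context.Validated();
        return Task.FromResult<object>(null);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        var user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            // One message for unknown user and wrong password: no user enumeration.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        IList<string> roles = await userManager.GetRolesAsync(user.Id); // role names, not ids

        // Claims in this identity travel inside the access token, protected by the
        // OWIN data protector; they are what [Authorize] and User.IsInRole evaluate.
        var identity = new ClaimsIdentity(OAuthDefaults.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));
        identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
        identity.AddClaims(roles.Select(r => new Claim(ClaimTypes.Role, r)));

        // Properties are stored with the ticket but are NOT claims; TokenEndpoint
        // below copies them into the JSON body of the /Token response.
        context.Validated(new AuthenticationTicket(identity, CreateProperties(user, roles)));
    }

    public override Task TokenEndpoint(OAuthTokenEndpointContext context)
    {
        foreach (KeyValuePair<string, string> property in context.Properties.Dictionary)
            context.AdditionalResponseParameters.Add(property.Key, property.Value);
        return Task.FromResult<object>(null);
    }

    public static AuthenticationProperties CreateProperties(ApplicationUser user, IEnumerable<string> roles)
    {
        var data = new Dictionary<string, string>
        {
            { "userName", user.UserName },
            { "userId", user.Id },
            { "roles", string.Join(",", roles) },
            // Never put null into the dictionary: ticket serialization would throw.
            { "phone", user.PhoneNumber ?? string.Empty }
        };
        return new AuthenticationProperties(data);
    }
}
```

The WPF client can deserialize userName, userId, roles and phone from the /Token JSON alongside access_token and keep them for its own UI, but they are only a convenience copy: if the client edits "roles" in that JSON nothing changes server-side, because the API reads roles from the claims sealed inside the token.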

Source: https://habr.com/ru/post/1259774/
