I am validating a token stored on cookies, so I created a class
public class VIEWAuthorizeAttribute : AuthorizeAttribute
then I overrode the OnAuthorization class
public override void OnAuthorization(AuthorizationContext filterContext)
{
var cookie = filterContext.HttpContext.Request.Cookies.Get("Profile"); //This is working
if (cookie != null && IsValidToken(cookie["Token"]))
{
return;
}
HandleUnauthorizedRequest(filterContext);
}
That works fine for MVC Controllers, but when I try to do something similar for web api controller, I am not able to get the cookies from the request.
public override void OnAuthorization(HttpActionContext actionContext)
{
var foo = actionContext.Request.Headers.Cookies; //that is not working
if (Authorize(actionContext))
{
return;
}
HandleUnauthorizedRequest(actionContext);
}
actionContext.Request.Headers does not have a method Cookies, I also tried with actionContext.Request.Headers.GetCookies("Bar") like this answer, but Header does not have that GetCookies method.
Any idea?
string Authentication = string.Empty;
if (actionContext.Request.Headers.Contains("Cookie_Phone"))
{
Authentication = actionContext.Request.Headers.GetValues("Cookie_Phone")?.FirstOrDefault();
}
To use this extension method the namespace System.Net.Http is needed.
Also, pay attention on the GetCookies(string name) is an extension method that returns any cookie header present in the request that contain a cookie state whose name that matches the specified value. It returns a CookieHeaderValue that contains a collection of CookieValueCollection instances. So you need extra enumeration to get a CookieState by name that contains a value.
Here is the valid code:
public async Task AuthenticateAsync(
HttpAuthenticationContext context,
CancellationToken cancellationToken)
{
var request = context.Request;
var token = request.Headers
.GetCookies("token").FirstOrDefault()
?.Cookies.FirstOrDefault(x=>x.Name == "token")
?.Value;
if (string.IsNullOrEmpty(token))
{
context.ErrorResult = new AuthenticationFailureResult(
"The token is missing.",
request);
return;
}
var principal = await SomeAuthentication(token);
if (principal == null)
{
context.ErrorResult = new AuthenticationFailureResult(
"The principal has not been resolved.",
request);
return;
}
context.Principal = principal;
}
Related
We have an IAuthorizationFilter and we can use it to authorize requests.
But there is one problem with it. I have to support multiple authorization filters, e.g.:
BearerTokenAuthorizationFilter
ApiKeyAuthorizationFilter
I would get behavior like this:
Firstly, BearerTokenAuthorizationFilter checks if authorization header starts with Bearer. If not, then if another authorization filter is applicable for current action, then let's run this another authorization filter. If there's no, then return an "HTTP 401 Unauthorized" error.
And the same with ApiKeyAuthorizationFilter. At the start, it checks if authorization header starts with Basic. If not, checks if another authorization filter exists and if yes then run it. Otherwise, return "HTTP 401 Unauthorized" error.
And to prevent infinite loop we need somehow store information that specific authorization filter was already performed.
It's easy to do in AuthenticationHandler. We can return AuthenticateResult.NoResult() when specific AuthenticationHandler is not applicable to handle this requests and another will run. If all were performed, then return 401 Unauthorized.
So I would have similar mechanism as exists for AuthenticationHandler (AuthenticateResult.NoResult()). How can I achieve this using AuthorizationFilter?
I think for your requirement,there should be three filters
Scheme Filter -Check if the auth scheme is correct ,if not correct,return fail
BearerTokenAuthorizationFilter -if the scheme is "Bearer",If yes then check the claims from the string ,return fail if claims are not correct
ApiKeyAuthorizationFilter -if the scheme is "Basic",If yes then check the user /Password from the string return fail if user /Password are not correct
I tried as below:
public class SchemeFilter : IAuthorizationFilter
{
private readonly string[] Schemes = new string[] { "Bearer", "Basic"};
private bool exist { get; set; }=false;
public void OnAuthorization(AuthorizationFilterContext context)
{
if (context.HttpContext.Request.Headers.ContainsKey("Authorization"))
{
var str = context.HttpContext.Request.Headers["Authorization"].ToString();
foreach (var scheme in Schemes)
{
exist=str.StartsWith(scheme);
if (exist)
{
break;
}
}
}
if (!exist)
{
context.Result = new UnauthorizedResult();
}
}
}
public class BasicFilter : IAuthorizationFilter
{
private readonly string Scheme = "Basic";
public void OnAuthorization(AuthorizationFilterContext context)
{
var check=context.HttpContext.Request.Headers.TryGetValue("Authorization", out var value);
if ( value[0].StartsWith(Scheme))
{
var basicstr = value[0];
//modify the logical here yourself
if (basicstr != "Basic expectedbasicstr")
{
context.Result = new UnauthorizedResult();
}
}
}
}
public class BearerFilter : IAuthorizationFilter
{
private readonly string Scheme = "Bearer";
public void OnAuthorization(AuthorizationFilterContext context)
{
var check = context.HttpContext.Request.Headers.TryGetValue("Authorization", out var value);
if ( value[0].StartsWith(Scheme))
{
var bearerstr = value[0];
//modify the logical here yourself
if (bearerstr != "Bearer expectedbearerstr")
{
context.Result = new UnauthorizedResult();
}
}
}
}
The result:
Multiple AuthorizeAttribute instances are processed by MVC as if they were joined with AND. If you want an OR behaviour you will need to implement your own logic for checks. Preferably implement AuthAttribute
There are two ways
Create custom Auth filter to implement your logic (Recommended)
Make your main endpoint receives the request, extract the type and redirect it to respective action for the type of authentication. So now you can look into headers and route to proper auth filter.
i think you can do a Policy based Authorization. So for this, you have to write a custom policy. you can check for multiple cases within a single policy
its explained here
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/iauthorizationpolicyprovider?view=aspnetcore-7.0
i have done a similar thing using custom policies like below
public sealed class CompanyAccessRequirementHandler : AuthorizationHandler<CompanyAccessRequirement>
{
private readonly ILoggedInUserService _loggedInUserService;
private readonly IUserSecurityRespository _userSecurityRespository;
public CompanyAccessRequirementHandler(ILoggedInUserService loggedInUserService, IUserSecurityRespository userSecurityRespository)
{
_loggedInUserService = loggedInUserService;
_userSecurityRespository = userSecurityRespository;
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, CompanyAccessRequirement requirement)
{
if (context.User.Identity!.IsAuthenticated is false)
{
context.Fail();
return;
}
var userEmail = _loggedInUserService.UserEmail;
if (userEmail is null)
{
context.Fail();
return;
}
var user = await _userSecurityRespository.GetUser(context.User);
if (user is null)
{
context.Fail();
return;
}
var isSuperAdmin = _loggedInUserService.UserId == AppConstants.SuperAdmin.SuperUserId.ToString();
if (isSuperAdmin)
{
context.Succeed(requirement);
return;
}
var hasAccessToCompany = await _userSecurityRespository.HasAccessToCompanies(user.Id, _loggedInUserService.CompanyIds);
if (hasAccessToCompany)
{
context.Succeed(requirement);
return;
}
else
{
context.Fail();
}
}
Here is my code. I have written login to validate the token, for valid token return user object. but unable to find way to make it available across controllers.
I don't want to use Identity.
public class CustomAuthorize : AuthorizeAttribute
{
private const string AUTH_TOKEN = "AuthToken";
public override Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
{
AllowAnonymousAttribute allowAnonymousAttribute = actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().FirstOrDefault();
if (allowAnonymousAttribute != null)
{
return Task.FromResult<object>(null);
}
if (actionContext.Request.Headers.Contains(AUTH_TOKEN))
{
var authToken = actionContext.Request.Headers.GetValues(AUTH_TOKEN).First();
var user = Utility.GetUserByToken(authToken);
if (user != null)
{
//
// how to make this `user` object available across the controllers
//
return Task.FromResult<object>(null);
}
else
{
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, new CustomError() { Code = 100, Message = "Invalid Access Token" });
return Task.FromResult<object>(null);
}
}
else
{
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, new CustomError() { Code = 100, Message = "Invalid Access Token" });
return Task.FromResult<object>(null);
}
}
}
Please help...
Your Question is a bit unclear - I assume you are referring to this line:
var user = Utility.GetUserByToken(authToken);
If so, then I might have a solution. So the fundamental problem is that you cannot simply save this variable where you currently are in the current controller, you need to understand the context you are working in - Every time a different user makes a request a different user models get created in the current controller. To have access to the user model across my app whenever a user makes a request, I do the following:
First you need to hook into the request receiving process of ASP.NET. This can be done inside the Global.asax.cs file, but I prefer to keep it clean and create a PartialGlobal class and mark the Global.asax.cs as partial.
From
public class MvcApplication : System.Web.HttpApplication
To
public partial class MvcApplication : System.Web.HttpApplication
Then create the PartialGlobal Class:
public partial class MvcApplication
{
protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
{
var request = HttpContext.Current.Request;
var authHeader = request.Headers["Authorization"];
//For API users
if (authHeader != null)
{
var authHeaderVal = AuthenticationHeaderValue.Parse(authHeader);
if (authHeaderVal.Scheme.Equals("Basic", StringComparison.OrdinalIgnoreCase))
{
if (!string.IsNullOrEmpty(authHeaderVal.Parameter))
{
AuthenticateUser(authHeaderVal.Parameter);
}
}
}
//For Regular Website Users
else
{
HttpCookie authCookie = request.Cookies[FormsAuthentication.FormsCookieName];
if (authCookie != null)
{
//Extract the forms authentication cookie
FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
// If caching userData field then extract
var userModel = UsersBLL.DeserializeObject(authTicket.UserData);
var principal = new UserPrincipal(userModel);
SetPrincipal(principal);
}
}
}
private static bool AuthenticateUser(string credentials)
{
var model = UsersBLL.DecryptToken(credentials);
if (!model.RefUser.HasValue)
{
return false;
}
SetPrincipal(new UserPrincipal(model));
return true;
}
private static void SetPrincipal(UserPrincipal principal)
{
Thread.CurrentPrincipal = principal;
if (HttpContext.Current != null)
{
HttpContext.Current.User = principal;
}
}
}
The UserPrincipal Class:
public class UserPrincipal : IPrincipal
{
public IIdentity Identity { get; private set; }
//Just a class with details like name,age etc.
public UserModel Model { get; set; }
public UserPrincipal(UserModel model)
{
this.Model = model;
this.Identity = new GenericIdentity(model.Email);
}
}
Note the line in the PartialGLobal class: var model = UsersBLL.DecryptToken(credentials);. Here I simply use a method I created to de-crypt my token string so it can be deserialized, you probably won't have/need this.
The essential part is this last step of the PartialGlobal class:
private static void SetPrincipal(UserPrincipal principal)
{
Thread.CurrentPrincipal = principal;
if (HttpContext.Current != null)
{
HttpContext.Current.User = principal;
}
}
If you have the context know about your user, you can access it anywhere by simply calling:
var principal = (UserPrincipal)HttpContext.Current.User;
One way is to Extend the ApiController which is what your controllers are using as the base class.
Define a CustomController
public class CustomController : ApiController
{
projected User _user;
}
For all the other controller use this as a base class and the _user object should be accessible from all the controllers.
I have an ASP.NET Web API 2 application that uses Windows Authentication for all the controllers. I have a need now for some controllers to use Basic Authentication.
I know it is not possible to enable both Anonymous and Windows Authentications, but is it possible to enable Windows Authentication for some controllers and Basic Authentication for some others?
UPDATE:
Implemented a filter as shown on the article EdSF shared
Here is what I have so far:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class BasicAuthenticationFilter : AuthorizationFilterAttribute
{
private bool _active = true;
private const string ValidUsername = #"Test";
private const string ValidPassword = #"T3st";
public BasicAuthenticationFilter()
{
}
public BasicAuthenticationFilter(bool active)
{
_active = active;
}
public override void OnAuthorization(HttpActionContext actionContext)
{
if (_active)
{
var identity = ParseAuthorizationHeader(actionContext);
if (identity == null)
{
Challenge(actionContext);
return;
}
if (!OnAuthorizeUser(identity.Name, identity.Password, actionContext))
{
Challenge(actionContext);
return;
}
var principal = new GenericPrincipal(identity, null);
Thread.CurrentPrincipal = principal;
if (HttpContext.Current != null)
{
HttpContext.Current.User = principal;
}
base.OnAuthorization(actionContext);
}
}
protected virtual bool OnAuthorizeUser(string username, string password, HttpActionContext actionContext)
{
if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(password) ||
!username.Equals(ValidUsername) || !password.Equals(ValidPassword))
{
return false;
}
return true;
}
protected virtual BasicAuthenticationIdentity ParseAuthorizationHeader(HttpActionContext actionContext)
{
string authHeader = null;
var auth = actionContext.Request.Headers.Authorization;
if (auth != null && auth.Scheme == "Basic")
{
authHeader = auth.Parameter;
}
if (string.IsNullOrEmpty(authHeader)) return null;
authHeader = Encoding.Default.GetString(Convert.FromBase64String(authHeader));
var tokens = authHeader.Split(':');
if (tokens.Length < 2) return null;
return new BasicAuthenticationIdentity(tokens[0], tokens[1]);
}
private void Challenge(HttpActionContext actionContext)
{
var host = actionContext.Request.RequestUri.DnsSafeHost;
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
actionContext.Response.Headers.Add("WWW-Authenticate", string.Format("Basic realm=\"{0}\"", host));
}
}
BasicAuthenticationIdentity Class:
public class BasicAuthenticationIdentity : GenericIdentity
{
public BasicAuthenticationIdentity(string name, string password)
: base(name, "Basic")
{
Password = password;
}
public string Password { get; set; }
}
Also, decorated my controller with the Basic Authentication Filter:
[BasicAuthenticationFilter]
[RoutePrefix("api/BasicAuth")]
public class BasicAuthController : ApiController
{
//[BasicAuthenticationFilter]
[HttpGet]
public IHttpActionResult TestBasicAuth()
{
return Ok("success");
}
}
When I make a call to api/BasicAuth from Fiddler I got back 401, but it only returns the following challenges:
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
At this point Fiddler tries it again but this time instead of passing Basic Authorization Scheme, it passes Negotiate. This one fails also.
Then, when Fiddler finally tries the third time, my filter actually gets the request, but since authorization scheme is Negotiate instead of Basic, my filter returns Unauthorized also.
Is there a way to force the controller to just use the BasicAuthenticationFilter?
Thanks in advance
You can - because BASIC AUTH credentials are sent in HTTP Headers (base64 encoded only). You don't have to "enable" anything at the application level and handle HTTP requests to your API endpoints "manually" (by inspecting headers).
e.g. Basic Auth Header: Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
See this example that creates an AuthorizationFilter that can be applied to Controller or Action, or even globally if needed...
Hth.
I am using MVC 4 Web Api and I want the users to be authenticated, before using my service.
I have implemented an authorization message handler, that works just fine.
public class AuthorizationHandler : DelegatingHandler
{
private readonly AuthenticationService _authenticationService = new AuthenticationService();
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
IEnumerable<string> apiKeyHeaderValues = null;
if (request.Headers.TryGetValues("X-ApiKey", out apiKeyHeaderValues))
{
var apiKeyHeaderValue = apiKeyHeaderValues.First();
// ... your authentication logic here ...
var user = _authenticationService.GetUserByKey(new Guid(apiKeyHeaderValue));
if (user != null)
{
var userId = user.Id;
var userIdClaim = new Claim(ClaimTypes.SerialNumber, userId.ToString());
var identity = new ClaimsIdentity(new[] { userIdClaim }, "ApiKey");
var principal = new ClaimsPrincipal(identity);
Thread.CurrentPrincipal = principal;
}
}
return base.SendAsync(request, cancellationToken);
}
}
The problem is, that I use forms authentication.
[HttpPost]
public ActionResult Login(UserModel model)
{
if (ModelState.IsValid)
{
var user = _authenticationService.Login(model);
if (user != null)
{
// Add the api key to the HttpResponse???
}
return View(model);
}
return View(model);
}
When I call my api:
[Authorize]
public class TestController : ApiController
{
public string GetLists()
{
return "Weee";
}
}
The handler can not find the X-ApiKey header.
Is there a way to add the user's api key to the http response header and to keep the key there, as long as the user is logged in?
Is there another way to implement this functionality?
I found the following article http://www.asp.net/web-api/overview/working-with-http/http-cookies
Using it I configured my AuthorizationHandler to use cookies:
public class AuthorizationHandler : DelegatingHandler
{
private readonly IAuthenticationService _authenticationService = new AuthenticationService();
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
var cookie = request.Headers.GetCookies(Constants.ApiKey).FirstOrDefault();
if (cookie != null)
{
var apiKey = cookie[Constants.ApiKey].Value;
try
{
var guidKey = Guid.Parse(apiKey);
var user = _authenticationService.GetUserByKey(guidKey);
if (user != null)
{
var userIdClaim = new Claim(ClaimTypes.Name, apiKey);
var identity = new ClaimsIdentity(new[] { userIdClaim }, "ApiKey");
var principal = new ClaimsPrincipal(identity);
Thread.CurrentPrincipal = principal;
}
}
catch (FormatException)
{
}
}
return base.SendAsync(request, cancellationToken);
}
}
I configured my Login action result:
[HttpPost]
public ActionResult Login(LoginModel model)
{
if (ModelState.IsValid)
{
var user = _authenticationService.Login(model);
if (user != null)
{
_cookieHelper.SetCookie(user);
return RedirectToAction("Index", "Home");
}
ModelState.AddModelError("", "Incorrect username or password");
return View(model);
}
return View(model);
}
Inside it I am using the CookieHelper, that I created. It consists of an interface:
public interface ICookieHelper
{
void SetCookie(User user);
void RemoveCookie();
Guid GetUserId();
}
And a class that implements the interface:
public class CookieHelper : ICookieHelper
{
private readonly HttpContextBase _httpContext;
public CookieHelper(HttpContextBase httpContext)
{
_httpContext = httpContext;
}
public void SetCookie(User user)
{
var cookie = new HttpCookie(Constants.ApiKey, user.UserId.ToString())
{
Expires = DateTime.UtcNow.AddDays(1)
};
_httpContext.Response.Cookies.Add(cookie);
}
public void RemoveCookie()
{
var cookie = _httpContext.Response.Cookies[Constants.ApiKey];
if (cookie != null)
{
cookie.Expires = DateTime.UtcNow.AddDays(-1);
_httpContext.Response.Cookies.Add(cookie);
}
}
public Guid GetUserId()
{
var cookie = _httpContext.Request.Cookies[Constants.ApiKey];
if (cookie != null && cookie.Value != null)
{
return Guid.Parse(cookie.Value);
}
return Guid.Empty;
}
}
By having this configuration, now I can use the Authorize attribute for my ApiControllers:
[Authorize]
public class TestController : ApiController
{
public string Get()
{
return String.Empty;
}
}
This means, that if the user is not logged in. He can not access my api and recieves a 401 error. Also I can retrieve the api key, which I use as a user ID, anywhere in my code, which makes it very clean and readable.
I do not think that using cookies is the best solution, as some user may have disabled them in their browser, but at the moment I have not found a better way to do the authorization.
From your code samples it doesn't seem like you're using Web Forms. Might you be using Forms Authentication? Are you using the Membership Provider inside your service to validate user credentials?
You can use the HttpClient class and maybe its property DefaultRequestHeaders or an HttpRequestMessage from the code that will be calling the API to set the headers.
Here there are some examples of HttpClient:
http://www.asp.net/web-api/overview/web-api-clients/calling-a-web-api-from-a-net-client
I've implemented my own Authorize attribute, and I notice that it queries to check permissions when I use [Authorize].
Is there any way I can get that permission and use it in the current controller that applies the Authorize attribute without having to rewrite and requery the code in the controller?
Yes, you can. If you implemented your Authorize attribute as an ActionFilterAttribute you can use the ViewData collection to store information like this :
public class RequireRegistrationActionFilter : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
HttpRequestBase request = filterContext.HttpContext.Request;
HttpResponseBase response = filterContext.HttpContext.Response;
if (request != null &&
response != null)
{
bool isAuthenticated = request.IsAuthenticated;
filterContext.Controller.ViewData["IsAuthenticated"] = isAuthenticated;
if (!isAuthenticated)
{
string url = String.Format(
"/?ReturnUrl={0}",
HttpUtility.UrlEncode(request.Url.ToString()));
response.Redirect(url);
}
}
}
}
In the anoteated controller's acrion you can access the field with:
bool isAuthenticated = (bool)(ViewData["IsAuthenticated"] ?? false);