I'm looking for a way to use an existing session ID with the ServiceStack ServerEventsClient. I'd like to use server events, but access will need to be limited to authenticated users.
For JsonServiceClient, I have a method in a library referenced by all of our projects which returns an authenticated JsonServiceClient ready to be used. The purpose is to make development a bit faster by keeping all auth info in one place:
public static JsonServiceClient GetAuthenticatedServiceClient()
{
var ServiceClient = new JsonServiceClient(globals.ApiUrl)
{
RequestFilter = request => request.UserAgent = globals.ClientSoftware.ToString()
};
var CookieQuery = (from c in globals.AuthCookieContainer
where c.Name == "ss-id"
where c.Expires > DateTime.Now
select c);
if (CookieQuery.Count() > 0)
{
ServiceClient.CookieContainer.Add(CookieQuery.FirstOrDefault());
}
else
{
throw new Exceptions.ApiNotAuthenticatedException();
}
return ServiceClient;
}
My question is: Is there a way to implement something similar to the above method for ServerEventsClient? I'm trying to avoid sending an Authenticate request, since I've already got an easy way to get to session information on the client.
The ServerEventsClient.ServiceClient used to maintain the CookieContainer for each ServerEvents request is just a JsonServiceClient so you can access its concrete type with just:
var client = (JsonServiceClient)serverEventsClient.ServiceClient;
So you can take the same approach of transferring cookies between any service client.
The ServerEventsClient.Authenticate literally just makes an Authenticate request on the same ServerEventsClient.ServiceClient instance so it gets populated with the returned cookies from a successful response.
Related
I have .NET Web API Project for the fulfillment API as our webhook in my Dialogflow agent. In our Post method of the controller, after getting the request from Dialogflow, I implement the explicit authentication as shown in the Google Cloud documentation for C#.
//jsonFileName is the name of the serviceAccountKey json generated from the Google Cloud Platform that's encrypted internally
public bool AuthExplicit(string projectId, string jsonFileName)
{
try
{
string JsonCredential = DecryptHelper.Decrypt(jsonFileName);
var credential = GoogleCredential.FromJson(JsonCredential).CreateScoped(LanguageServiceClient.DefaultScopes);
var channel = new Grpc.Core.Channel(
LanguageServiceClient.DefaultEndpoint.ToString(),
credential.ToChannelCredentials());
var client = LanguageServiceClient.Create(channel);
AnalyzeSentiment(client);
if (client != null)
{
return true;
}
else
{
return false;
}
}
internal void AnalyzeSentiment(LanguageServiceClient client)
{
var response = client.AnalyzeSentiment(new Document()
{
Content = "Authenticated.",
Type = Document.Types.Type.PlainText
});
var sentiment = response.DocumentSentiment;
string score = $"Score: {sentiment.Score}";
string magnitude = $"Magnitude: {sentiment.Magnitude}";
}
The difference with the code is that after getting the client, when we call the AnalyzeSentiment() method, it doesn't do anything, and the projectId parameter is never used to authenticate. GCP docs are quite confusing, since when there is an AuthExplicit() that uses projectId, it uses it as a parameter for the buckets and only prints this on the console.
It works fine, until we test the service account key with a different agent. Expected output is that authentication would fail, but somehow it still passes.
Once the Post method goes through the AuthExplicit() method, it would only return a boolean. Is this the right way to authenticate? Or is there something else needed to invoke?
The difference with the code is that after getting the client, when we call the AnalyzeSentiment() method, it doesn't do anything,
Does client.AnalyzeSentiment() return an empty response? Does the call hang forever?
It works fine, until we test the service account key with a different agent.
What is a different agent? A different User-Agent header?
Once the Post method goes through the AuthExplicit() method, it would only return a boolean. Is this the right way to authenticate? Or is there something else needed to invoke?
What does 'the Post method' refer to? What is the 'it' that would only return a boolean?
I have two ServiceStack servers X and Y. Server X has functionality to register and authenticate users. It has RegistrationFeature,CredentialsAuthProvider, MemoryCacheClient and MongoDbAuthRepository features to handle the authentication.
Recently, I introduced server Y and GUI forms that talk to server Y to handle another part of my business domain. Server Y needs to make requests to authenticated endpoints on server X.
How do I configure server Y in such a way that when it gets login requests from the GUI forms, it passes that responsibility to Server X which has access to the user information?
I tried implementing a custom CredentialsAuthProvider in server Y like so:
public override bool TryAuthenticate(IServiceBase authService, string userName, string password)
{
// authenticate through server X
try
{
var client = new JsonServiceClient("http://localhost:8088");
var createRequest = new Authenticate
{
UserName = userName,
Password = password,
provider = Name,
};
var authResponse = client.Post(createRequest);
return true;
}
catch (WebServiceException ex)
{
// "Unauthorized
return false;
}
}
but later when I try to make a request from a service in server Y to an authenticated endpoint in server X, I get Unauthorized error.
public class MyServices2 : Service
{
public object Any(TwoPhase request)
{
try
{
// make a request to server X on an authenticated endpoint
var client = new JsonServiceClient("http://localhost:8088");
var helloRequest = new Hello
{
Name = "user of server Y"
};
var response = client.Post(helloRequest);
return new TwoPhaseResponse { Result = $"Server X says: {response.Result}" };
}
catch (WebServiceException e)
{
Console.WriteLine(e);
throw;
}
}
...
}
This is highly dependent on the method of Authentication you choose. If you want to use CredentialsAuthProvider than you must ensure each Server is configured to use the same distributed Caching Provider instance (i.e. any Caching Provider other than MemoryCacheClient). This is because when you're authenticated, the Session Cookie Ids which point to an Authenticated User Session are populated on the Service Client which is sent with each Request. The ServiceStack Instance that receives the Session Cookie Ids would use it to access the Authenticated User Session in the registered caching provider.
If both ServiceStack Services are configured to use the same Caching Provider you could transfer the Session Cookie from the incoming Request to a new Service Client with something like:
Transferring Session Id
public object Any(ClientRequest request)
{
// make a request to server X on an authenticated endpoint
var session = base.SessionAs<AuthUserSession>();
var client = new JsonServiceClient("http://localhost:8088");
client.SetSessionId(session.Id);
var response = client.Post(new Hello {
Name = "user of server Y"
});
return new TwoPhaseResponse { Result = $"Server X says: {response.Result}" };
}
Transferring BasicAuthProvider Credentials
Otherwise if you're using HTTP Basic Auth with the BasicAuthProvider then the UserName/Password is sent with the Request which you can transfer to your internal Service Client with:
var basicAuth = base.Request.GetBasicAuthUserAndPassword();
client.UserName = basicAuth.Value.Key;
client.Password = basicAuth.Value.Value;
client.AlwaysSendBasicAuthHeader = true;
Which will copy the UserName/Password sent on the incoming request and send it with the outgoing Request. But for this to work both ServiceStack Instances must be configured to use the same BasicAuthProvider and User Auth Repository since the downstream Server needs to be able to validate the UserName/Password provided.
Transferring API Key
Likewise you can use the API Key AuthProvider to do something similar but instead of forwarding UserName/Password you can forward an API Key with:
var apikey = base.Request.GetApiKey();
client.BearerToken = apikey.Id;
Again this will need to be configured with the Same ApiKeyAuthProvider and User Auth Repository as the downstream server will require validating the API Key provided.
Using JWT AuthProvider for Stateless Authentication
Otherwise if you don't want each Server to share the same infrastructure dependencies (e.g. Caching Provider / User Auth Repository) I'd look at consider using the JWT Auth Provider which is ideal for this scenarios where Authenticating with one ServiceStack Instance that issues the the JWT Token encapsulates the Users Session and lets you make authenticated Requests to other ServiceStack instances which just need to have a JwtAuthProviderReader registered.
To transfer the JWT Token you can access it with:
var bearerToken = base.Request.GetBearerToken()
?? base.Request.GetCookieValue(Keywords.TokenCookie);
and populate it on the internal Service Client with:
client.BearerToken = bearerToken;
I was tasked with adding logging via external service (using SAML 2.0) to an MVC app (.Net 4.5) that uses SimpleMembership. To be honest I'm not even sure where to start. From what I found on the internet there are few points to the problem. Most of the materials I found dealt with communication with the SAML identity provider (frequently written from scratch). However before I can reach that point I need to make sure I can actually integrate it with the SimpleMembership which we are using.
I suspect for starters I would need something like SAMLWebSecurity (akin to OAuthWebSecurity which we also use). I have found no such thing* on the internet which makes me believe it does not exist (though I wouldn't mind being wrong here). This makes me believe I would have to write it myself, but can I do that without have to write my own membership provider?
*I'm not sure what would be a correct way to call this static class.
I'd recommend that you upgrade to ASP.NET Identity and the OWIN Based authentication middleware. Then you can use Kentor.AuthServices middleware that works with ASP.NET Identity (except that the XSRF-guard has to be commented out until bug #127 has been resolved).
You could also use the SAML classes from Kentor.AuthServices if you have to stick with SimpleMembership, so that you don't have to implement SAML from scratch.
Disclaimer: I'm the author of Kentor.AuthServices, but since it's open source, I'm not making money on people using it.
After discussing it with a colleague I think I figured out the course of actions. Both OAuthWebSecurity and WebSecurity appear to be a part of SimpleMembership, so what I wrote in the question would indicate I want to write a custom membership or reverse engineer SimpleMembership to copy OAuthWebSecurity (which doesn't sound like a fun activity to have).
My best bet here is hijacking the OAuthWebSecurity, by writing a custom client (one which implements the IAuthenticationClient interface). Normally one registers various OAuth clients using OAuthWebSecurity's built in methods (like RegisterFacebookClient). But it is also possible to register those clients using OAuthWebSecurity.RegisterClient which accepts IAuthenticationClient. This way I should be able to add this SAML login without writing a custom membership provider and keep using SimpleMembership.
I managed to do this. Thankfully the identity provider wasn't extremely complicated so all I had to do was redirect to a certain address (I didn't even need to request assertion). After a successful login, the IDP "redirects" the user using POST to my site with the base64 encoded SAMLResponse attached. So all I had to do was to parse and validate the response. I placed the code for this in my custom client (implementing IAuthenticationClient interface).
public class mySAMLClient : IAuthenticationClient
{
// I store the IDP certificate in App_Data
// This can by actually skipped. See VerifyAuthentication for more details
private static X509Certificate2 certificate = null;
private X509Certificate2 Certificate
{
get
{
if (certificate == null)
{
certificate = new X509Certificate2(Path.Combine(HttpContext.Current.ApplicationInstance.Server.MapPath("~/App_Data"), "idp.cer"));
}
return certificate;
}
}
private string providerName;
public string ProviderName
{
get
{
return providerName;
}
}
public mySAMLClient()
{
// This probably should be provided as a parameter for the constructor, but in my case this is enough
providerName = "mySAML";
}
public void RequestAuthentication(HttpContextBase context, Uri returnUrl)
{
// Normally you would need to request assertion here, but in my case redirecting to certain address was enough
context.Response.Redirect("IDP login address");
}
public AuthenticationResult VerifyAuthentication(HttpContextBase context)
{
// For one reason or another I had to redirect my SAML callback (POST) to my OAUTH callback (GET)
// Since I needed to retain the POST data, I temporarily copied it to session
var response = context.Session["SAMLResponse"].ToString();
context.Session.Remove("SAMLResponse");
if (response == null)
{
throw new Exception("Missing SAML response!");
}
// Decode the response
response = Encoding.UTF8.GetString(Convert.FromBase64String(response));
// Parse the response
var assertion = new XmlDocument { PreserveWhitespace = true };
assertion.LoadXml(response);
//Validating signature based on: http://stackoverflow.com/a/6139044
// adding namespaces
var ns = new XmlNamespaceManager(assertion.NameTable);
ns.AddNamespace("samlp", #"urn:oasis:names:tc:SAML:2.0:protocol");
ns.AddNamespace("saml", #"urn:oasis:names:tc:SAML:2.0:assertion");
ns.AddNamespace("ds", #"http://www.w3.org/2000/09/xmldsig#");
// extracting necessary nodes
var responseNode = assertion.SelectSingleNode("/samlp:Response", ns);
var assertionNode = responseNode.SelectSingleNode("saml:Assertion", ns);
var signNode = responseNode.SelectSingleNode("ds:Signature", ns);
// loading the signature node
var signedXml = new SignedXml(assertion.DocumentElement);
signedXml.LoadXml(signNode as XmlElement);
// You can extract the certificate from the response, but then you would have to check if the issuer is correct
// Here we only check if the signature is valid. Since I have a copy of the certificate, I know who the issuer is
// So if the signature is valid I then it was sent from the right place (probably).
//var certificateNode = signNode.SelectSingleNode(".//ds:X509Certificate", ns);
//var Certificate = new X509Certificate2(System.Text.Encoding.UTF8.GetBytes(certificateNode.InnerText));
// checking signature
bool isSigned = signedXml.CheckSignature(Certificate, true);
if (!isSigned)
{
throw new Exception("Certificate and signature mismatch!");
}
// If you extracted the signature, you would check the issuer here
// Here is the validation of the response
// Some of this might be unnecessary in your case, or might not be enough (especially if you plan to use SAML for more than just SSO)
var statusNode = responseNode.SelectSingleNode("samlp:Status/samlp:StatusCode", ns);
if (statusNode.Attributes["Value"].Value != "urn:oasis:names:tc:SAML:2.0:status:Success")
{
throw new Exception("Incorrect status code!");
}
var conditionsNode = assertionNode.SelectSingleNode("saml:Conditions", ns);
var audienceNode = conditionsNode.SelectSingleNode("//saml:Audience", ns);
if (audienceNode.InnerText != "Name of your app on the IDP")
{
throw new Exception("Incorrect audience!");
}
var startDate = XmlConvert.ToDateTime(conditionsNode.Attributes["NotBefore"].Value, XmlDateTimeSerializationMode.Utc);
var endDate = XmlConvert.ToDateTime(conditionsNode.Attributes["NotOnOrAfter"].Value, XmlDateTimeSerializationMode.Utc);
if (DateTime.UtcNow < startDate || DateTime.UtcNow > endDate)
{
throw new Exception("Conditions are not met!");
}
var fields = new Dictionary<string, string>();
var userId = assertionNode.SelectSingleNode("//saml:NameID", ns).InnerText;
var userName = assertionNode.SelectSingleNode("//saml:Attribute[#Name=\"urn:oid:1.2.840.113549.1.9.1\"]/saml:AttributeValue", ns).InnerText;
// you can also extract some of the other fields in similar fashion
var result = new AuthenticationResult(true, ProviderName, userId, userName, fields);
return result;
}
}
Then I just registered my client in App_Start\AuthConfig.cs using OAuthWebSecurity.RegisterClient and then I could reuse my existing external login code (which was originally made for OAUTH). For various reasons my SAML callback was a different action than my OAUTH callback. The code for this action was more or less this:
[AllowAnonymous]
public ActionResult Saml(string returnUrl)
{
Session["SAMLResponse"] = Request.Form["SAMLResponse"];
return Redirect(Url.Action("ExternalLoginCallback") + "?__provider__=mySAML");
}
Additionally OAuthWebSecurity.VerifyAuthentication didn't work with my client too well, so I had to conditionally run my own verification in the OAUTH callback.
AuthenticationResult result = null;
if (Request.QueryString["__provider__"] == "mySAML")
{
result = new mySAMLClient().VerifyAuthentication(HttpContext);
}
else
{
// use OAuthWebSecurity.VerifyAuthentication
}
This probably all looks very weird and might differ greatly in case of your IDP, but thanks to this I was able to reuse most of the existing code for handling external accounts.
I want to show my user feed on my website and what I intend to do is to authenticate my own user account each time a user visits the page, and in that way buypass that the user have to log in to his instagram account.
My problem is that I'm having a hard time retrieving the instagram access token through a HttpWebRequest..
See the following NON working code sample:
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://api.instagram.com/oauth/authorize?client_id=xxxxxxxxxxxxxxxxxxxxxx&redirect_uri=http://mywebsite.com&response_type=token");
request.Method = "POST";
request.AllowAutoRedirect = false;
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
string redirectUrl = response.ResponseUri.ToString();
HttpContext.Current.Response.Write(redirectUrl);
HttpContext.Current.Response.End();
If I paste the url in my browser I get a redirect to http://mysite.com/#access_token=xxxxxxxxxxxxxx and everything seems fine, but when I try to execute the code above, I can't retrieve the correct uri due to some in between redirects before the final url.
Any help would be much appriciated..
I recommend you to use Instasharp library. InstaSharp is a C# library that wraps the Instagram API and makes it easy to write applications with Instagram data. It has a very easy method to get access token for a user. Check its API.
Unfortunately the documentation for Instasharp currently provided has a few errors. I.e. The documentation says OAuthInfo, when such a class does not exist.
Here is some code that works for me.
Notice you don't seem to need to pass a User Object at all (not sure why you would need to anyway)
Also note, that the authenticated and non authenticated methods allow you pass different params, count being the most important one. I've noticed that regardless of the count you pass, an arbitrary number of results is returned, e.g. 33 for authenticated and 13 for authenticated for the same search term. InstagramResult is my wrapper class for the object and Config holds the InstagramAuthorisationModel and InstagramAuthorisationModel holds the static keys created when signing up for a developer account.
public class InstagramService : IInstagramService
...
public InstagramConfig Config
{
get{return new InstagramConfig("https://api.instagram.com/v1", "https://api.instagram.com/oauth", InstagramAuthorisationModel.ApplicationId, InstagramAuthorisationModel.Secret, InstagramAuthorisationModel.RedirectUri);}
}
private AuthInfo UserAuthInfo()
{
return new AuthInfo()
{
// User =new UserInfo(){},
Access_Token = GetInstagramAccessToken()
};
}
public string GetInstagramAccessToken()
{
return _socialMediaRepository.GetInstagramAccessToken(_userApiKey);
}
public List<InstagramResult> Search(string searchTag, int count)
{
var auth = UserAuthInfo();
var tags = new InstaSharp.Endpoints.Tags.Authenticated(Config, auth);
var searchresult = tags.Recent(searchTag);
return searchresult.Data.Select(media => new InstagramResult()
{
Media = media,
image = media.Images.LowResolution.Url
})
.ToList();
}
..
Here is how my system is set up:
A web service using ASP.Net web service
The web service has a web method with EnableSession=true
A client which refers to the web service using "Service References" (note: not "Web References")
The app.config of the client has allowCookies=true
On the client side, I have the following code to upload a file to the service
bool res = service.InitiateUpload();
if (res) {
do {
read = stream.Read(buffer, 0, BLOCK_SIZE);
if (read == BLOCK_SIZE)
res = res && service.AppendUpload(buffer);
else if (read > 0)
// other call to AppendUpload, after buffer manipulation
On the server side, I have code that checks if the session id from the call to InitiateUpload is the same as AppendUpload.
[WebMethod(EnableSession=true)]
public bool InitiateUpload() {
lock (theLock) {
if (IsImportGoingOn)
return false;
theImportDataState = new ImportDataState(Session.SessionID);
}
return true;
}
[WebMethod(EnableSession=true)]
public bool AppendUpload(byte[] data) {
lock (theLock) {
if (!IsImportGoingOn)
return false;
if (theImportDataState.session != Session.SessionID)
return false;
theImportDataState.buffer.AddRange(data);
return true;
}
}
The call to AppendUpload returns false, because of the mismatching session ids. Why is that?
As far as I can see, I have the right attributes for the web method, the client has the correct config, and the same instance of the proxy is used. Am I missing something?
The trick is you need to make the service client aware it should care about cookies -- it doesn't by default.
Perhaps a better method would be for the service to pass back a transaction ID the client could use to reference the upload in the future. It would be cleaner in the long run and probably be less work than making the client work with cookies and therefore sessions.
You have to use CookieContainer to retain the session.
private System.Net.CookieContainer CK = new System.Net.CookieContainer();
Then just use this as your service object's CookieContainer.