Giters

RodrigoPereyraDiaz / aspnet-authentication-simpletoken

Middleware that allows to extract token from authenticated requests, delegate it to an appropriated ISecurityTokenValidator and generate and AuthenticationTicket.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

SimpleToken Authentication Middleware

This package allows to extract token from authenticated requests and delegate it to an appropriated ISecurityTokenValidator and generate and AuthenticationTicket.

Behavior

Token extraction details

This middleware tries to support almost RFC 6750 and some licenses based on GitHub behavior. But does not support Form-Encoded Body Parameter (http://tools.ietf.org/html/rfc6750#section-2.2).

There are three methods of sending tokens:

  • Authorization Request Header Field.

    See RFC6750 Section 2.1

    For example:

     GET /resource HTTP/1.1
 Host: server.example.com
 Authorization: Bearer mF_9.B5f-4.1JqM

    It accepts Bearer schema name, but also OAuth2 and Token.

  • URI Query Parameter

    See RFC6750 Section 2.1

    For example https://server.example.com/resource?access_token=mF_9.B5f-4.1JqM&p=q:

     GET /resource?access_token=mF_9.B5f-4.1JqM HTTP/1.1
 Host: server.example.com

  • Basic Authentication with any username and token

    See GitHub Basic Authentication Via OAuth Tokens

    For example:

     $ curl -u user:317F632427BCDA059B19EF241705BD2F https://server.example.com/resource

    Or

     GET /resource
 Host: server.example.com
 Authorization: basic dXNlcjozMTdGNjMyNDI3QkNEQTA1OUIxOUVGMjQxNzA1QkQyRg==

The WWW-Authenticate Response Header Field

When a protected resource is requested but request does not include authentication credentials or does not contain an access token that enables access it includes the HTTP "WWW-Authenticate" response header field.

For example:

  • Request:

    GET /resource
Host: server.example.com

  • Response

    Status Code: 401 Unauthorized
Content-Length: 436
Content-Type: application/json; charset=utf-8
Date: Fri, 11 Sep 2015 16:41:50 GMT
WWW-Authenticate: Bearer

Usage

It is necessary to register all valid ISecurityTokenValidator classes and add the middleware to ApplicationBuilder using UseSimpleTokenAuthentication.

Example:

public class Startup
{
	public void ConfigureServices(IServiceCollection services)
	{
		services.AddMvc();
		services.AddTransient<ISecurityTokenValidator, MyCustomTokenValidator>();
	}

    public void Configure(IApplicationBuilder app)
	{
		app.UseSimpleTokenAuthentication(o =>
		{
			o.AutomaticAuthentication = true;
		});
		app.UseMvc();
	}
}

Internally, when the token is not valid or there are not any registered any capable ISecurityTokenValidator, an AuthenticationException is thrown.

About

Middleware that allows to extract token from authenticated requests, delegate it to an appropriated ISecurityTokenValidator and generate and AuthenticationTicket.

License:GNU Lesser General Public License v3.0

Languages

Language:C# 100.0%