Provides an AuthenticationHandler which supports HMAC authentication in an ASP.NET Core project.
Usage:
- Get your HMAC authenticated clients, for example from the
appsettings.jsonfile. For HMAC authentication, anAppIdand anApiKeyis required for each client which should get access.
var hmacAuthenticatedApps = this.Configuration
.GetSection("Authentication")
.GetSection("HmacAuthenticatedApps")
.Get<HmacAuthenticationClientConfiguration[]>()
.ToDictionary(e => e.AppId, e => e.ApiKey);{
"Authentication": {
"HmacAuthenticatedApps": [
{
"AppId": "<some-app-id>",
"ApiKey": "<some-api-key>"
}
]
}
}- Enable HMAC authentication in
Startup.csin theConfigureServicesmethod:
services
.AddAuthentication(o =>
{
o.DefaultScheme = HmacAuthenticationDefaults.AuthenticationScheme;
})
.AddHmacAuthentication(HmacAuthenticationDefaults.AuthenticationScheme, "HMAC Authentication", o =>
{
o.MaxRequestAgeInSeconds = HmacAuthenticationDefaults.MaxRequestAgeInSeconds;
o.HmacAuthenticatedApps = hmacAuthenticatedApps;
});- Add
MemoryCache(from Microsoft.Extensions.Caching.Memory) inStartup.csin theConfigureServicesmethod. TheMemoryCacheis used by the HMACAuthenticationHandlerto determine replay attacks.
services.AddMemoryCache();- Enable authentication in
Startup.csin theConfiguremethod:
app.UseAuthentication();- Optional: Specify HMAC as the authentication scheme for certain controllers:
[Authorize(AuthenticationSchemes = HmacAuthenticationDefaults.AuthenticationScheme)]
[Route("api/[controller]")]
public class HomeController : Controller
{
// ...
}Provides a DelegatingHandler for adding an HMAC authorization header to HTTP requests.
Instantiate your HttpClient instance with the ApiKeyDelegatingHandler.
Make sure, that you don't create new HttpClient instances for every request (see also this blog post for details):
new HttpClient(new ApiKeyDelegatingHandler(appId, apiKey));Or in case your WebAPI client is another ASP.NET WebAPI (>= ASP.NET Core 2.1), register your HttpClient in the Startup.cs for example as follows:
services.AddTransient(sp => new ApiKeyDelegatingHandler(appId, apiKey));
services
.AddHttpClient("HmacHttpClient")
.AddHttpMessageHandler<ApiKeyDelegatingHandler>();To generate an API Key, the following simple Console Application can be used. This implementation is also provided on .NET Fiddle.
using System.Security.Cryptography;
public class Program
{
public static void Main()
{
Console.WriteLine($"AppID: {Guid.NewGuid()} or <some-speaking-name>");
Console.WriteLine($"ApiKey: {GenerateApiKey()}");
}
private static string GenerateApiKey()
{
using (var cryptoProvider = new RNGCryptoServiceProvider())
{
byte[] secretKeyByteArray = new byte[32]; //256 bit
cryptoProvider.GetBytes(secretKeyByteArray);
return Convert.ToBase64String(secretKeyByteArray);
}
}
}Provides an AuthenticationHandler which supports Basic authentication in an ASP.NET Core project.
Enable Basic authentication in Startup.cs in the ConfigureServices method:
services.AddAuthentication(o =>
{
o.DefaultScheme = BasicAuthenticationDefaults.AuthenticationScheme;
})
.AddBasicAuthentication(BasicAuthenticationDefaults.AuthenticationScheme, o =>
{
o.AuthorizationProvider = new MemoryBasicAuthenticationProvider(authenticatedApps);
});Provides a DelegatingHandler for adding an HMAC authorization header to HTTP requests.
Instantiate your HttpClient instance with the BasicAuthenticationDelegatingHandler.
Make sure, that you don't create new HttpClient instances for every request (see also this blog post for details):
new HttpClient(new BasicAuthenticationDelegatingHandler(username, password));