Skip to content
/ aspnet-authentication-simpletoken Public

Middleware that allows to extract token from authenticated requests, delegate it to an appropriated ISecurityTokenValidator and generate and AuthenticationTicket.

License

LGPL-3.0 license
1 star 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

MakingSense/aspnet-authentication-simpletoken

BranchesTags

Repository files navigation

SimpleToken Authentication

This package allows to extract token from authenticated requests and delegate it to an appropriated ISecurityTokenValidator and generate and AuthenticationTicket.

Behavior

Token extraction details

This tries to support almost RFC 6750 and some licenses based on GitHub behavior. But does not support Form-Encoded Body Parameter (http://tools.ietf.org/html/rfc6750#section-2.2).

There are three methods of sending tokens:

  • Authorization Request Header Field.

    See RFC6750 Section 2.1

    For example:

     GET /resource HTTP/1.1
 Host: server.example.com
 Authorization: Bearer mF_9.B5f-4.1JqM

    It accepts Bearer schema name, but also OAuth2 and Token.

  • URI Query Parameter

    See RFC6750 Section 2.1

    For example https://server.example.com/resource?access_token=mF_9.B5f-4.1JqM&p=q:

     GET /resource?access_token=mF_9.B5f-4.1JqM HTTP/1.1
 Host: server.example.com

  • Basic Authentication with any username and token

    See GitHub Basic Authentication Via OAuth Tokens

    For example:

     $ curl -u user:317F632427BCDA059B19EF241705BD2F https://server.example.com/resource

    Or

     GET /resource
 Host: server.example.com
 Authorization: basic dXNlcjozMTdGNjMyNDI3QkNEQTA1OUIxOUVGMjQxNzA1QkQyRg==

The WWW-Authenticate Response Header Field

When a protected resource is requested but request does not include authentication credentials or does not contain an access token that enables access it includes the HTTP "WWW-Authenticate" response header field.

For example:

  • Request:

    GET /resource
Host: server.example.com

  • Response

    Status Code: 401 Unauthorized
Content-Length: 436
Content-Type: application/json; charset=utf-8
Date: Fri, 11 Sep 2015 16:41:50 GMT
WWW-Authenticate: Bearer

Usage v2

It is necessary to register all valid ISecurityTokenValidator classes and configure the Authentication service using the AddSimpleTokenAuthentication extension method.

Example:

public class Startup
{
	public void ConfigureServices(IServiceCollection services)
	{
		services.AddTransient<ISecurityTokenValidator, MyCustomTokenValidator>();
		services.AddAuthentication()
			.AddSimpleTokenAuthentication();
	}

	public void Configure(IApplicationBuilder app, ILoggerFactory loggerfactory) {
		app.UseAuthentication();
		app.UseMvc();
	}
}

Usage v1

It is necessary to register all valid ISecurityTokenValidator classes and add the middleware to ApplicationBuilder using UseSimpleTokenAuthentication.

Example:

public class Startup
{
	public void ConfigureServices(IServiceCollection services)
	{
		services.AddMvc();
		services.AddTransient<ISecurityTokenValidator, MyCustomTokenValidator>();
	}

    public void Configure(IApplicationBuilder app)
	{
		app.UseSimpleTokenAuthentication(o =>
		{
			o.AutomaticAuthentication = true;
		});
		app.UseMvc();
	}
}

Internally, when the token is not valid or there are not any registered any capable ISecurityTokenValidator, an AuthenticationException is thrown.

About

Middleware that allows to extract token from authenticated requests, delegate it to an appropriated ISecurityTokenValidator and generate and AuthenticationTicket.

Resources

Readme

License

LGPL-3.0 license
Activity
Custom properties

Stars

1 star

Watchers

22 watching

Forks

4 forks
Report repository

Releases

4 tags

Packages

No packages published

Contributors 2

  •  
  •  

Languages