
Generating an Authentication Token with a dynamic Machine Key

I am using the OWIN security context and the CookieAuthenticationProvider to generate authentication cookies:

using Microsoft.AspNet.Identity;       // DefaultAuthenticationTypes
using Microsoft.Owin;                  // PathString
using Microsoft.Owin.Security.Cookies; // CookieAuthenticationOptions, CookieAuthenticationProvider
using Owin;                            // IAppBuilder

public partial class Startup {
    public void ConfigureAuth(IAppBuilder app) {
        // Cookie middleware: the ticket is protected with the app-wide machineKey-backed data protector
        app.UseCookieAuthentication(new CookieAuthenticationOptions() {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Authentication/Login"),
            Provider = new CookieAuthenticationProvider()
        });
    }
}

However, I'd like to implement this in a multi-tenant environment. I already have a tenant context established which has an associated machine key property; I just need a way to generate a token based on a tenant-specific machine key (rather than the machine key in the web.config file).

Ideally, I'd like to inherit and augment the existing OWIN classes (maybe CookieAuthenticationProvider) rather than implement my own.

Does anyone know how to generate an authentication token from a given machine/private key?

Bill


Update

Since machine keys can't be edited, rather than trying to adjust machine keys, would it be secure to implement IDataProtectionProvider or augment DataProtectionProvider to use the System.Security.Cryptography.DpapiDataProtector and pass in a tenant-specific private key as a specificPurpose parameter?

If all tenants shared the machine key but each tenant had their own private key, they wouldn't be able to decrypt each other's authentication tokens, correct?

Bill Heitstuman
  • Perhaps not "exactly" what you need but could steer you in the right direction: http://stackoverflow.com/questions/18446385/asp-net-machinekey-set-keys-in-code – von v. Jul 07 '15 at 01:21
  • Thanks for your suggestion. Unfortunately, each tenant will not be running in its own application pool so I have to keep looking. – Bill Heitstuman Jul 07 '15 at 04:13
  • Why do you need to have a machine-key per tenant? – trailmax Jul 07 '15 at 10:11
  • If each tenant has their own machine-key, they can use it to decrypt the authentication token in their environment and get a reference to the currently authenticated user. – Bill Heitstuman Jul 07 '15 at 16:11
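As an added example (not code from the question, the answer or the Katana project), the following shows the shape of a tenant-keyed IDataProtectionProvider for the Katana cookie middleware, the alternative the update asks about. Instead of DPAPI (which is bound to the host) it uses only the tenant's own secret, so it behaves the same on every node of a web farm. Note that Katana calls Create() once when the middleware is constructed, so the tenant has to be resolved inside Protect/Unprotect on each request; the resolver delegates, the TenantContext names in the usage note and the minimum secret length are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Owin.Security.DataProtection;

// Example (not Katana's own code): a data protection provider whose keys come from the
// current tenant instead of the machineKey. Katana calls Create() once at startup, so the
// tenant is resolved inside Protect/Unprotect, per request, not in Create().
public sealed class TenantDataProtectionProvider : IDataProtectionProvider
{
    private readonly Func<string> _currentTenantId;       // assumed: e.g. () => TenantContext.Current.Id
    private readonly Func<string, byte[]> _tenantSecret;  // assumed: tenant id -> secret of at least 32 bytes

    public TenantDataProtectionProvider(Func<string> currentTenantId, Func<string, byte[]> tenantSecret)
    {
        _currentTenantId = currentTenantId;
        _tenantSecret = tenantSecret;
    }

    public IDataProtector Create(params string[] purposes)
    {
        // Purposes are bound into key derivation so a blob protected for one purpose
        // (e.g. the cookie ticket) cannot be replayed as another.
        return new TenantDataProtector(_currentTenantId, _tenantSecret, string.Join("|", purposes));
    }
}

internal sealed class TenantDataProtector : IDataProtector
{
    private const int IvLen = 16, TagLen = 32;
    private readonly Func<string> _currentTenantId;
    private readonly Func<string, byte[]> _tenantSecret;
    private readonly string _purpose;

    public TenantDataProtector(Func<string> currentTenantId, Func<string, byte[]> tenantSecret, string purpose)
    { _currentTenantId = currentTenantId; _tenantSecret = tenantSecret; _purpose = purpose; }

    // Derive separate AES and HMAC keys from the tenant secret; the raw secret is never used as a cipher key.
    private void DeriveKeys(out byte[] encKey, out byte[] macKey)
    {
        string tenantId = _currentTenantId();
        byte[] secret = _tenantSecret(tenantId);
        if (secret == null || secret.Length < 32)
            throw new InvalidOperationException("Tenant secret must be at least 32 bytes.");
        using (var kdf = new HMACSHA256(secret))
        {
            encKey = kdf.ComputeHash(Encoding.UTF8.GetBytes("enc|" + tenantId + "|" + _purpose));
            macKey = kdf.ComputeHash(Encoding.UTF8.GetBytes("mac|" + tenantId + "|" + _purpose));
        }
    }

    // Layout: IV (16) || AES-256-CBC ciphertext || HMAC-SHA256(IV || ciphertext) (32).
    public byte[] Protect(byte[] userData)
    {
        byte[] encKey, macKey;
        DeriveKeys(out encKey, out macKey);
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;       // 32 bytes -> AES-256; default mode CBC, PKCS7 padding
            aes.GenerateIV();       // fresh random IV per ticket
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(userData, 0, userData.Length);
            byte[] body = aes.IV.Concat(cipher).ToArray();
            using (var hmac = new HMACSHA256(macKey))
                return body.Concat(hmac.ComputeHash(body)).ToArray();
        }
    }

    public byte[] Unprotect(byte[] protectedData)
    {
        if (protectedData == null || protectedData.Length < IvLen + TagLen + 16)
            return null;            // Katana's SecureDataFormat treats null as an invalid ticket
        byte[] encKey, macKey;
        DeriveKeys(out encKey, out macKey);
        int bodyLen = protectedData.Length - TagLen;
        byte[] body = protectedData.Take(bodyLen).ToArray();
        byte[] tag = protectedData.Skip(bodyLen).ToArray();
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(body);
        if (!FixedTimeEquals(tag, expected))
            return null;            // wrong tenant key or tampering: reject before decrypting
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = body.Take(IvLen).ToArray();
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(body, IvLen, bodyLen - IvLen);
        }
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

To wire it in, call `app.SetDataProtectionProvider(new TenantDataProtectionProvider(() => TenantContext.Current.Id, id => TenantContext.Current.SecretBytes))` in ConfigureAuth before app.UseCookieAuthentication (TenantContext and its members are assumed names). Because the HMAC is checked before any decryption, a ticket protected under tenant A's secret simply fails verification under tenant B's secret, which is the isolation the update asks about. A tenant that wants to read the ticket in its own environment needs the same secret and must reproduce the purpose strings Katana passes to Create (the middleware type name, the authentication type and a version tag), since they are mixed into the derived keys.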

1 Answer


I wouldn't recommend DPAPI in a web farm. It was designed for a single host. People have gotten it to work, but it's fragile.

You could wrap the machinekey, encryptedKey, with each tenant's key. KeyInfo would allow you to determine the tenant.

Brent Schmaltz
  • Thanks Brent. I'm not sure what you mean by wrapping the machine key...I need the keys to be different so that one tenant can not use their machine key to create a token to access another tenant's data. I suggested DpapiDataProtector because that's what the Katana implementation of OWIN Security uses. Are you saying that Katana does not work well in a web farm? – Bill Heitstuman Jul 07 '15 at 23:40
  • A machine key is a symmetric key. Wrapping it means creating a EncryptedKey https://msdn.microsoft.com/en-us/library/system.security.cryptography.xml.encryptedkey(v=vs.110).aspx where the key used to wrap it is different for each tenant. In this case you can detect the tenant from the KeyInfo property. I think Katana uses MachineKey by default. – Brent Schmaltz Jul 08 '15 at 14:22
  • Oops, I was looking at another part of the Katana project; you're right, it does use the MachineKey, thanks for clarifying. However, I don't see how wrapping the MachineKey will work. The tenant needs to be able to decrypt the authentication token to get the current User within their ASP.NET environment, and my multi-tenant service needs to be able to decrypt the same token using the tenant's private symmetric key. If I could simulate a MachineKey decryption with a given symmetric key, it would be ideal. – Bill Heitstuman Jul 08 '15 at 21:41
  • Are you generating tokens for external consumers? – Brent Schmaltz Jul 09 '15 at 14:39
  • Yes, I would like to, but that is not the primary goal. Regardless of how the token is generated, I need my multi-tenant service and the tenant's service to be able to decrypt the user info from the authentication token. – Bill Heitstuman Jul 09 '15 at 18:01