0

I want to do token based mechanism where I would be having either SPA or mobile apps supporting multiple clients.

Use case of my web service engine and my application:

My web application: Client will do registration of their application either SPA or mobile apps.They will get client id on registration.Only client id as secret key would be compromised in case of SPA or mobile apps hence I am just providing clientid.

Web service engine: Support multiple client with managing session of each user after login in to respective application of clients.

So let's say there are 2 client who have register their application in to my web application :

Client 1 : MyApp1

Client 2 : MyApp2

Now if MyApp1 have 2 users with John and Stephen and if they login in MyApp1 then i want to manage session for those users with token based mechanism. Now if John and Stephen wants to access protected resource then they can access only through valid accesstoken.

Same goes for MyApp2.

For token based mechanism I have seen lots of question referring to this below article only:

http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/

But the only confusion part in above tutorial and in most of the tutorial is after validating user name and password and generating access token. Does above tutorial is storing access token in server side cookie for validating accesstoken when request comes to access protected resource?

I am really confused here. I know accesstoken validation happens inside [Authorize attribute] but I am not getting without storing accesstoken how above tutorial is validating accesstoken.

My thought is like may be when request comes for accessing protected resources access token is encrypted or decrypted based on machine key attribute in webconfig and this is how access token is validated inside [Authorize] attribute but I am just not sure about this.

halfer
  • 19,824
  • 17
  • 99
  • 186
I Love Stackoverflow
  • 6,738
  • 20
  • 97
  • 216
  • Token in that tutorial is encrypted and self contained (contains all necessary information to validate it), so you don't need to store anything to be able to validate it. – Evk Nov 07 '17 at 07:15
  • @Evk:So in that example token is like this for eg: skhfksdkfhskdjfh283768273468726384726kjdfkjshdf.how does this represent identity of user.I am not getting this.Can you please provide some more insight as i am really struggling hard to understand this. – I Love Stackoverflow Nov 07 '17 at 07:20

3 Answers3

2

You can control what information goes inside a token. Look at the SimpleAuthorizationServerProvider class in the article:

var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("role", "user"));

Use the Claims to store anything you need regarding to the user, their username or roles and this is what happens in the article you referred to. The token generated already contains that information about the user.

This is taken from the article :

The second method “GrantResourceOwnerCredentials” is responsible to validate the username and password sent to the authorization server’s token endpoint, so we’ll use the “AuthRepository” class we created earlier and call the method “FindUser” to check if the username and password are valid.

If the credentials are valid we’ll create “ClaimsIdentity” class and pass the authentication type to it, in our case “bearer token”, then we’ll add two claims (“sub”,”role”) and those will be included in the signed token. You can add different claims here but the token size will increase for sure.

This is why you do not need to store the token anywhere,the token is self contained and everything is stored inside it in an encrypted form. Don't forget that before you add a claim containing the username you have already validated the username and password, so you can guarantee that the token is created correctly for a valid user / password combination. Of course you do not want to store the password inside the token, the whole point of tokens is to avoid doing that. Passing passwords to an API all the time does increase the risk of them being stolen, tokens are much better for this.

Finally, the tokens expire after a time you control, usually they are short lived so even if someone does get their hands on one they will not last long.

If you take care of how you pass the tokens, meaning in the Authorisation Header over an https call then you are as protected as you can be and the headers will be encrypted. The point here is to never issue calls like this over basic http.

The author of the article you referenced is a well respected authority in this particular area and currently a Microsoft MVP and you are basically in good hands. Keep reading his articles, but pay attention to the details.

----------- Clarification related to JWT format --------------

yes the JWT token will contain information related to its issue date and expiry date as well. I have an article of my own on this : https://eidand.com/2015/03/28/authorization-system-with-owin-web-api-json-web-tokens/

Look at the calls which create the token and look at the information returned in the screenshots.

In my example the token contains the actual encrypted token, the token type, seconds it expires in, the audience which is the ClientID, when it was issued and when it expires.

This is just an example of a token, yours will look probably a bit differently but you get the idea I hope. Use Postman to see what's coming back in the token

There are a number of concepts to be understood when it comes to OAuth2, it does require a bit of research and practice.

In short, you request a token with A Basic Authorisation Header, you get the token back and it's telling you what type it is, in my case it's Bearer so that's my next Authorisation Header for any call to a protected resource.

My suggestion is to start small, one step at a time, use Postman to build your calls and understand what's going on. Once you have that knowledge it's much easier to progress. Took me about 6 weeks to wrap my head around all concepts and get something working first time around, but now it takes a couple hours at most. Good luck

Andrei Dragotoniu
  • 6,155
  • 3
  • 18
  • 32
  • First of all thank you so much for the answer and upvoted for your kind efforts towards helping me.So are you saying that token issue time,expire time are also encoded in to accesstoken? – I Love Stackoverflow Nov 07 '17 at 11:18
  • added more info related to JWT tokens in the main answer – Andrei Dragotoniu Nov 07 '17 at 11:22
  • So again there are lots of confusing things when it come to implementing authentication and authorization in webapi.There are bearer token concept,jwt token concept,open id connect concept.Its really getting hard for me to choose from those options.Can you please help me to choose from those options? – I Love Stackoverflow Nov 07 '17 at 11:25
  • So ultimately i should go with token bearer right instead of jwt token if i am not wrong? – I Love Stackoverflow Nov 07 '17 at 11:45
  • you misunderstand, your jwt token is used in conjunction with a Bearer Authorization type. They are separate things. Don't confuse the token type with the authorization type – Andrei Dragotoniu Nov 07 '17 at 13:08
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/158476/discussion-between-learning-and-andrei-dragotoniu). – I Love Stackoverflow Nov 08 '17 at 07:21
1

The application does not need to store the access token server side, it will only read the user from the token which is passed along.

When the request hits the authentication server, which is attach to the Owin pipeline in the ConfigureOAuth() method, the HTTP header token is decrypted and the user data from the token is sat to the current user of the context.

Marcus Höglund
  • 16,172
  • 11
  • 47
  • 69
  • First of all thank you so much for the answer and upvoted for your kind efforts towards helping me.So when a token is generated user information is encrypted in that accesstoken and so when decrypted user information is obtained from that accesstoken only.Is it like that? – I Love Stackoverflow Nov 07 '17 at 07:23
  • Yes, that is correct. In this case the token is the only source of user info – Marcus Höglund Nov 07 '17 at 07:30
  • So for token based mechanism you have any good reference which i should follow.if you could please provide me that i would be very thankfull to you. – I Love Stackoverflow Nov 07 '17 at 07:33
  • @Learning I think the blog, which you linked to, captures all the main parts of the token based implementation. – Marcus Höglund Nov 07 '17 at 07:39
  • So if i use that code i would be able to accompalish my use cases which i describe in my question? – I Love Stackoverflow Nov 07 '17 at 07:40
  • Most parts, the only thing is that if the tokens should be valid for more than one application you need to use the same machine key so both applications can read the token. https://stackoverflow.com/questions/25749818/sharing-oauth-tokens-across-two-web-api-projects – Marcus Höglund Nov 07 '17 at 07:44
  • But accesstoken will be per user for each of the client application so i should have only 1 machine key right?Sorry i am asking so silly questions – I Love Stackoverflow Nov 07 '17 at 07:47
  • @Learning there is no silly questions :) this is what SO is for. If one token only should be valid for one application then don't care about the machine key – Marcus Höglund Nov 07 '17 at 07:49
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/158383/discussion-between-learning-and-marcus-hoglund). – I Love Stackoverflow Nov 07 '17 at 07:50
  • @MarcusHöglund: Hi ,commenting on this after a long time and first time. Need to understand, if I use this access token in microservice based architecture, then if My API gateway uses the access token from request header for it's validation[by sending it to our Authentication server] and passes that request further to internal microservice, then will internal microservice needs to revalidate the access token or not? If not, how internal microservice will know about the identity of the request? – Anish Mittal Sep 02 '20 at 14:42
1

This is one of the things that bugged me for a long time

I'm not sure I understand why did you give an example for 2 applications, but the token mechanism is actually simple, but it's kinda black boxed when you use owin and identity

the token is not stored anywhere on the server or the database, authenticating the user on login is done using your logic or usually again black boxed in identity, this involves validating a secured password etc

after this the token is generated (usually using identity) or if you did it manually this will involve securing the token with whatever info you want to store in it

when the user sends a request next time he should pass the token and you will need to decrypt it and validate what's necessary (like expiration time for example), all of this is done behind the scene usually

just a fun note: even if you changed the DB completely the token will still be valid with the user id that doesn't even exist in your new DB! but of course identity automatically invalidates this token when it compares with the securityStamp

Hassan Khallouf
  • 1,170
  • 1
  • 13
  • 30
  • First of all thank you so much for the answer and upvoted for your kind efforts towards helping me.So when a token is generated user information is encrypted in that accesstoken and so when decrypted user information is obtained from that accesstoken only.Is it like that? – I Love Stackoverflow Nov 07 '17 at 07:25
  • pretty much yes, usually in .Net world we encrypt ClaimsPrincipal object, which will contain user claims in key value pairs, id, securitystamp, role, etc identity already has its defaults, but I did implement the system manually on asp core to be able to understand the whole thing – Hassan Khallouf Nov 07 '17 at 07:43
  • Previously what i was thinking is like i will store accesstoken in my database table with userid and then when request comes for accessing protected resource then i will check that accesstoken inside database to see if it is valid or not but the problem is i have to do this for every endpoint which i want to protect.Do you think this make sense? – I Love Stackoverflow Nov 07 '17 at 07:46
  • a lot of people do this, but this doesn't make any sense to me and I believe it's a mistake, if you are going to compare values using equality then what's the point of securing the token? besides you need to make a db call with every request the user sends to check if his token is valid, and if he is logged in from more than one device you will have multiple db entries, and logging out from everywhere feature will require deleting all of them – Hassan Khallouf Nov 07 '17 at 07:50
  • You said you implement the system in your second last comment.Can you tell me which sources you referred for that? – I Love Stackoverflow Nov 07 '17 at 07:52
  • I really don't remember, it was a lot of searching and multiple pages until I landed on what I needed, but if you followed any tutorial on generating jwt tokens for asp core you will understand most of the process – Hassan Khallouf Nov 07 '17 at 07:54
  • 1 thing i dont understand is some sites and some answers on SO are referring to jst tokens and some are referring to Bearer tokens.So which one i should use Bearer tokens or jwt tokens? – I Love Stackoverflow Nov 07 '17 at 07:58
  • they are not 2 things to choose from, look at this:https://stackoverflow.com/questions/40375508/whats-the-difference-between-jwts-and-bearer-token – Hassan Khallouf Nov 07 '17 at 08:00
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/158391/discussion-between-learning-and-hassan-khallouf). – I Love Stackoverflow Nov 07 '17 at 09:40