7

I have two .NET applications. Both applications have WebAPI 2.0 APIs using C#.

Let's say one is the parent application and the other one is a child. The parent application has OWIN authentication, and all APIs are working as expected with authorization.

In the child application, I want to use the same authorization provider used in the parent application. I don't want to use authentication for the child application again.

Two things I have tried:

  1. Using the same machine keys in both applications

  2. Trying to create a third, independent .NET application which will provide authentication and authorization for both applications.

The first one didn't work. I am not sure how I can achieve the second one.

Any help would be appreciated.

Thanks.

2 Answers

2

So, if I understood correctly, you want a way to authenticate a child service based on the parent service's authentication, passing authentication between the services.

We just need the same thing here, to authenticate the microservices behind our front service (parent service).

We used JWT for that. Using it, we can solve this, because the child services (in our case microservices) trust the parent authentication.

The services work like this: the Parent Service, or maybe another authentication service, creates the valid JWT to be used on the Parent Service.

When the Parent Service receives the JWT, it will validate everything that's needed to ensure the client is correct. When the Parent Service needs to call the Child Service, it'll send the same JWT, but on the Child Service the JWT will not be the same; in our case we just validate the lifetime and the issuer signing key.

We ended up with code like this in the Startup.cs file of our child services; our parent service/auth service was kept the same.

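using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static void ConfigureAuth(IServiceCollection services)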
{
    services
        .AddAuthentication(o =>
        {
            o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(o =>
        {
            o.SaveToken = true;
            o.TokenValidationParameters = new TokenValidationParameters
            {
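                // Must validate the signing key.
                // The key itself (IssuerSigningKey, or an Authority to fetch it from)
                // is not shown in this snippet and has to be configured as well.
                ValidateIssuerSigningKey = true,

                // Must validate the lifetime
                ValidateLifetime = true,

                // The issuer may vary in a multitenant scenario,
                // that's why we do not validate the issuer.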
                ValidateIssuer = false,
                ValidIssuer = o.ClaimsIssuer,

                // Allowing passing a token among multiple services (audiences).
                ValidateAudience = false,
                ValidAudience = "",

                // Does not require expiration
                RequireExpirationTime = false,
                ClockSkew = TimeSpan.Zero
            };
        });
}

If you still have doubts, I recommend you look up Authentication Between Microservices; maybe that can help.

gblmarquez
  • 527
  • 3
  • 11
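Added example (not part of the answer above and not project code): a console program using the System.IdentityModel.Tokens.Jwt package that runs the answer's child-side settings next to a variant with `ValidateAudience` and `RequireExpirationTime` switched on, showing that the posted settings accept a token issued for another audience and a token with no `exp` claim. The shared symmetric key and the names `parent-service`, `child-api` and `billing-api` are constructed for this example; the answer does not say which key type or names were used.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

static class ChildTokenCheck
{
    // Constructed demo key; a shared symmetric key is an assumption of this example.
    static readonly SymmetricSecurityKey Key = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("constructed-demo-key-at-least-32-bytes!!"));

    // Mint a token as the parent would; expires == null leaves out the exp claim.
    static string Mint(string audience, DateTime? expires)
    {
        var token = new JwtSecurityToken(
            issuer: "parent-service", audience: audience,
            claims: new[] { new Claim("sub", "user-1") },
            notBefore: null, expires: expires,
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Child-side parameters; 'strict' switches on the two checks the answer turns off.
    static TokenValidationParameters Params(bool strict) => new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true, IssuerSigningKey = Key,
        ValidateLifetime = true, ClockSkew = TimeSpan.Zero,
        ValidateIssuer = false,                 // unchanged from the answer
        ValidateAudience = strict, ValidAudience = "child-api",
        RequireExpirationTime = strict
    };

    static bool Accepts(bool strict, string jwt)
    {
        try { new JwtSecurityTokenHandler().ValidateToken(jwt, Params(strict), out _); return true; }
        catch (SecurityTokenException) { return false; }
    }

    static void Main()
    {
        var soon = DateTime.UtcNow.AddMinutes(5);
        var cases = new (string Name, string Jwt)[] {
            ("for child-api, 5 min", Mint("child-api", soon)),
            ("for billing-api, 5 min", Mint("billing-api", soon)),
            ("for child-api, no exp", Mint("child-api", null)),
            ("for child-api, expired", Mint("child-api", DateTime.UtcNow.AddMinutes(-5))) };
        foreach (var c in cases)
            Console.WriteLine($"{c.Name,-24} as posted: {Accepts(false, c.Jwt),-5} strict: {Accepts(true, c.Jwt)}");
    }
}
```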
1

Store the generated authentication token (along with user identity info if needed) from the Parent application in a secure Redis cache.

You can then get the token from subsequent requests on the Parent API's authorized endpoints, and append it on any calls to your Child API:

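using System.Web.Http;

public class ValuesController : ApiController
{
  [Authorize]
  public IHttpActionResult Get()
  {
    // Authorization header (scheme + token) of the incoming, already authorized request
    var authToken = Request.Headers.Authorization;
    // send authToken with requests to child endpoints
    return Ok();
  }
}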

Then on the Child API you can get the auth token in a similar manner, and look up & validate it against the stored Redis tokens.

Extra points if you're getting the token in middleware.

JvR
  • 1,022
  • 1
  • 11
  • 29
  • Thanks for your help. I can also store the token in the database, but I think that's an overhead. – sandipchandanshive May 23 '18 at 07:45
  • Storing tokens in Redis is not unheard of. You get a lot of flexibility as well as being much faster than database storage, overhead should be minimal. – JvR May 23 '18 at 08:54