10

I have ASP.NET 4.5 service with OWIN pipeline that issues OAuth access_token in exchange for username/password. This service is called from ng-app and once it gets a token, stores in the browsers local storage. Then it calls resource api that consumes this token, API is also written in asp.net 4.5 and uses owin. This being OAuth token issued with OWIN it's encrypted/signed to machineKey secrets - so far so good and is happily consumed by the resource API. All this made possible by OAuthAuthorizationServerMiddleware.

Now I need to consume these tokens sent from the same ng-app to asp.net core 2.1 services, nothing fancy, just verify/decode it and get claims inside the token.
This OAuthAuthorizationServerMiddleware was never ported to asp.net core so I am stuck. (OAuth Authorization Service in ASP.NET Core does not help it talks about the full-fledged oidc server I just need to consume them w/o changing the issuing code) In ConfigureServices() tacked on to service.AddAuthentication(): Tried.AddJwtBearer - but this makes no sense - these are not Jwt tokens really Tried.AddOAuth but this does not make sense either b/c I am not dealing with full OAuth flow with redirects to obtain a token, I also don't deal with ClientId/ClientSecret/etc, I just receive "Bearer token-here" in the HTTP header from ng app so I need something in the pipeline to decode this and set ClaimsIdentity but this "something in the pipeline" also needs to have access to machinery-like data that is the same as it is in asp.net 4.5 OWIN service Any ideas?

ArunPratap
  • 4,816
  • 7
  • 25
  • 43
Andriy
  • 103
  • 1
  • 7

2 Answers2

8

You could set the OAuthValidation AccessTokenFormat to use a MachineKey DataProtectionProvider and DataProtector which will protect and unprotect your bearer tokens. You will need to implement the MachineKey DataProtector. This guy already did it https://github.com/daixinkai/AspNetCore.Owin/blob/master/src/DataProtection/src/AspNetCore.DataProtection.MachineKey/MachineKeyDataProtectionProvider.cs.

public void ConfigureServices(IServiceCollection services){
   services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
   ConfigureAuth(services);

  string machineKey = @"<?xml version=""1.0"" encoding=""utf-8"" ?>
        <machineKey decryption=""Auto"" decryptionKey =""DEC_KEY"" validation=""HMACSHA256"" validationKey=""VAL_KEY"" />";
        var machineKeyConfig = new XmlMachineKeyConfig(machineKey);
        MachineKeyDataProtectionOptions machinekeyOptions = new MachineKeyDataProtectionOptions();
        machinekeyOptions.MachineKey = new MachineKey(machineKeyConfig);
        MachineKeyDataProtectionProvider machineKeyDataProtectionProvider = new MachineKeyDataProtectionProvider(machinekeyOptions);
        MachineKeyDataProtector machineKeyDataProtector = new MachineKeyDataProtector(machinekeyOptions.MachineKey);

   //purposes from owin middleware
   IDataProtector dataProtector = 
   machineKeyDataProtector.CreateProtector("Microsoft.Owin.Security.OAuth",
               "Access_Token", "v1"); 

   services.AddAuthentication(options =>
   {
       options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
   })
   .AddOAuthValidation(option=> {
            option.AccessTokenFormat = new OwinTicketDataFormat(new OwinTicketSerializer(), dataProtector); })

It's important to keep the same DataProtector "purposes" Owin uses in the OAuthAuthorizationServerMiddleware so the data is encrypted/decrypted correctly. Those are "Microsoft.Owin.Security.OAuth", "Access_Token" and "v1". (see https://stackoverflow.com/a/29454816/2734166).

And finally you will have to migrate the Owin TicketSerializer (and maybe the TicketFormat too) since the one in NetCore is slightly different. You can grab it from here:

https://github.com/aspnet/AspNetKatana/blob/e2b18ec84ceab7ffa29d80d89429c9988ab40144/src/Microsoft.Owin.Security/DataHandler/Serializer/TicketSerializer.cs

I got this working recently. Basically authenticating to a .NET 4.5 Owin API and running a resource API in NET Core using the same token. I'll try to share the code in github as soon as I clean it up.

As far as I know it's not recommended to keep the old machine key data protector, but to migrate to the new ones from NET Core. Sometimes this is not possible. In my case I have too many APIs already in production, so I'm trying some new NET Core APIs to work with the legacy ones.

Gonza
  • 203
  • 2
  • 4
  • 2
    Thanks! SO MANY articles and answers on this topic, and this is the first that acknowledges I might want to have a seamless experience for my users by reusing the same machinekey in aspnetcore to be able to authenticate someone via their EXISTING cookie. – Simon_Weaver Mar 04 '19 at 00:09
  • 1
    Very helpful. I have a similar use case with an existing ASP.Net service that is providing OAuth and works because of the machine key. I run into an issue with `AddOAuthValidation`. This seems to be an openiddict thing, which I'm not familiar with and didn't want to integrate. Was hoping for a way to do it without, via the Microsoft.Extensions.DependencyInjection.OAuthExtensions.AddOAuth, but that requires CallbackPath, ClientID, etc. – barthooper Mar 13 '19 at 20:58
  • 1
    On second thought I think I'll just modify the .Net Framework authorization service to use something that is not hellish to use in conjunction with a .Net Core resource server. Looking into retooling it to use a DpapiDataProtector. – barthooper Mar 22 '19 at 19:57
  • @gonja i ran into a similar situation. Can you please share the github code for reference please. – Saurabh Agrawal Nov 19 '19 at 11:29
  • @SaurabhAgrawal I haven't setup the sample project yet. I'll try to upload it asap. – Gonza Nov 20 '19 at 15:56
  • @Gonza Any update on the sample project? Ran into this again on a different project with a less flexible authorization service. Thanks. – barthooper Jan 30 '20 at 20:45
  • 1
    Sorry guys! I'll try to upload it asap! – Gonza Feb 06 '20 at 17:11
  • 2
    Here's the repo based on daixinkai implementation https://github.com/gonzaloluna/AspNetCore.Owin – Gonza Feb 10 '20 at 17:22
5

You should try this Owin.Token.AspNetCore nuget package instead. By following the code example provided in the README file I'm able to decode legacy tokens using the machine keys on .NET Core 3.1. Note: there's also an option to specify encryption method and validation method if the defaults are not working for you.

henrythelonewolf
  • 51
  • 1
  • 3
  • You should name the package in your answer rather than just post a direct link to it. The linked resource might be moved or deleted in future. – Andreas Jun 18 '20 at 04:32