Reading Katana Cookie Authentication Middleware’s Cookie from FormsAuthenticationModule

I saw a question on Stack Overflow about using the cookie created by FormsAuthenticationModule (FAM) from the Katana Cookie Authentication Middleware (CAM). I thought it was a one-off question. But then, here is one more question, similar, but about reading the cookie created by CAM from FAM. Though we cannot change FAM's behavior, it is technically possible to write an HTTP module to read the ticket. So, I thought of writing some code to illustrate how to read the CAM cookie.

Web API Model Binding in ASP.NET MVC 6 (ASP.NET 5)

In ASP.NET 5, MVC and Web API have been merged into a single framework called MVC 6. If you are deep into Web API and MVC in the previous versions of ASP.NET, like me, it will take some time to get used to how binding works in MVC 6. Especially if you have been more into Web API than MVC in the recent past, like me, you will actually feel sad to see that the things you are so used to with Web API are all gone and it is different now :(.

Using Thinktecture Hawk Katana Authentication Middleware with ASP.NET 5.0 (ASP.NET MVC 6)

In this post, I have covered Katana middleware versus ASP.NET 5.0 middleware. Calling a normal Katana middleware that accepts an AppFunc (Func<IDictionary<string, object>, Task>) from the ASP.NET 5.0 pipeline is not that difficult. You can just use the UseOwin extension method on IApplicationBuilder, like so.

// UseOwin hands you a delegate that accepts an OWIN middleware factory: a function
// taking the next AppFunc and returning the AppFunc to put in front of it.
app.UseOwin(addToPipeline =>
{
    addToPipeline(next =>
    {
        // next is the rest of the ASP.NET 5.0 pipeline exposed as a plain OWIN AppFunc.
        // MyNormalKatanaMiddleware takes it in its constructor and exposes
        // Task Invoke(IDictionary<string, object> env); the method group converts to AppFunc.
        return new MyNormalKatanaMiddleware(next).Invoke;
    });
});


Thinktecture.IdentityModel.Hawk – Nonce Storage for Replay Protection – Redis Example

Thinktecture.IdentityModel.Hawk now stores nonce values and validates the incoming nonce to detect replays. In Hawk authentication, the timestamp (ts) field is the fundamental protection mechanism against replay attacks. By default, Hawk uses a time window of 1 minute, stored in the ClockSkewSeconds property of the Thinktecture.IdentityModel.Hawk.Core.Options class. Since the skew is allowed in both directions (+1 and -1 minute), the replay window is effectively 2 minutes. Within that window the timestamp alone cannot tell a replay apart from the original request, which is what the nonce store is for. If the server and client clocks are reasonably in sync, ClockSkewSeconds can be set to a much lower value, say 10 seconds, which shrinks the window of opportunity for replay to a very small time period.

Tracing Thinktecture.IdentityModel.Hawk through Event Tracing for Windows (ETW)

Thinktecture.IdentityModel.Hawk version 2.1.0 now uses the ETW infrastructure to raise events. One of the challenges with Hawk authentication is that it uses different parts of the message to compute the MAC, and when authentication fails it is generally difficult to figure out what went wrong. Both client and server must use exactly the same values in the MAC computation for the MAC computed by the server to match the MAC computed by the client. If there is even a slight mismatch, such as an additional space or a difference in capitalization, authentication fails and a 401 is the end result. A secure system does not give out much in terms of what went wrong, but for a developer it is a real problem to figure out what is wrong. To help solve this problem, tt.idm Hawk now raises ETW events.
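The two Hawk excerpts above describe the replay window (timestamp skew plus a nonce store) and the exact-match nature of the MAC. The following is an added, self-contained C# illustration of both checks; it is not code from Thinktecture.IdentityModel.Hawk. The normalized string follows Eran Hammer's Hawk spec (the optional app/dlg lines and the escaping of ext are omitted for brevity), and the key, credentials id, nonces and request values are constructed for the demo. The in-memory NonceStore stands in for the Redis store the post refers to.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added illustration of Hawk's replay and MAC checks; not the library's own code.
public static class HawkReplayDemo
{
    // Hawk's normalized string: a fixed header line followed by the request parts,
    // each terminated by "\n". Method is upper-cased and host lower-cased by the spec;
    // everything else is taken as-is, so a stray space or a case change in
    // resource or ext yields a different MAC and therefore a 401.
    public static string Normalize(long ts, string nonce, string method, string resource,
                                   string host, int port, string payloadHash, string ext)
    {
        return "hawk.1.header\n"
             + ts + "\n"
             + nonce + "\n"
             + method.ToUpperInvariant() + "\n"
             + resource + "\n"
             + host.ToLowerInvariant() + "\n"
             + port + "\n"
             + (payloadHash ?? string.Empty) + "\n"
             + (ext ?? string.Empty) + "\n";
    }

    public static string ComputeMac(byte[] key, string normalized)
    {
        using (var hmac = new HMACSHA256(key))
        {
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(normalized)));
        }
    }

    // Compare without an early exit so timing does not leak how many leading bytes matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }

    // Stand-in for the Redis store. Keyed by "<id>:<nonce>", value is the request ts.
    // Entries older than the skew window are dropped: a replay carrying that ts would
    // already fail the timestamp check, so there is no need to remember the nonce.
    public sealed class NonceStore
    {
        private readonly ConcurrentDictionary<string, long> _seen = new ConcurrentDictionary<string, long>();

        public bool TryRecord(string id, string nonce, long ts, long now, int clockSkewSeconds)
        {
            foreach (var entry in _seen)
            {
                long ignored;
                if (Math.Abs(now - entry.Value) > clockSkewSeconds) _seen.TryRemove(entry.Key, out ignored);
            }
            return _seen.TryAdd(id + ":" + nonce, ts);
        }
    }

    // Server-side verification. The MAC is checked first so that only an authentic
    // request can populate the nonce store; otherwise an unauthenticated sender could
    // fill it with garbage. Then the ts window, then nonce uniqueness within that window.
    public static string Verify(byte[] key, string id, NonceStore store, int clockSkewSeconds,
                                long now, long ts, string nonce, string mac, string method,
                                string resource, string host, int port, string hash, string ext)
    {
        string expected = ComputeMac(key, Normalize(ts, nonce, method, resource, host, port, hash, ext));
        if (!FixedTimeEquals(expected, mac)) return "401: bad mac";
        if (Math.Abs(now - ts) > clockSkewSeconds) return "401: stale timestamp";
        if (!store.TryRecord(id, nonce, ts, now, clockSkewSeconds)) return "401: nonce already used";
        return "200";
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn"); // constructed demo key
        const string id = "dh37fgj492je";                                                // constructed demo id
        const int skew = 10;                                                             // tighter than the 60 s default
        var store = new NonceStore();
        long ts = 1430000000;
        const string res = "/resource/1?b=1&a=2", ext = "some-app-data";

        // Client computes the MAC over its view of the request.
        string mac = ComputeMac(key, Normalize(ts, "j4h3g2", "GET", res, "example.com", 8000, null, ext));

        // Method and host case differences are normalized away: accepted.
        Console.WriteLine(Verify(key, id, store, skew, ts + 1, ts, "j4h3g2", mac, "get", res, "Example.com", 8000, null, ext));
        // Same request again within the window: same nonce, rejected by the store.
        Console.WriteLine(Verify(key, id, store, skew, ts + 2, ts, "j4h3g2", mac, "GET", res, "example.com", 8000, null, ext));
        // One extra space in ext changes the normalized string: MAC mismatch.
        Console.WriteLine(Verify(key, id, store, skew, ts + 2, ts, "j4h3g2", mac, "GET", res, "example.com", 8000, null, " " + ext));
        // Fresh nonce and valid MAC, but presented 11 s later than the 10 s skew allows.
        string mac2 = ComputeMac(key, Normalize(ts, "k9q2", "GET", res, "example.com", 8000, null, ext));
        Console.WriteLine(Verify(key, id, store, skew, ts + 11, ts, "k9q2", mac2, "GET", res, "example.com", 8000, null, ext));
    }
}
```

The order of checks matters operationally: validating the MAC before touching the nonce store keeps the store bounded by authenticated traffic, and pruning by the same skew value used for the timestamp check keeps the store's size proportional to the window you chose for ClockSkewSeconds.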

ASP.NET vNext Middleware for Hawk Authentication – An Experiment

Thinktecture IdentityModel has support for Eran Hammer's Hawk authentication in the form of OWIN middleware. With ASP.NET vNext introducing a new but very similar middleware concept (the changes are only on the API surface, and OWIN middleware can be used as-is in ASP.NET vNext apps), I took the opportunity to completely rewrite the middleware. As ASP.NET vNext is being actively developed, there could be changes, and this middleware will change to react to them. Hence, at this point, this middleware is for review only. Since Linus said "Talk is cheap. Show me the code.", I will keep this blog post very short and just link to GitHub. Your feedback is welcome.