Using Thinktecture Hawk Katana Authentication Middleware with ASP.NET 5.0 (ASP.NET MVC 6)

In this post, I have covered Katana middleware versus ASP.NET 5.0 middleware. Calling a normal Katana middleware that accepts an AppFunc from the ASP.NET 5.0 pipeline is not difficult: you can just use the UseOwin extension method on IApplicationBuilder, like so.

// Wrap the Katana middleware's Invoke as the AppFunc for the rest of the pipeline
app.UseOwin(addToPipeline =>
    addToPipeline(next =>
        new MyNormalKatanaMiddleware(next).Invoke));


Thinktecture.IdentityModel.Hawk – Nonce Storage for Replay Protection – Redis Example

Thinktecture.IdentityModel.Hawk now stores nonce values and validates the incoming nonce to detect replays. In Hawk authentication, the timestamp (ts) field is the fundamental protection mechanism against replay attacks. By default, Hawk uses a time window of 1 minute, and this value is stored in the ClockSkewSeconds property of the Thinktecture.IdentityModel.Hawk.Core.Options class. This means the replay window is effectively 2 minutes (accounting for +1 minute and -1 minute of skew). If the server and client clocks are reasonably in sync, ClockSkewSeconds can be set to a much lower value, say 10 seconds, which shrinks the window of opportunity for replay to a very small time period.

Tracing Thinktecture.IdentityModel.Hawk through Event Tracing for Windows (ETW)

Thinktecture.IdentityModel.Hawk version 2.1.0 now uses the ETW infrastructure to raise events. One of the challenges with Hawk authentication is that it uses different parts of the message to compute the MAC, and when authentication fails it is generally difficult to figure out what went wrong. Both client and server must use exactly the same values in the MAC computation for the MAC computed by the server to match the MAC computed by the client. If there is even a slight mismatch, such as an additional space or a difference in capitalization, authentication fails and a 401 is the end result. A secure system does not give out much about what went wrong, but for a developer it is a real problem to figure out what is wrong. To help solve this problem, tt.idm Hawk now raises ETW events.

ASP.NET vNext Middleware for Hawk Authentication – An Experiment

Thinktecture IdentityModel has support for Eran Hammer's Hawk authentication in the form of OWIN middleware. With ASP.NET vNext introducing a new but very similar middleware concept (the changes are only on the API surface, and OWIN middleware can be used as-is in ASP.NET vNext apps), I took the opportunity to completely rewrite the middleware. As ASP.NET vNext is being actively developed, there could be changes, and this middleware will change to react to them. Hence, at this point, this middleware is for review only. Since Linus said "Talk is cheap. Show me the code.", I will keep this blog post very short and just link to GitHub. Your feedback is welcome.

Using tt.idm Hawk Authentication OWIN Middleware with IIS-Hosted ASP.NET Web API

Hawk authentication in Thinktecture.IdentityModel can be hooked into your ASP.NET Web API through the message handler (HawkAuthenticationHandler) or the OWIN middleware (HawkAuthenticationMiddleware). The sample here is based on a self-hosted web API (WCF channel stack) using the message handler and another self-hosted web API (OWIN host adapter) using the OWIN middleware. It is also possible to use the OWIN middleware to enable Hawk authentication for an ASP.NET Web API hosted in IIS. Of course, you can use the message handler, which is the simplest option, but we will see how the message handler measures up to the OWIN middleware when hosting in IIS.

Thinktecture.IdentityModel.Hawk NuGet Package

With Thinktecture.IdentityModel V.Next out, the Hawk authentication implementation in Thinktecture IdentityModel gets its own NuGet package. It is currently in pre-release, and here is the NuGet Gallery link. The OWIN middleware code that was part of the samples has now moved into Thinktecture.IdentityModel and is part of this NuGet package.

Let's now see how we can create a simple web API (ValuesController, of course) and OWIN-host it with Hawk authentication plugged in using the OWIN middleware that is part of this NuGet package.

Hawk Authentication for ASP.NET Web API using Thinktecture.IdentityModel.45 – Replay protection

Hawk authentication is designed to work without transport security. When TLS is used, replay protection is not much of an issue, but it is interesting to see how replays are handled in Hawk.

Similar to Hawk, HTTP digest authentication is also designed to work without TLS. Digest authentication uses a server-generated nonce and a nonce counter to defend against replays. How the server generates the nonce is left to the implementation. A server can store the nonce, look the received nonce up in that store to see whether it is one the server generated, take the corresponding timestamp (if stored together), and determine whether the nonce is fresh. If the nonce is stale, a new nonce is generated and sent back with a 401.

OWIN Authentication Middleware for Hawk in Thinktecture.IdentityModel.45

This is a continuation of my previous post, Basic Authentication with ASP.NET Web API Using OWIN Middleware, where I implemented HTTP basic authentication in a custom OWIN middleware class, AuthenticationMiddleware, that derives from the OwinMiddleware class. However, when it comes to implementing authentication in an OWIN middleware, the recommended approach is to use the authentication micro-framework that Katana provides and derive from the out-of-the-box middleware class AuthenticationMiddleware<T>. Of course, this special authentication middleware also derives from OwinMiddleware, like so.

Hawk Authentication for ASP.NET Web API using Thinktecture.IdentityModel.45 – Response Payload Verification

This is a continuation of my earlier post on implementing Hawk authentication for ASP.NET Web API using Thinktecture.IdentityModel.45.

One of the primary design goals of the Hawk scheme is to "simplify and improve HTTP authentication for services that are unwilling or unable to deploy TLS for all resources". It is highly recommended to use TLS (HTTPS) even with Hawk, but the design goal of Hawk is to ensure the scheme works in the absence of HTTPS as well. I covered the basics of Hawk and how the request payload can be protected by Hawk. In the absence of TLS, a man-in-the-middle (MITM) can tamper with the web API response even if the request is protected. One of the key aspects of preventing responses from being tampered with is response payload verification, and it works like this.

Hawk Authentication for ASP.NET Web API using Thinktecture.IdentityModel.45

Hawk is a MAC-based HTTP authentication scheme that provides partial cryptographic verification of HTTP messages. Hawk requires a symmetric key to be shared between the client and the server out of band. For more info, see here.

Hawk 101

The client sends an HTTP request, like so.

GET /resource/1?b=1&a=2 HTTP/1.1

The server returns a challenge, like so.

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Hawk
