Basic Authentication with ASP.NET Web API Using Authentication Filter

Authorization filters and action filters have been around for a while in ASP.NET Web API, but Web API 2 introduces a new filter type: the authentication filter. Authentication filters have their own place in the ASP.NET Web API pipeline, like the other filters. Historically, authorization filters have been used to implement authentication, and there are tons of samples out there with all kinds of authentication implemented in authorization filters. Web API 2 introduces the authentication filter so that authentication concerns can be separated from the authorization filter and put into an authentication filter.

Hawk Authentication for ASP.NET Web API using Thinktecture.IdentityModel.45 – Replay protection

Hawk authentication is designed to work without transport security. When TLS is used, replay protection is not much of an issue, but it is still interesting to see how replays are handled in Hawk.

Similar to Hawk, HTTP digest authentication is also designed to work without TLS. Digest authentication uses a server-generated nonce and a nonce counter to defend against replays. How the server generates the nonce is left to the implementation. A server can store the nonce, look it up in that store to see if the nonce it received is one it generated, take the corresponding timestamp (if stored together) and determine whether the nonce is fresh. If the nonce is stale, a new nonce is generated and sent back with a 401.
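A server-side nonce store of the kind the paragraph describes, as an added example (not code from the post or from Thinktecture.IdentityModel.45): nonces are random and remembered with their issue time, and a request is rejected when its nonce is unknown, stale, or its nonce count does not move strictly forward. The two-minute lifetime is an assumed value.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
// Added example, not code from the post: a server-side nonce store of the kind the paragraph
// describes. The lifetime is an assumed value; nc is the digest client's nonce counter.
public class NonceStore
{
    private class Entry { public DateTime IssuedUtc; public long LastCount; }
    private readonly ConcurrentDictionary<string, Entry> _store = new ConcurrentDictionary<string, Entry>();
    private readonly RandomNumberGenerator _rng = RandomNumberGenerator.Create();
    private readonly TimeSpan _lifetime;
    public NonceStore(TimeSpan lifetime) { _lifetime = lifetime; }
    // Issue a random, opaque nonce and remember when it was generated.
    public string Generate(DateTime nowUtc)
    {
        var bytes = new byte[16];
        _rng.GetBytes(bytes);
        string nonce = Convert.ToBase64String(bytes);
        _store[nonce] = new Entry { IssuedUtc = nowUtc, LastCount = 0 };
        return nonce;
    }
    // True only for a nonce we issued that is still fresh and whose nc moves strictly forward.
    // On false the caller answers 401 with a nonce from Generate(); a stale nonce is forgotten.
    public bool Validate(string nonce, long nc, DateTime nowUtc)
    {
        Entry entry;
        if (!_store.TryGetValue(nonce, out entry)) return false;   // not generated by this server
        if (nowUtc - entry.IssuedUtc > _lifetime)
        {
            _store.TryRemove(nonce, out entry);
            return false;                                           // stale: client must re-challenge
        }
        lock (entry)                                                // serialize counter updates per nonce
        {
            if (nc <= entry.LastCount) return false;                // replayed or out-of-order request
            entry.LastCount = nc;
            return true;
        }
    }
    public static void Main()
    {
        var store = new NonceStore(TimeSpan.FromMinutes(2));
        DateTime t0 = new DateTime(2013, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        string nonce = store.Generate(t0);
        Console.WriteLine(store.Validate(nonce, 1, t0));                 // first use of nc=1
        Console.WriteLine(store.Validate(nonce, 1, t0.AddSeconds(5)));   // nc=1 presented again
        Console.WriteLine(store.Validate(nonce, 2, t0.AddSeconds(5)));   // counter advanced to 2
        Console.WriteLine(store.Validate(nonce, 3, t0.AddMinutes(3)));   // three minutes later
        Console.WriteLine(store.Validate("forged", 1, t0));              // nonce we never issued
    }
}
```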

OWIN Authentication Middleware for Hawk in Thinktecture.IdentityModel.45

This is a continuation of my previous post Basic Authentication with ASP.NET Web API Using OWIN Middleware, where I implemented HTTP basic authentication in a custom OWIN middleware class AuthenticationMiddleware that derives from the OwinMiddleware class. However, when it comes to implementing authentication in an OWIN middleware, the recommended approach is to use the authentication micro-framework that Katana has and derive from the out-of-the-box middleware class AuthenticationMiddleware<T>. Of course, this special authentication middleware also derives from OwinMiddleware, like so.

Basic Authentication with ASP.NET Web API Using OWIN Middleware

One of the decisions to be made while implementing authentication for ASP.NET Web API is where to implement the authentication logic: message handler, authorization filter or HTTP module. An authorization filter is a bad choice for the obvious reason that it is for authorization, not authentication. For message handler versus HTTP module, a good read is the ASP.NET site itself. A rule of thumb is to use an HTTP module if Web API is going to be exclusively web-hosted and to use a message handler otherwise. One of the greatest advantages of a message handler is that it is host-agnostic, but the downside is that the principal set in the message handler reverts to the previous principal when the response leaves the Web API pipeline. IIS logs, for example, will know nothing about the principal you set in the message handler. An HTTP module locks you into IIS, but it has its own advantages, a notable one being that IIS/ASP.NET does recognize the principal set from the HTTP module. For host-agnostic reasons, in the book I have written, Pro ASP.NET Web API Security, I have extensively used message handlers.

Hawk Authentication for ASP.NET Web API using Thinktecture.IdentityModel.45 – Response Payload Verification

This is a continuation of my earlier post on implementing Hawk authentication for ASP.NET Web API using Thinktecture.IdentityModel.45.

One of the primary design goals of the Hawk scheme is to “simplify and improve HTTP authentication for services that are unwilling or unable to deploy TLS for all resources”. It is highly recommended to use TLS (HTTPS) even with Hawk, but the design goal of Hawk is to ensure that the scheme works in the absence of HTTPS as well. I covered the basics of Hawk and how the request payload can be protected by Hawk. In the absence of TLS, a man-in-the-middle (MITM) can tamper with the web API response even if the request is protected. One of the key aspects of preventing responses from being tampered with is response payload verification, and it works like this.

Hawk Authentication for ASP.NET Web API using Thinktecture.IdentityModel.45

Hawk is a MAC-based HTTP authentication scheme that provides partial cryptographic verification of HTTP messages. Hawk requires a symmetric key to be shared between the client and the server out-of-band. For more info, see here.

Hawk 101

The client sends an HTTP request, like so.

GET /resource/1?b=1&a=2 HTTP/1.1
Host: example.com:8000

The server returns a challenge, like so.

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Hawk

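The rest of the exchange above, and the response payload verification described in the earlier Hawk post on this page, as an added example that is not code from the posts or from Thinktecture.IdentityModel.45: the client answers the 401 challenge for GET /resource/1?b=1&a=2 on example.com:8000 with a MAC over the normalized request, the server signs its response body, and the client recomputes the payload hash over the body it actually received. The normalized-string layout follows the Hawk 1.0 specification; the shared key, credential id, ts and nonce are constructed values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example, not code from the post or from Thinktecture.IdentityModel.45. The normalized
// string layout follows the Hawk 1.0 specification; key, id, ts and nonce are constructed values.
public static class HawkDemo
{
    // "header" normalizes a request for signing, "response" normalizes the server's reply.
    public static string Normalize(string type, string ts, string nonce, string method,
        string resource, string host, int port, string hash, string ext)
    {
        return "hawk.1." + type + "\n" + ts + "\n" + nonce + "\n" + method.ToUpperInvariant() + "\n"
             + resource + "\n" + host.ToLowerInvariant() + "\n" + port + "\n" + hash + "\n" + ext + "\n";
    }
    // Payload hash binds content type and body into the MAC.
    public static string PayloadHash(string contentType, string body)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(
                "hawk.1.payload\n" + contentType.ToLowerInvariant() + "\n" + body + "\n")));
    }
    public static string Mac(byte[] key, string normalized)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(normalized)));
    }
    // Compare MACs without leaking the position of the first mismatch.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false; int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("sample-shared-secret"); // constructed; shared out-of-band
        string ts = "1353832234", nonce = "j4h3g2", host = "example.com", res = "/resource/1?b=1&a=2";
        // Client answers the 401 challenge for GET /resource/1?b=1&a=2 on example.com:8000.
        string reqMac = Mac(key, Normalize("header", ts, nonce, "GET", res, host, 8000, "", ""));
        Console.WriteLine("Authorization: Hawk id=\"dh37fgj492je\", ts=\"" + ts + "\", nonce=\"" + nonce + "\", mac=\"" + reqMac + "\"");
        // Server signs its JSON body under the same ts/nonce and returns mac and hash in Server-Authorization.
        string hash = PayloadHash("application/json", "{\"id\":1}");
        string srvMac = Mac(key, Normalize("response", ts, nonce, "GET", res, host, 8000, hash, ""));
        // Client recomputes the hash over the body it actually received; a body altered in transit
        // ({"id":2}) hashes differently, so the server's MAC no longer verifies.
        string bad = PayloadHash("application/json", "{\"id\":2}");
        string recomputed = Mac(key, Normalize("response", ts, nonce, "GET", res, host, 8000, bad, ""));
        Console.WriteLine("tampered response verifies: " + FixedTimeEquals(Convert.FromBase64String(srvMac), Convert.FromBase64String(recomputed)));
    }
}
```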

Pro ASP.NET Web API Security

Happy to announce that the book I have written for Apress, “Pro ASP.NET Web API Security”, is published and available on Amazon.

My heartfelt thanks to Dominick Baier of thinktecture for all his help and guidance, including taking time from his busy schedule to write the foreword for this book. Thanks to Ewan Buckingham, lead editor, and Mark Powers, coordinating editor, from Apress for all the help in getting this book published. Special thanks to Barbara McGuire, our developmental editor.
