Reading Katana Cookie Authentication Middleware’s Cookie from FormsAuthenticationModule

I saw a question on Stack Overflow about using the cookie created by FormsAuthenticationModule (FAM) from the Katana Cookie Authentication Middleware (CAM). I thought it was a one-off question. But then, here is one more question, similar, but the other way round: reading the cookie created by CAM from FAM. Though we cannot change FAM's behavior, it is technically possible to write an HTTP module to read the ticket. So, I thought of writing some code to illustrate how to read the CAM cookie.

Using Thinktecture Hawk Katana Authentication Middleware with ASP.NET 5.0 (ASP.NET MVC 6)

In this post, I have covered Katana middleware versus ASP.NET 5.0 middleware. Calling a normal Katana middleware that accepts an AppFunc from the ASP.NET 5.0 pipeline is not that difficult. You can just use the UseOwin extension method on IApplicationBuilder, like so.

app.UseOwin(addToPipeline =>
{
    addToPipeline(next =>
    {
        // next is the AppFunc for the rest of the ASP.NET 5.0 pipeline;
        // the Katana middleware's Invoke becomes the AppFunc handed back to it
        return new MyNormalKatanaMiddleware(next).Invoke;
    });
});
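As an added example (not code from the original post), here is what a "normal" Katana middleware behind that UseOwin call can look like: a class that only knows the OWIN environment dictionary and the next AppFunc, short-circuits the pipeline with a 401 challenge when no Authorization header is present, and otherwise passes the request on. The class name MyNormalKatanaMiddleware is taken from the snippet above; the Microsoft.AspNet.Builder namespace for IApplicationBuilder/UseOwin is an assumption based on the ASP.NET 5 betas and may differ in your build.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNet.Builder;   // assumption: IApplicationBuilder and UseOwin live here in the ASP.NET 5 betas

using AppFunc = System.Func<System.Collections.Generic.IDictionary<string, object>, System.Threading.Tasks.Task>;

// A plain Katana-style middleware: it knows nothing about ASP.NET 5, only the OWIN
// environment dictionary and the next AppFunc in the chain.
public class MyNormalKatanaMiddleware
{
    private readonly AppFunc _next;

    public MyNormalKatanaMiddleware(AppFunc next)
    {
        if (next == null) throw new ArgumentNullException("next");
        _next = next;
    }

    public async Task Invoke(IDictionary<string, object> env)
    {
        // Standard OWIN keys: request headers are an IDictionary<string, string[]>
        var requestHeaders = (IDictionary<string, string[]>)env["owin.RequestHeaders"];

        string[] authorization;
        if (!requestHeaders.TryGetValue("Authorization", out authorization) || authorization.Length == 0)
        {
            // Short-circuit: no credentials, so issue a challenge and never call the rest of the pipeline.
            var responseHeaders = (IDictionary<string, string[]>)env["owin.ResponseHeaders"];
            env["owin.ResponseStatusCode"] = 401;
            responseHeaders["WWW-Authenticate"] = new[] { "Hawk" };
            return;
        }

        // Credentials present: hand off to whatever comes next (Hawk validation, MVC 6, ...)
        await _next(env);
    }
}

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        app.UseOwin(addToPipeline =>
        {
            addToPipeline(next =>
            {
                // next is the AppFunc for the remainder of the ASP.NET 5 pipeline
                return new MyNormalKatanaMiddleware(next).Invoke;
            });
        });
    }
}
```

The point to notice is that the middleware never touches an HttpContext; everything it needs is in the dictionary, which is exactly why a Katana middleware can be dropped into the new pipeline unchanged.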


Thinktecture.IdentityModel.Hawk – Nonce Storage for Replay Protection – Redis Example

Thinktecture.IdentityModel.Hawk now stores nonce values and checks each incoming nonce against them to detect replays. In Hawk authentication, the timestamp (ts) field is the primary protection mechanism against replay attacks. By default, Hawk allows a clock skew of 1 minute, and this value is held in the ClockSkewSeconds property of the Thinktecture.IdentityModel.Hawk.Core.Options class. A request is accepted if its ts lies within plus or minus ClockSkewSeconds of the server clock, so the effective replay window is 2 minutes. If the server and client clocks are reasonably in sync, ClockSkewSeconds can be set to a much lower value, say 10 seconds, which shrinks the window of opportunity for replay to a very small time period; the nonce check is what closes the window that remains.
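The following is an added example, not Thinktecture.IdentityModel.Hawk's own code: it shows how the timestamp window and a nonce store fit together, why a stored nonce must live for 2 * ClockSkewSeconds, and how the same contract maps onto Redis. The INonceStore interface, the class names and the scenario in ReplayDemo are constructed for this example; the Redis variant uses StackExchange.Redis, whose SET with NX and an expiry is a single atomic command.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;

// Hypothetical store contract for this example (not Thinktecture's own interface).
public interface INonceStore
{
    // true if (id, ts, nonce) was not seen before and has now been recorded for ttl.
    Task<bool> TryAddAsync(string id, long ts, string nonce, TimeSpan ttl);
}

public class InMemoryNonceStore : INonceStore
{
    private readonly ConcurrentDictionary<string, DateTimeOffset> _seen =
        new ConcurrentDictionary<string, DateTimeOffset>();

    public Task<bool> TryAddAsync(string id, long ts, string nonce, TimeSpan ttl)
    {
        var now = DateTimeOffset.UtcNow;
        DateTimeOffset ignored;
        foreach (var entry in _seen)               // drop entries whose ts can no longer pass the window check
            if (entry.Value <= now) _seen.TryRemove(entry.Key, out ignored);

        // TryAdd is atomic, so two concurrent copies of the same request cannot both succeed.
        return Task.FromResult(_seen.TryAdd(id + ":" + ts + ":" + nonce, now.Add(ttl)));
    }
}

// Same contract on Redis (StackExchange.Redis): SET key value NX EX ttl is one atomic command,
// so it works unchanged across several server instances sharing the store.
public class RedisNonceStore : INonceStore
{
    private readonly StackExchange.Redis.IDatabase _db;
    public RedisNonceStore(StackExchange.Redis.IDatabase db) { _db = db; }

    public Task<bool> TryAddAsync(string id, long ts, string nonce, TimeSpan ttl)
    {
        return _db.StringSetAsync("hawk:nonce:" + id + ":" + ts + ":" + nonce, "1", ttl,
                                  StackExchange.Redis.When.NotExists);
    }
}

public class ReplayChecker
{
    private readonly INonceStore _store;
    private readonly int _clockSkewSeconds;

    public ReplayChecker(INonceStore store, int clockSkewSeconds)
    {
        _store = store;
        _clockSkewSeconds = clockSkewSeconds;   // Hawk's default is 60
    }

    // true only if the request is both inside the timestamp window and not a replay.
    public Task<bool> IsFreshAsync(string id, long ts, string nonce)
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        if (Math.Abs(now - ts) > _clockSkewSeconds)
            return Task.FromResult(false);        // stale or future-dated: ts alone rejects it

        // A ts accepted now may be up to skew seconds ahead of our clock, so it could still pass
        // the window check for another 2 * skew seconds; the nonce must be remembered that long.
        return _store.TryAddAsync(id, ts, nonce, TimeSpan.FromSeconds(2 * _clockSkewSeconds));
    }
}

public static class ReplayDemo
{
    // Constructed scenario: a genuine request, its replay, the same nonce from another
    // credential id, and a request 30 s old checked against a 10 s skew.
    public static async Task<bool[]> Run()
    {
        var checker = new ReplayChecker(new InMemoryNonceStore(), clockSkewSeconds: 10);
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        return new[]
        {
            await checker.IsFreshAsync("client-1", now, "j4h3g2"),
            await checker.IsFreshAsync("client-1", now, "j4h3g2"),    // identical (id, ts, nonce) triple
            await checker.IsFreshAsync("client-2", now, "j4h3g2"),    // nonces are scoped per credential id
            await checker.IsFreshAsync("client-1", now - 30, "xk9d1")  // outside the window
        };
    }
}
```

Keying the nonce on the credential id as well as ts and nonce matters: two different clients may legitimately pick the same random nonce, and a store keyed on the nonce alone would turn that into a denial of service.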

ASP.NET vNext Middleware for Hawk Authentication – An Experiment

Thinktecture IdentityModel has support for Eran Hammer's Hawk authentication in the form of OWIN middleware. With ASP.NET vNext introducing a new but very similar middleware concept (changes only on the API surface, and OWIN middleware can be used as-is in ASP.NET vNext apps), I took the opportunity to completely rewrite the middleware. As ASP.NET vNext is being actively developed, there could be changes, and this middleware will change to react to those changes. Hence, at this point, this middleware is for review only. Since Linus said "Talk is cheap. Show me the code.", I keep this blog post very short and just link to GitHub. Your feedback is welcome.

Barebones ASP.NET MVC Google Signin through OWIN Middleware

If you use Visual Studio and want to add Google sign-in to your ASP.NET MVC app by using an out-of-the-box template, you get code that uses ASP.NET Identity and three Katana authentication middleware instances: (1) the cookie authentication middleware running in active mode, (2) another instance of the cookie authentication middleware running in passive mode, and (3) the Google authentication middleware. That will be like so.
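As an added example (this is not the template's generated code nor the code from the original post), here is the same three-middleware arrangement written against the Katana packages directly, without ASP.NET Identity, plus the two MVC actions that drive it. The authentication type names "ApplicationCookie" and "ExternalCookie", the controller and action names, and the placeholder client id and secret are assumptions for this example; "Google" is the middleware's default authentication type.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;                           // Request.GetOwinContext() from Microsoft.Owin.Host.SystemWeb
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Google;
using Owin;

public partial class Startup
{
    // Authentication type names used below (the Identity template takes them from DefaultAuthenticationTypes).
    public const string AppCookie = "ApplicationCookie";
    public const string ExternalCookie = "ExternalCookie";

    public void ConfigureAuth(IAppBuilder app)
    {
        // (1) Application cookie, active mode: the cookie is read on every request to build the
        // principal, and an unhandled 401 is turned into a redirect to LoginPath.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = AppCookie,
            AuthenticationMode = AuthenticationMode.Active,
            LoginPath = new PathString("/Account/Login"),
            CookieHttpOnly = true,                       // keep script away from the session cookie
            CookieSecure = CookieSecureOption.Always,    // never send it over plain HTTP
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = true
        });

        // (2) External cookie, passive mode: only holds what Google returned until the app exchanges
        // it for the application cookie; it never redirects and is only read when asked explicitly.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = ExternalCookie,
            AuthenticationMode = AuthenticationMode.Passive,
            CookieName = CookieAuthenticationDefaults.CookiePrefix + ExternalCookie,
            ExpireTimeSpan = TimeSpan.FromMinutes(5),
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always
        });
        // The Google middleware signs in using this type, i.e. into the external cookie.
        app.SetDefaultSignInAsAuthenticationType(ExternalCookie);

        // (3) Google OAuth 2.0 middleware (passive by default). Placeholders, not real credentials.
        app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
        {
            ClientId = "<google-client-id>",
            ClientSecret = "<google-client-secret>",
            CallbackPath = new PathString("/signin-google")
        });
    }
}

public class AccountController : Controller
{
    private IAuthenticationManager Auth { get { return Request.GetOwinContext().Authentication; } }

    public ActionResult Login() { return View(); }

    // Step 1: challenge the Google middleware. It replaces the 401 with a 302 to Google while the
    // response is on its way out, so the active cookie middleware never sees a 401 to act on.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Google()
    {
        Auth.Challenge(new AuthenticationProperties { RedirectUri = Url.Action("GoogleCallback") }, "Google");
        return new HttpUnauthorizedResult();
    }

    // Step 2: Google has called back and the middleware wrote the external cookie; read it once,
    // discard it, and issue the application cookie with the claims we trust.
    public async Task<ActionResult> GoogleCallback()
    {
        var result = await Auth.AuthenticateAsync(Startup.ExternalCookie);
        if (result == null || result.Identity == null || !result.Identity.IsAuthenticated)
            return RedirectToAction("Login");

        Auth.SignOut(Startup.ExternalCookie);
        var appIdentity = new ClaimsIdentity(result.Identity.Claims, Startup.AppCookie);
        Auth.SignIn(new AuthenticationProperties { IsPersistent = false }, appIdentity);
        return RedirectToAction("Index", "Home");
    }
}
```

Two checks worth keeping even in a barebones version: the sign-in POST carries an anti-forgery token so a third party cannot start the flow from another site (login CSRF), and the Google middleware's own state parameter is what ties the callback to the browser that started it, which is why the app should not accept a callback without a result from AuthenticateAsync.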

Basic Authentication with ASP.NET Web API Using Authentication Filter

Authorization filters and action filters have been around for a while in ASP.NET Web API, but Web API 2 introduces a new filter type, the authentication filter. Authentication filters have their own place in the ASP.NET Web API pipeline like the other filters, running before authorization filters. Historically, authorization filters have been used to implement authentication, and there are tons of samples out there with all kinds of authentication implemented in authorization filters. Web API 2 introduces the authentication filter so that authentication (establishing who the caller is) can be separated from authorization (deciding what the caller may do) and put into a filter of its own.
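The following is an added example, not the code from the original post: a Basic authentication filter implementing Web API 2's IAuthenticationFilter. It shows the division of labour the paragraph describes (AuthenticateAsync only establishes the principal or sets an error result; the [Authorize] filter still decides access), parses the credential safely, refuses to evaluate a cleartext password over plain HTTP, and adds the WWW-Authenticate challenge in ChallengeAsync so that any 401, including one produced later by [Authorize], is answered properly. The CredentialValidator delegate and the AddChallengeOnUnauthorizedResult class are constructed for this example.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Usage: config.Filters.Add(new BasicAuthenticationFilterAttribute()) or [BasicAuthenticationFilter] on a
// controller, together with [Authorize] so that an anonymous principal is still rejected.
public class BasicAuthenticationFilterAttribute : Attribute, IAuthenticationFilter
{
    private const string Scheme = "Basic";
    private const string Realm = "api";

    // Hypothetical credential check; wire it to your user store (compare password hashes, not plaintext).
    public static Func<string, string, bool> CredentialValidator = (user, password) => false;

    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        var request = context.Request;
        var header = request.Headers.Authorization;

        // 1. No header, or not our scheme: do nothing. Another filter may authenticate,
        //    and [Authorize] rejects the request if nobody does.
        if (header == null || !Scheme.Equals(header.Scheme, StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(0);

        // 2. Basic carries the password in the clear; refuse to evaluate it over plain HTTP.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            context.ErrorResult = new UnauthorizedResult(new AuthenticationHeaderValue[0], request);
            return Task.FromResult(0);
        }

        // 3. Malformed or wrong credentials: 401 now (ErrorResult short-circuits the pipeline).
        string userName, password;
        if (!TryParseCredentials(header.Parameter, out userName, out password)
            || !CredentialValidator(userName, password))
        {
            context.ErrorResult = new UnauthorizedResult(new[] { Challenge() }, request);
            return Task.FromResult(0);
        }

        // 4. Success: set the principal; authorization filters run afterwards and see it.
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, userName) }, Scheme);
        context.Principal = new ClaimsPrincipal(identity);
        return Task.FromResult(0);
    }

    // Runs on the way out: make sure any 401 (e.g. from [Authorize]) carries a Basic challenge.
    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        context.Result = new AddChallengeOnUnauthorizedResult(context.Result, Challenge());
        return Task.FromResult(0);
    }

    private static AuthenticationHeaderValue Challenge()
    {
        return new AuthenticationHeaderValue(Scheme, "realm=\"" + Realm + "\"");
    }

    // Decodes base64("user-id:password"). Splits on the first colon only, because the password may
    // contain colons; rejects invalid base64 and invalid UTF-8 instead of guessing.
    public static bool TryParseCredentials(string parameter, out string userName, out string password)
    {
        userName = password = null;
        byte[] raw;
        try { raw = Convert.FromBase64String(parameter ?? string.Empty); }
        catch (FormatException) { return false; }

        string decoded;
        try { decoded = new UTF8Encoding(false, true).GetString(raw); }
        catch (DecoderFallbackException) { return false; }

        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;              // empty user-id or no separator
        userName = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }
}

public class AddChallengeOnUnauthorizedResult : IHttpActionResult
{
    private readonly IHttpActionResult _inner;
    private readonly AuthenticationHeaderValue _challenge;

    public AddChallengeOnUnauthorizedResult(IHttpActionResult inner, AuthenticationHeaderValue challenge)
    {
        _inner = inner;
        _challenge = challenge;
    }

    public async Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
    {
        var response = await _inner.ExecuteAsync(cancellationToken);
        if (response.StatusCode == HttpStatusCode.Unauthorized
            && !response.Headers.WwwAuthenticate.Any(h => h.Scheme == _challenge.Scheme))
            response.Headers.WwwAuthenticate.Add(_challenge);
        return response;
    }
}
```

Note that the filter returns without doing anything when the header is absent; it is [Authorize], not the authentication filter, that turns "nobody authenticated" into a 401. Keeping that decision out of AuthenticateAsync is what lets several authentication filters (Basic, a token scheme, and so on) coexist on the same controller.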