Using Thinktecture Hawk Katana Authentication Middleware with ASP.NET 5.0 (ASP.NET MVC 6)

In this post, I have covered Katana middleware versus ASP.NET 5.0 middleware. Calling a normal Katana middleware that accepts an AppFunc from the ASP.NET 5.0 pipeline is not that difficult. You can just use the UseOwin extension method on IApplicationBuilder, like so:

// next is the OWIN AppFunc for the remainder of the pipeline; MyNormalKatanaMiddleware
// stands for any Katana-style middleware with an Invoke(IDictionary<string, object>) method.
app.UseOwin(addToPipeline =>
{
    addToPipeline(next =>
    {
        return new MyNormalKatanaMiddleware(next).Invoke;
    });
});


Thinktecture.IdentityModel.Hawk – Nonce Storage for Replay Protection – Redis Example

Thinktecture.IdentityModel.Hawk now stores nonce values and validates the incoming nonce to detect replays. In Hawk authentication, the timestamp (ts) field is the fundamental protection mechanism against replay attacks. By default, Hawk uses a time window of 1 minute, and this value is stored in the ClockSkewSeconds property of the Thinktecture.IdentityModel.Hawk.Core.Options class. This basically means the replay window is 2 minutes (accounting for +1 and -1 minute). If the server and client clocks are reasonably in sync, ClockSkewSeconds can be set to a much lower value, say 10 seconds, which brings the window of opportunity for replay down to a very small time period.
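The timestamp window plus nonce check described above, as an added example that is not Thinktecture.IdentityModel.Hawk's own code: an in-memory dictionary stands in for Redis, and the id and nonce values are constructed for the demo.

```csharp
using System;
using System.Collections.Concurrent;

// Added example, not Thinktecture.IdentityModel.Hawk's own code: the replay check
// described above, with an in-memory dictionary standing in for Redis.
public sealed class HawkReplayGuard
{
    private readonly int clockSkewSeconds;
    private readonly Func<DateTimeOffset> now;
    // "id:ts:nonce" -> time after which the entry can be dropped.
    private readonly ConcurrentDictionary<string, DateTimeOffset> seen = new();

    public HawkReplayGuard(int clockSkewSeconds, Func<DateTimeOffset> now)
    {
        this.clockSkewSeconds = clockSkewSeconds;
        this.now = now;
    }

    // True only if ts is within +/- clockSkewSeconds of server time (the
    // 2 minute window for the 60 second default) and (id, ts, nonce) is unseen.
    public bool Accept(string id, long ts, string nonce)
    {
        var serverNow = now();
        if (Math.Abs(serverNow.ToUnixTimeSeconds() - ts) > clockSkewSeconds)
            return false;
        Evict(serverNow);
        // A repeat with the same ts passes the timestamp check until ts + skew,
        // so the nonce entry must live at least that long (Redis: SET ... EX).
        var expiry = DateTimeOffset.FromUnixTimeSeconds(ts).AddSeconds(clockSkewSeconds);
        return seen.TryAdd($"{id}:{ts}:{nonce}", expiry); // TryAdd fails on a replay
    }

    private void Evict(DateTimeOffset serverNow)
    {
        foreach (var kv in seen)
            if (kv.Value < serverNow)
                seen.TryRemove(kv.Key, out _);
    }

    public static void Main()
    {
        var clock = DateTimeOffset.UtcNow; // pinned clock so the demo is deterministic
        var guard = new HawkReplayGuard(60, () => clock);
        long ts = clock.ToUnixTimeSeconds();
        Console.WriteLine(guard.Accept("demo-id", ts, "n1"));       // constructed id/nonce
        Console.WriteLine(guard.Accept("demo-id", ts, "n1"));       // same triple again
        Console.WriteLine(guard.Accept("demo-id", ts - 120, "n2")); // ts outside the window
    }
}
```

With a shared store such as Redis, the entry's expiry becomes the key's TTL so that every server instance behind a load balancer sees the same nonces.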

Tracing Thinktecture.IdentityModel.Hawk through Event Tracing for Windows (ETW)

Thinktecture.IdentityModel.Hawk version 2.1.0 now uses the ETW infrastructure to raise events. One of the challenges with Hawk authentication is that it uses different parts of the message to compute the MAC, and when authentication fails, it is generally difficult to figure out what went wrong. Both client and server must use exactly the same values in the MAC computation for the MAC computed by the server to match the MAC computed by the client. If there is even a slight mismatch, such as an additional space or a difference in capitalization, authentication fails and a 401 is the end result. A secure system does not give out much in terms of what went wrong, but then, for a developer, it is a real problem to figure out what is wrong. To help solve this problem, tt.idm Hawk now raises ETW events.

ASP.NET vNext Middleware for Hawk Authentication – An Experiment

Thinktecture Identity model has support for Eran Hammer’s Hawk authentication in the form of OWIN middleware. With ASP.NET vNext introducing a new but very similar middleware concept (changes only on the API surface; OWIN middleware can be used as-is in ASP.NET vNext apps), I took the opportunity to completely rewrite the middleware. As ASP.NET vNext is being actively developed, there could be changes, and this middleware will change to react to those changes. Hence, at this point, this middleware is for review only. Since Linus said “Talk is cheap. Show me the code.”, I’ll keep this blog post very short and just link to GitHub. Your feedback is welcome.

A Simple ASP.NET vNext MVC Application without Visual Studio 2014 Part 1

There are already posts out there explaining how to set up ASP.NET vNext. The first and foremost source, ASP.NET vNext Home on GitHub, has all the steps clearly documented. Then, there are a ton of videos and good stuff out there. The objective of this post is to show the steps involved in setting up ASP.NET vNext and creating a “complete” MVC application (remember, MVC in vNext means MVC + Web API). Of course, we will not need to install VS 2014, but I don’t think it will be practical to do any serious development without VS. But then, just to get a taste of what vNext is, it is okay. Here are the steps (Windows only).
