c# - JWT and Web API (JwtAuthForWebAPI?) - Looking For An Example -

-

i've got web api project fronted angular, , want secure using jwt token. i've got user/pass validation happening, think need implement jwt part.

i believe i've settled on jwtauthforwebapi example using great.

i assume method not decorated [authorize] behave does, , method decorated [authorize] 401 if token passed client doesn't match.

what can't yet figure out how send token client upon initial authentication.

i'm trying use magic string begin, have code:

registerroutes(globalconfiguration.configuration.routes); var builder = new securitytokenbuilder(); var jwthandler = new jwtauthenticationmessagehandler {     allowedaudience = "http://xxxx.com",     issuer = "corp",     signingtoken = builder.createfromkey(convert.tobase64string(new byte[]{4,2,2,6})) };  globalconfiguration.configuration.messagehandlers.add(jwthandler);

but i'm not sure how gets client initially. think understand how handle on client, bonus points if can show angular side of interaction.

i ended-up having take information several different places create solution works me (in reality, beginnings of production viable solution - works!)

i got rid of jwtauthforwebapi (though did borrow 1 piece allow requests no authorization header flow through webapi controller methods not guarded [authorize]).

instead i'm using microsoft's jwt library (json web token handler microsoft .net framework - nuget).

in authentication method, after doing actual authentication, create string version of token , pass along authenticated name (the same username passed me, in case) , role which, in reality, derived during authentication.

here's method:

[httppost] public loginresult postsignin([frombody] credentials credentials) {     var auth = new loginresult() { authenticated = false };      if (trylogon(credentials.username, credentials.password))     {         var tokendescriptor = new securitytokendescriptor         {             subject = new claimsidentity(new[]             {                 new claim(claimtypes.name, credentials.username),                  new claim(claimtypes.role, "admin")             }),              appliestoaddress = configurationmanager.appsettings["jwtallowedaudience"],             tokenissuername = configurationmanager.appsettings["jwtvalidissuer"],             signingcredentials = new signingcredentials(new                  inmemorysymmetricsecuritykey(jwttokenvalidationhandler.symmetrickey),                 "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",                 "http://www.w3.org/2001/04/xmlenc#sha256")             };              var tokenhandler = new jwtsecuritytokenhandler();             var token = tokenhandler.createtoken(tokendescriptor);             var tokenstring = tokenhandler.writetoken(token);              auth.token = tokenstring;             auth.authenticated = true;         }      return auth; }

update

there question handling token on subsequent requests. did create delegatinghandler try , read/decode token, create principal , set thread.currentprincipal , httpcontext.current.user (you need set both). finally, decorate controller methods appropriate access restrictions.

here's meat of delegatinghandler:

private static bool tryretrievetoken(httprequestmessage request, out string token) {     token = null;     ienumerable<string> authzheaders;     if (!request.headers.trygetvalues("authorization", out authzheaders) || authzheaders.count() > 1)     {         return false;     }     var bearertoken = authzheaders.elementat(0);     token = bearertoken.startswith("bearer ") ? bearertoken.substring(7) : bearertoken;     return true; }   protected override task<httpresponsemessage> sendasync(httprequestmessage request, cancellationtoken cancellationtoken) {     httpstatuscode statuscode;     string token;      var authheader = request.headers.authorization;     if (authheader == null)     {         // missing authorization header         return base.sendasync(request, cancellationtoken);     }      if (!tryretrievetoken(request, out token))     {         statuscode = httpstatuscode.unauthorized;         return task<httpresponsemessage>.factory.startnew(() => new httpresponsemessage(statuscode));     }      try     {         jwtsecuritytokenhandler tokenhandler = new jwtsecuritytokenhandler();         tokenvalidationparameters validationparameters =             new tokenvalidationparameters()             {                 allowedaudience = configurationmanager.appsettings["jwtallowedaudience"],                 validissuer = configurationmanager.appsettings["jwtvalidissuer"],                 signingtoken = new binarysecretsecuritytoken(symmetrickey)             };          iprincipal principal = tokenhandler.validatetoken(token, validationparameters);         thread.currentprincipal = principal;         httpcontext.current.user = principal;          return base.sendasync(request, cancellationtoken);     }     catch (securitytokenvalidationexception e)     {         statuscode = httpstatuscode.unauthorized;     }     catch (exception)     {         statuscode = httpstatuscode.internalservererror;     }      return task<httpresponsemessage>.factory.startnew(() => new httpresponsemessage(statuscode)); }

don't forget add messagehandlers pipeline:

public static void start() {     globalconfiguration.configuration.messagehandlers.add(new jwttokenvalidationhandler()); }

finally, decorate controller methods:

[authorize(roles = "onerolehere")] [get("/api/admin/settings/product/allorgs")] [httpget] public list<org> getallorganizations() {     return queryabledependencies.getmergedorganizations().tolist(); }  [authorize(roles = "adifferentrolehere")] [get("/api/admin/settings/product/allorgswithapproval")] [httpget] public list<approvableorg> getallorganizationswithapproval() {     return queryabledependencies.getmergedorganizationswithapproval().tolist(); }

Comments

Post a Comment

Popular posts from this blog

java - WrongTypeOfReturnValue exception thrown when unit testing using mockito -

-
my test list<person> mylist; @test public void testisvalidperson() { mylist = new arraylist<person>(); mylist.add(new person("tom")); when(persondao.get(person)).thenreturn(mylist); when((persondao.get(person)).isempty()).thenreturn(false);//------exception thrown boolean result = service.isvalid("tom"); assertfalse(result); } method tested: public boolean isvalid(string person){ persondao = new persondao(); person personobj = new person(person); return (persondao.get(person).isempty())?false : true; } exception thrown: org.mockito.exceptions.misusing.wrongtypeofreturnvalue: boolean cannot returned get() get() should return list *** if you're unsure why you're getting above error read on. due nature of syntax above problem might occur because: 1. exception *might* occur in wrongly written multi-threaded tests. please refer mockito faq on limitations of concurrency testing. 2. sp
Read more

php - Magento - Deleted Base url key -

-
i working on cleaning url: http://mydomain.com/shop/shop/deals i going through settings in configuration tab in admin panel on magento , change secure , unsecure base urls remove first base url "shop" web page read: http://mydomain.com/shop/deals so changed unsecure base urls mydomain.com/shop mydomain.com , secure 12.345.67.89/shop 12.345.67.89. wrong thing do. i cannot reload page or admin console. how access these files through ftp , change correctly there?? when make changes in admin panel changes made in database not in file. have make changes in database. 1.go database , select core_config_data table under table find web/unsecure/base_url , web/secure/base_url . make changes here. don't forget clear cache in var/cache folder
Read more

android - How to disable Button if EditText is empty ? -

-
i have edittext , button in application. when button clicked,the text entered in edittext added listview. i want disable button if edittext empty.how ? this code button click imagebutton imb=(imagebutton)findviewbyid(r.id.btn_send); imb.setonclicklistener(new onclicklistener() { @override public void onclick(view arg0) { edittext et = (edittext)findviewbyid(r.id.edittext1); string str = et.gettext().tostring(); web1.add(str); toast.maketext(shoutsingleprogram.this, "you entered...."+str, toast.length_short).show(); adapter1.notifydatasetchanged(); et.settext(""); } }); } how can ? edittext1.addtextchangedlistener(new textwatcher() { @override public void ontextchanged(charsequence s, int start, int before, in
Read more