Get identity claims from bearer token (Web API)

asp.netasp.net-web-apibearer-tokenclaims-based-identity

I have two Web APIs with a shared machine.key. I would like to pass the bearer token generated by the first Web API to the second Web API as a parameter (i.e. token=xxxxxxxx) and extract the identity claims (i.e userId) from it.

Is this possible? I've looked all over but there doesn't seem to be much information on parsing a text bearer token to extract claims.

Thanks.

Best Answer

If you're using OWIN, you could implement your own OAuthBearerAuthenticationProvider, which takes the token from the query string and sets it to the context:

internal class MyAuthProvider : OAuthBearerAuthenticationProvider
{
    public override Task RequestToken(OAuthRequestTokenContext context)
        if (context.Token == null)
        {
            var value = context.Request.Query.Get("token");
            if (!string.IsNullOrEmpty(value))
            {
                context.Token = value;
            }
        }

        return Task.FromResult<object>(null);
    }
}

You could use it in your Startup.cs like this:

public void Configuration(IAppBuilder app)
{
    // All the other stuff here

    var audience = "";
    var secret = "...";

    app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
    {
        Provider = new MyAuthProvider(),
        AuthenticationMode = AuthenticationMode.Active,
        AllowedAudiences = new [] { audience },
        IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
        {
            new SymmetricKeyIssuerSecurityTokenProvider("MyApp", TextEncodings.Base64Url.Decode(key))
        }
    });

    // All the other stuff here
}

When you've implemented your auth like this, you can access the token information in your WebApi controller via the User.Identity property. To read custom claims, you can cast it to ClaimsIdentity.

var identity = User.Identity as ClaimsIdentity;
var myClaim = identity.Claims.FirstOrDefault(c => c.Type == "myClaimKey");

Note: Read the comments of this answer, it can produce a XSS Vulnerability if you are using the default error handing of WebAPI

I just add the following in App_Start / WebApiConfig.cs class in my MVC Web API project.

config.Formatters.JsonFormatter.SupportedMediaTypes
    .Add(new MediaTypeHeaderValue("text/html") );

That makes sure you get JSON on most queries, but you can get XML when you send text/xml.

If you need to have the response Content-Type as application/json please check Todd's answer below.

NameSpace is using System.Net.Http.Headers.

C# – Decrypt Bearer Token in Web API

I assume that in Startup.cs you have a code similar to this:

var oAuthOpt = new OAuthBearerAuthenticationOptions
{
    Provider = new OAuthTokenProvider(
        req => req.Query.Get("bearer_token"),
        req => req.Query.Get("access_token"),
        req => req.Query.Get("refresh_token"),
        req => req.Query.Get("token"),
        req => req.Headers.Get("X-Token"))
};

app.UseOAuthBearerAuthentication(OAuthOpt);

app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
{
    AllowInsecureHttp = true,
    TokenEndpointPath = new PathString(settings.TokenEndpointBasePath),
    AccessTokenExpireTimeSpan = Util.AccessTokenExpireTimeSpan,
    Provider = new AuthorizationServerProvider(new AuthenticationService()),
});

What you have to do is to replace oAuthOpt with a public static field in Startup.cs and than use it when you need to unprotect your bearer tokens.

For SignalR i'm creating an Authorization attribute where i take that oAuthOpt and use it decode tokens.

This is how I do it:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = false, AllowMultiple = false)]
public sealed class AuthorizeHubAttribute : AuthorizeAttribute
{
    public override bool AuthorizeHubConnection (HubDescriptor hubDescriptor, IRequest request)
    {
        var token = request.QueryString["Authorization"];
        var ticket = Startup.OAuthOpt.AccessTokenFormat.Unprotect(token);
        if ( ticket != null && ticket.Identity != null && ticket.Identity.IsAuthenticated )
        {
            request.Environment["server.User"] = new ClaimsPrincipal(ticket.Identity);
            return true;
        }
        else
            return false;
    }

    public override bool AuthorizeHubMethodInvocation (IHubIncomingInvokerContext hubIncomingInvokerContext, bool appliesToMethod)
    {
        var connectionId = hubIncomingInvokerContext.Hub.Context.ConnectionId;
        var environment = hubIncomingInvokerContext.Hub.Context.Request.Environment;
        var principal = environment["server.User"] as ClaimsPrincipal;
        if ( principal != null && principal.Identity != null && principal.Identity.IsAuthenticated )
        {
            hubIncomingInvokerContext.Hub.Context = new HubCallerContext(new Microsoft.AspNet.SignalR.Owin.ServerRequest(environment), connectionId);
            return true;
        }
        else
            return false;
    }
}

var ticket = Startup.OAuthOpt.AccessTokenFormat.Unprotect(token);

That line is the connection with Startup.cs

Best Answer

Related Solutions

Json – How to get ASP.NET Web API to return JSON instead of XML using Chrome

Note: Read the comments of this answer, it can produce a XSS Vulnerability if you are using the default error handing of WebAPI

C# – Decrypt Bearer Token in Web API

Related Topic