Provides an AuthenticationHandler
which supports HMAC authentication in an ASP.NET Core project.
Usage:
-
Register an implementation of
IHmacAuthorizationProvider
inStartup.cs
. Either use the built-inMemoryHmacAuthenticationProvider
for in-memory HMAC app configuration or implement your ownIHmacAuthorizationProvider
to provide HMAC apps.services.AddTransient<IHmacAuthorizationProvider>(_ => new MemoryHmacAuthenticationProvider(hmacAuthenticatedApps));
-
When using the built-in
MemoryHmacAuthenticationProvider
, get your HMAC authenticated clients, for example from theappsettings.json
file. For HMAC authentication, anAppId
and anApiKey
is required for each client which should get access.{ "Authentication": { "HmacAuthenticatedApps": [ { "AppId": "<some-app-id>", "ApiKey": "<some-api-key>" } ] } }
var hmacAuthenticatedApps = this.Configuration .GetSection("Authentication") .GetSection("HmacAuthenticatedApps") .Get<HmacAuthenticationClientConfiguration[]>() .ToDictionary(e => e.AppId, e => e.ApiKey);
-
Enable HMAC authentication in
Startup.cs
in theConfigureServices
method. The.AddHmacAuthentication(...)
method will use the configuredIHmacAuthorizationProvider
for resolving HMAC apps:services .AddAuthentication(o => { o.DefaultScheme = HmacAuthenticationDefaults.AuthenticationScheme; }) .AddHmacAuthentication(HmacAuthenticationDefaults.AuthenticationScheme, "HMAC Authentication", options => { });
-
Add
MemoryCache
(from Microsoft.Extensions.Caching.Memory) inStartup.cs
in theConfigureServices
method. TheMemoryCache
is used by the HMACAuthenticationHandler
to determine replay attacks.services.AddMemoryCache();
-
Enable authentication in
Startup.cs
in theConfigure
method:app.UseAuthentication();
-
Optional: Specify HMAC as the authentication scheme for certain controllers:
[Authorize(AuthenticationSchemes = HmacAuthenticationDefaults.AuthenticationScheme)] [Route("api/[controller]")] public class HomeController : Controller { // ... }
Provides a DelegatingHandler
for adding an HMAC authorization header to HTTP requests.
Instantiate your HttpClient
instance with the ApiKeyDelegatingHandler
.
Make sure, that you don't create new HttpClient
instances for every request (see also this blog post for details):
new HttpClient(new ApiKeyDelegatingHandler(appId, apiKey));
Or in case your WebAPI client is another ASP.NET WebAPI (>= ASP.NET Core 2.1), register your HttpClient
in the Startup.cs
for example as follows:
services.AddTransient(sp => new ApiKeyDelegatingHandler(appId, apiKey));
services
.AddHttpClient("HmacHttpClient")
.AddHttpMessageHandler<ApiKeyDelegatingHandler>();
To generate an API Key, the following simple Console Application can be used. This implementation is also provided on .NET Fiddle.
using System.Security.Cryptography;
public class Program
{
public static void Main()
{
Console.WriteLine($"AppID: {Guid.NewGuid()} or <some-speaking-name>");
Console.WriteLine($"ApiKey: {GenerateApiKey()}");
}
private static string GenerateApiKey()
{
using (var cryptoProvider = new RNGCryptoServiceProvider())
{
byte[] secretKeyByteArray = new byte[32]; //256 bit
cryptoProvider.GetBytes(secretKeyByteArray);
return Convert.ToBase64String(secretKeyByteArray);
}
}
}
Provides an AuthenticationHandler
which supports Basic authentication in an ASP.NET Core project.
Enable Basic authentication in Startup.cs
in the ConfigureServices
method:
services.AddTransient<IBasicAuthorizationProvider>(_ => new MemoryBasicAuthenticationProvider(authenticatedApps));
services
.AddAuthentication(o =>
{
o.DefaultScheme = BasicAuthenticationDefaults.AuthenticationScheme;
})
.AddBasicAuthentication();
If you want to validate usernames and passwords from the basic authentication header more sophisticated than the built-in MemoryBasicAuthenticationProvider
, just implement and register your own IBasicAuthorizationProvider
.
Enable Authentication in Startup.cs
in the Configure
method:
app.UseAuthentication();
Provides a DelegatingHandler
for adding an HMAC authorization header to HTTP requests.
Instantiate your HttpClient
instance with the BasicAuthenticationDelegatingHandler
.
Make sure, that you don't create new HttpClient
instances for every request (see also this blog post for details):
new HttpClient(new BasicAuthenticationDelegatingHandler(username, password));