Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Authorization with OAuth Bearer Token provided by External Web API

I'm posting this in the hope of receiving some feedback/advice and information on something I've been struggling with the last few days. To start I'll give a quick breakdown of the project.

There are 2 applications in the solution:

  1. WebAPI resource & authorization server - Uses OWIN (hosted in IIS) and ASP.NET Identity to issue an authentication token on a correct login and then allow requests to the various controllers.

  2. MVC client application - Has no authorization as of yet (until I figure it out) but will make calls to the WebAPI resource server to get all data. These calls will only ever be made from actions of the controllers in the client app, no client side AJAX calls.

The client application doesn't have it's own datasource. All information is stored in a database which the WebAPI service has access to, so essentially if they provide the correct credentials and the client app receives a bearer token I need to deliver a way for the application to see them as authorized.

  • What's the best way to handle this?
  • Is it possible to configure OWIN on the client side to use the OAuth settings of the server? Am I barking up the wrong tree and will I need to just use HTTPClients?
  • Could I deserialize the bearer token and store it in session, and then write my own authorization providers to check these on the client side?

My initial concerns are I'm abusing Bearer Tokens and trying to cobble them into a solution which isn't ideal. All examples of external authorization I've found so far usually involve making calls to providers hosted by Google/Facebook/Twitter to check the user is who they say they are, and then moves on to creating a user record in their system. My application can't do this.

In regards to security I was planning to introduce filters which would validate the request has came from the client application by providing an identifier and secret, along with IP validation.

I realize this may be a bit open ended, but I'd appreciate any advice. The scope of the project is that the web service is the only thing to have access to the database. The MVC client application will be hosted on a different server, and the service will only accept requests from said client application.

like image 360
CannonFodder Avatar asked Jan 12 '15 08:01

CannonFodder


2 Answers

You don't need to access the data source in your MVC app to validate the bearer token. Basically, you can do it in the following way,

  • MVC app requests access_token from webapi and passes it to the UI client (let's say a browser).

  • Browser stores the access_token in a cookie/localstorage and sends them to the MVC app for all subsequent requests.

  • Create an ActionFilter in the MVC app to validate if the request from the browser has the token supplied in the header. If not, reject the request.

  • MVC app passes the access_token in the Authorization header to the webapi.

  • Use HTTPS for all communications (between MVC app <-> Client and MVC app <-> WebAPI)

You can further obfuscate or encrypt the access_token you get from the WebAPI on the MVC app side for additional security but then you will have to send the decrypted version back to the WebAPI.

like image 187
su8898 Avatar answered Nov 15 '22 17:11

su8898


I realize that my answer is a bit late, but maybe it helps other people:

The bearer token that you get from the API has a list of claims encrypted that only the API can decrypt. I assume you need to have these claims on the MVC application as well so you can restrict resources on the client.

So, what I have done was to first get token. After you get it, you make another request to the API resource api/me/claims to get the list of readable claims on the client. Based on this list you can allow access to resources in your MVC CLient Application using a custom claims based Authorize attribute. Also, you can store the claims in a cookie in the client session. Below is the code for the API controller to get the Claims.

[RoutePrefix("api/me/claims")]
public class ClaimsController : BaseApiController
{
    [Authorize]
    [Route("")]
    public IHttpActionResult GetClaims()
    {
        var identity = User.Identity as ClaimsIdentity;

        var claims = from c in identity.Claims
                     select new
                     {
                         subject = c.Subject.Name,
                         type = c.Type,
                         value = c.Value
                     };

        return Ok(claims);
    }
}

The idea is to reconstruct the ClaimsIdentity object of the logged User on the Client side and maybe add it to the session.

The token is not enough. You might risk getting a Not Authorized response from the API on a resource that you have made visible for the user in the MVC Client Application. Needles to say that is recommended to use HTTPS for all requests.

like image 3
Corneliu Serediuc Avatar answered Nov 15 '22 16:11

Corneliu Serediuc