OWIN Bearer Token Authentication

Question

I have some questions related to Bearer Token. In Owin you can protect a ticket Protect(ticket) like this:

ClaimsIdentity identity = new ClaimsIdentity(Startup.OAuthServerOptions.AuthenticationType);

identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));

 Dictionary<string, string> properties = new Dictionary<string, string>();
 properties.Add("UserId", user.Id);
 properties.Add("UserName", user.UserName);
 properties.Add("Role", "user");

 AuthenticationProperties properties = new AuthenticationProperties(properties);

 AuthenticationTicket ticket = new AuthenticationTicket(identity, properties);


 DateTime currentUtc = DateTime.UtcNow;

 DateTime expireUtc = currentUtc.Add(TimeSpan.FromHours(24));

 ticket.Properties.IssuedUtc = currentUtc;
 ticket.Properties.ExpiresUtc = expireUtc;


 string token = OAuthAuthorizationServerOptions.AccessTokenFormat.Protect(ticket)

Now the token will be something like this:

nqak-9R6U64Owsm_lqn_mJzKc_Djd8iVnIw0EX77v5x2rybhf4m_zg_UnrsoO5BxDZQl0HWrSvvd4efa4ChNSf5rAGhd13aOXZlvwOJOZ5v_9bhRCq8A7tqHyiM6DqVVOyYs3lh2SU-wU1m85HH2IcYDtdTY3ijaKZ_QnP1nsqO5LRnnEL4upbETPW9zqWIZzZBX7_Y2cXi2v0K7WnlRor3gFKIZlU9J-NfidRpWXqq5744NfWWHalYADGS7eUWyuxPJCj9ykHYzaXFksJEXBw

My questions:

• How this token is generated/encrypted?

• Are there any chances that somebody can try to mess'up with the token and add some custom claims to it?

Example:

If you have the token string you can do this:

AuthenticationTicket ticket = OAuthAuthorizationServerOptions.AccessTokenFormat.Unprotect(token);

Now you can add custom claims to it. For example if there is a role claim with value user then you can modify that claim and add admin then re encode the ticket and you get a token that has admin role.

I actually din some tests, encoded a token on a server and then try to modify it on another system but I couldn't Unprotect it. Therefore I am thinking maybe the ticket is encrypted/decrypted using the machine key on which was originally created. However if I try to Unprotect it from the same machine it works. I can decrypt it and modify it.

Can somebody explain this process please?

Answer 1

How this token is generated/encrypted?

The data protection provider can be set using the SetDataProtectionProvider extension method on the IAppBuilder object. When this is not done, the data protection provider of the host is used. In case of IIS + ASP.NET, this is MachineKeyDataProtector in the assembly Microsoft.Owin.Host.SystemWeb. For self-hosting, this will be DPAPI. Basically, the token is encrypted and then MACed and that is what Protect() is all about.

Are there any chances that somebody can try to mess'up with the token and add some custom > claims to it?

No. This is not possible. Token protected in a machine cannot be unprotected somewhere else. An exception to that will be the case of a web farm where you have multiple machines. One machine can protect and if the subsequent request goes to some other machine, that machine should have the ability to unprotect. With DPAPI, this is not possible. With MachineKeyDataProtector, this is possible by having the same machineKey section in all the machines. But then if you are concerned about some MITM being able to do this, then no, it is not possible.