I have a few working ASP.NET apps built on .NET Framework that share the same machineKey
in Web.config, so once a user is authenticated in one app the other apps treat them as authenticated too.
Now I have to wire a new app, built on ASP.NET Core 2.0, into this group. Is there a quick way to reuse the existing "legacy"
<system.web>
...
<!-- Every app that must accept each other's tickets needs the same four values:
     both keys AND both algorithm names (the unprotector in the answer takes all four).
     The key values here are placeholders; real keys belong in a secret store, not in source control. -->
<machineKey decryption="AES" decryptionKey="blablabla" validation="SHA1" validationKey="blablabla" />
</system.web>
to be used in the Core app?
Edit: the existing .NET Framework API actually uses token-based (bearer) authentication:
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
private void ConfigureOAuth(IAppBuilder app)
{
    // Registers the OWIN bearer middleware: it reads the token from the
    // "Authorization: Bearer <token>" request header and, per the question,
    // unprotects it with the machineKey configured for this System.Web host.
    var bearerOptions = new OAuthBearerAuthenticationOptions();
    OAuthBearerOptions = bearerOptions;
    app.UseOAuthBearerAuthentication(bearerOptions);
}
Then, on [Authorize],
the framework decrypts and validates the token using the machine key. So the more precise question is: how do I implement the same thing in ASP.NET Core 2.0+, using the explicitly supplied machine key values to unprotect the bearer token sent in the Authorization header?
You can use the AspNetTicketBridge library for this purpose: it can unprotect an OWIN OAuth bearer token given the legacy decryptionKey/validationKey and algorithm names. Bear in mind that the Core app then holds the same key material as every other app in the group, so it can forge as well as verify tickets that all of them trust — keep the keys out of source control and rotate them across all apps together.
Authentication handler definition (the placeholder keys and algorithm names must match the legacy machineKey exactly):
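public class OwinBearerTokenMachineKeyAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public const string DefaultAuthScheme = "DefaultAuth";
    // Supported decryption algorithms: DES | 3DES | AES. Must equal the legacy machineKey "decryption" attribute.
    private const string DefaultDecryptionAlgorithm = "<YOUR DECRYPTION ALGORITHM>";
    // Supported validation algorithms: SHA1 | MD5 | 3DES | AES | HMACSHA256 | HMACSHA384 | HMACSHA512.
    // Must equal the legacy machineKey "validation" attribute.
    private const string DefaultValidationAlgorithm = "<YOUR VALIDATION ALGORITHM>";
    private const string DefaultAuthorizationHeader = "Authorization";
    // Only "Authorization: Bearer <token>" is handled; anything else is not this scheme's concern.
    private const string BearerPrefix = "Bearer ";

    public OwinBearerTokenMachineKeyAuthenticationHandler(IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock) : base(options, logger, encoder, clock)
    {
    }

    /// <summary>
    /// Authenticates the request from an OWIN-issued bearer token that was protected with the
    /// legacy ASP.NET machineKey, by unprotecting it with the same key material.
    /// </summary>
    /// <returns>
    /// NoResult when no Bearer token is present (a missing header is "not ours", not an error),
    /// Fail when the token cannot be unprotected or is past its ExpiresUtc, Success otherwise.
    /// </returns>
    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // Implicit StringValues -> string conversion yields null when the header is absent, so the
        // original "[0].Remove(0, 7)" crash on anonymous requests (or on a short/non-Bearer value) cannot happen.
        string header = Request.Headers[DefaultAuthorizationHeader];
        if (string.IsNullOrEmpty(header) || !header.StartsWith(BearerPrefix, System.StringComparison.OrdinalIgnoreCase))
        {
            return Task.FromResult(AuthenticateResult.NoResult());
        }

        var token = header.Substring(BearerPrefix.Length).Trim();
        if (token.Length == 0)
        {
            return Task.FromResult(AuthenticateResult.NoResult());
        }

        // Placeholders only: load these from configuration / a secret store, never commit real values.
        // Whoever holds them can mint tickets that every app sharing this machineKey will accept.
        var validationKey = "<YOUR VALIDATION KEY FROM MACHINE KEY CONFIG>";
        var decryptionKey = "<YOUR DECRYPTION KEY FROM MACHINE KEY CONFIG>";

        AuthenticationTicket newTicket;
        try
        {
            var ticket = MachineKeyTicketUnprotector.UnprotectOAuthToken(token, decryptionKey, validationKey, DefaultDecryptionAlgorithm, DefaultValidationAlgorithm);
            if (ticket == null)
            {
                return Task.FromResult(AuthenticateResult.Fail("Invalid bearer token."));
            }
            newTicket = AuthenticationTicketConverter.Convert(ticket, DefaultAuthScheme);
        }
        catch (System.Exception ex)
        {
            // The unprotector's failure exception types are not documented here, so catch broadly:
            // a tampered, truncated or foreign token must produce 401, not an unhandled 500.
            Logger.LogWarning(ex, "Failed to unprotect legacy machineKey bearer token.");
            return Task.FromResult(AuthenticateResult.Fail("Invalid bearer token."));
        }

        // Nothing else in this handler checks lifetime, so without this an expired token would be
        // accepted indefinitely. Assumes the converter carries the OWIN ExpiresUtc into Properties — verify.
        var expires = newTicket.Properties?.ExpiresUtc;
        if (expires.HasValue && expires.Value <= Clock.UtcNow)
        {
            return Task.FromResult(AuthenticateResult.Fail("Bearer token has expired."));
        }

        return Task.FromResult(AuthenticateResult.Success(newTicket));
    }
}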
App configuration:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // ... earlier middleware ...
    // Order matters: authentication must run first so the handler has populated HttpContext.User
    // by the time authorization evaluates [Authorize].
    // NOTE(review): IWebHostEnvironment and UseAuthorization are 3.0-era APIs while the question
    // targets Core 2.0 — confirm the actual target version.
    app.UseAuthentication()
       .UseAuthorization();
    // ... later middleware ...
}
public void ConfigureServices(IServiceCollection services)
{
    // ... other service registrations ...
    // Authentication/authorization wiring lives in its own helper to keep this method readable.
    this.RegisterAuthorization(services);
    // ... other service registrations ...
}
private void RegisterAuthorization(IServiceCollection services)
{
    // Make the machineKey-backed handler the default scheme so [Authorize] (and any challenge)
    // routes through it; the handler needs no options, hence the empty configure delegate.
    var scheme = OwinBearerTokenMachineKeyAuthenticationHandler.DefaultAuthScheme;
    var authBuilder = services.AddAuthentication(options =>
    {
        options.DefaultScheme = scheme;
    });
    authBuilder.AddScheme<AuthenticationSchemeOptions, OwinBearerTokenMachineKeyAuthenticationHandler>(scheme, opts => { });
    services.AddAuthorization();
}
P.S. I spent two days looking for a good way to do this; this was the best I found.