Using API key for authentication on Identity Server 4

Hello my dear developers!

How do you feel today?

There are challenges when dealing with IAM nowadays.

On one hand, you have a great solution for IAM management on your ASP.NET applications with IdentityServer.

On the other, a challenge arises when you need to authenticate applications that consume your API. For instance, authenticating kubecost against a highly available cluster on Kubernetes would be desirable.

Sadly, IdentityServer 4 does not have API key authentication support, but in this article they found a very interesting workaround for that situation.

Detailed instructions on how to secure your ASP.NET application with API key authentication can be found here.

An advantage of using IdentityServer is that by simply adding this NuGet package to your ASP.NET Core application you can easily implement it.

It goes without saying that out of the box you need a database, and by default your connection is managed by EF Core. Of course this can be tweaked, but that is beyond the scope of this article.

I hope that this was as helpful for me as it was for you.

Happy coding and remember…there is life beyond coding 😊

Mapping claims using OpenID Connect authentication

Hello my dear developers!

How do you feel today?

Recently I have been looking into highly available IAM systems. There are 2 sides to this story.

First, your regular database has a hardware limit when scaling horizontally on a cluster.

One way to avoid this would be to have replica sets for a MySQL image with a volume storing those changes. This approach allows you to scale and still have a single source of truth. Check this article for further reading on the matter.

The problem comes when you have multiple clusters in many regions: how do you keep consistency among them? This is yet to be determined.

Meanwhile, if you use JWT tokens there is an excellent way to avoid cluttering them with a ton of claims. This article explains how to make a claim mandatory and how to map extra claims to your user on ASP.NET Core.

I hope that this was as helpful for me as it was for you.

Happy coding and remember…there is life beyond coding 😊

Flattening json objects

Hello my dear developers!

How do you feel today?

Recently I had a need to flatten JSON structures to have them separated as claims.

Therefore, a JSON document like the following:

{
    "areaAccess":{
        "firstSite":{
            "read":true,
            "write":false
        },
        "secondSite":"All"
    }
}

would turn into a claim list like:

  • areaAccess:firstSite:read=True
  • areaAccess:firstSite:write=False
  • areaAccess:secondSite="All"

A good starting point is https://newbedev.com/c-flattening-json-structure, which explains a neat way to do that. Unfortunately, booleans are not so straightforward, since System.Text.Json has no single boolean kind but reports JsonValueKind.True and JsonValueKind.False separately, but it is a solid start.
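Here is an added flattener of my own (not the code from the linked article) that handles the two boolean kinds explicitly, builds the ':'-joined claim types shown above and runs on the sample JSON; the JsonClaimFlattener class name is just a name I picked for it, and arrays are left out to keep it short.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text.Json;

public static class JsonClaimFlattener
{
    // Recursively walks a JsonElement and yields one Claim per leaf value;
    // nested property names are joined with ':' to form the claim type.
    public static IEnumerable<Claim> Flatten(JsonElement element, string prefix = "")
    {
        switch (element.ValueKind)
        {
            case JsonValueKind.Object:
                foreach (JsonProperty prop in element.EnumerateObject())
                {
                    string key = prefix.Length == 0 ? prop.Name : $"{prefix}:{prop.Name}";
                    foreach (Claim c in Flatten(prop.Value, key))
                        yield return c;
                }
                break;
            // System.Text.Json has no single Boolean kind: true and false are separate
            // kinds, so both must be handled or boolean claims are silently dropped.
            case JsonValueKind.True:
                yield return new Claim(prefix, bool.TrueString, ClaimValueTypes.Boolean);
                break;
            case JsonValueKind.False:
                yield return new Claim(prefix, bool.FalseString, ClaimValueTypes.Boolean);
                break;
            case JsonValueKind.String:
                yield return new Claim(prefix, element.GetString() ?? string.Empty);
                break;
            case JsonValueKind.Number:
                yield return new Claim(prefix, element.GetRawText()); // keeps "3" or "2.5" as written
                break;
            default: // Null and Undefined carry no value worth turning into a claim
                break;
        }
    }

    public static void Main()
    {
        // Constructed sample input, the same shape as the post's example.
        const string json = @"{""areaAccess"":{""firstSite"":{""read"":true,""write"":false},""secondSite"":""All""}}";
        using JsonDocument doc = JsonDocument.Parse(json);
        foreach (Claim claim in Flatten(doc.RootElement))
            Console.WriteLine($"{claim.Type}={claim.Value}");
    }
}
```

Because Claim copies the strings out of the JsonElement, the claims stay valid after the JsonDocument is disposed.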

I hope that this was as helpful for me as it was for you.

Happy coding and remember…there is life beyond coding 🙂

Token based authentication from HttpClient

Hello my dear developers!

How do you feel today?

Recently I've been looking at token-based authentication in more depth and found a few wrinkles in the experience. First, for references please read these 2 articles that do a wonderful job. They explain how to implement token-based authentication in a very simple fashion:

Another more advanced resource for managing security is: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/additional-claims?view=aspnetcore-6.0

For my simple code reference go to: https://github.com/ambsenyestudi/aspnetcore_3_token_based_authentication

Ok, once you implement token-based authentication, your typical attempt is to add an Authorization header to your HttpClient default headers or to the HttpRequestMessage itself.

For default header

var response = await client.PostAsync(settings.LoginEndpoint, content).ConfigureAwait(false);
var json = await response.Content.ReadAsStringAsync();
token = JsonSerializer.Deserialize<Token>(json, serializationOptions);
client.DefaultRequestHeaders.Accept.Clear();
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.Bearer);

For HttpRequestMessage

var requestMessage = new HttpRequestMessage(HttpMethod.Post, settings.GameEndpoint);
requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Bearer);
requestMessage.Content = content;
var response = await client.SendAsync(requestMessage).ConfigureAwait(false);

This is all very fine and good; the problem comes if the API you are calling has HTTPS redirection enabled.

On your API Startup.cs

...
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        app.UseSwagger();
        app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "Ambseny.ChessEngine.Api v1"));
    }

    // this causes the redirect when you call the http URL instead of the https one
    app.UseHttpsRedirection();
...
}

It took me a ton of research to find this https://github.com/dotnet/runtime/issues/26475

That issue basically tells you that on a redirect you lose the Authorization header on your request: the client does not forward it to the redirected URL. So, make sure to direct your calls to the https URL, or you will never get authenticated because of that redirect security fix.
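To make that failure visible instead of silent, here is an added helper of my own (not from the repository linked above) that refuses to send a bearer token over plain http and turns off automatic redirects, so any redirect comes back as an error rather than a mysterious 401; BearerHttp and its methods are names I made up for this example.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

// Hypothetical helper: sends a bearer-authenticated request without following
// redirects, so a redirect surfaces as an error instead of a silent 401 after
// the Authorization header has been dropped.
public static class BearerHttp
{
    public static HttpClient CreateClient()
    {
        // Turn off automatic redirects so the client never re-sends a request elsewhere.
        var handler = new HttpClientHandler { AllowAutoRedirect = false };
        return new HttpClient(handler);
    }

    public static async Task<HttpResponseMessage> SendAsync(
        HttpClient client, HttpMethod method, Uri endpoint, string bearerToken, HttpContent? content = null)
    {
        // First line of defence: a bearer token is only ever sent over https, which also
        // avoids UseHttpsRedirection bouncing the call in the first place.
        if (endpoint.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException($"Refusing to send a bearer token over {endpoint.Scheme}", nameof(endpoint));

        var request = new HttpRequestMessage(method, endpoint) { Content = content };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", bearerToken);
        HttpResponseMessage response = await client.SendAsync(request).ConfigureAwait(false);

        // Second line of defence: a redirect we were not expecting is reported, not followed.
        int status = (int)response.StatusCode;
        if (response.Headers.Location != null && status >= 300 && status < 400)
            throw new HttpRequestException($"Unexpected redirect from {endpoint} to {response.Headers.Location}; token was not forwarded");

        return response;
    }
}

// Example use with the post's settings.GameEndpoint, assuming it is an https URL:
// var response = await BearerHttp.SendAsync(BearerHttp.CreateClient(), HttpMethod.Post,
//     new Uri(settings.GameEndpoint), token.Bearer, content);
```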

I hope that this was as helpful for me as it was for you.

Happy coding and remember…there is life beyond coding 🙂