Provides an AuthenticationHandler
which supports HMAC authentication in an ASP.NET Core project.
Usage:
- Get your HMAC authenticated clients, for example from the
appsettings.json
file. For HMAC authentication, anAppId
and anApiKey
is required for each client which should get access.
var hmacAuthenticatedApps = this.Configuration
.GetSection("Authentication")
.GetSection("HmacAuthenticatedApps")
.Get<HmacAuthenticationClientConfiguration[]>()
.ToDictionary(e => e.AppId, e => e.ApiKey);
{
"Authentication": {
"HmacAuthenticatedApps": [
{
"AppId": "<some-app-id>",
"ApiKey": "<some-api-key>"
}
]
}
}
- Enable HMAC authentication in
Startup.cs
in theConfigureServices
method:
services
.AddAuthentication(o =>
{
o.DefaultScheme = HmacAuthenticationDefaults.AuthenticationScheme;
})
.AddHmacAuthentication(HmacAuthenticationDefaults.AuthenticationScheme, "HMAC Authentication", o =>
{
o.MaxRequestAgeInSeconds = HmacAuthenticationDefaults.MaxRequestAgeInSeconds;
o.HmacAuthenticatedApps = hmacAuthenticatedApps;
});
- Add
MemoryCache
(from Microsoft.Extensions.Caching.Memory) inStartup.cs
in theConfigureServices
method. TheMemoryCache
is used by the HMACAuthenticationHandler
to determine replay attacks.
services.AddMemoryCache();
- Enable authentication in
Startup.cs
in theConfigure
method:
app.UseAuthentication();
- Optional: Specify HMAC as the authentication scheme for certain controllers:
[Authorize(AuthenticationSchemes = HmacAuthenticationDefaults.AuthenticationScheme)]
[Route("api/[controller]")]
public class HomeController : Controller
{
// ...
}
Provides a DelegatingHandler
for adding an HMAC authorization header to HTTP requests.
Instantiate your HttpClient
instance with the ApiKeyDelegatingHandler
.
Make sure, that you don't create new HttpClient
instances for every request (see also this blog post for details):
new HttpClient(new ApiKeyDelegatingHandler(appId, apiKey));
Or in case your WebAPI client is another ASP.NET WebAPI (>= ASP.NET Core 2.1), register your HttpClient
in the Startup.cs
for example as follows:
services.AddTransient(sp => new ApiKeyDelegatingHandler(appId, apiKey));
services
.AddHttpClient("HmacHttpClient")
.AddHttpMessageHandler<ApiKeyDelegatingHandler>();
To generate an API Key, the following simple Console Application can be used. This implementation is also provided on .NET Fiddle.
using System.Security.Cryptography;
public class Program
{
public static void Main()
{
Console.WriteLine($"AppID: {Guid.NewGuid()} or <some-speaking-name>");
Console.WriteLine($"ApiKey: {GenerateApiKey()}");
}
private static string GenerateApiKey()
{
using (var cryptoProvider = new RNGCryptoServiceProvider())
{
byte[] secretKeyByteArray = new byte[32]; //256 bit
cryptoProvider.GetBytes(secretKeyByteArray);
return Convert.ToBase64String(secretKeyByteArray);
}
}
}
Provides an AuthenticationHandler
which supports Basic authentication in an ASP.NET Core project.
Enable Basic authentication in Startup.cs
in the ConfigureServices
method:
services.AddAuthentication(o =>
{
o.DefaultScheme = BasicAuthenticationDefaults.AuthenticationScheme;
})
.AddBasicAuthentication(BasicAuthenticationDefaults.AuthenticationScheme, o =>
{
o.AuthorizationProvider = new MemoryBasicAuthenticationProvider(authenticatedApps);
});
Provides a DelegatingHandler
for adding an HMAC authorization header to HTTP requests.
Instantiate your HttpClient
instance with the BasicAuthenticationDelegatingHandler
.
Make sure, that you don't create new HttpClient
instances for every request (see also this blog post for details):
new HttpClient(new BasicAuthenticationDelegatingHandler(username, password));