
dmarlow / aspnetticketbridge


Decrypts MachineKey-protected AuthenticationTicket objects created by ASP.NET so that they can be used in ASP.NET Core.

License: MIT License

Language: C# (100%)
Topics: asp-net, asp-net-core, encryption, security

aspnetticketbridge's Issues

Refresh token management

We are porting an OWIN OAuth 2.0 server to .NET Core. For the refresh token part I think it might be useful to add the following method to the MachineKeyTicketUnprotector class:

// Same pipeline as UnprotectOAuthToken, but with the purposes the OWIN
// OAuthAuthorizationServerMiddleware uses for its refresh-token data protector.
public static OwinAuthenticationTicket UnprotectOAuthRefreshToken(string token, string decryptionKey, string validationKey,
    string decryptionAlgorithm = "AES", string validationAlgorithm = "HMACSHA1")
{
    var decoded = WebEncoders.Base64UrlDecode(token);

    var unprotected = Unprotect(decoded, decryptionKey, validationKey,
        decryptionAlgorithm, validationAlgorithm,
        "User.MachineKey.Protect",
        "Microsoft.Owin.Security.OAuth", "Refresh_Token", "v1");

    var serializer = new OwinTicketSerializer();
    var ticket = serializer.Deserialize(unprotected);
    return ticket;
}

FormsAuthentication: "forms authentication seems to be doing some goofy things"

Steps to reproduce:

Create an empty .NET Framework web site with the following two files:

Web.config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".HELLO" />
    </authentication>
    <machineKey validationKey="FFFFFFFFFFFFFFFFFFFF0000000000444444444400000000" decryptionKey="FFFFFFFFFFFFFFFFFFFF0000000000444444444400000000" />
  </system.web>
</configuration>

Default.aspx

<%@ Page Language="C#" %>
<script runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        FormsAuthentication.SetAuthCookie("foo", true);
    }
</script>

<h1>Hello</h1>

<%= Request.Cookies.Get(".HELLO").Value %>

Run the web site and visit the main page to receive something like:

4CA1FDC27E0C28B0571296D799C1A469B1C63337C51A8EBB4B302E669DB091084B03BA9D051E3535C0EF2F2BC56EC3DACB5589FB9E082BD0902BF897E5A3F18AA49DC6AB566841913AF1D46E1ACF49BCC05E3F5C1A0A69C5DA38A2C03FE07F293D089BC9858AFEB5B5EB8F516121DDCC1623CB4D1B8324F3D5297AE669DFE556

Create a .NET Core console app:

using System;
using AspNetTicketBridge;

public static class Program
{
    public static void Main()
    {
        string validationKey = "FFFFFFFFFFFFFFFFFFFF0000000000444444444400000000";
        string decryptionKey = "FFFFFFFFFFFFFFFFFFFF0000000000444444444400000000";
        var token = "4CA1FDC27E0C28B0571296D799C1A469B1C63337C51A8EBB4B302E669DB091084B03BA9D051E3535C0EF2F2BC56EC3DACB5589FB9E082BD0902BF897E5A3F18AA49DC6AB566841913AF1D46E1ACF49BCC05E3F5C1A0A69C5DA38A2C03FE07F293D089BC9858AFEB5B5EB8F516121DDCC1623CB4D1B8324F3D5297AE669DFE556";
        
        var ticket = MachineKeyTicketUnprotector.UnprotectOAuthToken(token, decryptionKey, validationKey);
        Console.WriteLine($"Result: {ticket}"); // null
    }
}

The piece of code in MachineKey.Unprotect that returns null is:

if (!MachineKey.BuffersAreEqual(protectedData, checked (offset + count), buffer1Count, hash, 0, hash.Length))
    return (byte[]) null;

Attachment: repro.zip

Ticket protection

This library works very well for "parsing" existing tokens. What about issuing new tokens? Any clue how to obtain the "Protect" method of the MachineKey class?

It might be useful to completely replace an existing OWIN OAuth 2.0 server.

Token expiration issue

I'm using this package for decrypting tokens generated by an OWIN app. Can the token expiration be validated through this package? If not, are there any plans to do so, or is it out of the scope of this package?

Read & Write AspNet 4.X Authentication Ticket Cookies form .Net Core

We had a legacy auth system that was using the old Authentication Tickets, and wanted to have our new Authentication System in .NET Core interop with it.

This library already contained many of the pieces, but needed a little bit more boilerplate to make it easy to do.

Here is an example of this working:

private static void SetCookieOptions(CookieAuthenticationOptions opts, B2CSettings settings)
{
    opts.Cookie.Domain = settings.CookieDomain;
    opts.Cookie.Name = "CookieName";
    opts.Cookie.Expiration = new TimeSpan(4, 30, 0);
    opts.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    opts.Cookie.HttpOnly = true;
    opts.Cookie.IsEssential = true;
    opts.ExpireTimeSpan = new TimeSpan(4, 30, 0);
    opts.Cookie.Path = "/";

    // Interop support for cookies from ASP.NET 4.x
    opts.TicketDataFormat =
        new AspNet4TicketDataFormat(new MachineKeyDataProtector(
                settings.ValidationKey, settings.DecryptionKey)
            .ForPurposes(MachineKeyDataProtector.DefaultCookiePurposes));
}

Will clean up what I added and submit a PR shortly.
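Added example, written for this page and not code from aspnetticketbridge or from the post above. The ASP.NET Core cookie handler already rejects a ticket whose Properties.ExpiresUtc is in the past once TicketDataFormat.Unprotect has returned it, so the cookie wiring above gets expiry checking for free. Bearer tokens that are unprotected by hand (the question in the "Token expiration issue" thread) get no such check: Unprotect only verifies the MAC and decrypts. The handler below shows where that check belongs in an ASP.NET Core scheme. It assumes the caller plugs an ISecureDataFormat<AuthenticationTicket> (for instance an AspNet4TicketDataFormat as used in the snippet above) into Options.TokenFormat; the LegacyBearer names are invented for the example, it needs the Microsoft.AspNetCore.App framework reference, and it targets .NET 6/7 (the ISystemClock constructor is obsolete from .NET 8).

```csharp
// Added example for this page, not code from aspnetticketbridge or from the thread above.
// A minimal bearer-token scheme for ASP.NET Core that unprotects a legacy OWIN access token
// with whatever ISecureDataFormat<AuthenticationTicket> is configured and then enforces
// ExpiresUtc itself. Targets .NET 6/7 (the ISystemClock constructor is obsolete from .NET 8).
using System;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

public sealed class LegacyBearerOptions : AuthenticationSchemeOptions
{
    // Assumption: the caller supplies a format that wraps the MachineKey unprotector
    // (any ISecureDataFormat<AuthenticationTicket>, e.g. the AspNet4TicketDataFormat used above).
    public ISecureDataFormat<AuthenticationTicket> TokenFormat { get; set; }
    public TimeSpan ClockSkew { get; set; } = TimeSpan.FromMinutes(5);
}

public sealed class LegacyBearerHandler : AuthenticationHandler<LegacyBearerOptions>
{
    public LegacyBearerHandler(IOptionsMonitor<LegacyBearerOptions> options, ILoggerFactory logger,
        UrlEncoder encoder, ISystemClock clock) : base(options, logger, encoder, clock) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        string header = Request.Headers["Authorization"];
        if (string.IsNullOrEmpty(header) || !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(AuthenticateResult.NoResult());

        if (Options.TokenFormat == null)
            return Task.FromResult(AuthenticateResult.Fail("TokenFormat is not configured"));

        // Unprotect proves the MAC and decrypts; a null here means a key, purpose or tampering problem.
        AuthenticationTicket ticket = Options.TokenFormat.Unprotect(header.Substring("Bearer ".Length).Trim());
        if (ticket == null)
            return Task.FromResult(AuthenticateResult.Fail("Token failed MachineKey validation"));

        // Lifetime is not part of what Unprotect checks, so it is enforced here.
        DateTimeOffset? expires = ticket.Properties.ExpiresUtc;
        if (expires.HasValue && expires.Value + Options.ClockSkew < Clock.UtcNow)
            return Task.FromResult(AuthenticateResult.Fail("Token expired"));

        return Task.FromResult(AuthenticateResult.Success(
            new AuthenticationTicket(ticket.Principal, ticket.Properties, Scheme.Name)));
    }
}

// Registration (Program.cs or Startup.ConfigureServices), with legacyFormat being the
// ISecureDataFormat<AuthenticationTicket> built from the machineKey values:
//   services.AddAuthentication("LegacyBearer")
//       .AddScheme<LegacyBearerOptions, LegacyBearerHandler>("LegacyBearer",
//           o => o.TokenFormat = legacyFormat);
```

A token that fails the MAC and a token that has merely expired are reported as distinct failures on purpose: the first is worth alerting on (wrong keys in config, or someone tampering), the second is routine and should just send the client to refresh.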

Issue with BuffersAreEqual

I am using this library to decrypt bearer tokens with decryption algorithm AES and validation algorithm SHA1. I am always getting a failure (false return) from the BuffersAreEqual method in MachineKey.cs. The buffer counts are the same but the check inside the loop is not matching up. If I simply change the code so that this method always returns true everything seems to work fine and my token is successfully unprotected. I have not been able to determine the reason behind this validation. Why would this validation be failing always and is it important?
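The refresh-token thread, the Forms cookie repro, the "issuing new tokens" question and the BuffersAreEqual thread above all come down to one mechanism, so here is a single added example for all of them. It is written for this page and is not code from aspnetticketbridge or from System.Web: a reconstruction of the layout assumed here for ASP.NET 4.5 (Framework45 compatibility mode) MachineKey.Protect output, IV || AES-CBC ciphertext || HMAC over both, with the AES key and the HMAC key each derived from the machineKey values by an SP800-108 counter-mode KDF whose label is the fixed primary purpose "User.MachineKey.Protect" and whose context is the caller's purposes. Because the purposes enter the key derivation, a token protected under ("Microsoft.Owin.Security.OAuth", "Access_Token", "v1") does not verify under ("Microsoft.Owin.Security.OAuth", "Refresh_Token", "v1") even with identical keys, and it fails as a MAC mismatch rather than as a decode error. Forms authentication tickets are protected under their own purpose, and unless httpRuntime targetFramework (4.5 or later) or machineKey compatibilityMode selects Framework45, which the repro's Web.config does not, they use the pre-4.5 legacy ticket format, so UnprotectOAuthToken returning null for that cookie is the expected outcome and this example does not decode it either. The comparison that returns null is the BuffersAreEqual check: making it return true disables authentication, so the decryptor will process attacker-chosen bytes (a CBC padding oracle at best, forged tickets at worst); the fix is to find the mismatched purposes, validation algorithm or key. Keys and ticket bytes below are constructed for the demo, the validation algorithm is fixed at HMACSHA256 (the 4.5 default) and must match the machineKey validation attribute, and the code needs .NET 6 or later.

```csharp
// Added example for this page, not code from aspnetticketbridge or System.Web.
// Assumed layout of ASP.NET 4.5 MachineKey.Protect output (Framework45 compatibility mode):
//   IV (16 bytes) || AES-CBC/PKCS7 ciphertext || HMAC(IV || ciphertext)
// with the AES key and the HMAC key derived from the <machineKey> decryptionKey / validationKey
// by SP800-108 (counter mode, HMACSHA512), using the purposes as label and context.
using System;
using System.Buffers.Binary;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class MachineKeyCompat
{
    // System.Web prepends this primary purpose to whatever purposes the caller passes.
    const string PrimaryPurpose = "User.MachineKey.Protect";

    // K_i = HMACSHA512(kdk, [i]_4 || label || 0x00 || context || [L]_4); output length = kdk length.
    static byte[] DeriveKey(byte[] kdk, string[] purposes)
    {
        byte[] label = Encoding.UTF8.GetBytes(PrimaryPurpose);
        byte[] context;
        using (var ms = new MemoryStream())
        using (var w = new BinaryWriter(ms, Encoding.UTF8))
        {
            foreach (string p in purposes) w.Write(p); // length-prefixed strings, BinaryWriter style
            w.Flush();
            context = ms.ToArray();
        }
        var buf = new byte[4 + label.Length + 1 + context.Length + 4];
        Buffer.BlockCopy(label, 0, buf, 4, label.Length);
        Buffer.BlockCopy(context, 0, buf, 5 + label.Length, context.Length);
        BinaryPrimitives.WriteUInt32BigEndian(buf.AsSpan(buf.Length - 4), (uint)(kdk.Length * 8));

        var output = new byte[kdk.Length];
        using var hmac = new HMACSHA512(kdk);
        int written = 0;
        for (uint i = 1; written < output.Length; i++)
        {
            BinaryPrimitives.WriteUInt32BigEndian(buf.AsSpan(0, 4), i);
            byte[] ki = hmac.ComputeHash(buf);
            int n = Math.Min(ki.Length, output.Length - written);
            Buffer.BlockCopy(ki, 0, output, written, n);
            written += n;
        }
        return output;
    }

    public static byte[] Protect(byte[] userData, byte[] decryptionKey, byte[] validationKey, params string[] purposes)
    {
        using var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = DeriveKey(decryptionKey, purposes);
        aes.GenerateIV();
        using var enc = aes.CreateEncryptor();
        byte[] cipher = enc.TransformFinalBlock(userData, 0, userData.Length);

        using var ms = new MemoryStream();
        ms.Write(aes.IV);
        ms.Write(cipher);
        using var hmac = new HMACSHA256(DeriveKey(validationKey, purposes)); // validation="HMACSHA256"
        ms.Write(hmac.ComputeHash(ms.ToArray()));
        return ms.ToArray();
    }

    // Returns null on any authentication failure, as MachineKey.Unprotect does after BuffersAreEqual.
    public static byte[] Unprotect(byte[] protectedData, byte[] decryptionKey, byte[] validationKey, params string[] purposes)
    {
        const int ivLen = 16;
        using var hmac = new HMACSHA256(DeriveKey(validationKey, purposes));
        int tagLen = hmac.HashSize / 8;
        if (protectedData.Length < ivLen + ivLen + tagLen) return null; // IV, one block, tag at least
        int bodyLen = protectedData.Length - tagLen;

        byte[] expected = hmac.ComputeHash(protectedData, 0, bodyLen);
        // Fixed-time compare before any decryption. Short-circuiting this turns the decryptor
        // into a padding oracle and lets anyone feed it tokens the application will then trust.
        if (!CryptographicOperations.FixedTimeEquals(expected, protectedData.AsSpan(bodyLen)))
            return null;

        using var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = DeriveKey(decryptionKey, purposes);
        aes.IV = protectedData.AsSpan(0, ivLen).ToArray();
        using var dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(protectedData, ivLen, bodyLen - ivLen);
    }

    public static void Main()
    {
        // Constructed keys for the demo only; in practice these are the <machineKey> hex values.
        byte[] decryptionKey = RandomNumberGenerator.GetBytes(32);
        byte[] validationKey = RandomNumberGenerator.GetBytes(64);
        byte[] ticket = Encoding.UTF8.GetBytes("serialized ticket bytes (constructed)");
        string[] accessToken = { "Microsoft.Owin.Security.OAuth", "Access_Token", "v1" };
        string[] refreshToken = { "Microsoft.Owin.Security.OAuth", "Refresh_Token", "v1" };

        byte[] blob = Protect(ticket, decryptionKey, validationKey, accessToken);
        Console.WriteLine("same purposes verified:    " + (Unprotect(blob, decryptionKey, validationKey, accessToken) != null));
        Console.WriteLine("refresh purposes verified: " + (Unprotect(blob, decryptionKey, validationKey, refreshToken) != null));
        blob[^1] ^= 0x01; // flip one bit of the MAC
        Console.WriteLine("tampered blob verified:    " + (Unprotect(blob, decryptionKey, validationKey, accessToken) != null));
    }
}
```

Running it shows only the first line as true: the blob protected under the access-token purposes verifies under those purposes, fails under the refresh-token purposes, and fails once the MAC is altered. To issue new tokens that an OWIN server would accept, the Protect side has to match the server's machineKey element exactly (keys, decryption and validation algorithms, compatibility mode) as well as its purposes and serializer, so verify a round trip against a token the server itself issued before relying on it.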
