dmarlow / aspnetticketbridge
Decrypts MachineKey protected AuthenticationTicket objects created by ASP.NET to be used in ASP.NET Core.
License: MIT License
We are porting an OWIN OAuth 2.0 server to .net core. For the refresh token part I think it might be useful to add the following method to the MachineKeyTicketUnprotector class:
public static OwinAuthenticationTicket UnprotectOAuthRefreshToken(string token, string decryptionKey, string validationKey,
    string decryptionAlgorithm = "AES", string validationAlgorithm = "HMACSHA1")
{
    // The OWIN OAuth server hands out refresh tokens base64url-encoded
    // (WebEncoders lives in Microsoft.AspNetCore.WebUtilities).
    var decoded = WebEncoders.Base64UrlDecode(token);
    // Same primary purpose as the other Unprotect* methods; the specific purposes are
    // the ones Microsoft.Owin.Security.OAuth uses for refresh tokens, so the derived
    // encryption and validation keys match the ones the issuing side used.
    var unprotected = Unprotect(decoded, decryptionKey, validationKey,
        decryptionAlgorithm, validationAlgorithm,
        "User.MachineKey.Protect",
        "Microsoft.Owin.Security.OAuth", "Refresh_Token", "v1");
    var serializer = new OwinTicketSerializer();
    var ticket = serializer.Deserialize(unprotected);
    return ticket;
}
Steps to reproduce:
Create an empty .NET Framework web site with the following two files
Web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".HELLO" />
    </authentication>
    <machineKey validationKey="FFFFFFFFFFFFFFFFFFFF0000000000444444444400000000" decryptionKey="FFFFFFFFFFFFFFFFFFFF0000000000444444444400000000" />
  </system.web>
</configuration>
Default.aspx
<%@ Page Language="C#" %>
<script runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        FormsAuthentication.SetAuthCookie("foo", true);
    }
</script>
<h1>Hello</h1>
<%= Request.Cookies.Get(".HELLO").Value %>
Run the web site and visit the main page to receive something like:
4CA1FDC27E0C28B0571296D799C1A469B1C63337C51A8EBB4B302E669DB091084B03BA9D051E3535C0EF2F2BC56EC3DACB5589FB9E082BD0902BF897E5A3F18AA49DC6AB566841913AF1D46E1ACF49BCC05E3F5C1A0A69C5DA38A2C03FE07F293D089BC9858AFEB5B5EB8F516121DDCC1623CB4D1B8324F3D5297AE669DFE556
Create a dotnet core console app
using System;
using AspNetTicketBridge;

public static class Program
{
    public static void Main()
    {
        string validationKey = "FFFFFFFFFFFFFFFFFFFF0000000000444444444400000000";
        string decryptionKey = "FFFFFFFFFFFFFFFFFFFF0000000000444444444400000000";
        var token = "4CA1FDC27E0C28B0571296D799C1A469B1C63337C51A8EBB4B302E669DB091084B03BA9D051E3535C0EF2F2BC56EC3DACB5589FB9E082BD0902BF897E5A3F18AA49DC6AB566841913AF1D46E1ACF49BCC05E3F5C1A0A69C5DA38A2C03FE07F293D089BC9858AFEB5B5EB8F516121DDCC1623CB4D1B8324F3D5297AE669DFE556";
        var ticket = MachineKeyTicketUnprotector.UnprotectOAuthToken(token, decryptionKey, validationKey);
        Console.WriteLine($"Result: {ticket}"); // null
    }
}
The piece of code in MachineKey.Unprotect which returns null is:
if (!MachineKey.BuffersAreEqual(protectedData, checked (offset + count), buffer1Count, hash, 0, hash.Length))
    return (byte[]) null;
This library works very well for "parsing" existing tokens. What about issuing new tokens? Any clue to obtain the "Protect" method of the MachineKey class?
It might be useful to completely replace an existing OWIN OAuth 2.0 server.
Packaged assembly is not strongly named and this is an issue for most projects which have this requirement and include checks in their CI.
Can there be a separate version of this NuGet e.g. AspNetTicketBridge.Strong?
Benefits and references here: https://docs.microsoft.com/en-us/dotnet/standard/assembly/strong-named
I'm using this package for decrypting tokens generated by an OWIN app. Can the token expiration be validated through this package? If not, are there any plans to do so, or is it out of the scope of this package?
We had a legacy auth system that was using the old Authentication Tickets, and wanted to have our new Authentication System in .NET Core interop with it.
This library already contained much of the pieces, but needed a little bit more boilerplate to make it easy to do.
Here is an example of this working:
private static void SetCookieOptions(CookieAuthenticationOptions opts, B2CSettings settings)
{
    opts.Cookie.Domain = settings.CookieDomain;
    opts.Cookie.Name = "CookieName";
    opts.Cookie.Expiration = new TimeSpan(4, 30, 0);
    opts.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    opts.Cookie.HttpOnly = true;
    opts.Cookie.IsEssential = true;
    opts.ExpireTimeSpan = new TimeSpan(4, 30, 0);
    opts.Cookie.Path = "/";
    // Interop support for cookies from ASP.NET 4.x
    opts.TicketDataFormat =
        new AspNet4TicketDataFormat(new MachineKeyDataProtector(
            settings.ValidationKey, settings.DecryptionKey)
            .ForPurposes(MachineKeyDataProtector.DefaultCookiePurposes));
}
Will clean up what I added and submit a PR shortly.
I am using this library to decrypt bearer tokens with decryption algorithm AES and validation algorithm SHA1. I am always getting a failure (false return) from the BuffersAreEqual method in MachineKey.cs. The buffer counts are the same but the check inside the loop is not matching up. If I simply change the code so that this method always returns true everything seems to work fine and my token is successfully unprotected. I have not been able to determine the reason behind this validation. Why would this validation be failing always and is it important?
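An added example (my code, not the aspnetticketbridge library's) for the questions raised in the issues above: why a ticket protected under one set of purposes ("Refresh_Token" versus a Forms cookie, for instance) does not validate under another, and what the BuffersAreEqual check at the end of Unprotect guards. It assumes the SP800-108 layout stated in the docstrings (HMAC-SHA512 PRF, BinaryWriter-style length-prefixed context) and a trailing HMAC-SHA1 tag; the function names are mine and the MAC-only mac_for_demo helper is a test aid, not a substitute for MachineKey.Protect, which also encrypts the payload.

```python
import hashlib
import hmac
import struct


def binarywriter_string(s: str) -> bytes:
    """Mimic .NET BinaryWriter.Write(string): 7-bit encoded byte length, then UTF-8."""
    data = s.encode("utf-8")
    n, out = len(data), bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out) + data


def derive_key(master_key_hex: str, primary_purpose: str, specific_purposes) -> bytes:
    """SP800-108 counter-mode KDF. Assumed layout (as I understand ASP.NET 4.5+):
    HMAC-SHA512 PRF, block = [i]_2 || label || 0x00 || context || [L]_2, where
    label is the primary purpose and context is the BinaryWriter-serialized
    specific purposes. The derived key is as long as the <machineKey> master key,
    so a different purpose list yields a different validation key."""
    master = bytes.fromhex(master_key_hex)
    label = primary_purpose.encode("utf-8")
    context = b"".join(binarywriter_string(p) for p in specific_purposes)
    suffix = label + b"\x00" + context + struct.pack(">I", len(master) * 8)
    out, i = bytearray(), 1
    while len(out) < len(master):
        out += hmac.new(master, struct.pack(">I", i) + suffix, hashlib.sha512).digest()
        i += 1
    return bytes(out[: len(master)])


def verify_and_strip_mac(protected: bytes, validation_key: bytes):
    """Trailing-tag layout from the decompiled MachineKey snippet above: the last
    HMAC-SHA1-sized bytes are the tag over everything before them. Returns the
    body, or None when the tag does not verify; this is the BuffersAreEqual step,
    and skipping it lets any bit-flipped or forged blob through to decryption."""
    tag_len = hashlib.sha1().digest_size
    if len(protected) <= tag_len:
        return None
    body, tag = protected[:-tag_len], protected[-tag_len:]
    expected = hmac.new(validation_key, body, hashlib.sha1).digest()
    return body if hmac.compare_digest(expected, tag) else None


def mac_for_demo(payload: bytes, validation_key: bytes) -> bytes:
    """Demo-only: append the tag so the check can be exercised on constructed input."""
    return payload + hmac.new(validation_key, payload, hashlib.sha1).digest()
```

Run against the 24-byte key from the repro above, the refresh-token purposes and the access-token purposes derive different keys, and a blob tagged under one is rejected under the other exactly where the null return in the MachineKey snippet originates.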