thinktecture-ident-model

Thinktecture IdentityModel AuthenticationConfiguration Mapping for Cookie - how?

南笙酒味 posted on 2020-01-11 06:16:42
Question: I have a Web API based application currently set up using the amazing Thinktecture IdentityModel 4.5. It is set up for claims-based authentication, accepting a Basic auth credential sent in on the Authorization header. The JavaScript client saves the returned session token and uses this for subsequent requests by including it in the Authorization header preceded by Session as the scheme. The JavaScript client also saves the token to a cookie, for retrieval if the window is closed and reopened

How do you prevent replay attacks with Thinktecture IdentityModel token?

China☆狼群 posted on 2020-01-01 07:11:53
Question: I have two sites on separate domains. I'm implementing SSO using the Thinktecture IdentityModel. A user logs into Site A. At some point they click a link to take them to site B. Site A redirects the user to site B/Login.aspx?token=<token> with a JWT token. Site B then validates the token by calling an API on Site A to authenticate the user. If authenticated, the user is automatically logged into site B. By default Thinktecture tokens last for 10 hours, with no way to kill a token (as far as

Thinktecture IdentityModel token rejected

北城以北 posted on 2019-12-25 04:05:15
Question: My Durandal SPA app performs BASIC authentication to acquire a session token which it then presents in headers to access Web API controller methods. This works fine. On successful authentication I cache the access_token in localStorage so I can re-acquire it from local storage to preserve the session in the event of browser closure or refresh. The token is re-acquired but it is rejected by the server with an Unauthorized message. This question starts by saying that the OP has successfully

Custom WebApi Authorization Database Call

梦想与她 posted on 2019-12-22 10:46:14
Question: I'm trying to decide if the custom Authorization attribute I wrote is really a good idea. Scenario: Say we have a collection of stores, each Store has an owner. Only the owner of the store can do CRUD operations on the store. EXCEPT for users with a Claim that basically overrides the ownership requirement and says they can do CRUD operations on ANY store. Sidenote: I'm using Thinktecture and ADFS. So I made a StoreOwnerAuthorize attribute whose parameters ("Manage", "Stores") are used to check

Role-based authorization in ASP.NET Web API - how to set roles on the principal?

霸气de小男生 posted on 2019-12-11 08:36:09
Question: I am using recipe 10-3 in the newly released book ASP.NET Web API 2 Recipes to support basic authentication in my Web API. This recipe utilizes a third-party library from Thinktecture. As seen from the code below, I am authenticating the user against my own account service. using Thinktecture.IdentityModel.WebApi.Authentication.Handler; public static class WebApiConfig { public static void Register(HttpConfiguration config) { ... var authenticationConfiguration = new AuthenticationConfiguration

Custom WebApi Authorization Database Call

丶灬走出姿态 posted on 2019-12-05 19:33:48
I'm trying to decide if the custom Authorization attribute I wrote is really a good idea. Scenario: Say we have a collection of stores, each Store has an owner. Only the owner of the store can do CRUD operations on the store. EXCEPT for users with a Claim that basically overrides the ownership requirement and says they can do CRUD operations on ANY store. Sidenote: I'm using Thinktecture and ADFS. So I made a StoreOwnerAuthorize attribute whose parameters ("Manage", "Stores") are used to check if the user has the appropriate claim to "override" not being an owner but still able to pass the

Authorization header is null when setting its value to an Encrypted SAML 2 token

守給你的承諾、 posted on 2019-12-02 14:12:01
Question: I'm using Thinktecture IdentityServer to issue my SAML security tokens using the WS-Trust protocol. Then I'm calling my Web API with an Authorization HTTP header containing the token. The token is handled successfully using Thinktecture.IdentityModel. But when I use a certificate to encrypt the sent token (by choosing an Encrypting Certificate in the IDP RP Admin page), the request received by IdentityModel has its Authorization header set to null (Actually the encrypted value exists

Updating BootStrapContext with new SessionSecurityToken when using Sliding sessions in WIF with the SAM and Thinktecture IdentityModel

不打扰是莪最后的温柔 posted on 2019-12-02 03:34:37
Question: When using sliding sessions in WIF with the session authentication module (SAM) and Thinktecture IdentityModel as described in brockallen's blog, the session security token issued and written to the cookie has its "valid to" extended as required and the cookie is set accordingly. But the BootStrapToken serialized to the current claims Identity remains the old one, with the potentially expired token. This causes problems when trying to use the bootstrap context token for different reasons

Updating BootStrapContext with new SessionSecurityToken when using Sliding sessions in WIF with the SAM and Thinktecture IdentityModel

对着背影说爱祢 posted on 2019-12-02 01:00:53
When using sliding sessions in WIF with the session authentication module (SAM) and Thinktecture IdentityModel as described in brockallen's blog, the session security token issued and written to the cookie has its "valid to" extended as required and the cookie is set accordingly. But the BootStrapToken serialized to the current claims Identity remains the old one, with the potentially expired token. This causes problems when trying to use the bootstrap context token for different reasons (among them could be Implementing "Poor Man's" Delegation). What is the best way to update the

AuthorizationCodeProvider: Create is never called, how do I generate the authorization code?

[亡魂溺海] posted on 2019-12-02 00:25:40
Question: I'm setting up my own OAuth2 server. So far, I have successfully implemented GrantResourceOwnerCredentials in my implementation of OAuthAuthorizationServerProvider. Now, because I am developing an app for our business, I want to implement the OAuth2 Authorization Code grant. I have tried to follow the directions here https://docs.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server but in my implementation, I have not found how to reach the Create call of