arcus.webapi

Web API development with Microsoft Azure in a breeze.

The Arcus.WebApi.Security package provides a mechanism that uses shared access keys to grant access to a web application. This authentication process consists of two parts:

  1. Find the configured HTTP request header that contains the shared access key
  2. Check that the shared access key from the header matches the stored secret value, which is retrieved via the configured secret provider

The package allows two ways to configure this type of authentication mechanism in an ASP.NET application:
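The two-step check described above, sketched as a stand-alone ASP.NET Core authorization filter. This is an added example, not the Arcus.WebApi.Security implementation: the class name `SketchSharedAccessKeyFilter` and the `getSecret` delegate (a stand-in for the secret provider lookup) are hypothetical, and the fail-closed handling and constant-time comparison are assumptions about how such a check is best written.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Primitives;

// Illustrative sketch only: NOT the Arcus implementation.
public class SketchSharedAccessKeyFilter : IAsyncAuthorizationFilter
{
    private readonly string _headerName, _secretName;
    // Hypothetical stand-in for the secret provider: secret name -> secret value.
    private readonly Func<string, Task<string>> _getSecret;

    public SketchSharedAccessKeyFilter(string headerName, string secretName, Func<string, Task<string>> getSecret)
    {
        _headerName = headerName ?? throw new ArgumentNullException(nameof(headerName));
        _secretName = secretName ?? throw new ArgumentNullException(nameof(secretName));
        _getSecret = getSecret ?? throw new ArgumentNullException(nameof(getSecret));
    }

    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        // Step 1: find the configured header; reject if absent, empty or sent more than once.
        if (!context.HttpContext.Request.Headers.TryGetValue(_headerName, out StringValues values)
            || values.Count != 1
            || string.IsNullOrEmpty(values[0]))
        {
            context.Result = new UnauthorizedResult();
            return;
        }

        // Step 2: look up the stored secret; fail closed when none is configured,
        // so an empty secret can never match an empty header.
        string expected = await _getSecret(_secretName);
        if (string.IsNullOrEmpty(expected))
        {
            context.Result = new UnauthorizedResult();
            return;
        }

        // FixedTimeEquals avoids leaking, through response timing, how many leading bytes matched.
        bool matches = CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(values[0]), Encoding.UTF8.GetBytes(expected));
        if (!matches) context.Result = new UnauthorizedResult();
    }
}
```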

Globally enforce shared access key authentication

Introduction

The SharedAccessKeyAuthenticationFilter can be added to the request filters in an ASP.NET Core application. This filter will then add authentication to all endpoints via a shared access key configurable on the filter itself.

Usage

The authentication requires an ICachedSecretProvider or ISecretProvider dependency to be registered with the services container of the ASP.NET request pipeline. This is typically done in the ConfigureServices method of the Startup class. Once this is done, the SharedAccessKeyAuthenticationFilter can be added to the filters that will be applied to all actions:

public void ConfigureServices(IServiceCollection services)
{
    // Register the secret provider that supplies the stored shared access key.
    services.AddScoped<ICachedSecretProvider>(serviceProvider => new MyCachedSecretProvider());
    // Add the filter globally so every endpoint requires the shared access key.
    services.AddMvc(options => options.Filters.Add(new SharedAccessKeyAuthenticationFilter(headerName: "http-request-header-name", secretName: "shared-access-key-name")));
}

Enforce shared access key authentication per controller or operation

Introduction

The SharedAccessKeyAuthenticationAttribute can be added at both controller and operation level in an ASP.NET Core application. The shared access key authentication will then be applied to the endpoint(s) that are decorated with the SharedAccessKeyAuthenticationAttribute.

Usage

The authentication requires an ICachedSecretProvider or ISecretProvider dependency to be registered with the services container of the ASP.NET request pipeline. This is typically done in the ConfigureServices method of the Startup class:

public void ConfigureServices(IServiceCollection services)
{
    // Register the secret provider that supplies the stored shared access key.
    services.AddScoped<ICachedSecretProvider>(serviceProvider => new CachedSecretProvider(new MySecretProvider()));
    // No global filter here: authentication is applied per controller or operation via the attribute.
    services.AddMvc();
}

After that, the SharedAccessKeyAuthenticationAttribute can be applied on the controllers or, if more fine-grained control is needed, on the operations that require authentication:

[ApiController]
// Applied at controller level: every operation in this controller requires the shared access key.
[SharedAccessKeyAuthentication(headerName: "http-request-header-name", secretName: "shared-access-key-name")]
public class MyApiController : ControllerBase
{
    [HttpGet]
    [Route("authz/shared-access-key")]
    public Task<IActionResult> AuthorizedGet()
    {
        return Task.FromResult<IActionResult>(Ok());
    }
}