Authentication with shared access keys via ASP.NET Core authentication filters
Shared access key authentication
The Arcus.WebApi.Security package provides an mechanism that uses shared access keys to authenticate users.
This authentication process consists of two parts:
- Looks for the configured HTTP request header that contains the shared access key
- Shared access key matches the value with the secret stored, determined via configured secret provider
- Shared access key authentication
- Installation
- Globally enforce shared access key authentication
- Enforce shared access key authentication per controller or operation
Installation
This feature requires to install our NuGet package
PM > Install-Package Arcus.WebApi.Security.Authentication -Version 0.4.0
Globally enforce shared access key authentication
Introduction
The SharedAccessKeyAuthenticationFilter can be added to the request filters in an ASP.NET Core application.
This filter will then add authentication to all routes via a shared access key configurable on the filter itself.
Usage
The authentication requires a ICachedSecretProvider or ISecretProvider to be registered in services of the applications (normally in the Startup class).
After that, you can add the filter to the MVC services:
using Arcus.Security.Core.Caching;
using Arcus.WebApi.Security.Authentication.SharedAccessKey;
using Microsoft.Extensions.DependencyInjection;
public class Startup
{
public void ConfigureServices(IServiceCollections services)
{
services.AddSingleton<ICachedSecretProvider>(serviceProvider => new MyCachedSecretProvider());
services.AddMvc(options => options.Filters.Add(new SharedAccessKeyAuthenticationFilter(headerName: "http-request-header-name", secretName: "shared-access-key-name")));
}
}
Enforce shared access key authentication per controller or operation
Introduction
The SharedAccessKeyAuthenticationAttribute can be added on both Controller and method level in an ASP.NET Core application.
This attribute will then add authentication to the route(s) via shared access keys configurable on the attribute itself.
Usage
The authentication requires a ICachedSecretProvider or ISecretProvider to be registered in services of the applications (normally in the Startup class):
using Arcus.Security.Core.Caching;
using Microsoft.Extensions.DependencyInjection;
public class Startup
{
public void ConfigureServices(IServiceCollections services)
{
services.AddSingleton<ICachedSecretProvider>(serviceProvider => new CachedSecretProvider(new MySecretProvider()));
services.AddMvc();
}
}
After that, you can freely use the attribute on the route (single method) or routes (multiple methods or Controller level) that requires authentication:
using Arcus.WebApi.Security.Authentication;
[ApiController]
[SharedAccessKeyAuthentication(headerName: "http-request-header-name", secretName: "shared-access-key-name")]
public class MyApiController : ControllerBase
{
[HttpGet]
[Route("authz/shared-access-key")]
public Task<IActionResult> AuthorizedGet()
{
return Task.FromResult<IActionResult>(Ok());
}
}