SquareWidget.HMAC.Server.Core 2.1.0

Middleware HMAC-based authentication service for ASP.NET Core 2.1 Web Api

Install-Package SquareWidget.HMAC.Server.Core -Version 2.1.0
dotnet add package SquareWidget.HMAC.Server.Core --version 2.1.0
<PackageReference Include="SquareWidget.HMAC.Server.Core" Version="2.1.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add SquareWidget.HMAC.Server.Core --version 2.1.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.

SquareWidget.HMAC.Server.Core

Middleware HMAC-based authentication service for ASP.NET Core 2.1 Web Api.

Status

TODO

Prerequisites

ASP.NET Core 2.1

Getting Started

See the documentation for usage. Download the NuGet package in your ASP.NET Core 2.1 API. Implement a shared secret store service from abstract base class SharedSecretStoreService as in this example:

using SquareWidget.HMAC.Server.Core;
using System.Threading.Tasks;

namespace SquareWidget.ExampleApi
{
    public class MySharedSecretStoreService : SharedSecretStoreService
    {
        public override Task<string> GetSharedSecretAsync(string clientId)
        {
            // TODO: Use clientId to get the shared secret from 
			// Azure Key Vault, IdentityServer4, or a database
            return Task.Run(() => "P@ssw0rd");
        }
    }
}

Add to ConfigureServices method in Startup.cs to register the authentication handler:

services
    .AddAuthentication(HmacAuthenticationDefaults.AuthenticationScheme)
    .AddHmacAuthentication<MySharedSecretStoreService>(o => { });

Options

By default the authentication handler looks for two request headers called "Hash" and "Timestamp" but these can be overridden if the client passes in another value in the request header:

services
    .AddAuthentication(HmacAuthenticationDefaults.AuthenticationScheme)
    .AddHmacAuthentication<MySharedSecretStoreService>(o => 
    {
        o.HashHeaderName = "MyHash";
        o.TimestampHeaderName = "MyTimestamp";
    });

There is a replay attack value of 15 seconds. This can be overridden which is especially useful when debugging code:

services
    .AddAuthentication(HmacAuthenticationDefaults.AuthenticationScheme)
    .AddHmacAuthentication<MySharedSecretStoreService>(o => 
    {
        o.ReplayAttackDelayInSeconds = 900; // 15 mins
    });

Client Side

Use SquareWidget.HMAC.Client.Core package. See the documentation. Bring in the package and use HmacHttpClient:

var baseUri = "https://localhost:12345";
var credentials = new ClientCredentials
{
    ClientId = "testClient",
    ClientSecret = "testSecret"
};

var requestUri = "api/widgets/1";
using (var client = new HmacHttpClient(baseUri, credentials))
{
    var widget = client.Get<Widget>(requestUri).Result;
    // do something with widget ID 1...
}

Versioning

Version 2.1.0 targeting ASP.NET Core 2.1

Authors

James Still

License

This project is licensed under the MIT License.

Acknowledgments

SquareWidget.HMAC.Server.Core

Middleware HMAC-based authentication service for ASP.NET Core 2.1 Web Api.

Status

TODO

Prerequisites

ASP.NET Core 2.1

Getting Started

See the documentation for usage. Download the NuGet package in your ASP.NET Core 2.1 API. Implement a shared secret store service from abstract base class SharedSecretStoreService as in this example:

using SquareWidget.HMAC.Server.Core;
using System.Threading.Tasks;

namespace SquareWidget.ExampleApi
{
    public class MySharedSecretStoreService : SharedSecretStoreService
    {
        public override Task<string> GetSharedSecretAsync(string clientId)
        {
            // TODO: Use clientId to get the shared secret from 
			// Azure Key Vault, IdentityServer4, or a database
            return Task.Run(() => "P@ssw0rd");
        }
    }
}

Add to ConfigureServices method in Startup.cs to register the authentication handler:

services
    .AddAuthentication(HmacAuthenticationDefaults.AuthenticationScheme)
    .AddHmacAuthentication<MySharedSecretStoreService>(o => { });

Options

By default the authentication handler looks for two request headers called "Hash" and "Timestamp" but these can be overridden if the client passes in another value in the request header:

services
    .AddAuthentication(HmacAuthenticationDefaults.AuthenticationScheme)
    .AddHmacAuthentication<MySharedSecretStoreService>(o => 
    {
        o.HashHeaderName = "MyHash";
        o.TimestampHeaderName = "MyTimestamp";
    });

There is a replay attack value of 15 seconds. This can be overridden which is especially useful when debugging code:

services
    .AddAuthentication(HmacAuthenticationDefaults.AuthenticationScheme)
    .AddHmacAuthentication<MySharedSecretStoreService>(o => 
    {
        o.ReplayAttackDelayInSeconds = 900; // 15 mins
    });

Client Side

Use SquareWidget.HMAC.Client.Core package. See the documentation. Bring in the package and use HmacHttpClient:

var baseUri = "https://localhost:12345";
var credentials = new ClientCredentials
{
    ClientId = "testClient",
    ClientSecret = "testSecret"
};

var requestUri = "api/widgets/1";
using (var client = new HmacHttpClient(baseUri, credentials))
{
    var widget = client.Get<Widget>(requestUri).Result;
    // do something with widget ID 1...
}

Versioning

Version 2.1.0 targeting ASP.NET Core 2.1

Authors

James Still

License

This project is licensed under the MIT License.

Acknowledgments

This package is not used by any popular GitHub repositories.

Version History

Version Downloads Last updated
2.1.0 919 12/8/2018
1.0.0 146 12/3/2018