SquareWidget.HMAC.Server.Core
1.0.0
Prefix Reserved
There is a newer version of this package available.
See the version list below for details.
See the version list below for details.
dotnet add package SquareWidget.HMAC.Server.Core --version 1.0.0
NuGet\Install-Package SquareWidget.HMAC.Server.Core -Version 1.0.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="SquareWidget.HMAC.Server.Core" Version="1.0.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add SquareWidget.HMAC.Server.Core --version 1.0.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
#r "nuget: SquareWidget.HMAC.Server.Core, 1.0.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install SquareWidget.HMAC.Server.Core as a Cake Addin
#addin nuget:?package=SquareWidget.HMAC.Server.Core&version=1.0.0
// Install SquareWidget.HMAC.Server.Core as a Cake Tool
#tool nuget:?package=SquareWidget.HMAC.Server.Core&version=1.0.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
SquareWidget.HMAC.Server.Core
Server-side HMAC authentication handler
Prerequisites
ASP.NET Core 2.1
Getting Started
Download the NuGet package in your ASP.NET Core 2.1 API. Implement a shared secret store service from abstract base class SharedSecretStoreService as in this example:
using SquareWidget.HMAC.Server.Core;
using System.Threading.Tasks;
namespace SquareWidget.ExampleApi
{
public class MySharedSecretStoreService : SharedSecretStoreService
{
public override Task<string> GetSharedSecretAsync(string clientId)
{
// TODO: Use clientId to get the shared secret from Azure Key Vault, IdentityServer4, or a database
return Task.Run(() => "P@ssw0rd");
}
}
}
Add to ConfigureServices method in Startup.cs to register the authentication handler:
services
.AddAuthentication(HmacAuthenticationDefaults.AuthenticationScheme)
.AddHmacAuthentication<MySharedSecretStoreService>(o => { });
Options
By default the authentication handler looks for two request headers called "Hash" and "Timestamp" but these can be overridden if the client passes in another value in the request header:
services
.AddAuthentication(HmacAuthenticationDefaults.AuthenticationScheme)
.AddHmacAuthentication<MySharedSecretStoreService>(o =>
{
o.HashHeaderName = "MyHash";
o.TimestampHeaderName = "MyTimestamp";
});
There is a replay attack value of 15 seconds. This can be overridden which is especially useful when stepping through code:
services
.AddAuthentication(HmacAuthenticationDefaults.AuthenticationScheme)
.AddHmacAuthentication<MySharedSecretStoreService>(o =>
{
o.ReplayAttackDelayInSeconds = 900; // 15 mins
});
Client Side
/*
using System;
using System.Globalization;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
*/
var uri = "https://localhost:01234/api/values";
var clientId = "testClient";
var clientSecret = "P@ssw0rd";
var hashHeaderName = "Hash";
var timestampHeaderName = "Timestamp";
var timestamp = DateTime.UtcNow;
var timestampValue = timestamp.ToString("o", CultureInfo.InvariantCulture);
var ticks = timestamp.Ticks.ToString(CultureInfo.InvariantCulture);
string hashValue;
var key = Encoding.UTF8.GetBytes(clientSecret);
using (var hmac = new HMACSHA256(key))
{
var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(ticks));
var hashString = Convert.ToBase64String(hash);
hashValue = string.Format("{0}:{1}", clientId, hashString);
}
var client = new HttpClient();
client.DefaultRequestHeaders.Clear();
client.DefaultRequestHeaders.Add(timestampHeaderName, timestampValue);
client.DefaultRequestHeaders.Add(hashHeaderName, hashValue);
var response = await client.GetAsync(uri);
if (response.IsSuccessStatusCode)
{
Console.WriteLine("Received HTTP 200 from API. Writing values to console...");
Console.WriteLine(Environment.NewLine);
var content = await response.Content.ReadAsStringAsync();
Console.WriteLine(content);
}
else
{
Console.WriteLine("Response was unsuccessful with status code: " + response.StatusCode);
}
Authors
- James Still - Initial work - SquareWidget
License
This project is licensed under the MIT License and is free to use.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
| .NET Core | netcoreapp2.1 is compatible. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed. |
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.
-
.NETCoreApp 2.1
- Microsoft.AspNetCore.App (>= 2.1.6)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.