Geek Answers Handbook

How to give Owin user id?

TL; dr: What is the Owin equivalent of the HttpApplication.AuthenticateRequest event ?

Background

When ASP.net starts up on IIS, the global System.Web.HttpApplication object raises the AuthenticateRequest event during each request.

Various HTTP modules (such as FormsAuthentication Integrated Authentication) can join the event. Event handlers are called in the order in which they are registered. The first handler that sets HttpContext.Current.User is the authentication used.

The work of the modules that are subscribed to this event is to set HttpContext.Current.User to some Principal :

 IIdentity identity = new GenericIdentity("MBurns", "ContosoAuthentcation"); IPrincipal principal = new GenericPrincipal(identity, null); HttpContext.Current.User = principal;

Once HttpContext.Current.User assigned, ASP.net knows that the user is authenticated. (And as soon as the user is authenticated, he is no longer anonymous).

Any module can do this.

Anyone can use web.config to register their own IHttpModule on ASP.net:

web.config

 <system.webServer> <modules runAllManagedModulesForAllRequests="true"> <add name="MySuperCoolAuthenticationModule" type="ContosoAuthModule" /> </modules> </system.webServer>

The module is simple enough to write. You implement the only Init method of the IHttpModule interface. For us, we add ourselves as an AuthenticateRequest event handler:

 public class ContosoAuthModule : IHttpModule { public void Init(HttpApplication httpApplication) { // Register event handlers httpApplication.AuthenticateRequest += OnApplicationAuthenticateRequest; } }

And then you can do what is necessary to authenticate the user, and if he is a valid user, install HttpContext.Current.User :

 private void OnApplicationAuthenticateRequest(object sender, EventArgs e) { var request = HttpContext.Current.Request; String username = SomeStuffToFigureOutWhoIsMakingTheRequest(request); if (String.IsNullOrWhiteSpace(username)) { //I don't know who they are :( return; } //I know who they are, they are [username]! IIdentity identity = new GenericIdentity(username, "ContosoSuperDuperAuthentication"); HttpContext.Current.User = new GenericPrincipal(identity, null); }

That's all HttpApplication

MSDN documents the various events generated by HttpApplication , and in what order:

ASP.NET Application Lifecycle Overview for IIS 7.0 ( archive.is )

  1. Check the request, which checks the information sent by the browser and determines if it contains potentially malicious markup. See ValidateRequest a and Script Usage Overview a for more information.
  2. Perform a URL mapping if any URL has been configured in UrlMappingsSection in the section of the Web.config file.
  3. Raise the BeginRequest event.
  4. Raise AuthenticateRequest to an event.
  5. Raise the PostAuthenticateRequest event.
  6. Raise the AuthorizeRequest event.
  7. Raise the PostAuthorizeRequest event.
  8. Raise the ResolveRequestCache event.

And it's all great when it's ASP.net and HttpApplication . Everything is well understood, easy to explain (on the split screen above) and works.

But HttpApplication is old and broken.

Owen is the new heat

Now everything should be Owen. HttpApplication lives in System.Web . People want to be isolated from System.Web . They want this business, called Owen, to be in charge now.

To achieve this, they (i.e., any new ASP.net MCV, web forms or SignalR website) completely disable the ASP.net authentication system:

 <system.web> <authentication mode="None" /> </system.web>

So there is no longer the HttpApplication.AuthenticateRequest event. :(

What is the equivalent of Owen?

What is the Owin equivalent of HttpApplication.AuthenticateRequest?

It is safe to say that no matter where my code is called from, my job as before is to set HttpContext.Current.User to identity.

Is it safe to say that no matter where my code is called form, my job is still to set HttpContext.Current.User to identity?

What is the Owin equivalent of HttpApplication.AuthenticateRequest?

Attempt that does not work

None of this is ever called

 using System; using System.Threading.Tasks; using Microsoft.Owin; using Owin; using System.Web; using System.IO; using Microsoft.Owin.Extensions; using System.Security.Claims; using System.Security.Principal; [assembly: OwinStartup("AnyStringAsLongAsItsNotBlank", typeof(BasicAuthOwin))] public class BasicAuthOwin { public void Configuration(IAppBuilder app) { app.Use((context, next) => { System.Diagnostics.Trace.WriteLine("They did their best, shoddily-iddly-iddly-diddly"); OnAuthenticateRequest(context); return next.Invoke(); }); app.UseStageMarker(PipelineStage.Authenticate); app.Run(context => { return context.Response.WriteAsync("Hello world"); }); } private void OnAuthenticateRequest(IOwinContext context) { var request = context.Request; String username = SomeStuffToFigureOutWhoIsMakingTheRequest(request); if (String.IsNullOrWhiteSpace(username)) { //I don't know who they are :( return; } //I know who they are, they are [username]! IIdentity identity = new GenericIdentity(username, "ContosoSuperDuperOwinAuthentication"); context.Authentication.User = new ClaimsPrincipal(identity); } private string SomeStuffToFigureOutWhoIsMakingTheRequest(IOwinRequest request) { //if ((System.Diagnostics.Stopwatch.GetTimestamp % 3) == 0) // return ""; return "MBurns"; } }
+6
source share
1 answer

Post a blog post from this Jwt Authentication website in the ASP.NET WEB API and MVC . It explains how to solve the "Authorization was rejected for this request" problem using OWIN.

Jwthandler class

 public static void OnAuthenticateRequest(IOwinContext context) { var requestHeader = context.Request.Headers.Get("Authorization"); int userId = Convert.ToInt32(JwtDecoder.GetUserIdFromToken(requestHeader).ToString()); var identity = new GenericIdentity(userId.ToString(), "StakersClubOwinAuthentication"); //context.Authentication.User = new ClaimsPrincipal(identity); var token = requestHeader.StartsWith("Bearer ") ? requestHeader.Substring(7) : requestHeader; var secret = WebConfigurationManager.AppSettings.Get("jwtKey"); Thread.CurrentPrincipal = ValidateToken( token, secret, true ); context.Authentication.User = (ClaimsPrincipal) Thread.CurrentPrincipal; //if (HttpContext.Current != null) //{ // HttpContext.Current.User = Thread.CurrentPrincipal; //} }

Launch class

 public class Startup { public void Configuration(IAppBuilder app) { var config = new HttpConfiguration(); app.Use((context, next) => { JwtAuthHandler.OnAuthenticateRequest(context); //the new method return next.Invoke(); }); app.UseStageMarker(PipelineStage.Authenticate); WebApiConfig.Register(config);//Remove or comment the config.MessageHandlers.Add(new JwtAuthHandler()) section it would not be triggered on execution. app.UseWebApi(config); } }
0
source

More articles:


All Articles