Using multiple authorization schemes (HMAC and OAuth)

OK, so I have a WebAPI authentication service that is used to request /token and returns a Bearer token to the client. I added AppId and Api Key to the properties so that I return:

    {
      "access_token": "...",
      "token_type": "bearer",
      "expires_in": 86399,
      "dm:appid": "1",
      "dm:apikey": "...",
      ".issued": "Wed, 01 Jul 2015 20:46:45 GMT",
      ".expires": "Thu, 02 Jul 2015 20:46:45 GMT"
    }

The AppId and Api keys must be used by the client to generate an Hmac SHA256 signature for each request.

On my controller, I used the Authorize attribute and created an HmacAuthentication attribute that implements IAuthenticationFilter:

    [RoutePrefix("api/account")]
    [Authorize]
    [HmacAuthentication]
    public class AccountController : ApiController
    {
        // rest of controller here
    }

The problem is that any request to this controller expects the Authorization: Bearer ... header, and the HmacAuthentication attribute also expects the Authorization: amx ... header.

Now I know that you can have only one authorization header, so my quandary is how I can implement both authorization headers without breaking HTTP. Has anyone achieved this using OWIN OAuth and HMAC Authentication?

I followed these examples from Taiseer Joudeh:

Token Based Authentication Using ASP.NET Web API 2, Owin, and Identity
ASP.NET Secure Web API Using API Key Authentication - HMAC Authentication

1 answer

It was a long time without an answer, and since I solved my original problem, I decided that I should post the solution here so that others can use it.

In the end, the solution was to add a custom header, as in your comment, @Glaucus. For standard OAuth authorization, I added the Authorize header attribute. To satisfy my need for HMAC, I simply added an X-Authorize attribute to the header and changed my code to use that header instead.

Now I can have a WebAPI service protected by an OAuth token and by implementing HMAC authorization in requests.

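The header split described in the answer, as an added C# example (not the poster's code and not taken from the linked articles): the bearer token stays in Authorization, the HMAC value travels in X-Authorize, and the server validates it separately. The `amx appId:signature:nonce:timestamp` value format, the signed-string layout, the `DualAuth` class, and the key, token and URL are assumptions constructed for illustration.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;

static class DualAuth
{
    // Assumed signed-string layout: appId|METHOD|uri|timestamp|nonce|base64(SHA-256(body)).
    static string Sign(byte[] key, string appId, string method, string uri, string ts, string nonce, byte[] body)
    {
        using (var sha = SHA256.Create())
        using (var hmac = new HMACSHA256(key))
        {
            string raw = string.Join("|", appId, method.ToUpperInvariant(), uri, ts, nonce, Convert.ToBase64String(sha.ComputeHash(body)));
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(raw)));
        }
    }
    // Client: the bearer token keeps Authorization; the HMAC value goes in X-Authorize.
    public static void AddHeaders(HttpRequestMessage req, string token, string appId, byte[] key, byte[] body, long unixNow)
    {
        string ts = unixNow.ToString(), nonce = Guid.NewGuid().ToString("N");
        string sig = Sign(key, appId, req.Method.Method, req.RequestUri.AbsoluteUri, ts, nonce, body);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        req.Headers.Add("X-Authorize", $"amx {appId}:{sig}:{nonce}:{ts}");
    }
    // Server: check X-Authorize on its own; the bearer token is validated separately by [Authorize].
    public static bool VerifyHmac(string header, string method, string uri, byte[] body, byte[] key, long unixNow, long maxSkew = 300)
    {
        if (header == null || !header.StartsWith("amx ", StringComparison.Ordinal)) return false;
        string[] p = header.Substring(4).Split(':');   // appId, signature, nonce, timestamp
        if (p.Length != 4 || !long.TryParse(p[3], out long ts) || Math.Abs(unixNow - ts) > maxSkew) return false;
        byte[] expected = Encoding.UTF8.GetBytes(Sign(key, p[0], method, uri, p[3], p[2], body));
        byte[] actual = Encoding.UTF8.GetBytes(p[1]);
        int diff = expected.Length ^ actual.Length;    // compare without an early exit on mismatch
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;                              // a real filter would also reject reused nonces
    }
    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key"), body = Encoding.UTF8.GetBytes("{\"name\":\"x\"}");
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        var req = new HttpRequestMessage(HttpMethod.Post, "https://api.example.test/api/account");
        AddHeaders(req, "constructed-bearer-token", "1", key, body, now);
        string x = string.Join("", req.Headers.GetValues("X-Authorize"));
        Console.WriteLine(VerifyHmac(x, "POST", req.RequestUri.AbsoluteUri, body, key, now));             // intact request
        Console.WriteLine(VerifyHmac(x, "POST", req.RequestUri.AbsoluteUri, new byte[] { 1 }, key, now)); // tampered body
    }
}
```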
