softaware.Authentication.Hmac.AspNetCore 1.0.0

A library which adds support for HMAC authentication in ASP.NET Core projects.

There is a newer version of this package available.
See the version list below for details.

Install-Package softaware.Authentication.Hmac.AspNetCore -Version 1.0.0

dotnet add package softaware.Authentication.Hmac.AspNetCore --version 1.0.0

<PackageReference Include="softaware.Authentication.Hmac.AspNetCore" Version="1.0.0" />

For projects that support PackageReference, copy this XML node into the project file to reference the package.

paket add softaware.Authentication.Hmac.AspNetCore --version 1.0.0

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

Documentation

softaware.Authentication.Hmac

softaware.Authentication.Hmac.AspNetCore

Provides an AuthenticationHandler which supports HMAC authentication in an ASP.NET Core project.

Usage:

Get your HMAC authenticated clients, for example from the appsettings.json file. For HMAC authentication, an AppId and an ApiKey is required for each client which should get access.

var hmacAuthenticatedApps = this.Configuration
    .GetSection("Authentication")
    .GetSection("HmacAuthenticatedApps")
    .Get<HmacAuthenticationClientConfiguration[]>()
    .ToDictionary(e => e.AppId, e => e.ApiKey);

{
  "Authentication": {
    "HmacAuthenticatedApps": [
        {
            "AppId": "<some-app-id>",
            "ApiKey": "<some-api-key>"
        }
    ]
  }
}

Enable HMAC authentication in Startup.cs in the ConfigureServices method:

services
    .AddHmacAuthentication(HmacAuthenticationDefaults.AuthenticationScheme, "HMAC Authentication", o =>
    {
        o.MaxRequestAgeInSeconds = HmacAuthenticationDefaults.MaxRequestAgeInSeconds;
        o.HmacAuthenticatedApps = hmacAuthenticatedApps;
    });

Add MemoryCache (from Microsoft.Extensions.Caching.Memory) in Startup.cs in the ConfigureServices method.
The MemoryCache is used by the HMAC AuthenticationHandler to determine replay attacks.

services.AddMemoryCache();

Enable authentication in Startup.cs in the Configure method:

app.UseAuthentication();

Optional: Specify HMAC as the authentication scheme for certain controllers:

[Authorize(AuthenticationSchemes = HmacAuthenticationDefaults.AuthenticationScheme)]
[Route("api/[controller]")]
public class HomeController : Controller
{
   // ...
}

softaware.Authentication.Hmac.Client

Provides a DelegatingHandler for adding an HMAC authorization header to HTTP requests.

Instantiate your HttpClient instance with the ApiKeyDelegatingHandler:

new HttpClient(new ApiKeyDelegatingHandler(appId, apiKey));

Or in case your WebAPI client is another ASP.NET WebAPI (>= ASP.NET Core 2.1), register your HttpClient in the Startup.cs for example as follows:

services.AddTransient(sp => new ApiKeyDelegatingHandler(appId, apiKey));

services
    .AddHttpClient("HmacHttpClient")
    .AddHttpMessageHandler<ApiKeyDelegatingHandler>();

Generate HMAC AppId and ApiKey

To generate an API Key, the following simple Console Application can be used.
This implementation is also provided on .NET Fiddle.

using System.Security.Cryptography;

public class Program
{
    public static void Main()
    {
        Console.WriteLine($"AppID: {Guid.NewGuid()} or <some-speaking-name>");
        Console.WriteLine($"ApiKey: {GenerateApiKey()}");
    }

    private static string GenerateApiKey()
    {
        using (var cryptoProvider = new RNGCryptoServiceProvider())
        {
            byte[] secretKeyByteArray = new byte[32]; //256 bit
            cryptoProvider.GetBytes(secretKeyByteArray);
            return Convert.ToBase64String(secretKeyByteArray);
        }
    }
}