Reputation: 7854
I have a Web API project of ours that needs to be secured. I am planning to allow the users that registered with my app to use the API [Forms Authentication], users with their own organizational accounts [ADFS] and Social Sign-In.
I have all the middleware available to plug in and make available to the users. However, in my application I do have custom roles and privileges that are to be provided so that my application authorizes the service calls based on the existing privileges. What is the best way to accomplish this?
I think that I will be required to provide my own custom implementation of the UserStore and UserManager with my own IUser Implementation.
Kindly suggest the best practice for this scenario.
Upvotes: 1
Views: 5319
Reputation: 1395
With multiple authentication middleware registered, you can get multiple ClaimsIdentity objects.
Register each type of authentication you want to support.
I would be sure to add a claims transformation module at the end of the pipeline. Thinktecture has an example. ThinkTecture Owin Claims Transformer
This would give you one place to look up and add all the application type claims for an authenticated user in one spot.
Simple pseudo-example (geared to Web API, but the concept is the same). Authenticate with bearer or basic or both, then transform.

// Identity 2.0 user manager plumbing used by your modules
app.CreatePerOwinContext(ApplicationSession.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

// Token authentication -> yields a principal
app.UseOAuthBearerAuthentication(OAuthBearerOptions);

// Basic authentication -> yields a principal
app.UseBasicAuthentication(app.CreateLogger<BasicAuthenticationMiddleware>(),
    "Realm", ValidateUser);

// Transform claims into the application identity; add additional claims if needed
app.UseClaimsTransformation(TransformClaims);
Upvotes: 1
Reputation: 976
This is what I ended up designing for a system with similar requirements. The key is to separate the authentication and authorization logic.
1. Build Owin authentication middleware components that take care of establishing user identity based on the various login methods you mentioned. Looks like you have this accomplished. Set the ASP.NET identity based on the user.
2. Retrieve the roles/permissions for the logged-in user from your store. This can be done as a separate Owin middleware or as part of your authentication. Add the permissions as Claims to your Principal.
3. Extend your roles/permissions store to map API service operations to the application permissions.
4. Implement a custom API Authorize attribute and apply it to every API operation. In this attribute you will have access to the operation name and the user Claims (permissions). Match the Claims with the permissions you mapped in the step above. If there is a match, return IsAuthorized=true; otherwise, return false.
Here is a similar issue at a simpler level.
How do you setup mixed authorizations for different authentications in .net (web api 2 + owin)
Upvotes: 0
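As an added example (not the answerer's code), here is one way to implement the last two steps of the answer above in ASP.NET Web API 2: a hypothetical permission store that maps "Controller.Action" to an application permission, and an authorization filter that checks the permission claims the OWIN pipeline placed on the principal. The claim type, the store class and the sample mapping are assumptions constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
// Hypothetical stand-in for the roles/permissions store: maps "Controller.Action"
// to the application permission a caller must hold. Constructed sample data.
public sealed class PermissionStore
{
    private static readonly Dictionary<string, string> Map =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Orders.Get",  "orders:read"  },
            { "Orders.Post", "orders:write" },
        };

    public string RequiredPermission(string controller, string action)
    {
        string permission;
        return Map.TryGetValue(controller + "." + action, out permission) ? permission : null;
    }
}

// Apply to every Web API operation. It reads the permission claims that the
// OWIN pipeline (authentication + claims enrichment) placed on the principal.
public sealed class RequirePermissionAttribute : AuthorizationFilterAttribute
{
    public const string PermissionClaimType = "urn:example:permission"; // hypothetical claim type
    private readonly PermissionStore _store = new PermissionStore();

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            // No authenticated identity at all: 401 so the client knows to authenticate.
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }
        string controller = actionContext.ControllerContext.ControllerDescriptor.ControllerName;
        string action = actionContext.ActionDescriptor.ActionName;
        string required = _store.RequiredPermission(controller, action);
        // Fail closed: an operation with no mapping is denied rather than silently allowed.
        if (required == null || !principal.HasClaim(PermissionClaimType, required))
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
    }
}
```

Decorate controllers or actions with [RequirePermission]; the claims enrichment middleware from the earlier step must add one urn:example:permission claim per permission the user holds.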
Reputation: 13834
It sounds like you are looking for externalized authorization. Externalized authorization is the act of:
Have a look at XACML, the eXtensible Access Control Markup Language. You can find some more information on OASIS's website.
Also check out NIST's project on ABAC.
Once you have defined your authorization logic, you can decide how to enforce it. This can be done either via direct enforcement at the entry of your apps, or in a provisioning way whereby the permissions derived from the authorization policies are fed into an authentication token, e.g. SAML, as attribute assignments.
HTH
Upvotes: 0