Ambareesh

Reputation: 81

FormsAuthentication Decrypt In Asp.Net Core

We have multiple Asp.Net MVC applications with Single Sign On, where we pass an encrypted string produced by the FormsAuthentication.Encrypt() method as a query string and decrypt the same string using FormsAuthentication.Decrypt().

Since both sites were developed in Asp.Net MVC, we are able to use Forms Authentication and decrypt the string.

Now we are developing a new project in Asp.Net Core, where we pass an encrypted string as a query string from Asp.Net MVC and have to decrypt it in the Asp.Net Core web application.

Is there any alternative to decrypt the string in Asp.Net Core?

Note: We are not using Asp.Net Identity

//Encryption (legacy Asp.Net MVC site that starts the sign-on)
using System.Web.Security;   // FormsAuthentication, FormsAuthenticationTicket

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, "Name", DateTime.Now, DateTime.Now.AddMinutes(60), true, "DataToEncrypt");

// Encrypts and MACs the ticket with this site's <machineKey>; the output is hex, so it is safe in a query string
string encrypted = FormsAuthentication.Encrypt(ticket);
Response.Redirect("siteUrl?CookieName=" + encrypted);

//Decryption (receiving site, which must share the same <machineKey>)
// The value arrives in the query string of the redirect above, not in a cookie
string encryptedTicket = Request.QueryString["CookieName"];

// Decrypt may return null when the value cannot be decrypted or its MAC does not validate;
// an expired ticket is still returned, so check ticket.Expired as well
var formsAuthenticationTicket = string.IsNullOrEmpty(encryptedTicket) ? null : FormsAuthentication.Decrypt(encryptedTicket);
string _userData = (formsAuthenticationTicket != null && !formsAuthenticationTicket.Expired) ? formsAuthenticationTicket.UserData : null;

Upvotes: 3

Views: 3951

Answers (2)

Brobic Vripiat

Reputation: 326

Yes, this can be done without altering anything in your legacy app using this: https://github.com/julian-maughan/FormsAuthDecryptor

However, I am still looking for how to encrypt the ticket back to renew the sliding expiration.

using System.Security.Claims;   // ClaimsIdentity, Claim, ClaimTypes, ClaimsPrincipal

// get auth cookie value set by web forms authentication
var authCookieValue = context.Request.Cookies[_authCookieName];

// use special library to decrypt cookie value since .Net core has no built in means to do this
// note that _encryptionKey, _validationKey, and ValidationAlgorithm type must match with that from legacy web.config
var decryptor = new Decryptor(_encryptionKey, _validationKey, ValidationAlgorithm.HmacSha256);
var ticket = decryptor.Decrypt(authCookieValue);

// now that ticket is in the clear we can create a .Net core identity from it
var identity = new ClaimsIdentity(new[] {
  new Claim(ClaimTypes.Name, ticket.Name),
  new Claim(ClaimTypes.Role, "YourRole")
}, "CustomAuthenticationType");
context.User = new ClaimsPrincipal(identity);

Upvotes: -1

Chris Pratt

Reputation: 239200

No, what you were doing before depended on both applications sharing the same machine key, so that they both encrypt/decrypt in the same way. ASP.NET Core does not support the concept of machine keys and does not use them for encryption. Instead, it uses data protection providers. As such there is no possible way to decrypt a value in ASP.NET Core that was encrypted in an ASP.NET app based on machine key. Full stop.

That said, the data protection provider concept used in ASP.NET Core can be used in ASP.NET, but that will obviously require you to change your current design to utilize the data protection provider to encrypt/decrypt instead of your current methodology. Then, assuming that the provider is configured the same across all the apps, you'll be able to decrypt in ASP.NET Core. Namely, that requires that the keyring used by the data protection provider is in a shared location that all the apps can access, and that all the apps are configured to use the same application name.

Please refer to the documentation for how to set this up. The documentation is geared towards both cookie sharing and auth, but what this is really about is shared encryption schemes, so setting up the data protection bits mentioned in the docs will be enough.

Upvotes: 3
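A worked example of the shared data-protection setup this answer describes, added here as an illustration; it is not code from the question or from either answer. It assumes the NuGet packages Microsoft.AspNetCore.DataProtection and Microsoft.AspNetCore.DataProtection.Extensions are available on both sides (the legacy app must run on a .NET Framework version those packages target), and the key-ring path, application name and purpose string are made-up values that every participating app would have to share.

```csharp
// Added example, not from the question or either answer.
// Assumes: Microsoft.AspNetCore.DataProtection + Microsoft.AspNetCore.DataProtection.Extensions;
// the key-ring folder, application name and purpose below are illustrative values.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class SharedDataProtection
{
    // Every app must use the same key ring AND the same application name; otherwise
    // Unprotect fails because the key id in the payload is not found in the key ring.
    public static readonly DirectoryInfo KeyRingDir =
        new DirectoryInfo(@"\\fileserver\dp-keys");      // assumed shared folder
    public const string ApplicationName = "ContosoSso";    // assumed; identical everywhere
    public const string Purpose = "sso-handoff-v1";        // assumed; identical on both sides

    // Non-DI factory, which is what the legacy ASP.NET MVC app (no Startup/services) calls.
    // The ASP.NET Core side registers the equivalent in Startup.ConfigureServices:
    //   services.AddDataProtection()
    //           .PersistKeysToFileSystem(KeyRingDir)
    //           .SetApplicationName(ApplicationName);
    // and then takes IDataProtectionProvider from DI instead of calling this.
    // In production also protect the keys at rest (ProtectKeysWithDpapi / ProtectKeysWithCertificate).
    static IDataProtectionProvider CreateProvider() =>
        DataProtectionProvider.Create(KeyRingDir, o => o.SetApplicationName(ApplicationName));

    // Sender side: replaces FormsAuthentication.Encrypt(ticket). The output is base64url,
    // so it can be appended to a query string without further encoding.
    public static string ProtectForHandoff(string userData, TimeSpan lifetime)
    {
        var protector = CreateProvider().CreateProtector(Purpose).ToTimeLimitedDataProtector();
        return protector.Protect(userData, lifetime);
    }

    // Receiver side: replaces FormsAuthentication.Decrypt(value). A tampered, expired,
    // undecodable or foreign-key token is rejected instead of letting the exception escape.
    public static bool TryUnprotectHandoff(string token, out string userData, out DateTimeOffset expires)
    {
        userData = null;
        expires = default;
        try
        {
            var protector = CreateProvider().CreateProtector(Purpose).ToTimeLimitedDataProtector();
            userData = protector.Unprotect(token, out expires);
            return true;
        }
        catch (CryptographicException) { return false; }   // bad MAC, wrong key, expired
        catch (FormatException) { return false; }          // not valid base64url
    }

    public static void Main()
    {
        // Keep the lifetime short: a query-string token lands in proxy logs, browser history
        // and Referer headers, and can be replayed until it expires.
        string token = ProtectForHandoff("DataToEncrypt", TimeSpan.FromMinutes(2));
        Console.WriteLine("redirect to: https://site-b.example/sso?token=" + token);

        Console.WriteLine(TryUnprotectHandoff(token, out var data, out var exp)
            ? $"accepted: {data} (valid until {exp:u})"
            : "rejected");

        // Change the first character (part of the payload's magic header): the receiver
        // refuses it as not protected by this provider.
        string tampered = (token[0] == 'C' ? "D" : "C") + token.Substring(1);
        Console.WriteLine(TryUnprotectHandoff(tampered, out _, out _) ? "accepted" : "rejected (tampered)");
    }
}
```

The purpose string matters as much as the key ring: a protector created with a different purpose cannot read the payload even with the same keys, which is what isolates this hand-off token from the cookies the data protection stack already encrypts in ASP.NET Core. The time-limited protector replaces the ticket's expiration field, but nothing here prevents a captured token from being replayed before it expires; if that matters, include a one-time nonce in the payload and reject reuse on the receiver.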
