c# - OWIN Bearer Token Authentication

I have questions related to the bearer token. In OWIN I can protect a ticket with Protect(ticket) like this:

using System;
using System.Collections.Generic;
using System.Security.Claims;
using Microsoft.Owin.Security;

// Identity carried inside the ticket; the authentication type comes from the
// OAuthAuthorizationServerOptions instance configured in Startup
ClaimsIdentity identity = new ClaimsIdentity(Startup.OAuthServerOptions.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));

// Extra data stored in the ticket's properties dictionary (renamed from
// "properties" so it does not clash with the AuthenticationProperties below)
Dictionary<string, string> data = new Dictionary<string, string>();
data.Add("userId", user.Id);
data.Add("userName", user.UserName);
data.Add("role", "user");

AuthenticationProperties properties = new AuthenticationProperties(data);
AuthenticationTicket ticket = new AuthenticationTicket(identity, properties);

DateTime currentUtc = DateTime.UtcNow;
DateTime expireUtc = currentUtc.Add(TimeSpan.FromHours(24));
ticket.Properties.IssuedUtc = currentUtc;
ticket.Properties.ExpiresUtc = expireUtc;

// AccessTokenFormat is an instance property, so it is read from the configured
// options object rather than from the OAuthAuthorizationServerOptions type
string token = Startup.OAuthServerOptions.AccessTokenFormat.Protect(ticket);

Now the token looks like this:

nqak-9r6u64owsm_lqn_mjzkc_djd8ivniw0ex77v5x2rybhf4m_zg_unrsoo5bxdzql0hwrsvvd4efa4chnsf5raghd13aoxzlvwojoz5v_9bhrcq8a7tqhyim6dqvvoyys3lh2su-wu1m85hh2icydtdty3ijakz_qnp1nsqo5lrnnel4upbetpw9zqwizzzbx7_y2cxi2v0k7wnlror3gfkizlu9j-nfidrpwxqq5744nfwwhalyadgs7euwyuxpjcj9ykhyzaxfksjexbw

My questions:

  • How is the token generated/encrypted?

  • Are there chances that someone can try to mess up the token and add custom claims to it?

Example:

If I have the token string, I can do this:

// Unprotect with the same configured options that produced the token
AuthenticationTicket ticket = Startup.OAuthServerOptions.AccessTokenFormat.Unprotect(token);

Now I can add custom claims to it. For example, if there is a role claim with the value user, I can modify the claim, add admin, re-encode the ticket, and the token has the admin role.

I did tests: I encoded the token on the server and tried to modify it on my system, but I couldn't unprotect it. Therefore I am thinking that maybe the ticket is encrypted/decrypted using the machine key of the machine on which it was created. If I try to unprotect it on the same machine, it works, and I can decrypt and modify it.

Can you explain the process please?

> How is the token generated/encrypted?

The data protection provider can be set using the SetDataProtectionProvider extension method on the IAppBuilder object. When this is not done, the data protection provider of the host is used. In the case of IIS + ASP.NET, it is MachineKeyDataProtector in the assembly Microsoft.Owin.Host.SystemWeb. For self-hosting, it is DPAPI. Basically, the token is encrypted and MACed, and that is what Protect() is about.

> Are there chances that someone can try to mess up the token and add custom claims to it?

No. It is not possible. A token protected on one machine cannot be unprotected somewhere else. The exception is the case of a web farm where you have multiple machines. One machine can protect, and if a subsequent request goes to another machine, that machine should have the ability to unprotect. With DPAPI, this is not possible. With MachineKeyDataProtector, it is possible by having the same machineKey section in all the machines. If you are concerned about a MITM being able to do this, no, it is not possible.
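Worked example, added here and not part of the question, the answer, or Katana's own code: a small console program that builds the same TicketDataFormat type Katana uses behind AccessTokenFormat on top of a DPAPI provider, and shows the three outcomes the answer describes (same key reads the claims back, a different key is rejected, a tampered token is rejected). The appName labels "ServerA"/"ServerB" and the purpose strings are assumptions that stand in for two hosts that do not share key material.

```csharp
// Added example (not from the question or answer above, and not Katana's own code).
// Build as a .NET Framework console app referencing the Microsoft.Owin.Security
// NuGet package; it runs on Windows because the provider is DPAPI.
using System;
using System.Security.Claims;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;

class TicketDemo
{
    // TicketDataFormat is what Katana installs as AccessTokenFormat when nothing
    // else is configured. appName is an assumed label: two different names act as
    // two machines whose DPAPI-derived keys do not match.
    static ISecureDataFormat<AuthenticationTicket> MakeFormat(string appName)
    {
        IDataProtectionProvider provider = new DpapiDataProtectionProvider(appName);
        IDataProtector protector = provider.Create("OAuth", "Access_Token", "v1"); // assumed purposes
        return new TicketDataFormat(protector);
    }

    // Minimal ticket in the shape of the question: a name claim, a role, and expiry
    static AuthenticationTicket MakeTicket(string userName, string role)
    {
        var identity = new ClaimsIdentity("Bearer");
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        identity.AddClaim(new Claim(ClaimTypes.Role, role));
        var properties = new AuthenticationProperties();
        properties.IssuedUtc = DateTimeOffset.UtcNow;
        properties.ExpiresUtc = DateTimeOffset.UtcNow.AddHours(24);
        return new AuthenticationTicket(identity, properties);
    }

    static string Role(AuthenticationTicket t)
    {
        return t == null ? "rejected (Unprotect returned null)" : t.Identity.FindFirst(ClaimTypes.Role).Value;
    }

    static void Main()
    {
        var serverA = MakeFormat("ServerA");
        var serverB = MakeFormat("ServerB");

        // Protect() encrypts and MACs the serialized ticket; the result is opaque to the client
        string token = serverA.Protect(MakeTicket("alice", "user"));
        Console.WriteLine("token: " + token);

        // 1. Same key: the issuing server reads back exactly the claims it put in
        Console.WriteLine("same key  -> " + Role(serverA.Unprotect(token)));

        // 2. Different key (another host with its own DPAPI key): Unprotect fails
        Console.WriteLine("other key -> " + Role(serverB.Unprotect(token)));

        // 3. Tampered token: change a single character of the encoded text. The
        //    decrypt/MAC check fails, so Unprotect returns null instead of a ticket;
        //    a role cannot be edited in transit without the key.
        char[] chars = token.ToCharArray();
        int i = chars.Length / 2;
        chars[i] = chars[i] == 'A' ? 'B' : 'A';
        Console.WriteLine("tampered  -> " + Role(serverA.Unprotect(new string(chars))));
    }
}
```

Unprotect returns null rather than throwing when the MAC or decryption fails, which is why a caller must treat a null ticket as "not authenticated" and never fall back to trusting anything parsed out of the token text. In a web farm the equivalent of case 2 happens between real machines unless they share the key, which is what the answer's shared machineKey section (or a provider passed to SetDataProtectionProvider on every host) provides.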
