@loudej
Last active December 24, 2015 08:29
Auth flows

Okay! Here are the environment keys and flows that authentication middleware follow.

Any API you see on IAuthenticationManager, IOwinContext, IOwinRequest, or IOwinResponse is only syntactic sugar and utility code around these env keys and values.

SignIn and SignOut

Simplest cases first: the application wants to sign in or sign out the user.

For SignIn this means the application has calculated the claims the user should possess, and it passes those claims to the appropriate authentication middleware by creating a ClaimsIdentity whose identity.AuthenticationType exactly equals the middleware's options.AuthenticationType.

![SignIn](http://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgU2lnbkluCgpBLT4rQjogbmV4dChlbnYpCgoKQi0-K0MABwxub3RlIG92ZXIgQwppZGVudGl0eSA9IG5ldyBDbGFpbXNJAA4HKCJCIiwgYwAPBSkKZW52WyJzZWN1cml0eS4AawYiXQAsDVByaW5jaXBhbCgAUAgpCmVuZCBub3RlCkMtLT4tQjogY29tcGxldGUKAH4LQgpmb3JlYWNoIABQFi4AgQwHaWVzCmlmIACBLgguQXV0aGVudGljYXRpb25UeXBlID09ICJCIj8KLSAgdG9rZW5pemUAJwkKLSAgc2V0LWNvb2tpZQCBEQoKQi0tPi1BAIESCg&s=qsd)

For SignOut there are no claims involved, so the value for the key is just an array of AuthenticationType strings matching the middleware's options.AuthenticationType.

![SignOut](http://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgU2lnbk91dAoKQS0-K0I6IG5leHQoZW52KQoKCkItPitDAAcMbm90ZSBvdmVyIEMKZW52WyJzZWN1cml0eS4AQAciXSA9IHsiQiJ9CmVuZCBub3RlCkMtLT4tQjogY29tcGxldGUKADwLQgppZiBhbnkgADUZPSAiQiI_Ci0gIHNldC1jb29raWUgIiIsIGV4cGlyZWQAXgoKQi0tPi1BAF8K&s=qsd)

Multiple middleware can SignIn by placing several ClaimsIdentity objects into ClaimsPrincipal.Identities. Multiple middleware can SignOut by listing more than one AuthenticationType in the string array.

Challenge and Authenticate any active middleware

These two flows are the most similar to the traditional forms authentication HTTP module. This assumes the options.AuthenticationMode is Active.

If a request arrives for a protected resource, and the user is anonymous or has not presented sufficient credentials, a challenge is produced by the convention of a 401 response status code. In the case of cookie auth middleware this is converted to a redirect that is expected to SignIn and return. Other mechanisms, like social logins, are more complex but boil down to redirecting away and eventually returning.

![Challenge any active](http://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgQ2hhbGxlbmdlIGFueSBhY3RpdmUKCkEtPitCOiBuZXh0KGVudikKCgpCLT4rQwAHDG5vdGUgb3ZlciBDCmVudlsib3dpbi5SZXNwb25zZVN0YXR1c0NvZGUiXSA9IDQwMQplbmQgbm90ZQpDLS0-LUI6IGNvbXBsZXRlCgBBC0IKaWYgAC8gAEsFPwAhCXNlY3VyaXR5LgCBRAkiXSBlbXB0eQAfBXRoaXMuT3B0aW9ucy5Nb2RlID09IEEAgWUFPwotIABNISAzMDIAEhZIZWFkZXJzIl1bIkxvY2F0aW9uAIFpBSIvbG9naW4iAIFpCgpCLS0-LUEAgWoK&s=qsd)

After the user has successfully signed in, the IPrincipal/ClaimsPrincipal may be examined.

The user principal generated by active middleware will be present in the OWIN environment dictionary and will also be assigned to the ASP.NET request.User value.

![Authenticate any active](http://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgQXV0aGVudGljYXRlIGFueSBhY3RpdmUKCkEtPitCOiBuZXh0KGVudikKCm5vdGUgb3ZlciBCCmlmIHRoaXMuT3B0aW9ucy5Nb2RlID09ADcHPwotIGlkZW50aXR5ID0AJAYAXQxBc3luYygpCi0gaWYAIAk_Ci0gICBwcmluY2lwYWwgPSBlbnZbInNlcnZlci5Vc2VyIl0AFA8rPQBeCQplbmQgbm90ZQoKQi0-K0MAgS4MAIEvCkMKAEIeOwA9CkMtLT4tQjogY29tcGxlAFIGLT4tQQAHCw&s=qsd)

Challenge and Authenticate by AuthenticationType

For the cases where you want a 401 to address a specific middleware by its AuthenticationType name, you can direct the challenge with an additional env key. This makes the active/passive mode irrelevant, because the middleware will use only AuthenticationType equality to determine whether any action should be performed.

Common examples of this are social authentication types, which typically ignore outgoing 401s unless they are explicitly named. Another common example is when you have an active middleware, like the cookie middleware, which would otherwise redirect: you may set the challenge authentication type to any other value to prevent the redirect from occurring.

![Challenge by AuthenticationType](http://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgQ2hhbGxlbmdlIGJ5IEF1dGhlbnRpY2F0aW9uVHlwZQoKQS0-K0I6IG5leHQoZW52KQoKCkItPitDAAcMbm90ZSBvdmVyIEMKZW52WyJvd2luLlJlc3BvbnNlU3RhdHVzQ29kZSJdID0gNDAxAB8Gc2VjdXJpdHkuAHsJIl0gKz0geyJCIn0KZW5kIG5vdGUKQy0tPi1COiBjb21wbGV0ZQoAZAtCCmlmIABSIABuBT8KaWYgYW55ACgGAGYVPT0gIkIiKT8KLSAAMyEgMzAyABIWSGVhZGVycyJdWyJMbwCCQwYAgXIFIi9sb2dpbiIAgU8KCkItLT4tQQCBUAo&s=qsd)
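As an added illustration (not code from this gist or from Katana), here is a compact C# model of the response-side rules described in the SignIn/SignOut and Challenge sections above, using the env keys the diagrams show (security.SignIn, security.SignOut, security.Challenge) with assumed simplified value shapes: a ClaimsPrincipal, a string array, and a string array respectively. The placeholder token, the /login path and the AuthOptions class are assumptions; the Authenticate flow is not modelled.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Simplified model of the response-side rules described above (assumed shapes, not Katana's types).
public sealed class AuthOptions
{
    public string AuthenticationType { get; set; }
    public bool ActiveMode { get; set; }   // stands in for options.AuthenticationMode == Active
}

public sealed class CookieLikeMiddleware
{
    readonly AuthOptions _options;
    public CookieLikeMiddleware(AuthOptions options) { _options = options; }

    // Runs on the way back out, after the inner pipeline has completed.
    public void OnResponse(IDictionary<string, object> env)
    {
        var headers = (IDictionary<string, string[]>)env["owin.ResponseHeaders"];

        // SignIn: act only on identities whose AuthenticationType matches exactly.
        if (env.TryGetValue("security.SignIn", out var signIn) && signIn is ClaimsPrincipal principal)
            foreach (var identity in principal.Identities)
                if (identity.AuthenticationType == _options.AuthenticationType)
                    headers["Set-Cookie"] = new[] { $"{_options.AuthenticationType}=<token>; HttpOnly" }; // placeholder token

        // SignOut: the value is just an array of AuthenticationType names.
        if (env.TryGetValue("security.SignOut", out var signOut) && signOut is string[] types
            && types.Contains(_options.AuthenticationType))
            headers["Set-Cookie"] = new[] { $"{_options.AuthenticationType}=; expires=Thu, 01 Jan 1970 00:00:00 GMT" };

        // Challenge: a 401 becomes a redirect only when this middleware is named, or when
        // nothing is named and the middleware is active. A challenge naming another type
        // leaves the 401 untouched, which is how an active cookie redirect is suppressed.
        if ((int)env["owin.ResponseStatusCode"] != 401) return;
        env.TryGetValue("security.Challenge", out var challenge);
        var named = challenge as string[] ?? Array.Empty<string>();
        if (named.Contains(_options.AuthenticationType) || (named.Length == 0 && _options.ActiveMode))
        {
            env["owin.ResponseStatusCode"] = 302;
            headers["Location"] = new[] { "/login" };
        }
    }
}
```

A ClaimsIdentity whose AuthenticationType does not exactly match any registered middleware is silently ignored by every middleware, so a misspelled type name results in no cookie being issued rather than an error.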

The case where you need to authenticate by authentication type is one where you invoke an API function out of the environment, instead of looking at the request user. The active/passive mode is irrelevant for this calling pattern as well, because only the authenticationTypes parameter determines which middleware should perform their authentication and call back with an identity.

![Authenticate by AuthenticationType](http://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgQXV0aGVudGljZSBieQAECmF0aW9uVHlwZQoKQS0-K0I6IG5leHQoZW52KQoKQi0-K0MABQ1ub3RlIG92ZXIgQwpmdW5jIGF1dGhBc3luYyA9IGVudlsic2VjdXJpdHkuAFgLZSJdCgAgCShhAGsRczp7IkIifSwgY2FsbGJhY2spCmVuZCBub3RlCgpDAIERBgARLwCBHwtCCmlmAIEjBQBmDyBjb250YWlucyAiQiI_Ci0gaWRlbnRpdHkgPSB0aGlzAIE1DQCBNQYpCi0AgRsJKAAnCACBIQwAgisHABETAIIuDWFkZABkCnRvIGxpc3QAgWYNLT4tQjogCgpCLS0-LUM6IGNvbXBsZXRlAIJ0Dm5vdyBoYXMAgTAJADATAC8KAEYFQQBACw&s=qsd)