Hawk Authentication for ASP.NET Web API using Thinktecture.IdentityModel.45
July 14, 2013
It’s awesome that we now have Hawk support in Thinktecture IdentityModel!
Awesome job. Between Identity Server and membership reboot, I’ve not seen anything as good anywhere. And now you have Hawk too! Hopefully, it won’t take me too long to get familiar with what clearly appears to be your top notch superior coding and style.
I’ve only just read through the single tenant example code and must say you do write nice code. Gee, I only had to look up the enum 1 << 4 stuff, never saw that before.
From first glance, it appears that you wrote a nice async "pipeline" type service deal via events so that even if a single server running web and SQL situation is getting slammed, it won't jam up, lock the hell out of SQL, and kill a Windows server completely from the in-house perspective. Very nice. (you know, cheap shops with not enough gear – well, maybe you can remember long ago, before you became a rock star)
Of course, everyone has their membership tweaks, as you pointed out. On a current/old project, I've dreaded the idea of having to rebuild another mess. (loved reading your posts about the old stuff… I'm so sick of having to reinvent the wheel on what should exist, and now does, now that I found MR)
I'm sure you're very busy, but I figured I would ask my dumb questions before delving in because I am certain you know the answers off the top of your head.
I want to use MR, but have a few tweaks I am trying to figure out where/how or if I could fairly easily not have to do much to MR to add some weird tweaks:
every browser hitting any page gets a ticket/token/ call it whatever,
it's made from IP, server time, a bit of browser identifier stuff…
to attempt to be able to identify same browser instance,
but same user desktop with different browsers do get different vals
anyway… that crap is/will be in REDIS memory …
and the app passes it back every time for everything or it gets another one…
after a user/email exists,
TO LOGIN: on login button click, via js
1. the browser js sends: hash(email) + token/ticket
2. web API server checks for
– no ticket, you get one and a message
checks for hashemail in the table
– if not found, that ticket is marked in REDIS to ignore and fake a response
– if found, it generates a new challenge and stores it in that record with datetime,
then returns hash(hash(email)) and challenge
3. client receives challenge and sends back
hash(hash(hash(email)))
and
hash( hash(passwd) + challenge ) as a delimited string
The table has indexed fields for: hashemail, HHHEm
What's the point? makes it harder, not a complete loss if SSL is decoded, they really have to want it… sniffing doesn't yield anything immediately easy…
sure it adds significant overhead
It is from best practices on old firewalls that used this method; I read it somewhere around the time I found the Stanford js encryption libs years ago. Works ok.
That ticket/token is to be used by a js function that uses it as a base to generate a temp shared secret for Hawk after validation passed… and of course that same function in C# on the server… well, that was the plan
Another tweak:
In addition to adjustable hash iterations for password, I added another function that uses some fixed user account field data to add on X more iterations, so each user password hash is actually hashed a different number of times. I figured why let it be so easy to know how many trips are required within the database (as the compiled libs generally would not be on the db server).
Obviously, my first instinct is to just add the fields and add a few functions to your MR.
Any pointers on getting I3 and MR to run on mono?
Does this still apply?
http://www.ryanmelena.com/2014/10/31/thinktecture-identityserver-v3-on-mono/
So I don't need to worry about System.IdentityModel much, as you did claims all within the Identity project?
Yes, you can tell, I'm new to this claims stuff, but saw the need for it years ago, and that app I speak of already has a database table with what I called assigned rights, which will nicely map over to some other authorization structures – seen a few around.
Any suggestions for that?
What's your opinion? Blast away. I'm interested to hear why what I was doing is a stupid waste of time. Don't worry, I can take it. Besides, I'm starting a new project and want to use MR because it is WAY better.
P.S. Schneier gives away Skein hash as a candidate to replace sha256.
It is very fast.
And Threefish.
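The three-step challenge-response exchange the comment above describes, written out as an added, runnable illustration with both the browser side and the web API side in one place (this is not code from the post, from Thinktecture.IdentityModel, or from MembershipReboot). SHA-256 as the hash, "|" as the delimiter, and in-memory dicts standing in for the SQL table and the Redis ticket store are all assumptions; the "not found" branch marks the ticket ignored and returns a fake-looking response, as the comment specifies.

```python
import hashlib
import secrets


def h(data: str) -> str:
    # The comment never names the hash; SHA-256 hex digest is an assumption.
    return hashlib.sha256(data.encode()).hexdigest()


class Server:
    """Web API side. users is keyed by hash(email) and also holds HHHEm = hash(hash(hash(email)))."""

    def __init__(self):
        self.users = {}    # hash(email) -> {"hhh", "pw", "challenge"}   (constructed stand-in for the table)
        self.tickets = {}  # ticket -> {"ignore": bool}                 (constructed stand-in for Redis)

    def register(self, email, passwd):
        he = h(email)
        self.users[he] = {"hhh": h(h(he)), "pw": h(passwd), "challenge": None}

    def issue_ticket(self):
        t = secrets.token_hex(16)
        self.tickets[t] = {"ignore": False}
        return t

    def step2(self, hashed_email, ticket):
        if ticket not in self.tickets:  # no ticket: you get one and a message
            return {"ticket": self.issue_ticket(), "message": "ticket required"}
        user = self.users.get(hashed_email)
        if user is None or self.tickets[ticket]["ignore"]:
            # hashemail not found: mark the ticket ignored and fake a plausible response
            self.tickets[ticket]["ignore"] = True
            return {"hhemail": h(secrets.token_hex(32)), "challenge": secrets.token_hex(16)}
        user["challenge"] = secrets.token_hex(16)  # new challenge stored on the record
        return {"hhemail": h(hashed_email), "challenge": user["challenge"]}

    def step3(self, ticket, reply):
        if self.tickets.get(ticket, {"ignore": True})["ignore"]:
            return False
        hhh, proof = reply.split("|")
        user = next((u for u in self.users.values() if u["hhh"] == hhh), None)  # lookup by HHHEm
        if user is None or user["challenge"] is None:
            return False
        ok = secrets.compare_digest(proof, h(user["pw"] + user["challenge"]))
        user["challenge"] = None  # each challenge is single use
        return ok


def client_login(server, email, passwd, ticket):
    """Browser side: step 1 sends hash(email)+ticket, step 3 answers the challenge."""
    r = server.step2(h(email), ticket)
    if "challenge" not in r:  # got a ticket and a message instead of a challenge
        return False
    reply = h(r["hhemail"]) + "|" + h(h(passwd) + r["challenge"])
    return server.step3(ticket, reply)
```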
If you have questions about the various libraries, please use the github issue tracker. Thanks.