Using Oauth tickets across several services?

by

After talking with Brock Allen in the comments to the original post, I can’t really guarantee this is a good/safe solution, but this is the code I ended up using. (Note: a version of this code is available as a nuget package.)

I created a IDataProtector implementation that uses AES:

internal class AesDataProtectorProvider : IDataProtector
{
    // Fields
    private byte[] key;

    // Constructors
    public AesDataProtectorProvider(string key)
    {
        using (var sha1 = new SHA256Managed())
        {
            this.key = sha1.ComputeHash(Encoding.UTF8.GetBytes(key));
        }
    }

    // IDataProtector Methods
    public byte[] Protect(byte[] data)
    {
        byte[] dataHash;
        using (var sha = new SHA256Managed())
        {
            dataHash = sha.ComputeHash(data);
        }

        using (AesManaged aesAlg = new AesManaged())
        {
            aesAlg.Key = this.key;
            aesAlg.GenerateIV();

            using (var encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV))
            using (var msEncrypt = new MemoryStream())
            {
                msEncrypt.Write(aesAlg.IV, 0, 16);

                using (var csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
                using (var bwEncrypt = new BinaryWriter(csEncrypt))
                {
                    bwEncrypt.Write(dataHash);
                    bwEncrypt.Write(data.Length);
                    bwEncrypt.Write(data);
                }
                var protectedData = msEncrypt.ToArray();
                return protectedData;
            }
        }
    }

    public byte[] Unprotect(byte[] protectedData)
    {
        using (AesManaged aesAlg = new AesManaged())
        {
            aesAlg.Key = this.key;

            using (var msDecrypt = new MemoryStream(protectedData))
            {
                byte[] iv = new byte[16];
                msDecrypt.Read(iv, 0, 16);

                aesAlg.IV = iv;

                using (var decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV))
                using (var csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                using (var brDecrypt = new BinaryReader(csDecrypt))
                {
                    var signature = brDecrypt.ReadBytes(32);
                    var len = brDecrypt.ReadInt32();
                    var data = brDecrypt.ReadBytes(len);

                    byte[] dataHash;
                    using (var sha = new SHA256Managed())
                    {
                        dataHash = sha.ComputeHash(data);
                    }

                    if (!dataHash.SequenceEqual(signature))
                        throw new SecurityException("Signature does not match the computed hash");

                    return data;
                }
            }
        }
    }
}

And then used this in an ISecureDataFormat implementation like so:

public class SecureTokenFormatter : ISecureDataFormat<AuthenticationTicket>
{
    // Fields
    private TicketSerializer serializer;
    private IDataProtector protector;
    private ITextEncoder encoder;

    // Constructors
    public SecureTokenFormatter(string key)
    {
        this.serializer = new TicketSerializer();
        this.protector = new AesDataProtectorProvider(key);
        this.encoder = TextEncodings.Base64Url;
    }

    // ISecureDataFormat<AuthenticationTicket> Members
    public string Protect(AuthenticationTicket ticket)
    {
        var ticketData = this.serializer.Serialize(ticket);
        var protectedData = this.protector.Protect(ticketData);
        var protectedString = this.encoder.Encode(protectedData);
        return protectedString;
    }

    public AuthenticationTicket Unprotect(string text)
    {
        var protectedData = this.encoder.Decode(text);
        var ticketData = this.protector.Unprotect(protectedData);
        var ticket = this.serializer.Deserialize(ticketData);
        return ticket;
    }
}

The ‘key’ parameter on the constructor can then set to the same value on a number of services and they will all be able to decrypt (‘unprotect’) and use the ticket.

More Related Contents:

  1. How can I revoke a JWT token?
  2. Google Home Authorization Code and Authentication with Google Account
  3. How does OAuth 2 protect against things like replay attacks using the Security Token?
  4. OWIN Security – How to Implement OAuth2 Refresh Tokens
  5. Using Postman to access OAuth 2.0 Google APIs
  6. Gmail API returns 403 error code and “Delegation denied for “
  7. Does OpenID Connect support the Resource Owner Password Credentials grant?
  8. Error: invalid_request device_id and device_name are required for private IP
  9. Sign in with Google temporarily disabled for this app
  10. 403 Forbidden message when calling the v3 Google Calendar API using a Service Account via OAuth 2.0
  11. “This app would like to: Have offline access” when access_type=online
  12. Is it possible to be able to correctly select any available Google account to use when using authorisation via the JS client library for Drive?
  13. How to bypass entering authentication code to authorize my code everytime I use the YouTube Data API v3
  14. How to specify refresh tokens lifespan in Keycloak
  15. Registering Web API 2 external logins from multiple API clients with OWIN Identity
  16. Google APIs Console – missing client secret
  17. How to renew the access token using the refresh token?
  18. Why Does OAuth v2 Have Both Access and Refresh Tokens?
  19. How is OAuth 2 different from OAuth 1?
  20. CORS issue while making an Ajax request for oauth2 access token
  21. How to identify a Google OAuth2 user?
  22. OAuth 2.0: Benefits and use cases — why?
  23. How to implement oauth2 server in ASP.NET MVC 5 and WEB API 2 [closed]
  24. How to set redirect_uri protocol to HTTPS in Azure Web Apps
  25. How to send emails with google using nodemailer after Google disabled less sure app option?
  26. MVC 5 Owin Facebook Auth results in Null Reference Exception
  27. Unhandled Exception Global Handler for OWIN / Katana?
  28. Correct redirect URI for Google API and OAuth 2.0
  29. ImportError: cannot import name SignedJwtAssertionCredentials
  30. Multiple IdentityServer Federation : Error Unable to unprotect the message.State

Leave a Comment