IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Weeding through the WebApi authX options... Simple symmetric "secret" keys scenario? #209

Closed ghost closed 11 years ago

ghost commented 11 years ago

I'm a big fan of thinktecture which I already use for MVC/Azure single sign on but I am having trouble weeding through the various options to secure an MVC4 WebApi. I need to create and distribute unique secret keys to systems that access my WebApi -- similar to the access keys used for the Azure APIs -- and not require humans to log in each time the WebApi will be used. Can I use the thinktecture admin console and thinktecture/WIF-APIs to issue and check validity of these keys for the respective thinktecture user/identity? At best, I'd like to retrieve the claims associated with the key from the thinktecture IdSrv on an as-needed basis as well. The keys are for system-internal use only and should be the only thing needed to uniquely identify the connecting party (over x.509 TLS). There are other options, but I'd like to stay within a clean thinktecture scenario here if possible.

Can anyone provide a crumb trail or point me to an example or post?

Thanks!

Thoughts:

This looks close to what I need but I don't see the complete usage context anywhere. Example? http://leastprivilege.com/2012/08/20/support-for-x-509-client-certificates-in-thinktecture-identitymodel-for-web-api/

OK, I ordered "Pro ASP.NET Web API Security: Securing ASP.NET Web API" but a tip in the meantime would be appreciated.

ghost commented 11 years ago

Just found this... moving forward. Thanks for a great framework and these samples.

https://github.com/thinktecture/Thinktecture.IdentityModel.45/tree/master/Samples/Web%20API%20Security

It looks like OAuth2 callbacks are the only way to handle this without username password. Simplest way?

leastprivilege commented 11 years ago

Not sure what you mean with "without username password" - but idsrv does not have anything built in to issue "keys". You may build on top of it - but nothing out of the box.

ghost commented 11 years ago

Thanks, I was hoping that the Identity Server could help me generate and manage my preshared keys (PSK) since I will need them for some of my WebApis, and since PSKs will be distributed to the same users that have an STS/SSO account on the thinktecture STS.

leastprivilege commented 11 years ago

No, sorry. You need to do that yourself.
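
One way to handle per-system keys yourself, as an added example that is not part of this thread and not IdentityServer code: issue a random secret per client, store only its hash, and map a valid key to a claims identity. `ApiKeyStore`, its members, the `keyId.secret` format and the in-memory dictionary are assumptions for illustration; a real store would be a database and would need locking or a concurrent collection.

```csharp
// Added example. ApiKeyStore and all member names are hypothetical.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;

public sealed class ApiKeyStore
{
    private sealed class Entry { public byte[] Hash; public string Subject; public bool Revoked; }

    // keyId -> entry. In-memory and not thread-safe; stands in for a database table.
    private readonly Dictionary<string, Entry> _entries = new Dictionary<string, Entry>();

    // Returns "keyId.secret" once; only the SHA-256 hash of the secret is kept server-side.
    public string Issue(string subject)
    {
        var keyId = Guid.NewGuid().ToString("N");
        var secret = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(secret);
        using (var sha = SHA256.Create())
            _entries[keyId] = new Entry { Hash = sha.ComputeHash(secret), Subject = subject };
        return keyId + "." + Convert.ToBase64String(secret);
    }

    public bool Revoke(string keyId)
    {
        Entry e;
        if (!_entries.TryGetValue(keyId, out e)) return false;
        e.Revoked = true;
        return true;
    }

    // Returns an authenticated identity for a valid, unrevoked key, or null otherwise.
    public ClaimsIdentity Validate(string presented)
    {
        var dot = presented == null ? -1 : presented.IndexOf('.');
        if (dot <= 0) return null;
        Entry e;
        if (!_entries.TryGetValue(presented.Substring(0, dot), out e) || e.Revoked) return null;
        byte[] secret;
        try { secret = Convert.FromBase64String(presented.Substring(dot + 1)); }
        catch (FormatException) { return null; }
        byte[] hash;
        using (var sha = SHA256.Create()) hash = sha.ComputeHash(secret);
        int diff = 0; // compare every byte so timing does not reveal where a mismatch occurs
        for (int i = 0; i < hash.Length; i++) diff |= hash[i] ^ e.Hash[i];
        if (diff != 0) return null;
        return new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, e.Subject) }, "ApiKey");
    }
}
```

The identity returned by `Validate` carries only a name claim; any further claims for that subject would have to be looked up from wherever the user accounts live.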