
I'm attempting to implement a web app using a microservice architecture by breaking up major components into separate web servers. I'm implementing an authentication server using ASP.NET Identity (email/username logins only, no Facebook, etc.) and a "main" application server.

My current challenge is figuring out how the application server will recognize whether a user has logged in via the authentication server. Since the authentication server generates tokens which it uses to verify users' identities, I imagine that they are stored somewhere and can be queried by the application server, but I'm not sure how to go about doing this. Ideally, my application server's Web API endpoints will be able to use the [Authorize] annotation.

Q: How can one server control access via a separate authentication server using ASP.NET Identity?

user-8564775

1 Answer


I've done something similar by doing the following (using cookie authentication):

1 - set the cookie domain to be the TLD across all websites

My Startup.Auth.cs looks like this:

    using System;
    using System.Threading.Tasks;
    using Microsoft.AspNet.Identity;
    using Microsoft.AspNet.Identity.Owin;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                Provider = new CookieAuthenticationProvider
                {
                    // Re-checks the user's security stamp every 30 minutes, so a password
                    // change or sign-out-everywhere invalidates the cookie on every site.
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) =>
                        {
                            var identity = manager.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie);

                            //some additional claims and stuff specific to my needs
                            return Task.FromResult(identity);
                        })
                },
                // Parent domain, so the cookie is sent to every *.example.com host
                CookieDomain = ".example.com"
            });
        }
    }

2 - update the web.config of all websites to use the same <machineKey />

Mine looks like this:

<machineKey 
    decryption="Auto" 
    decryptionKey="my_key" 
    validation="HMACSHA512"
    validationKey="my_other_key" />

Now I can perform login operations on, say, account.example.com, and redirect the user to site1.example.com and they will be seen as authenticated.

Brendan Green
  • Since an API is stateless, it wouldn't look for cookies, would it? To my knowledge it only looks for an authentication header. How would this work for an API? I'm planning to keep the API inside my MVC project, so the API would be at example.com/api; would this work as well? – CularBytes Aug 26 '15 at 09:55
  • So you can use bearer tokens instead. The key is that the machine keys are the same across machines, otherwise the token can't be decrypted. – Brendan Green Aug 26 '15 at 10:49
  • Using an authentication cookie does not necessarily make your API "stateful". If you try to have **stateless operations** (like in REST), using an authentication cookie is just the same as using another authentication header. You can safely use a cookie (which is just a standard HTTP header). – SandRock Apr 24 '18 at 11:04
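The answer shows the issuing side (account.example.com). The following is an added example, not the answer's own code, of the other half: the Startup.Auth.cs and one Web API controller on the consuming site (site1.example.com), which never logs anyone in and only validates the cookie the auth site issued, so that [Authorize] works there as the question asks. It assumes, as the answer does, that both sites share the same `<machineKey>` and cookie domain, and that the ASP.NET Identity template types `ApplicationDbContext`, `ApplicationUserManager` and `ApplicationUser` are reachable on site1 against the same user store; the host name `account.example.com` and the `/api` prefix are placeholders. Two caveats a practitioner will want: the cookie domain must be the registrable parent (`.example.com`), since browsers refuse cookies scoped to a public suffix such as `.com`; and because every host under that domain receives the cookie and every host with the machine key can mint one, a compromise of any one site is a compromise of the login for all of them.

```csharp
// Consuming site (site1.example.com): validates the auth site's cookie, never issues it.
// Assumes the Identity template types below live in Site1.Models (adjust to your project).
using System;
using System.Net;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;
using Site1.Models; // ApplicationDbContext, ApplicationUserManager, ApplicationUser (assumed)

namespace Site1
{
    public partial class Startup
    {
        // Placeholder: login page on the authentication server.
        private const string LoginUrl = "https://account.example.com/Account/Login";

        public void ConfigureAuth(IAppBuilder app)
        {
            // SecurityStampValidator needs a user manager on every request, so this site
            // must reach the same user store as the auth site.
            app.CreatePerOwinContext(ApplicationDbContext.Create);
            app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                // These must match the issuing site exactly (together with <machineKey>);
                // otherwise the ticket is never found, or is found and fails to decrypt.
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                CookieName = ".AspNet.ApplicationCookie",   // Katana's default when unset
                CookieDomain = ".example.com",

                // The ticket is a bearer credential for every *.example.com host:
                // keep it away from script and off plaintext connections.
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always,

                Provider = new CookieAuthenticationProvider
                {
                    // Revocation check: a password change or sign-out-everywhere on the
                    // auth site invalidates this cookie here within validateInterval.
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) =>
                            manager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie)),

                    // Browsers are sent to the auth site; API clients get a bare 401 rather
                    // than a 302 to an HTML login page they cannot follow.
                    OnApplyRedirect = ctx =>
                    {
                        if (ctx.Request.Path.StartsWithSegments(new PathString("/api")))
                        {
                            ctx.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
                            return;
                        }
                        var returnUrl = Uri.EscapeDataString(ctx.Request.Uri.ToString());
                        ctx.Response.Redirect(LoginUrl + "?ReturnUrl=" + returnUrl);
                    }
                }
            });
        }
    }

    // With the cookie middleware active on this site, [Authorize] works unchanged.
    // Caveat: the Web API template's WebApiConfig calls config.SuppressDefaultHostAuthentication(),
    // which strips the cookie identity before [Authorize] runs. Remove that call (or add a
    // HostAuthenticationFilter for the cookie authentication type) for cookie-authenticated APIs.
    [Authorize]
    public class ProfileController : ApiController
    {
        // GET /api/profile  (conventional api/{controller}/{id} route)
        public IHttpActionResult Get()
        {
            // User.Identity is the ticket account.example.com issued, decrypted with the shared key.
            return Ok(new
            {
                id = User.Identity.GetUserId(),
                name = User.Identity.GetUserName()
            });
        }
    }
}
```

The same `<machineKey>` element from the answer goes into site1's web.config unchanged; the SecurityStampValidator interval is the upper bound on how long a revoked session stays valid on every site, so pick it with that in mind rather than copying the 30 minutes above.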