I have a Web API based application currently set up using the amazing Thinktecture IdentityModel 4.5.
It is set up for claims-based authentication, accepting a Basic
So after waiting a few minutes and receiving no replies and desperately needing this functionality I dived into the Thinktecture IdentityModel 4.5 source code to see what was going on and it seems this feature is not actually supported. Not only is it not supported but from the looks of it cookie mapping is not actually implemented.
I forked the repository and made a few small changes to allow for this feature: https://github.com/ibraheemhlaiyil/Thinktecture.IdentityModel.45
and sent Dominick Baier of Thinktecture this in a pull request: https://github.com/thinktecture/Thinktecture.IdentityModel.45/pull/95
Cookie usage has its disadvantages, and it seems Thinktecture are trying to stay away from them as far as possible; however, I could not come up with a different solution to my problem - a JavaScript client web application that needs to open a new window/tab and maintain the authenticated session in the new window/tab.
If you want to use this feature, you simply set the new CookieName property on the SessionTokenConfiguration object. IdentityModel uses the HeaderName property to determine which header to look up for authentication data. In the same way, if the CookieName property is set this determines which cookie name is looked up for authentication data if no authentication data was found on the header.
In the example below, authentication data is looked for on the cookie named sessionToken if no authentication data is found on the Authorization header.
    private static AuthenticationConfiguration CreateAuthenticationConfiguration()
    {
        var authenticationConfig = new AuthenticationConfiguration
        {
            ClaimsAuthenticationManager = _authenticationManager,
            RequireSsl = false, // credentials and session tokens are accepted over plain HTTP
            SendWwwAuthenticateResponseHeaders = false,
            EnableSessionToken = true,
            SessionToken = new SessionTokenConfiguration
            {
                EndpointAddress = "/Authenticate",
                DefaultTokenLifetime = new TimeSpan(1, 0, 0), // 1 hour
                HeaderName = "Authorization",
                CookieName = "sessionToken", // consulted only when the header carries no authentication data
                // A new random key on every start: tokens issued before a restart no longer validate.
                SigningKey = CryptoRandom.CreateRandomKey(32)
            }
        };
        authenticationConfig.AddBasicAuthentication(_userService.ValidateUser, _userService.GetRolesForUser);
        return authenticationConfig;
    }
As before, this configuration is applied like so during your application start up:
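    // Web-hosted Web API; when self-hosting, use your own HttpConfiguration instance instead.
    HttpConfiguration config = GlobalConfiguration.Configuration;
    var authenticationConfig = CreateAuthenticationConfiguration();
    config.MessageHandlers.Add(new AuthenticationHandler(authenticationConfig));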
The cookie authentication data has the exact same form as the data sent in the Authorization header, so if sent, the cookie should look like:
Cookie: sessionToken=Session eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjEzNzM2NDA5NjgsImlzcyI6InNlc3Npb24gaXNzdWVyIiwiYXVkIjoiaHR0cDovL3Nlc3Npb24udHQvIiwiaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvbmFtZSI6ImEiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL2F1dGhlbnRpY2F0aW9ubWV0aG9kIjoiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2F1dGhlbnRpY2F0aW9ubWV0aG9kL3Bhc3N3b3JkIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9hdXRoZW50aWNhdGlvbmluc3RhbnQiOiIyMDEzLTA3LTEyVDEzOjU2OjA4LjA5N1oiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL3JvbGUiOiJBZG1pbmlzdHJhdG9yIiwiSWQiOiIyIn0.UlPeD9HzduQfwHE7NuXi9eMVo40hypi_LBK-f76VYFI
Hope someone finds this of some use!
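
The lookup order described in the post (the header named by HeaderName first, the cookie named by CookieName as fallback, both in the form `Session <token>`), written out as an added C# sketch; it is not code from the post, the fork or Thinktecture IdentityModel. `SessionCredentialLookup`, `Resolve` and `Parse` are hypothetical names, the request and token are constructed, and the rule that a header which is present is never overridden by the cookie is an assumption of this sketch.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;

public static class SessionCredentialLookup
{
    // Hypothetical helper: returns the token from "<scheme> <token>", or null.
    public static string Resolve(HttpRequestMessage request, string headerName,
                                 string cookieName, string scheme = "Session")
    {
        IEnumerable<string> values;

        // 1. A header named HeaderName, when present, decides alone; the cookie
        //    is never allowed to override it (a choice made in this sketch).
        if (request.Headers.TryGetValues(headerName, out values))
            return values.Select(v => Parse(v, scheme)).FirstOrDefault(t => t != null);

        // 2. No header: fall back to the cookie named CookieName, if configured.
        if (string.IsNullOrEmpty(cookieName) ||
            !request.Headers.TryGetValues("Cookie", out values))
            return null;

        foreach (var pair in values.SelectMany(v => v.Split(';')))
        {
            var eq = pair.IndexOf('=');
            if (eq <= 0 || pair.Substring(0, eq).Trim() != cookieName) continue;
            var token = Parse(pair.Substring(eq + 1), scheme);
            if (token != null) return token;
        }
        return null;
    }

    private static string Parse(string value, string scheme)
    {
        var parts = value.Trim().Split(new[] { ' ' }, 2);
        var ok = parts.Length == 2 && parts[1].Trim().Length > 0 &&
                 string.Equals(parts[0], scheme, StringComparison.OrdinalIgnoreCase);
        return ok ? parts[1].Trim() : null;
    }

    public static void Main()
    {
        // Constructed request: no Authorization header, token only in the cookie.
        var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost/api/report");
        request.Headers.TryAddWithoutValidation("Cookie", "theme=dark; sessionToken=Session aaa.bbb.ccc");
        Console.WriteLine(Resolve(request, "Authorization", "sessionToken") ?? "(none)");
    }
}
```

The returned string is only the candidate token; it still has to pass signature and expiry validation. Because the browser attaches the cookie automatically, the cookie path is the one that needs anti-forgery protection.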