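/// <summary>
/// Authenticates the caller from the <c>Authorization: Bearer &lt;jwt&gt;</c> header and,
/// in this POC, echoes back the identity derived from the token instead of calling a downstream API.
/// </summary>
/// <returns>
/// 200 with an <see cref="AuthCResultBE"/> describing the validated caller; 401 when the header is
/// missing or malformed, or when <see cref="JwtController.ValidateJWTToken"/> rejects the token.
/// </returns>
public ActionResult<string> Get()
{
    // look for an Auth Header
    // we expect it to look like:
    //   Authorization: Bearer <jwt>
    string authHeader = Request.Headers["Authorization"];
    if (string.IsNullOrEmpty(authHeader))
    {
        return Unauthorized();
    }

    // parse the header as "<scheme> <token>"; anything else is rejected up front
    // (indexing parts[1] without this check throws on a header that contains no space)
    string[] parts = authHeader.Split(' ');
    if (parts.Length != 2
        || !string.Equals(parts[0], "Bearer", StringComparison.OrdinalIgnoreCase)
        || string.IsNullOrWhiteSpace(parts[1]))
    {
        return Unauthorized();
    }
    string jwtTokenString = parts[1];

    // token validation is delegated to JwtController; the parsed token object is not needed here
    (bool isJwtTokenValid, string username, _) = JwtController.ValidateJWTToken(jwtTokenString, JwtController.AUDIENCE);
    if (!isJwtTokenValid)
    {
        return Unauthorized();
    }

    // at this point this controller would add the identity of the authenticated caller as a new HTTP header and call a downstream webapi
    // in this POC just return the identity that we derived from the JWT
    var authCResult = new AuthCResultBE()
    {
        IsValid = isJwtTokenValid,
        User = username,
        JwtToken = jwtTokenString
    };

    return Ok(authCResult);
}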
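//public ActionResult<string> Post([FromBody] string rawRequest)
/// <summary>
/// Authenticates the caller from the <c>Authorization: Bearer &lt;jwt&gt;</c> header, checks that the
/// raw request body parses as <see cref="AuthCRequestBE"/>, and — when the token payload carries a body
/// hash — verifies that the body matches it. In this POC the derived identity is returned rather than
/// forwarded to a downstream API.
/// </summary>
/// <returns>
/// 200 with an <see cref="AuthCResultBE"/>; 400 when the body does not deserialize, names an unsupported
/// hash type, or does not match the hash in the token; 401 when the header is missing/malformed or the
/// token does not validate.
/// </returns>
public async Task<ActionResult<string>> Post()
{
    // note: I specifically choose NOT to use the [FromBody] approach to make debugging easier
    // if we use the [FromBody] approach this method never gets control if the body cannot be correctly deserialized
    // this approach lets us capture the raw body content passed
    // (the method is async because the downstream call described below would be awaited; nothing is awaited yet)
    string httpBody = Request.GetRawBodyString();

    // the deserialized object is not used further: the call only checks that the body is parseable as AuthCRequestBE
    try
    {
        JsonConvert.DeserializeObject<AuthCRequestBE>(httpBody);
    }
    catch (Exception)
    {
        // you could do addl logging here to support debugging
        return BadRequest();
    }

    // look for an Auth Header
    // we expect it to look like:
    // Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjFERTJERjQ2NkQyMTg4RDMyRjc0ODdCMjlCQzc2OTExNURDNTM0NzIiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiJodHRwczovL3d3dy5kYXRhY2Fwc3lzdGVtcy5jb20vIiwiYXVkIjoiaHR0cHM6Ly93d3cud29ybGRwYXkuY29tLyIsImV4cCI6MTU2NDk0MjEwN30.mwwaFczSPP1_EMDcgAdXIbf3hwHw26nTv-kG4b1_EH9q8TFrNMmPMjayyWzHDizbwF-As-6AppaNlMbEQFp-ilXLCx_MAgvff1vNA_qA_wh_t0rcsUO_Evbn5lapoDOCom97cddSIywUnb4zA14TRlrttfuOnpkj08WaR2WM38unpKjBpIHYZJYrrG5Gzyyjs2uzPfCydOCcXVuv3xcVTbmgDGVraDswDMF0xVKHwrFNG9HLfCsJhgA14_puVELPRceuXa_o-u9o05U8-BRrzvyEOxobpXc_z6c0FlnA5OcTGbVDChCASal-8kXjaZYzk1dF-FBQxK3Sj75wCi3IYg
    string authHeader = Request.Headers["Authorization"];
    if (string.IsNullOrEmpty(authHeader))
    {
        return Unauthorized();
    }

    // parse the header as "<scheme> <token>"; anything else is rejected up front
    // (indexing parts[1] without this check throws on a header that contains no space)
    string[] parts = authHeader.Split(' ');
    if (parts.Length != 2
        || !string.Equals(parts[0], "Bearer", StringComparison.OrdinalIgnoreCase)
        || string.IsNullOrWhiteSpace(parts[1]))
    {
        return Unauthorized();
    }
    string jwtTokenString = parts[1];

    (bool isJwtTokenValid, string username, JwtSecurityToken jwtToken) = JwtController.ValidateJWTToken(jwtTokenString, JwtController.AUDIENCE);
    if (!isJwtTokenValid)
    {
        return Unauthorized();
    }

    // at this point this controller would add the identity of the authenticated caller as a new HTTP header and call a downstream webapi
    // this part would typically be in the downstream client and called using await

    // validate that the body has not been modified: compare the body's SHA-256 with the hash carried in the token payload
    (string hashType, string bodyHash) = JwtController.GetBodyHashInfo(jwtToken.Payload);
    if (!string.IsNullOrEmpty(hashType))
    {
        // ordinal case-insensitive compare instead of ToLower() (ToLower is culture-sensitive)
        if (!string.Equals(hashType, "sha256", StringComparison.OrdinalIgnoreCase))
        {
            return BadRequest($"hash type: [{hashType}] is NOT supported, use sha256 instead!");
        }

        // the body hash is computed once, only when the token actually carries one
        string actualBodyHash = httpBody.SHA256Hash();
        if (!string.Equals(actualBodyHash, bodyHash, StringComparison.Ordinal))
        {
            return BadRequest("Post Body has been modified");
        }
    }
    // NOTE(review): a token whose payload carries no body-hash claim is accepted with any body;
    // if body integrity is required rather than optional, an empty hashType should be rejected here.

    // in this POC just return the identity that we derived from the JWT
    var authCResult = new AuthCResultBE()
    {
        IsValid = isJwtTokenValid,
        User = username,
        JwtToken = jwtTokenString
    };

    return Ok(authCResult);
}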