Highwind is a .NET Core web API for issuing JSON Web Tokens (JWT) in a Windows domain.
The API uses integrated Windows authentication to authenticate incoming requests and returns a JWT for use in other applications.
This allows a non-Windows app (e.g. a Linux docker container running a web app) to authenticate a user seamlessly with integrated Windows auth.
Swagger is available at `/swagger`.
This is a proof of concept project.
```sh
dotnet restore
```

B. Generate a public and private key (for RSA-signed JWTs; otherwise check `hmacSecretKey` in appsettings)

- Generate keys:

  ```sh
  openssl genrsa -out private.pem 2048
  openssl rsa -in private.pem -outform PEM -pubout -out public.pem
  ```

- Convert these to XML format using a site like RSA Key Converter. This is required for generating an instance of `RSA` - see `XmlHelper.cs`.
- Place the results for the public and private keys into `public.key.xml` and `private.key.xml` in the root directory. You can use Xml Formatter.

Make sure to edit the `Cors:allowedOrigins` section to include the domain of your client app/s.

```sh
dotnet run
```

```sh
dotnet publish
dotnet highwind.dll   # run the published build
```
Current version is 1.0.
The main endpoint.
All clients need to hit this endpoint to authenticate a user via a GET redirect or a GET ajax request.
This endpoint uses integrated Windows authentication to authenticate the incoming request and redirects to `redirectURL` following success or failure.
Upon success, it sets an HTTP-only cookie via a `Set-Cookie` header in the response.
If there is a failure, it will set the cookie to an invalid value, which the client will need to handle.
- Client receives a request from a user, say for the root `/` of the website.
- Client redirects to `highwind/v{version}/Token/auth?apiKey&redirectURL`.
- Highwind authenticates the user, sets the cookie in the response and redirects back to `redirectURL`.
- Client handles the cookie in middleware.
- See the Highwind Test Client project for details. See also `EXAMPLE.MD`.
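The last client-side step of the flow above (read the cookie Highwind set, verify the JWT, treat the invalid value set on failure as "not authenticated") for the HMAC-signed configuration, as an added Python example for a non-Windows client; it is not code from the Highwind project, and the cookie name, the shared secret, the audience and the `sub` claim carrying the user name are assumptions.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

# Constructed for this example: the shared HMAC key (Highwind's appsettings hmacSecretKey),
# this client's audience, and an assumed cookie name (Highwind's real name may differ).
HMAC_SECRET = b"constructed-shared-secret-do-not-reuse"
EXPECTED_AUDIENCE = "constructed-client-app"
COOKIE_NAME = "highwind_token"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims, secret):
    """Build an HS256 JWT; used here only to construct sample cookies."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token, secret, audience, now):
    """Return the claims if signature, exp and aud all check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless 3 parts
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse alg=none and algorithm-confusion headers
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # constant-time comparison against the presented signature
        claims = json.loads(_b64url_decode(payload_b64))
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return None  # missing or past expiry
        aud = claims.get("aud")
        if audience not in (aud if isinstance(aud, list) else [aud]):
            return None  # token was issued for another client
        return claims
    except (ValueError, AttributeError):  # malformed token, e.g. the invalid value set on failure
        return None

def user_from_cookie_header(cookie_header, now=None):
    """Client-side middleware step: read the Highwind cookie and return the user, or None."""
    jar = SimpleCookie(cookie_header)
    if COOKIE_NAME not in jar:
        return None
    now = time.time() if now is None else now
    claims = verify_hs256(jar[COOKIE_NAME].value, HMAC_SECRET, EXPECTED_AUDIENCE, now)
    return claims.get("sub") if claims else None  # assumption: user name carried in "sub"
```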
A simple validation endpoint to test whether a JWT is valid from Highwind's perspective.
Expects the body:

```json
{ "token": "token-value", "audience": "audience-value" }
```
- Add client secret handling, i.e. a DB with client id, client secret hash and audience.
- Mapping of client secret to audience (see the previous point).
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
MaiorSi