Overview
This new token service is meant to be used for all new Kodiak API services. The token issuer requires the user to log in using windows authentication for it to issue a token. The token validator then uses access rules to verify whether or not a user can access the service it’s used in. The token service uses both public and private keys. so it’s necessary to have access to the public key when validating tokens in other services.
The new token issuer can be found here: https://bitbucket.org/kiehf/kodi_kodiak_token_issuer/src/main/
And the authenticator for the tokens can be found here: https://bitbucket.org/kiehf/kodi_kodiak_token_validation/src/main/ and on myget here: https://www.myget.org/feed/kodiak/package/nuget/Kodi.Kodiak.TokenValidation
Token Issuer
The token issuer is only available on kodiak-dev right now through this link:
https://kodiak-dev.kodi.internal/token-issuer-iis/create
The token issuer needs to run on IIS for the windows authentication to work.
Each token contains information about the issuer, audience, expiry time and signing credentials for the token. The only claim included in the token is the windows username of the user (Example: kodi\marvin).
Examples
To get a token through a browser, simply navigate to https://kodiak-dev.kodi.internal/token-issuer-iis/create and sign in using your windows credentials.
To send a request in postman, you’ll have to use NTLM Authentication using your windows credentials:
Example C# request using WebClient using default credentials:
using (var wc = new WebClient() { UseDefaultCredentials = true }) { var token = wc.DownloadString(KodiakTokenIssuerUrl); if (token != null) { if (token.Contains("token")) { // String on the form {"token": "eyJhbGciOiJSUzI1Ni..."} token = token.Substring(token.IndexOf("token") + 8); // String containing only the token token = token.Substring(0, token.IndexOf("\"")); } } }
Token Authenticator
The token validation middleware package can be found on myget under the name Kodi.Kodiak.TokenValidation. It checks whether the user included in the token exists in the database and whether the user has access to the specified service. If so, it will attach the user to HttpContext. Otherwise it will send a 401 unauthorized response.
To perform these validations, the validation middleware needs the public key, access to a repository and the name of the service using the package:
app.UseKodiakTokenValidation( public key string, issuer, audience, name of project service, database connection string, SqlServer or Oracle );
Example:
app.UseKodiakTokenValidation( "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMI...-----END PUBLIC KEY-----", "https://kodiak.is", "https://kodiak.is", "RequestForQuoteService", "Server=kodi-mssql;Initial Catalog=CATALOG;User Id=user;Password=pass;", "SqlServer" );
Example request to service using the Token Authenticator
wc.Headers[HttpRequestHeader.ContentType] = "application/json"; wc.Headers[HttpRequestHeader.Authorization] = "Bearer " + Kodi.Kodiak.Client.Settings.Context.KodiakServiceToken; var response = await wc.UploadStringTaskAsync(Kodi.Kodiak.Client.Settings.Context.QuoteServerUrl + "api/quotes", json); CreateQuoteResponse createQuoteResponse = JsonConvert.DeserializeObject<CreateQuoteResponse>(response);