Overview
This token service is meant to be used by all new Kodiak API services. The token issuer requires the user to log in with Windows authentication before it issues a token. The token validator then applies access rules to decide whether that user may use the service it is installed in. Tokens are signed with the issuer's private key and verified with the matching public key (RS256), so every service that validates tokens needs a copy of the public key, and only the public key; the private key stays with the issuer.
The new token issuer can be found here: https://bitbucket.org/kiehf/kodi_kodiak_token_issuer/src/main/
The validation middleware for the tokens can be found here: https://bitbucket.org/kiehf/kodi_kodiak_token_validation/src/main/ and on myget here: https://www.myget.org/feed/kodiak/package/nuget/Kodi.Kodiak.TokenValidation
Token Issuer
The token issuer is currently only deployed on kodiak-dev, at this address:
https://kodiak-dev.kodi.internal/token-issuer-iis/create
The token issuer needs to run on IIS for the windows authentication to work.
Each token carries the issuer, the audience, an expiry time and the signing credentials (algorithm and signature) that protect it. The only claim in the token is the Windows username of the user (example: kodi\marvin). The token itself says nothing about what the user may do; authorization is decided by the access rules in the validator of the receiving service.
It may be necessary to add an IIS binding for the fully qualified host name, such as kodiak-dev.kodi.internal, as opposed to just kodiak-dev. This is done by choosing “Default Web Site” → Bindings → Add, then selecting Type: https, entering the host name and picking the certificate issued for that name.
Examples
To get a token through a browser, simply navigate to https://kodiak-dev.kodi.internal/token-issuer-iis/create and sign in using your windows credentials.
To send the request from Postman, select NTLM Authentication and enter your Windows credentials.
Example C# request using WebClient with default credentials (the process's Windows identity answers the NTLM/Kerberos challenge from IIS):

    using System;
    using System.Net;
    using Newtonsoft.Json.Linq;

    // The issuer answers with a small JSON document: {"token": "eyJhbGciOiJSUzI1Ni..."}
    string token = null;
    using (var wc = new WebClient { UseDefaultCredentials = true })
    {
        var body = wc.DownloadString(KodiakTokenIssuerUrl);
        // Parse the JSON rather than slicing the string at a fixed offset, which breaks
        // as soon as the issuer emits (or stops emitting) a space after the colon.
        token = JObject.Parse(body)["token"]?.Value<string>();
    }
    if (string.IsNullOrEmpty(token))
        throw new InvalidOperationException("Token issuer returned no token");
    // token now holds only the JWT, e.g. "eyJhbGciOiJSUzI1Ni..."
Token Authenticator
The token validation middleware package can be found on myget under the name Kodi.Kodiak.TokenValidation. It verifies the token with the issuer's public key, then checks whether the user named in the token exists in the database and whether that user has access to the specified service. If so, it attaches the user to HttpContext; otherwise it responds with 401 Unauthorized.
To perform these validations, the middleware needs the public key, the issuer and audience it should accept, the name of the service it is installed in, and a database connection for the access rules:

    app.UseKodiakTokenValidation(
        public key string,
        issuer,
        audience,
        name of project service,
        database connection string,
        SqlServer or Oracle);
Example:
    app.UseKodiakTokenValidation(
        "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMI...-----END PUBLIC KEY-----",
        "https://kodiak.is",
        "https://kodiak.is",
        "RequestForQuoteService",
        "Server=kodi-mssql;Initial Catalog=CATALOG;User Id=user;Password=pass;",
        "SqlServer");

The public key is the PEM-encoded (SubjectPublicKeyInfo) key, and only the public half ever needs to be distributed to services. The connection string is shown inline for illustration only; in a deployed service load it from configuration or a secret store rather than committing database credentials to source.
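The following is an added illustration, not code from the token-issuer or TokenValidation repositories, of what the two halves of the service described above have to do: the issuer signs an RS256 token carrying issuer, audience, expiry and a single username claim, and a validating service, holding only the PEM public key, verifies the token and then consults access rules before accepting the user. It assumes .NET 6+, the System.IdentityModel.Tokens.Jwt package, an in-memory dictionary standing in for the database access rules, and a claim type of "username" (the page does not name the claim type).

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Added illustration, not the project's own code. Assumes .NET 6+ and
// System.IdentityModel.Tokens.Jwt; the claim type "username" is an assumption.
public static class KodiakTokenDemo
{
    const string Issuer = "https://kodiak.is";
    const string Audience = "https://kodiak.is";
    const string UsernameClaim = "username"; // assumed claim type

    // Issuer side: only the issuer holds the private key.
    public static string IssueToken(RSA privateKey, string windowsUser, TimeSpan lifetime)
    {
        var creds = new SigningCredentials(new RsaSecurityKey(privateKey), SecurityAlgorithms.RsaSha256);
        var jwt = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[] { new Claim(UsernameClaim, windowsUser) },
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.Add(lifetime),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // Validator side: the service is given only the PEM public key string.
    // Returns the Windows username, or null when the request should get a 401.
    public static string ValidateToken(string token, string publicKeyPem)
    {
        var rsa = RSA.Create();
        rsa.ImportFromPem(publicKeyPem);
        var rules = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = new RsaSecurityKey(rsa),
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // never trust the header's alg alone
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
        try
        {
            var principal = new JwtSecurityTokenHandler().ValidateToken(token, rules, out _);
            return principal.FindFirst(UsernameClaim)?.Value;
        }
        catch (SecurityTokenException)
        {
            return null; // bad signature, wrong issuer/audience, expired, unsigned: all 401
        }
    }

    // Constructed stand-in for the database access rules: service name -> allowed users.
    static readonly Dictionary<string, HashSet<string>> AccessRules = new(StringComparer.OrdinalIgnoreCase)
    {
        ["RequestForQuoteService"] = new(StringComparer.OrdinalIgnoreCase) { @"kodi\marvin" },
    };

    public static bool HasAccess(string user, string service) =>
        user != null && AccessRules.TryGetValue(service, out var users) && users.Contains(user);

    public static void Main()
    {
        using var issuerKey = RSA.Create(2048);
        // The public half in the form the middleware is configured with.
        string publicPem = "-----BEGIN PUBLIC KEY-----\n"
            + Convert.ToBase64String(issuerKey.ExportSubjectPublicKeyInfo(), Base64FormattingOptions.InsertLineBreaks)
            + "\n-----END PUBLIC KEY-----";

        string good = IssueToken(issuerKey, @"kodi\marvin", TimeSpan.FromMinutes(30));
        string user = ValidateToken(good, publicPem);
        Console.WriteLine($"issuer-signed: user={user} access={HasAccess(user, "RequestForQuoteService")}");

        // Same claims, signed with someone else's private key: signature check fails.
        using var attackerKey = RSA.Create(2048);
        string forged = IssueToken(attackerKey, @"kodi\marvin", TimeSpan.FromMinutes(30));
        Console.WriteLine($"foreign key:   user={ValidateToken(forged, publicPem) ?? "rejected"}");

        // Unsigned token (alg=none): rejected, signed tokens are required.
        string unsigned = new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(
            Issuer, Audience, new[] { new Claim(UsernameClaim, @"kodi\marvin") },
            DateTime.UtcNow, DateTime.UtcNow.AddMinutes(30)));
        Console.WriteLine($"alg=none:      user={ValidateToken(unsigned, publicPem) ?? "rejected"}");

        // Valid token, but no access rule for this user and service: still a 401.
        string other = IssueToken(issuerKey, @"kodi\eve", TimeSpan.FromMinutes(30));
        Console.WriteLine($"no rule:       access={HasAccess(ValidateToken(other, publicPem), "RequestForQuoteService")}");
    }
}
```

The two checks are deliberately separate: signature, issuer, audience and expiry establish who the token names, and the access rules establish what that user may do in this particular service, which is why a correctly signed token for a user without a rule is still refused.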
Example request to service using the Token Authenticator
    using System.Net;
    using Newtonsoft.Json;

    using (var wc = new WebClient())
    {
        wc.Headers[HttpRequestHeader.ContentType] = "application/json";
        // Bearer token obtained from the issuer. Anyone holding it can act as the user
        // until it expires, so it must only ever travel over HTTPS.
        wc.Headers[HttpRequestHeader.Authorization] =
            "Bearer " + Kodi.Kodiak.Client.Settings.Context.KodiakServiceToken;

        var response = await wc.UploadStringTaskAsync(
            Kodi.Kodiak.Client.Settings.Context.QuoteServerUrl + "api/quotes", json);
        CreateQuoteResponse createQuoteResponse =
            JsonConvert.DeserializeObject<CreateQuoteResponse>(response);
    }