Merge pull request #7 from mihirdilip/3.1.0

3.1.0

Author: mihirdilip

README.md

@@ -1,5 +1,5 @@
 # AspNetCore.Authentication.ApiKey
-Easy to use and very light weight Microsoft style API Key Authentication Implementation for ASP.NET Core. It can be setup so that it can accept API Key in Header, QueryParams or HeaderOrQueryParams.
+Easy to use and very light weight Microsoft style API Key Authentication Implementation for ASP.NET Core. It can be setup so that it can accept API Key either in Header, QueryParams or HeaderOrQueryParams.
 
 [View On GitHub](https://github.com/mihirdilip/aspnetcore-authentication-apikey)
 
@@ -16,6 +16,8 @@ PM> Install-Package AspNetCore.Authentication.ApiKey
 
 ## Example Usage
 
+Samples are available under [samples directory](samples).
+
 Setting it up is quite simple. You will need basic working knowledge of ASP.NET Core 2.2 or newer to get started using this code.
 
 On [**Startup.cs**](#startupcs), as shown below, add 2 lines in *ConfigureServices* method `services.AddAuthentication(ApiKeyDefaults.AuthenticationScheme).AddApiKeyInHeaderOrQueryParams<ApiKeyProvider>(options => { options.Realm = "My App"; options.KeyName = "X-API-KEY"; });`. And a line `app.UseAuthentication();` in *Configure* method.
@@ -30,39 +32,24 @@ Also add an implementation of *IApiKeyProvider* as shown below in [**ApiKeyProvi
 using AspNetCore.Authentication.ApiKey;
 public class Startup
 {
-	public Startup(IConfiguration configuration)
-	{
-		Configuration = configuration;
-	}
-
-	public IConfiguration Configuration { get; }
-
 	public void ConfigureServices(IServiceCollection services)
 	{
-		// Add the API Key authentication here..
-		// AddApiKeyInHeaderOrQueryParams extension takes an implementation of IApiKeyProvider for validating the key. 
-		// It also requires Realm and KeyName to be set in the options.
+		// Add the ApiKey scheme authentication here..
+		// It requires Realm to be set in the options if SuppressWWWAuthenticateHeader is not set.
+		// If an implementation of IApiKeyProvider interface is registered in the dependency register as well as OnValidateKey delegete on options.Events is also set then this delegate will be used instead of an implementation of IApiKeyProvider.
 		services.AddAuthentication(ApiKeyDefaults.AuthenticationScheme)
-			//// use below to accept API Key either in header or query parameter
-			.AddApiKeyInHeaderOrQueryParams<ApiKeyProvider>(options => 
-			{ 
-				options.Realm = "My App"; 
-				options.KeyName = "X-API-KEY";	// Your api key name which the clients will require to send the key.
-			});
 
-			//// use below instead to only accept API Key in header
-			//.AddApiKeyInHeader<ApiKeyProvider>(options => 
-			//{ 
-			//	options.Realm = "My App"; 
-			//	options.KeyName = "X-API-KEY";	// Your api key name which the clients will require to send the key.
-			//});
+			// The below AddApiKeyInHeaderOrQueryParams without type parameter will require OnValidateKey delegete on options.Events to be set unless an implementation of IApiKeyProvider interface is registered in the dependency register.
+			// Please note if OnValidateKey delegete on options.Events is also set then this delegate will be used instead of ApiKeyProvider.*
+			//.AddApiKeyInHeaderOrQueryParams(options =>
 
-			//// use below instead to only accept API Key in query parameter
-			//.AddApiKeyQueryParams<ApiKeyProvider>(options => 
-			//{ 
-			//	options.Realm = "My App"; 
-			//	options.KeyName = "X-API-KEY";	// Your api key name which the clients will require to send the key.
-			//});
+			// The below AddApiKeyInHeaderOrQueryParams with type parameter will add the ApiKeyProvider to the dependency register. 
+			// Please note if OnValidateKey delegete on options.Events is also set then this delegate will be used instead of ApiKeyProvider.
+			.AddApiKeyInHeaderOrQueryParams<ApiKeyProvider>(options =>
+			{
+				options.Realm = "Sample Web API";
+				options.KeyName = "X-API-KEY";
+			});
 
 		services.AddControllers();
 
@@ -99,39 +86,24 @@ public class Startup
 using AspNetCore.Authentication.ApiKey;
 public class Startup
 {
-	public Startup(IConfiguration configuration)
-	{
-		Configuration = configuration;
-	}
-
-	public IConfiguration Configuration { get; }
-
 	public void ConfigureServices(IServiceCollection services)
 	{
-		// Add the API Key authentication here..
-		// AddApiKeyInHeaderOrQueryParams extension takes an implementation of IApiKeyProvider for validating the key. 
-		// It also requires Realm and KeyName to be set in the options.
+		// Add the ApiKey scheme authentication here..
+		// It requires Realm to be set in the options if SuppressWWWAuthenticateHeader is not set.
+		// If an implementation of IApiKeyProvider interface is registered in the dependency register as well as OnValidateKey delegete on options.Events is also set then this delegate will be used instead of an implementation of IApiKeyProvider.
 		services.AddAuthentication(ApiKeyDefaults.AuthenticationScheme)
-			//// use below to accept API Key either in header or query parameter
-			.AddApiKeyInHeaderOrQueryParams<ApiKeyProvider>(options => 
-			{ 
-				options.Realm = "My App"; 
-				options.KeyName = "X-API-KEY";	// Your api key name which the clients will require to send the key.
-			});
 
-			//// use below instead to only accept API Key in header
-			//.AddApiKeyInHeader<ApiKeyProvider>(options => 
-			//{ 
-			//	options.Realm = "My App"; 
-			//	options.KeyName = "X-API-KEY";	// Your api key name which the clients will require to send the key.
-			//});
+			// The below AddApiKeyInHeaderOrQueryParams without type parameter will require OnValidateKey delegete on options.Events to be set unless an implementation of IApiKeyProvider interface is registered in the dependency register.
+			// Please note if OnValidateKey delegete on options.Events is also set then this delegate will be used instead of ApiKeyProvider.*
+			//.AddApiKeyInHeaderOrQueryParams(options =>
 
-			//// use below instead to only accept API Key in query parameter
-			//.AddApiKeyInQueryParams<ApiKeyProvider>(options => 
-			//{ 
-			//	options.Realm = "My App"; 
-			//	options.KeyName = "X-API-KEY";	// Your api key name which the clients will require to send the key.
-			//});
+			// The below AddApiKeyInHeaderOrQueryParams with type parameter will add the ApiKeyProvider to the dependency register. 
+			// Please note if OnValidateKey delegete on options.Events is also set then this delegate will be used instead of ApiKeyProvider.
+			.AddApiKeyInHeaderOrQueryParams<ApiKeyProvider>(options =>
+			{
+				options.Realm = "Sample Web API";
+				options.KeyName = "X-API-KEY";
+			});
 
 		services.AddMvc();
 
@@ -160,7 +132,7 @@ public class ApiKeyProvider : IApiKeyProvider
 {
 	private readonly ILogger<ApiKeyProvider> _logger;
 
-	public BasicUserValidationService(ILogger<ApiKeyProvider> logger)
+	public ApiKeyProvider(ILogger<ApiKeyProvider> logger)
 	{
 		_logger = logger;
 	}
@@ -199,6 +171,46 @@ class ApiKey : IApiKey
 }
 ```
 
+## Configuration (ApiKeyOptions)
+#### KeyName
+Required to be set. It is the name of the header if it is setup as in-header or the name of the query parameter if set as in-query-string.
+
+#### Realm
+Required to be set if SuppressWWWAuthenticateHeader is not set to true. It is used with WWW-Authenticate response header when challenging un-authenticated requests.  
+   
+#### SuppressWWWAuthenticateHeader
+Default value is false.  
+When set to true, it will NOT return WWW-Authenticate response header when challenging un-authenticated requests.  
+When set to false, it will return WWW-Authenticate response header when challenging un-authenticated requests.
+
+#### Events
+The object provided by the application to process events raised by the api key authentication middleware.  
+The application may implement the interface fully, or it may create an instance of ApiKeyEvents and assign delegates only to the events it wants to process.
+- ##### OnValidateKey
+	A delegate assigned to this property will be invoked just before validating the api key.  
+	You must provide a delegate for this property for authentication to occur.  
+	In your delegate you should either call context.ValidationSucceeded() which will handle construction of authentication principal from the api key which will be assiged the context.Principal property and call context.Success(), or construct an authentication principal from the api key & attach it to the context.Principal property and finally call context.Success() method.  
+	If only context.Principal property set without calling context.Success() method then, Success() method is automaticalled called.
+
+- ##### OnAuthenticationSucceeded  
+	A delegate assigned to this property will be invoked when the authentication succeeds. It will not be called if OnValidateKey delegate is assigned.  
+    It can be used for adding claims, headers, etc to the response.
+
+- ##### OnAuthenticationFailed  
+	A delegate assigned to this property will be invoked when the authentication fails.
+
+- ##### OnHandleChallenge  
+	A delegate assigned to this property will be invoked before a challenge is sent back to the caller when handling unauthorized response.  
+	Only use this if you know what you are doing and if you want to use custom implementation.  Set the delegate to deal with 401 challenge concerns, if an authentication scheme in question deals an authentication interaction as part of it's request flow. (like adding a response header, or changing the 401 result to 302 of a login page or external sign-in location.)  
+    Call context.Handled() at the end so that any default logic for this challenge will be skipped.
+
+- ##### OnHandleForbidden  
+	A delegate assigned to this property will be invoked if Authorization fails and results in a Forbidden response.  
+	Only use this if you know what you are doing and if you want to use custom implementation.  
+	Set the delegate to handle Forbid.  
+	Call context.Handled() at the end so that any default logic will be skipped.
+
+
 ## Additional Notes
 Please note that, by default, with ASP.NET Core, all the requests are not challenged for authentication. So don't worry if your *ApiKeyProvider* is not hit when you don't pass the required api key authentication details with the request. It is a normal behaviour. ASP.NET Core challenges authentication only when it is specifically told to do so either by decorating controller/method with *[Authorize]* filter attribute or by some other means. 
 

samples/ApiKeySamplesClient.postman_collection.json

@@ -0,0 +1,131 @@
+{
+	"info": {
+		"_postman_id": "d1468654-1b2a-4caf-9380-6ae0e6d03f6f",
+		"name": "ApiKeySamplesClient",
+		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
+	},
+	"item": [
+		{
+			"name": "Get Values No Auth",
+			"request": {
+				"auth": {
+					"type": "noauth"
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{base_url}}/api/values",
+					"host": [
+						"{{base_url}}"
+					],
+					"path": [
+						"api",
+						"values"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "Get Values",
+			"request": {
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{base_url}}/api/values",
+					"host": [
+						"{{base_url}}"
+					],
+					"path": [
+						"api",
+						"values"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "Claims",
+			"request": {
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{base_url}}/api/values/claims",
+					"host": [
+						"{{base_url}}"
+					],
+					"path": [
+						"api",
+						"values",
+						"claims"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "Forbid",
+			"request": {
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{base_url}}/api/values/forbid",
+					"host": [
+						"{{base_url}}"
+					],
+					"path": [
+						"api",
+						"values",
+						"forbid"
+					]
+				}
+			},
+			"response": []
+		}
+	],
+	"auth": {
+		"type": "apikey",
+		"apikey": [
+			{
+				"key": "value",
+				"value": "Key1",
+				"type": "string"
+			},
+			{
+				"key": "key",
+				"value": "X-API-Key",
+				"type": "string"
+			}
+		]
+	},
+	"event": [
+		{
+			"listen": "prerequest",
+			"script": {
+				"id": "28b765c6-41cd-4b65-8801-02fba6cac26b",
+				"type": "text/javascript",
+				"exec": [
+					""
+				]
+			}
+		},
+		{
+			"listen": "test",
+			"script": {
+				"id": "939052e9-9216-4135-b1c9-45ce33bcfc6f",
+				"type": "text/javascript",
+				"exec": [
+					""
+				]
+			}
+		}
+	],
+	"variable": [
+		{
+			"id": "c46c2023-75a9-4c27-8c41-dbb222f466af",
+			"key": "base_url",
+			"value": "https://localhost:44304/"
+		}
+	],
+	"protocolProfileBehavior": {}
+}

samples/SampleWebApi.Shared/Models/ApiKey.cs

@@ -0,0 +1,20 @@
+using AspNetCore.Authentication.ApiKey;
+using System.Collections.Generic;
+using System.Security.Claims;
+
+namespace SampleWebApi.Models
+{
+	class ApiKey : IApiKey
+	{
+		public ApiKey(string key, string owner, List<Claim> claims = null)
+		{
+			Key = key;
+			OwnerName = owner;
+			Claims = claims ?? new List<Claim>();
+		}
+
+		public string Key { get; }
+		public string OwnerName { get; }
+		public IReadOnlyCollection<Claim> Claims { get; }
+	}
+}

samples/SampleWebApi.Shared/Repositories/IApiKeyRepository.cs

@@ -0,0 +1,13 @@
+using AspNetCore.Authentication.ApiKey;
+using System.Threading.Tasks;
+
+namespace SampleWebApi.Repositories
+{
+    /// <summary>
+    /// NOTE: DO NOT USE THIS IMPLEMENTATION. THIS IS FOR DEMO PURPOSE ONLY
+    /// </summary>
+    public interface IApiKeyRepository
+	{
+		Task<IApiKey> GetApiKeyAsync(string key);
+	}
+}

samples/SampleWebApi.Shared/Repositories/InMemoryApiKeyRepository.cs

@@ -0,0 +1,27 @@
+using AspNetCore.Authentication.ApiKey;
+using SampleWebApi.Models;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace SampleWebApi.Repositories
+{
+    /// <summary>
+    /// NOTE: DO NOT USE THIS IMPLEMENTATION. THIS IS FOR DEMO PURPOSE ONLY
+    /// </summary>
+    public class InMemoryApiKeyRepository : IApiKeyRepository
+	{
+		private List<IApiKey> _cache = new List<IApiKey>
+		{
+			new ApiKey("Key1", "Admin"),
+			new ApiKey("Key2", "User"),
+		};
+
+		public Task<IApiKey> GetApiKeyAsync(string key)
+		{
+			var apiKey = _cache.FirstOrDefault(k => k.Key.Equals(key, StringComparison.OrdinalIgnoreCase));
+			return Task.FromResult(apiKey);
+		}
+	}
+}

samples/SampleWebApi.Shared/SampleWebApi.Shared.projitems

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <MSBuildAllProjects>$(MSBuildAllProjects);$(MSBuildThisFileFullPath)</MSBuildAllProjects>
+    <HasSharedItems>true</HasSharedItems>
+    <SharedGUID>e544fb20-29f3-41f5-a78e-6164f9c43b3c</SharedGUID>
+  </PropertyGroup>
+  <PropertyGroup Label="Configuration">
+    <Import_RootNamespace>SampleWebApi.Shared</Import_RootNamespace>
+  </PropertyGroup>
+  <ItemGroup>
+    <Compile Include="$(MSBuildThisFileDirectory)Models\ApiKey.cs" />
+    <Compile Include="$(MSBuildThisFileDirectory)Services\ApiKeyProvider.cs" />
+    <Compile Include="$(MSBuildThisFileDirectory)Repositories\InMemoryApiKeyRepository.cs" />
+    <Compile Include="$(MSBuildThisFileDirectory)Repositories\IApiKeyRepository.cs" />
+  </ItemGroup>
+</Project>