SquareWidget.HMAC.Server.Core
8.0.0
Prefix Reserved
See the version list below for details.
dotnet add package SquareWidget.HMAC.Server.Core --version 8.0.0
NuGet\Install-Package SquareWidget.HMAC.Server.Core -Version 8.0.0
<PackageReference Include="SquareWidget.HMAC.Server.Core" Version="8.0.0" />
paket add SquareWidget.HMAC.Server.Core --version 8.0.0
#r "nuget: SquareWidget.HMAC.Server.Core, 8.0.0"
// Install SquareWidget.HMAC.Server.Core as a Cake Addin #addin nuget:?package=SquareWidget.HMAC.Server.Core&version=8.0.0 // Install SquareWidget.HMAC.Server.Core as a Cake Tool #tool nuget:?package=SquareWidget.HMAC.Server.Core&version=8.0.0
SquareWidget.HMAC.Server.Core
Middleware HMAC-based authentication service for .NET Core 8.0
Status
Prerequisites
.NET Core 8.0
Getting Started
See the documentation for usage. Download the NuGet package in your API. Implement a shared secret store service from abstract base class SharedSecretStoreService as in this example:
using SquareWidget.HMAC.Server.Core;
using System.Threading.Tasks;
namespace SquareWidget.ExampleApi
{
public class MySharedSecretStoreService : SharedSecretStoreService
{
public override Task<string> GetSharedSecretAsync(string clientId)
{
// TODO: Use clientId to get the shared secret from
// Azure Key Vault, IdentityServer4, or a database
return Task.Run(() => "P@ssw0rd");
}
}
}
Add to ConfigureServices method in Startup.cs to register the authentication handler:
services
.AddAuthentication(HmacAuthenticationDefaults.AuthenticationScheme)
.AddHmacAuthentication<MySharedSecretStoreService>(o => { });
Options
By default the authentication handler looks for two request headers called "Hash" and "Timestamp" but these can be overridden if the client passes in another value in the request header:
services
.AddAuthentication(HmacAuthenticationDefaults.AuthenticationScheme)
.AddHmacAuthentication<MySharedSecretStoreService>(o =>
{
o.HashHeaderName = "MyHash";
o.TimestampHeaderName = "MyTimestamp";
});
There is a replay attack value of 15 seconds. This can be overridden which is especially useful when debugging code:
services
.AddAuthentication(HmacAuthenticationDefaults.AuthenticationScheme)
.AddHmacAuthentication<MySharedSecretStoreService>(o =>
{
o.ReplayAttackDelayInSeconds = 900; // 15 mins
});
Client Side
Use SquareWidget.HMAC.Client.Core package. See the documentation. Bring in the package and use HmacHttpClient:
var baseUri = "https://localhost:12345";
var credentials = new ClientCredentials
{
ClientId = "testClient",
ClientSecret = "testSecret"
};
var requestUri = "api/widgets/1";
using (var client = new HmacHttpClient(baseUri, credentials))
{
var widget = client.Get<Widget>(requestUri).Result;
// do something with widget ID 1...
}
Versioning
Version 6.0.0 targets.NET Core 8.0
Authors
License
This project is licensed under the MIT License.
Acknowledgments
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
-
net8.0
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Now targets .NET 8.0. Also timestamp now uses unix timestamp to faciliate API testing with javascript.