Pull Request or New Project: Secured APIs for backoffice users API calls with JWT Auth Tokens


Warren Buckley

Dec 4, 2014, 7:43:01 AM12/4/14
to umbra...@googlegroups.com

Hello all,
I wanted to share with you my working POC for using JWT (JSON Web Tokens) for auth tokens to create public APIs for the Umbraco backoffice.

I talked to Niels & explained the idea at the Umbraco UK Festival in the open workshop/show & tell sessions and with the Core team planning to do
something similar in the core on the roadmap that was presented in the keynote, so I wanted to share my work with this so far.

What are JWTs?
They are auth tokens that allow you to send a piece of JSON encoded as a token, and are the more modern approach to dealing with auth in applications,
especially as we build applications across different devices. The videos below will do a lot better at explaining it than I can.


Why do this?
I needed to create this POC for an upcoming pet project I am currently hacking & building. I needed a way to authenticate to any Umbraco backoffice using
the same credentials as the Umbraco backoffice user & ensure they have access to specific section/s on that user. The user will only need to login once and we
then store the auth token in local storage or cookies and use that token from storage or cookie for any future secured/protected API calls.


More Resources on JWTs
NG Europe talk from 0Auth.com guys
https://www.youtube.com/watch?v=lDb_GANDR8U&list=UUEGUP3TJJfMsEM_1y8iviSQ

Another good talk on JWT
https://www.youtube.com/watch?v=vIGZxeQUUFU#t=83

Debugger tool
http://jwt.io

Class Library & Nuget Package I use 
I didn't use the M$ one as it was massively complex, as opposed to a single class file.
Authored by FireBase, Twilio & others
http://www.nuget.org/packages/JWT/
https://github.com/johnsheehan/jwt/blob/master/JWT/JWT.cs


Explaining how my implementation works

  1. A user will do a HTTP post of their backoffice Umbraco username & password to a normal API Controller
    1. Controller verifies credentials
    2. If a token already exists for the user (matches against user id) in custom PetaPoco DB table
    3. If no token exists create a new token for the user & store in the DB table
    4. Return existing or newly created token in the response

  2. A user can then store that token say in LocalStorage or Cookie

  3. User calls secured API sends bearer auth token in HTTP header for request (From LocalStorage or cookie)
    1. Server finds token in request
    2. Tries to decode the token with secret
    3. If the token was not encoded with the same secret, send 401
    4. If token can be decoded correctly find user id in JSON
    5. Check if user has the same token stored in the DB
    6. If so process method on API controller

  4. User changes password in Umbraco backoffice
    1. If no token exists in DB - nothing happens
    2. If token exists in DB - generate new token with new datetime stamp to make it unique from last time


Why do you not just store the username & password in the JWT?
The payload of the JSON object in the JWT can be decoded easily: paste a token into jwt.io and you can see it.
However, the part to do with JWT is that we verify the AuthToken is signed using the secret/string, to ensure our server created the JWT & to confirm its validity.

So in my implementation I only store the username, user ID, user role and Created Date of the token. The date ensures that the token is different every time
a new one is generated for easy revoking.


Do the tokens expire?
My implementation allows the tokens to work indefinitely until the user in the Umbraco backoffice changes their password,
which creates a new token and thus revokes access to the API for any clients or services using it.

However it is easily possible to store an expiry date in the JSON payload of the Auth Token and when decoding it verifying the expiry date on it.


Where's the code?
I currently have it in a pet project I am working on and need to do a bit of tidying up and decoupling from the project it's currently in and
plan to put it on GitHub to discuss & review with everyone here (If there is interest, that is)


Separate Project or Pull Request?
So the question I ask is this: until the core supports Identity 2 from Microsoft for members & backoffice users (I know Shannon has a project that works with members currently),
do I submit this idea/approach to the core as a Pull Request to help move this forward, or will it only be superseded at a later date by Identity, so is it worth it?


Thanks
I look forward to any feedback or thoughts you have on this

Cheers,
Warren :)
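As an added example (not Warren's code, which is .NET; this is a standalone Python sketch of the same flow), the login/verify/revoke steps described above, plus the optional expiry check mentioned later in the post. The secret, the function names and the in-memory dict standing in for the PetaPoco table are all constructed for the example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: the server's signing secret
TOKEN_STORE = {}  # stands in for the PetaPoco table: user id -> current token

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode(payload, secret):
    # HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256 over both)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def decode(token, secret):
    # Anyone can read the payload (jwt.io); only the signature proves our secret made it.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))

def issue_token(user_id, username, role, now, ttl=None):
    # Login step: reuse the stored token, else mint one stamped with creation time (+ optional expiry).
    if user_id in TOKEN_STORE:
        return TOKEN_STORE[user_id]
    payload = {"userId": user_id, "username": username, "role": role, "created": int(now)}
    if ttl is not None:
        payload["exp"] = int(now) + ttl
    TOKEN_STORE[user_id] = encode(payload, SECRET)
    return TOKEN_STORE[user_id]

def authorize(bearer, now):
    # Secured-API step: None means 401. The token must verify against the secret,
    # be the exact token the DB holds for that user id, and not be past any expiry.
    payload = decode(bearer, SECRET)
    if payload is None or TOKEN_STORE.get(payload.get("userId")) != bearer:
        return None
    return None if payload.get("exp", now) < now else payload

def on_password_changed(user_id, username, role, now):
    # Password-change step: replace an existing token (new created stamp), revoking the old one.
    if TOKEN_STORE.pop(user_id, None) is not None:
        issue_token(user_id, username, role, now)
```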

Richard Terris

Dec 4, 2014, 9:38:25 AM12/4/14
to umbra...@googlegroups.com
Hi Warren,

This sounds interesting to me and I'm also keen to hear (read) about the situations you might use this in.

Richard

Warren Buckley

Dec 4, 2014, 10:29:25 AM12/4/14
to umbra...@googlegroups.com
Hi Richard,
Well you could apply this to anything really.

An API into your Umbraco backoffice site (that allows you to work with the Services API for content, media, etc.), and most of these APIs require the context of the backoffice user.
So when creating a node I know for audit logs etc who created the node.

Also you wouldn't want it opened up publicly without any auth for people to start adding/deleting stuff from your site.

There are endless workflows you could do, though.

Cheers,
Warren

Richard Terris

Dec 5, 2014, 4:30:54 AM12/5/14
to umbra...@googlegroups.com
Hi Warren,

That's great!
I thought that's what you were describing but I thought it best to double check.

So if you wanted to expose content from Umbraco via a REST endpoint, this would be the way to authenticate the requests?

The project sounds really interesting and I look forward to seeing the code, and perhaps I can contribute :)

Thanks again,

Richard

Devin Bost

Dec 8, 2014, 10:12:01 AM12/8/14
to umbra...@googlegroups.com
I am definitely interested in this. (It is currently already on my "To do" list.) Warren, are you planning on using Node.js or going the .NET direction? I apologize if the answer should already be clear from what you previously mentioned.

-Devin

Warren Buckley

Dec 11, 2014, 6:17:17 PM12/11/14
to umbra...@googlegroups.com
Hi all,
OK, I have been hacking on this a little in the nights currently and I would LOVE a code review, feedback & thoughts on this.
It's still not 100% complete as I have been mega busy, but this should be enough to look over & give me feedback on guys & gals.


Thanks,
Warren :)

Warren Buckley

Dec 11, 2014, 6:27:09 PM12/11/14
to umbra...@googlegroups.com
Another good little topic/tutorial on JWT tokens and why they are the way forward/future, if you want a better understanding of it all.

Devin Bost

Jan 5, 2015, 3:07:33 PM1/5/15
to umbra...@googlegroups.com
Thanks for the article. To what extent do you think this might be affected by the MVC5/Web API 2 (specifically OAuth2) changes discussed in this thread? (For example, involving OAuth2.)

-Devin