Stateless authentication
This document provides an overview on how to enable stateless authentication in your Nancy application. Stateless authentication enables you to inspect each incoming request and, based on information about that request, decide if it should be treated as an authenticated request or not.
For instance, you could inspect the request to make sure that a query string parameter was passed in (perhaps an api key), that a certain header is available, or that the request originated from a certain ip-address. A good solution for transferring stateless authentication information is using JWT
The full request is at your disposal!
Stateless authentication can be setup for requests on a
- All modules (ie. application wide)
- Per module (ie. on a specific module only).
To enable stateless authentication, in your application, you need to complete the following steps
- Install the
Nancy.Authentication.Statelesspackage - Configure and enable Stateless Authentication
- Secure your modules
Stateless Authentication can be enabled for:
StatelessAuthentication.Enable(pipelines, statelessAuthConfiguration);This should be called from either ApplicationStartup or RequestStartup methods of your bootstrapper.
StatelessAuthentication.Enable(this, statelessAuthConfiguration);If you want to enable it per module, it has to be done in the module constructor.
The statelessAuthConfiguration variable, that is passed into StatelessAuthentication.Enable method, is an instance of the StatelessAuthenticationConfiguration type, which enables you to customize the behavior of the stateless authentication provider.
When creating an instance of the StatelessAuthenticationConfiguration type, it expects a single parameter of type Func<NancyContext, IUserIdentity>. The function is what is used to inspect the request (or anything else in the context for that matter) and return null if the request should not be treated as authenticated, or the appropriate IUserIdentity if it should.
var configuration =
new StatelessAuthenticationConfiguration(ctx =>
{
if (!ctx.Request.Query.apikey.HasValue)
{
return null;
}
// This would where you authenticated the request. IUserApiMapper is
// not a Nancy type.
var userValidator =
container.Resolve<IUserApiMapper>();
return userValidator.GetUserFromAccessToken(ctx.Request.Query.apikey);
});Sample for securing a single module with JWT using jose-jwt library :
var configuration =
new StatelessAuthenticationConfiguration(ctx =>
{
var jwtToken = ctx.Request.Headers.Authorization;
try
{
var payload = Jose.JWT.Decode<JwtToken>(jwtToken, SecretKey);
var tokenExpires = DateTime.FromBinary(payload.exp);
if (tokenExpires > DateTime.UtcNow)
{
return new ClaimsPrincipal(new HttpListenerBasicIdentity(payload.sub, null));
}
return null;
}
catch (Exception)
{
return null;
}
});
StatelessAuthentication.Enable(this, configuration);Where JwtToken is a simple data class:
public class JwtToken
{
public string sub;
public long exp;
}
« Part 22. Authentication — Documentation overview — Part 22. Forms Authentication »
- Introduction
- Exploring the Nancy module
- Routing
- Taking a look at the DynamicDictionary
- Async
- View Engines
- Using Models
- Managing static content
- Authentication
- Lifecycle of a Nancy Application
- Bootstrapper
- Adding a custom FavIcon
- Diagnostics
- Generating a custom error page
- Localization
- SSL Behind Proxy
- Testing your application
- The cryptography helpers
- Validation
- Hosting Nancy with ASP.NET
- Hosting Nancy with WCF
- Hosting Nancy with Azure
- Hosting Nancy with Suave.IO
- Hosting Nancy with OWIN
- Hosting Nancy with Umbraco
- Hosting Nancy with Nginx on Ubuntu
- Hosting Nancy with FastCgi
- Self Hosting Nancy
- Implementing a Host
- Accessing the client certificate when using SSL
- Running Nancy on your Raspberry Pi
- Running Nancy with ASP.NET Core 3.1