Web Api access token misuse

  • Question

  • Hi,

    I have implemented token-based authentication in my Web API project, following:

    http://www.dotnetawesome.com/2016/09/token-based-authentication-in-webapi.html

    As usual, after providing valid credentials the API sends back a response with an access token:

    {
        "access_token": "a4_UcBwGm6rZOzokFEmd0sBdhPkDr-tmVkuLUADAnsR_cioWj796DACeiR72iMEXS7Lmg9zt5VPWX1ptlIdsfhmbumLUfe8wyFZE0IWYHfjphjKn6Y2gHZBKRkl8E5QVSMzrcE1jE-_gviwcPUroIYPXFVju8ZOd72JteL9YbZBGcl_SWuywbSnJyeJwWqYKB-OZKLwJSKMEYEYYMu4jBmuuOLC8bvrivdo8uP4aYIjTYfpmQDY-sR9ZmO6_veh4QLA-JrWMNiJD6QvAwc4a66Jj4ypL2nD6p56ZgdLi_X8nHYjgAY48fXhTMw72R0Warub5Nz5hvfqe1ZpglVFN-5J17xo9c6Ry0eZ2FRdFJPvj-qLtDWG1P25FGpIbATQsRUhdbEpl639m1NE_6TqCQ_Is76JoggYYCR_k9ke2A-B7r_G1b_LsCuLS2eYsZhtqz_BjUHqDixtQ3dbz_c118ULyGVo_V5-y2mInM0n8MKY",
        "token_type": "bearer",
        "expires_in": 1209599,
        "userName": "a1@b.com",
        ".issued": "Fri, 08 Sep 2017 06:04:04 GMT",
        ".expires": "Fri, 22 Sep 2017 06:04:04 GMT"
    }

    My doubt is: can someone misuse this token? If he knows all the API URIs and he got the token (not by logging in, but by stealing it from another user), he can access all the services, right? How can we avoid this?

    Can someone help me?

    Thanks

    • Moved by CoolDadTx Friday, September 8, 2017 1:36 PM ASP.NET related
    Friday, September 8, 2017 9:50 AM

All replies

  • Hi mjs,

    It's a possibility: the so-called man-in-the-middle attack. Someone searching the network finds a call to the REST service with an access token and steals the token.

    In order to defend against and prevent it,

    you need SSL.

    This is what SSL helps protect against: by encrypting your NETWORK traffic from your computer -> some server when authenticating, a third party who is monitoring your network traffic can NOT see your tokens, passwords, or anything like that unless they're somehow able to get a copy of the server's private SSL key (unlikely). This is the reason SSL is MANDATORY for all forms of authentication.

    Read this article about SSL:

    https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/working-with-ssl-in-web-api

    Friendly regards

    Laurens


    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Friday, September 8, 2017 10:23 AM
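    The reply above points to the Microsoft article on SSL in Web API. As an added example (not code from this thread, though it follows the filter pattern that article describes), here is a Web API authorization filter that refuses any request arriving over plain HTTP, so a bearer token is never accepted on an unencrypted connection, together with its global registration. The class name, the comments and the WebApiConfig registration shown are assumptions for this example.

    ```csharp
    using System;
    using System.Net;
    using System.Net.Http;
    using System.Web.Http;
    using System.Web.Http.Controllers;
    using System.Web.Http.Filters;

    // Authorization filter that refuses any request not made over HTTPS.
    // Without this, a bearer token sent over plain HTTP is visible to anyone
    // on the network path and can be replayed until it expires.
    public class RequireHttpsAttribute : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
            {
                // Fail closed with 403 rather than redirecting: a redirect would
                // not undo the fact that the token already crossed the wire in clear.
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden)
                {
                    ReasonPhrase = "HTTPS Required"
                };
            }
            else
            {
                base.OnAuthorization(actionContext);
            }
        }
    }

    // Register the filter globally so every Web API controller is covered.
    // WebApiConfig is the usual App_Start class in a Web API project (assumed here).
    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            config.Filters.Add(new RequireHttpsAttribute());
            config.MapHttpAttributeRoutes();
        }
    }
    ```

    Two caveats: the /token endpoint in the tutorial is OWIN middleware, not a Web API controller, so this filter never sees it; for that endpoint set `AllowInsecureHttp = false` on `OAuthAuthorizationServerOptions` so token requests over HTTP are rejected too. And if TLS is terminated on a proxy in front of the application, the scheme the application sees may be `http`; in that deployment the HTTPS check has to be done at the proxy (or from the forwarded-protocol header it sets) instead.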
  • Hi Laurens,

    I have a web client consuming these APIs, which saves the access token to the browser session storage. Can someone steal it from there? Or can he steal it by watching network traffic? These are possible situations, right?

    Can enabling SSL restrict this?

    Thanks

    Friday, September 8, 2017 10:37 AM
  • Getting an SSL provider costs money, just so you know, and the cost is not trivial.

    You should look into implementing a Service Layer.

    https://msdn.microsoft.com/en-us/library/ee658090.aspx

    You could use the concept as an abstraction away from the WebAPI services.

    https://docs.microsoft.com/en-us/aspnet/mvc/overview/older-versions-1/models-data/validating-with-a-service-layer-cs

    WebAPI can be discussed at the ASP.NET forum.

    http://forums.asp.net/

    Friday, September 8, 2017 11:43 AM
  • Hi mjs_123,

    This is what Microsoft recommends; you should follow these steps:

    Though a party must authenticate first to receive the token, if the required steps are not taken to secure the token in transmission and storage, it can be intercepted and used by an unintended party. While some security tokens have a built-in mechanism for preventing unauthorized parties from using them, tokens do not have this mechanism and must be transported in a secure channel such as transport layer security (HTTPS). If a token is transmitted in the clear, a man-in-the-middle attack can be used by a malicious party to acquire the token and use it for unauthorized access to a protected resource. The same security principles apply when storing or caching tokens for later use. Always ensure that your application transmits and stores tokens in a secure manner.

    You can revoke a token if a user is no longer permitted to make requests on the API or if the token has been compromised.

    https://docs.microsoft.com/en-us/r-server/operationalize/how-to-manage-access-tokens

    and use HTTPS:

    https://docs.microsoft.com/en-us/r-server/operationalize/configure-https

    Kind regards

    Laurens




    • Edited by laurens vdb Friday, September 8, 2017 12:06 PM
    Friday, September 8, 2017 12:05 PM
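    The quoted guidance says a compromised token can be revoked, but the bearer tokens issued by the OWIN OAuth middleware in the linked tutorial are self-contained encrypted tickets with no server-side record, so there is nothing to revoke unless the application adds it. As an added example (not code from this thread or from the tutorial), one way to make them revocable: stamp each token with a unique id claim when it is issued, keep a server-side set of revoked ids, and reject any request whose token id is in that set. The claim name "token_id", the in-memory RevokedTokens store, the credential check left as a placeholder, and the class names are all assumptions for this example.

    ```csharp
    using System;
    using System.Collections.Concurrent;
    using System.Net;
    using System.Net.Http;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using System.Web.Http;
    using System.Web.Http.Controllers;
    using System.Web.Http.Filters;
    using Microsoft.Owin.Security.OAuth;

    // 1. Token issuance: give every token its own id so it can be singled out later.
    //    "token_id" is a claim name chosen for this example, not a standard claim type.
    public class ExampleAuthorizationServerProvider : OAuthAuthorizationServerProvider
    {
        public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            // Assumption: the real user/password check has already been done here
            // the same way the tutorial does it; it is omitted to keep the focus on revocation.
            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
            identity.AddClaim(new Claim("token_id", Guid.NewGuid().ToString("N")));
            context.Validated(identity);
            return Task.FromResult(0);
        }
    }

    // 2. Revocation list. In-memory here for illustration; with more than one
    //    server this must live in a shared store (database or cache) instead.
    public static class RevokedTokens
    {
        private static readonly ConcurrentDictionary<string, DateTime> Revoked =
            new ConcurrentDictionary<string, DateTime>();

        public static void Revoke(string tokenId) => Revoked[tokenId] = DateTime.UtcNow;
        public static bool IsRevoked(string tokenId) => Revoked.ContainsKey(tokenId);
    }

    // 3. Filter that runs after the bearer middleware has validated the ticket
    //    and rejects the request if the token id is missing or revoked.
    public class RejectRevokedTokenAttribute : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
            var tokenId = principal?.FindFirst("token_id")?.Value;

            if (tokenId == null || RevokedTokens.IsRevoked(tokenId))
            {
                actionContext.Response = actionContext.Request.CreateResponse(
                    HttpStatusCode.Unauthorized, "Token revoked or missing token id");
                return;
            }
            base.OnAuthorization(actionContext);
        }
    }

    // 4. A logout endpoint that revokes the caller's own token; an admin endpoint
    //    could revoke any id in the same way when a token is reported stolen.
    [Authorize]
    [RejectRevokedToken]
    public class SessionController : ApiController
    {
        [HttpPost]
        [Route("api/session/logout")]
        public IHttpActionResult Logout()
        {
            var tokenId = (User as ClaimsPrincipal)?.FindFirst("token_id")?.Value;
            if (tokenId != null)
            {
                RevokedTokens.Revoke(tokenId);
            }
            return Ok();
        }
    }
    ```

    Entries only need to be kept until the token's own expiry (the `.expires` value in the response above), after which the middleware rejects the ticket anyway; with the 14-day lifetime shown in the question that is a long window, so shortening `AccessTokenExpireTimeSpan` is the other half of limiting what a stolen token is worth.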
  • Please post questions related to ASP.NET and Web API in the ASP.NET forums.
    Friday, September 8, 2017 1:36 PM