edited tags

Link

edited Feb 9, 2023 at 9:59

10.8k
1
16
36

Bumped by Community user

occurred Dec 11, 2022 at 16:04

Improved readability, removed concern from the title (save it for the question body), removed request for alternative implementations. This is Code Review, not Code Alternatives Implementations.

Source Link

edited Nov 10, 2022 at 20:16

Mast ♦

13.8k
12
57
127

Decrypt incoming httpHTTP request headers- best practices?

During each Http RequestHTTP request incoming from my Angular front-end I send encrypted pair of access & refresh token. On On the back end an-end ASP.NET Webweb APIs are used. The

The way I decrypt them currently is by creating 2 custom middlewares in one of the APIs (one after another): The first one decrypt the access token, modifies the http request header with the decrypted information and passes it to the next middleware. The second one checks if the (decrypted) access token is expired and depending on this - issues new access token, using the (decrypted) refresh token and again modifies the Http header with the new access token.

The first one decrypt the access token, modifies the http request header with the decrypted information and passes it to the next middleware.

The second one checks if the (decrypted) access token is expired and depending on this - issues new access token, using the (decrypted) refresh token and again modifies the HTTP header with the new access token.

Here is my implementation: 1st.

1st middleware:

I issue my tokens using Identity Server. My

My question is - is this methodology of mine according to good practicepractices or not? And can you recommend any better implementations?

Decrypt incoming http request headers- best practices?

During each Http Request incoming from my Angular front-end I send encrypted pair of access & refresh token. On the back end an ASP.NET Web APIs are used. The way I decrypt them currently is by creating 2 custom middlewares in one of the APIs(one after another): The first one decrypt the access token, modifies the http request header with the decrypted information and passes it to the next middleware. The second one checks if the (decrypted) access token is expired and depending on this - issues new access token, using the (decrypted) refresh token and again modifies the Http header with the new access token.

Here is my implementation: 1st middleware:

I issue my tokens using Identity Server. My question is - is this methodology of mine good practice or not? And can you recommend any better implementations?

Decrypt incoming HTTP request headers

During each HTTP request incoming from my Angular front-end I send encrypted pair of access & refresh token. On the back-end ASP.NET web APIs are used.

The way I decrypt them currently is by creating 2 custom middlewares in one of the APIs (one after another):

The first one decrypt the access token, modifies the http request header with the decrypted information and passes it to the next middleware.

The second one checks if the (decrypted) access token is expired and depending on this - issues new access token, using the (decrypted) refresh token and again modifies the HTTP header with the new access token.

Here is my implementation.

1st middleware:

I issue my tokens using Identity Server.

My question is - is this methodology of mine according to good practices or not?

Source Link

asked Nov 10, 2022 at 19:29

Andrеw

21
1

Decrypt incoming http request headers- best practices?

During each Http Request incoming from my Angular front-end I send encrypted pair of access & refresh token. On the back end an ASP.NET Web APIs are used. The way I decrypt them currently is by creating 2 custom middlewares in one of the APIs(one after another): The first one decrypt the access token, modifies the http request header with the decrypted information and passes it to the next middleware. The second one checks if the (decrypted) access token is expired and depending on this - issues new access token, using the (decrypted) refresh token and again modifies the Http header with the new access token.

Here is my implementation: 1st middleware:

 public async Task InvokeAsync(HttpContext context)
        {
            string decryptedAccessToken = await tokenService.DecryptToken(context);

            if (string.IsNullOrEmpty(decryptedAccessToken))
            {
                await _next(context);
                return;
            }

            context.Request.Headers.Remove("Authorization");
            context.Request.Headers.Add("Authorization", "Bearer " + decryptedAccessToken);

            await _next(context);
        }

2nd middleware:

public async Task InvokeAsync(HttpContext context)
        {
            var tokenExpirationString = await tokenService.ExtractTokenClaimValue(context, ExpirationClaimName);
            var tokenExpirationValue = 0l;

            if (string.IsNullOrWhiteSpace(tokenExpirationString) || !long.TryParse(tokenExpirationString, out tokenExpirationValue))
            {
                await _next(context);
                return;
            }

            var tokenExpirationTime = DateTimeOffset.FromUnixTimeSeconds(tokenExpirationValue).LocalDateTime;
            var currentTime = DateTime.Now;
            
            if (tokenExpirationTime <= currentTime)
            {
                await tokenService.GetNewAccessToken(context);
                await _next(context);
                return;
            }

            await _next(context);
        }

I issue my tokens using Identity Server. My question is - is this methodology of mine good practice or not? And can you recommend any better implementations?

.net asp.net-web-api jwt

Stack Exchange Network

Return to Question

Decrypt incoming httpHTTP request headers- best practices?

Decrypt incoming http request headers- best practices?

Decrypt incoming HTTP request headers

Decrypt incoming http request headers- best practices?