Interface IAuthentication

Namespace
The.Security
Assembly
Instagile.dll

Implementations of IAuthentication ("authenticators") represent methods of acquiring and validating identities. All authenticators support the following use cases:

- produce an identity from supplied credentials (which may be null in the case of an "ambient" identity)
- validate asserted credentials or the ambient identity

For client/server authentication, extra features may optionally be supported:

- sign/verify a message, used to mutually authenticate on a per-operation basis
- encrypt/decrypt a message, used to mutually authenticate a session key
- enter credentials from user input, which can then be used to support any of the above functions

public interface IAuthentication

Properties

CanEncrypt

true if the authenticator supports secured key exchange

bool CanEncrypt { get; }

Property Value

bool

Remarks

This is used to establish shared secrets. Implementations could be based on public-key cryptography, Diffie-Hellman, or out-of-band methods.

CanLookup

true if the authenticator supports looking up an IUserAccount for an authenticator-specific username

bool CanLookup { get; }

Property Value

bool

CanSign

true if the authenticator supports digital signatures (not necessarily cryptographic)

bool CanSign { get; }

Property Value

bool

Remarks

The signature does not have to be derived from the operation bytes; it can use some other capability, such as an ambient Windows logon. Note that a token which is not bound to the operation authenticates the caller but not the content of the operation, so it cannot detect tampering with, or replay against, a different operation.

IsAuthoritative

If true, the returned identity should be accepted without server verification

bool IsAuthoritative { get; }

Property Value

bool

Remarks

May depend on ambient state, so don't cache the result. As well as enabling automatic login, this is used by SecurityService to decide whether it is acceptable to perform purely local authentication without calling IEntityStore.Connect.

Realm

Describes identities within the purview of this authenticator

string Realm { get; }

Property Value

string

RequiresCredentials

true if non-empty Credentials are required in order to perform client-side identity operations

bool RequiresCredentials { get; }

Property Value

bool

Methods

CheckSignatureAsync(IEntityContext, Identity, byte[], byte[])

Check a signature produced by the specified identity (which may belong to a realm other than this authenticator's).

Task<AuthenticationResult> CheckSignatureAsync(IEntityContext scopedContext, Identity subject, byte[] operation, byte[] token)

Parameters

scopedContext IEntityContext
subject Identity
operation byte[]
token byte[]

Returns

Task<AuthenticationResult>

(true if a valid signature was found for the subject; failure reason, or null on success)

CreateSignatureAsync(Credentials, byte[])

Sign a message using the supplied credentials.

Task<AuthenticationResult<byte[]>> CreateSignatureAsync(Credentials credentials, byte[] operation)

Parameters

credentials Credentials
operation byte[]

Returns

Task<AuthenticationResult<byte[]>>

opaque signature

DecryptDataAsync(IAlgorithmProvider, Credentials, byte[])

Decrypt a message addressed to the supplied credentials.

Task<AuthenticationResult<byte[]>> DecryptDataAsync(IAlgorithmProvider algorithmProvider, Credentials credentials, byte[] data)

Parameters

algorithmProvider IAlgorithmProvider
credentials Credentials
data byte[]

Returns

Task<AuthenticationResult<byte[]>>

(decrypted message, or null; failure reason, or null on success)

EncryptDataAsync(IAlgorithmProvider, IEntityContext, Identity, byte[])

Create an encrypted message that can be decrypted only by the specified subject (an account username if CanLookup is true).

Task<AuthenticationResult<byte[]>> EncryptDataAsync(IAlgorithmProvider algorithmProvider, IEntityContext scopedContext, Identity subject, byte[] data)

Parameters

algorithmProvider IAlgorithmProvider
scopedContext IEntityContext
subject Identity
data byte[]

Returns

Task<AuthenticationResult<byte[]>>

encrypted message

GetIdentity(Credentials)

Extract a subject from the environment or the supplied credentials.

AuthenticationResult<string> GetIdentity(Credentials credentials)

Parameters

credentials Credentials

Returns

AuthenticationResult<string>

subject name, unverified (from local knowledge only)

LookupAccount(string)

Find the username of an IUserAccount for a username produced by this authenticator. Available synchronously only if IsAuthoritative returns true.

AuthenticationResult<string> LookupAccount(string subject)

Parameters

subject string

Returns

AuthenticationResult<string>

LookupAccountAsync(IEntityContext, string)

Find the username of an IUserAccount for a username produced by this authenticator.

Task<AuthenticationResult<string>> LookupAccountAsync(IEntityContext scopedContext, string subject)

Parameters

scopedContext IEntityContext
subject string

Returns

Task<AuthenticationResult<string>>

VerifyIdentity(Credentials, string)

Verify that the subject matches the supplied credentials. Available synchronously only if IsAuthoritative returns true.

AuthenticationResult VerifyIdentity(Credentials credentials, string subject)

Parameters

credentials Credentials
subject string

Returns

AuthenticationResult

(true/false for the authentication state; failure reason, or null on success)

VerifyIdentityAsync(Credentials, IEntityContext, string)

Verify that the subject matches the supplied credentials.

Task<AuthenticationResult> VerifyIdentityAsync(Credentials credentials, IEntityContext scopedContext, string subject)

Parameters

credentials Credentials
scopedContext IEntityContext
subject string

Returns

Task<AuthenticationResult>

(true/false for the authentication state; failure reason, or null on success)
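Examples

The following is an added example, not code from Instagile.dll or its documentation. It implements IAuthentication with a hypothetical HmacAuthenticator (per-user HMAC-SHA256 keys held locally, so IsAuthoritative and CanSign are true and CanEncrypt is false) and runs the client/server per-operation exchange described above: the client derives a subject with GetIdentity and signs the operation bytes with CreateSignatureAsync, the server checks the token with CheckSignatureAsync, and the same token presented with a modified operation is rejected. The member signatures are those on this page; the shapes of AuthenticationResult, Credentials, Identity, IEntityContext and IAlgorithmProvider are assumptions (positional records and empty interfaces standing in for the real types in Instagile.dll), as are the NoContext class, the realm name and the sample key store. It targets .NET 6 or later for HMACSHA256.HashData.

```csharp
// Added example (not code from Instagile.dll): a minimal HMAC-based authenticator implementing IAuthentication,
// driven through a client/server per-operation sign/verify exchange. Member signatures are copied from the page.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

// ASSUMED stand-ins for Instagile.dll types. Success: true/false = authenticated or not; null = cannot decide.
public sealed record AuthenticationResult(bool? Success, string Failure);
public sealed record AuthenticationResult<T>(T Value, string Failure);
public sealed record Credentials(string UserName, string Secret);
public sealed record Identity(string Realm, string Subject);
public interface IEntityContext { }
public interface IAlgorithmProvider { }
public sealed class NoContext : IEntityContext { }

public interface IAuthentication
{
    bool CanEncrypt { get; }
    bool CanLookup { get; }
    bool CanSign { get; }
    bool IsAuthoritative { get; }
    string Realm { get; }
    bool RequiresCredentials { get; }
    Task<AuthenticationResult> CheckSignatureAsync(IEntityContext scopedContext, Identity subject, byte[] operation, byte[] token);
    Task<AuthenticationResult<byte[]>> CreateSignatureAsync(Credentials credentials, byte[] operation);
    Task<AuthenticationResult<byte[]>> DecryptDataAsync(IAlgorithmProvider algorithmProvider, Credentials credentials, byte[] data);
    Task<AuthenticationResult<byte[]>> EncryptDataAsync(IAlgorithmProvider algorithmProvider, IEntityContext scopedContext, Identity subject, byte[] data);
    AuthenticationResult<string> GetIdentity(Credentials credentials);
    AuthenticationResult<string> LookupAccount(string subject);
    Task<AuthenticationResult<string>> LookupAccountAsync(IEntityContext scopedContext, string subject);
    AuthenticationResult VerifyIdentity(Credentials credentials, string subject);
    Task<AuthenticationResult> VerifyIdentityAsync(Credentials credentials, IEntityContext scopedContext, string subject);
}

// Shared-secret authenticator: per-user HMAC keys are held locally, so it is authoritative and can sign
// each operation, but it offers no key exchange (CanEncrypt is false).
public sealed class HmacAuthenticator : IAuthentication
{
    private readonly Dictionary<string, byte[]> _keys; // username -> HMAC key
    public HmacAuthenticator(Dictionary<string, byte[]> keys) => _keys = keys;
    public bool CanEncrypt => false;
    public bool CanLookup => true;
    public bool CanSign => true;
    public bool IsAuthoritative => true;
    public string Realm => "hmac-local";
    public bool RequiresCredentials => true;
    private static byte[] Mac(byte[] key, byte[] data) => HMACSHA256.HashData(key, data);
    public AuthenticationResult<string> GetIdentity(Credentials credentials) =>
        credentials is null ? new(null, "credentials required") : new(credentials.UserName, null);
    public AuthenticationResult VerifyIdentity(Credentials credentials, string subject)
    {
        if (credentials is null || credentials.UserName != subject || !_keys.TryGetValue(subject, out var key))
            return new(false, "unknown subject or mismatched credentials");
        bool ok = CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(credentials.Secret), key);
        return new(ok, ok ? null : "bad secret");
    }
    // The token is an HMAC over the operation bytes, so it cannot be replayed against a different operation.
    public Task<AuthenticationResult<byte[]>> CreateSignatureAsync(Credentials credentials, byte[] operation) =>
        Task.FromResult(credentials is null
            ? new AuthenticationResult<byte[]>(null, "credentials required")
            : new AuthenticationResult<byte[]>(Mac(Encoding.UTF8.GetBytes(credentials.Secret), operation), null));
    public Task<AuthenticationResult> CheckSignatureAsync(IEntityContext scopedContext, Identity subject, byte[] operation, byte[] token)
    {
        if (subject.Realm != Realm) return Task.FromResult(new AuthenticationResult(null, $"realm '{subject.Realm}' not handled here"));
        if (!_keys.TryGetValue(subject.Subject, out var key)) return Task.FromResult(new AuthenticationResult(false, "unknown subject"));
        bool ok = CryptographicOperations.FixedTimeEquals(Mac(key, operation), token); // constant-time compare
        return Task.FromResult(new AuthenticationResult(ok, ok ? null : "signature does not match operation"));
    }
    public AuthenticationResult<string> LookupAccount(string subject) =>
        _keys.ContainsKey(subject) ? new(subject, null) : new(null, "no such account");
    public Task<AuthenticationResult<string>> LookupAccountAsync(IEntityContext scopedContext, string subject) => Task.FromResult(LookupAccount(subject));
    public Task<AuthenticationResult> VerifyIdentityAsync(Credentials credentials, IEntityContext scopedContext, string subject) => Task.FromResult(VerifyIdentity(credentials, subject));
    // No key exchange: fail honestly rather than pretend to encrypt; callers should consult CanEncrypt first.
    public Task<AuthenticationResult<byte[]>> EncryptDataAsync(IAlgorithmProvider ap, IEntityContext ctx, Identity subject, byte[] data) => Task.FromResult(new AuthenticationResult<byte[]>(null, "encryption not supported"));
    public Task<AuthenticationResult<byte[]>> DecryptDataAsync(IAlgorithmProvider ap, Credentials credentials, byte[] data) => Task.FromResult(new AuthenticationResult<byte[]>(null, "encryption not supported"));
}

public static class Demo
{
    public static async Task Main()
    {
        var store = new Dictionary<string, byte[]> { ["alice"] = Encoding.UTF8.GetBytes("k-alice-0123") }; // constructed sample key store
        IAuthentication client = new HmacAuthenticator(store), server = new HmacAuthenticator(store); // toy: both sides share it
        var creds = new Credentials("alice", "k-alice-0123");
        if (!client.CanSign) throw new InvalidOperationException("per-operation authentication requires CanSign");
        // Client: subject from credentials (unverified), then a token bound to this specific operation.
        string subject = client.GetIdentity(creds).Value;
        byte[] op = Encoding.UTF8.GetBytes("DELETE /orders/42");
        byte[] token = (await client.CreateSignatureAsync(creds, op)).Value;
        // Server: check the token against the asserted identity; the same token on a modified operation must fail.
        var ctx = new NoContext(); var id = new Identity(server.Realm, subject);
        var genuine = await server.CheckSignatureAsync(ctx, id, op, token);
        var tampered = await server.CheckSignatureAsync(ctx, id, Encoding.UTF8.GetBytes("DELETE /orders/43"), token);
        // Synchronous, purely local verification is allowed only because IsAuthoritative is true.
        var local = server.IsAuthoritative ? server.VerifyIdentity(creds, subject) : await server.VerifyIdentityAsync(creds, ctx, subject);
        Console.WriteLine($"genuine: {genuine.Success}, tampered: {tampered.Success} ({tampered.Failure}), local: {local.Success}");
    }
}
```

Two conventions in the example are worth noting. CheckSignatureAsync returns a null Success (with a reason) when the subject's realm is not its own, which distinguishes "this authenticator cannot decide" from "rejected", so a SecurityService-style caller can try another realm's authenticator instead of failing the request. Every signature is bound to the operation bytes, which is what makes per-operation mutual authentication meaningful: a token produced by some other capability, as the CanSign remarks permit, would still identify the caller but would not protect the operation's content against modification in transit.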