I've been in the process of updating a .NET Framework 4.8 web & web API to .NET 6. This app is hosted in Azure App Services and used the authentication settings/easy auth for both Azure AD (with personnel accounts) and Google. We allow unauthenticated requests, so users can access the home page and the download for the client.
I'm having issues with this after the .Net 6 update, as User.Identity.IsAuthenticated is not being set and I can't retrieve any claims to pick up the users email address. /.auth/login/aad works and I can see information at /.auth/me.
According to documentation from Microsoft, they say that there shouldn't be any code needed, but that seems not to be the case: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service#automatic-authentication-provided-by-app-service
I've also found this https://github.com/AzureAD/microsoft-identity-web/wiki/1.2.0#integration-with-azure-app-services-authentication-of-web-apps-running-with-microsoftidentityweb
Things that aren't working:
using Microsoft.Identity.Web; // AppServicesAuthenticationDefaults / AddAppServicesAuthentication live here

builder.Services.AddAuthentication(AppServicesAuthenticationDefaults.AuthenticationScheme)
    .AddAppServicesAuthentication();
Also not working (have the Azure Ad section created in the app settings)
using Microsoft.AspNetCore.Authentication.OpenIdConnect; // OpenIdConnectDefaults
using Microsoft.Identity.Web;                             // AddMicrosoftIdentityWebApp

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
I have tried many more things over the last couple of days, but can't remember them all.
I would rather have easy auth working with the same endpoints, as this app has a WPF client that is using /.auth/login/aad to log in. I don't want to have to rewrite how auth is done completely in the frontend client.
So how do you set up Easy Auth in Azure App Services and have the claims brought in to the app?
Thank you in advance!
While I did try KK.AspNetCore.EasyAuthAuthentication & MaximeRouiller.Azure.AppService.EasyAuth, I finally had success with NEasyAuthMiddleware! That bridged the gap successfully between the App Services Authentication & populating the claims. Nice and clear instructions on how to implement as well.
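For anyone who wants to see what such a bridge actually does before pulling in a package, here is an added example (not code from the question, the answer, or NEasyAuthMiddleware). It parses the X-MS-CLIENT-PRINCIPAL header that App Service authentication injects (base64 JSON with auth_typ, name_typ, role_typ and a claims array, per Microsoft's "access user claims in app code" documentation) into a ClaimsPrincipal, so User.Identity.IsAuthenticated and the claims come through. The WEBSITE_AUTH_ENABLED check is an assumption about the platform's app setting; the point of it is that the header must only be trusted when the App Service front door is actually in front of the process, otherwise a caller could forge it.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Shape of the JSON that App Service base64-encodes into the X-MS-CLIENT-PRINCIPAL header.
public sealed class EasyAuthPrincipal
{
    [JsonPropertyName("auth_typ")] public string? AuthType { get; set; }
    [JsonPropertyName("name_typ")] public string? NameClaimType { get; set; }
    [JsonPropertyName("role_typ")] public string? RoleClaimType { get; set; }
    [JsonPropertyName("claims")] public List<EasyAuthClaim> Claims { get; set; } = new();
}

public sealed class EasyAuthClaim
{
    [JsonPropertyName("typ")] public string Type { get; set; } = "";
    [JsonPropertyName("val")] public string Value { get; set; } = "";
}

public static class EasyAuthHeaderParser
{
    public const string PrincipalHeader = "X-MS-CLIENT-PRINCIPAL";

    // Returns an authenticated ClaimsPrincipal, or null if the header is absent or malformed.
    public static ClaimsPrincipal? Parse(string? headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue)) return null;

        byte[] json;
        try { json = Convert.FromBase64String(headerValue); }
        catch (FormatException) { return null; }

        EasyAuthPrincipal? payload;
        try { payload = JsonSerializer.Deserialize<EasyAuthPrincipal>(json); }
        catch (JsonException) { return null; }
        if (payload is null || payload.Claims.Count == 0) return null;

        // A non-null authenticationType is what makes User.Identity.IsAuthenticated true.
        var identity = new ClaimsIdentity(
            authenticationType: payload.AuthType ?? "EasyAuth",
            nameType: payload.NameClaimType ?? ClaimTypes.Name,
            roleType: payload.RoleClaimType ?? ClaimTypes.Role);
        foreach (var c in payload.Claims)
            identity.AddClaim(new Claim(c.Type, c.Value));
        return new ClaimsPrincipal(identity);
    }
}

public sealed class EasyAuthClaimsMiddleware
{
    private readonly RequestDelegate _next;
    private readonly bool _behindEasyAuth;

    public EasyAuthClaimsMiddleware(RequestDelegate next)
    {
        _next = next;
        // Only trust the header when the platform's auth front door is on (assumption: App
        // Service sets WEBSITE_AUTH_ENABLED=True). Running locally, or behind any host that does
        // not strip client-supplied X-MS-* headers, a caller could forge the principal.
        _behindEasyAuth = string.Equals(
            Environment.GetEnvironmentVariable("WEBSITE_AUTH_ENABLED"), "True",
            StringComparison.OrdinalIgnoreCase);
    }

    public async Task InvokeAsync(HttpContext context)
    {
        if (_behindEasyAuth && context.User.Identity?.IsAuthenticated != true)
        {
            var principal = EasyAuthHeaderParser.Parse(
                context.Request.Headers[EasyAuthHeaderParser.PrincipalHeader]);
            if (principal is not null) context.User = principal;
        }
        await _next(context);   // unauthenticated requests (home page, download) pass through
    }
}

// Program.cs: register before UseAuthorization so [Authorize] and User.Claims see the result.
//   app.UseMiddleware<EasyAuthClaimsMiddleware>();
//   app.UseAuthorization();
```

With this in place the e-mail address can be read with User.FindFirst(...) using whichever claim type /.auth/me shows for the provider (the type strings differ between Azure AD and Google), and the WPF client can keep using /.auth/login/aad unchanged.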
I need help.
I need to create an app which takes all events from different calendars from my company and displays them on computers in conference rooms. This is created and works well. To authenticate I use OAuth 2.0 as Google wants, but I tested it only on my computer. When the app was launched on the computer in the conference room, the app required logging into a Google account, which surprised me, because I put my OAuth 2.0 credentials into my code, so I thought that this would be enough.
How can I skip that part, to authenticate only from code level and not display the OAuth popup message to the user?
When you run your code locally you are authorizing it. If you are using the official Google API .NET client library, then it is storing your authorization credentials in the %appdata% folder on your machine. Once you move this to the computers in the conference rooms, they have not been authorized and therefore will require that you authorize them. So you should be able to just run it once on each machine and authorize it, and it will be all set.
If you do, however, have a Google Workspace account, I would recommend you look into using a service account and configuring domain-wide delegation; this would streamline your process a bit.
The following example shows how to use a service account with domain-wide delegation.
using Google.Apis.Auth.OAuth2;
using Google.Apis.Calendar.v3;

var credential = GoogleCredential.FromFile(PathToServiceAccountKeyFile)
    .CreateWithUser("user@yourdomain.com") // delegate to a user on the workspace (placeholder address)
    .CreateScoped(new[] { CalendarService.ScopeConstants.Calendar });
I am currently building an api along side our external app developers. I have read that the Authorization Flow with PKCE is definitely what we need for this set up however I am looking for some more detailed advice.
Our existing api uses the implicit flow and the app sends credentials + secret etc to the /Token endpoint in the api this then looks up the passed in data and compares with our users table. If that passes an Access Token is returned to the app.
With this new flow I have the following questions:
Do I have to use Okta Portal/Dashboard and set up the api there?
Do all app users have to be stored in the Okta dashboard? We usually manage our own users table where we add users from a custom tool. However, I am presuming when using Okta our custom tool would need to call an Okta API endpoint and register the user from there, and then get and store the user's Okta ID in our own table. Does anyone have an example of how I do this from a C# WPF application?
Do I then need to request the Redirect URLs from the app developer and set them up as a Native App in the Okta dashboard? Presuming I need to give them some set values to hold on their end to allow them to call Okta at authorization.
OpenID: do I need this? If so, how and where does this get implemented?
I have read through so many tutorials but just haven't quite found the exact fit yet.
Many thanks
You will need to access the Okta admin console to register a client application. Once done, you can use the Okta OIDC APIs: https://developer.okta.com/docs/reference/api/oidc/.
You can use the Okta SDKs to simplify the development process. Ex: https://github.com/okta/okta-oidc-ios
If Okta is going to be the authorization server, users and their credentials will need to exist in Okta.
When you create a native app in the Okta admin console, you will need to provide the redirect URIs that will be whitelisted.
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. When you create a native application in Okta, it will be an OIDC application.
I am new to .NET Core, and while I have .NET experience, I have never built authentication; in the past I've always worked on projects not started by me. I am just trying to learn and find good resources, and I would greatly appreciate it if anyone knows a tutorial or can explain how to solve this.
When using external logins, I followed the instructions here. This all works well if I create a simple web API project and run it: I get a web page where I can log in and authenticate, works perfectly. But this is not my end goal; I am building Web APIs, not a Web Application. In my case let's say I have iOS and Android apps and my external login is done on the app itself. How would I pass the token to the Web APIs? I want to use the [Authorize] attribute in the Web APIs to make sure that no unauthorized access is made against the APIs, and in addition to that I would like to use roles.
I am assuming token information is passed in a header. But what is the header name for the token? Can external authentication be used with roles, or is that only possible if I store username/password? Can you point me to some good tutorial or anywhere I can learn more, because all Google searches return back to the same thing I have mentioned above and it is not very descriptive.
In general, your web API will work like an identity provider; it will issue and validate the JWT tokens:
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
You can also implement authorization with the help of your external login provider. If you have an SDK or your own code in your client app to help do authentication, then for the authorization part you can also register your web API in the same identity provider. For example, if you are using the Google authentication external login in your client app, you should register your client app and web API on Google's application registration page; then you could use the OpenID Connect hybrid flow to authenticate the user and get an access token for accessing the web API. Each identity provider provides lots of documents on how to implement authentication/authorization.
You can have an endpoint that allows anonymous access and takes the token and verifies it. Then it can send back a JWT that contains claims/roles that you want to enforce on the specific user. Every time the client accesses a secure endpoint, it can send your JWT in the header which gets verified before the specific method in your API controller is called. You can look into OAuth flows if you want to integrate social logins.
For example, Google has this documentation for OAuth:
https://developers.google.com/identity/sign-in/web/backend-auth
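To make the two answers above concrete, here is an added example (not from either answerer) of the API minting its own JWT once the Google/Facebook token has been verified and the user looked up in your own users table, and then validating that JWT the way the JwtBearer handler does for [Authorize]. It answers the header question directly: the client sends Authorization: Bearer <jwt>. The signing key, issuer and audience are constructed placeholders; the roles come from your own table, which is why external login and roles combine fine.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class ApiTokens
{
    // Constructed demo key (40 bytes, so it satisfies HS256's 256-bit minimum). In production
    // load the secret from configuration or a key vault; it never ships inside the mobile app.
    private static readonly SymmetricSecurityKey SigningKey =
        new(Encoding.UTF8.GetBytes("demo-only-signing-key-change-me-32bytes!"));
    private const string Issuer = "https://api.example.com";   // placeholder
    private const string Audience = "example-mobile-clients";  // placeholder

    // Called by the anonymous login endpoint after the external provider's token has been
    // verified server-side and the user found in your users table (roles come from that table).
    public static string Issue(string userId, string email, IEnumerable<string> roles)
    {
        var claims = new List<Claim>
        {
            new(JwtRegisteredClaimNames.Sub, userId),
            new(JwtRegisteredClaimNames.Email, email),
            new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
        };
        claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));

        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: Issuer, audience: Audience, claims: claims,
            notBefore: now, expires: now.AddMinutes(30),   // short-lived; re-login or refresh, don't extend
            signingCredentials: new SigningCredentials(SigningKey, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // The rules applied to every request to an [Authorize] endpoint.
    public static TokenValidationParameters ValidationParameters() => new()
    {
        ValidIssuer = Issuer,
        ValidAudience = Audience,
        IssuerSigningKey = SigningKey,
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateIssuerSigningKey = true,
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromSeconds(30),                       // library default is 5 minutes
        ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },  // pin the algorithm
        RoleClaimType = ClaimTypes.Role,                            // makes [Authorize(Roles=...)] work
    };

    // Manual equivalent of what the JwtBearer middleware does with the Authorization header.
    // Returns null for anything that should be answered with 401.
    public static ClaimsPrincipal? Validate(string? authorizationHeader)
    {
        const string scheme = "Bearer ";
        if (authorizationHeader is null ||
            !authorizationHeader.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return null;
        try
        {
            return new JwtSecurityTokenHandler()
                .ValidateToken(authorizationHeader[scheme.Length..], ValidationParameters(), out _);
        }
        catch (SecurityTokenException) { return null; }   // expired, bad signature, wrong audience...
        catch (ArgumentException) { return null; }        // not a JWT at all
    }
}

// Program.cs wiring (placeholder sketch):
//   builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
//       .AddJwtBearer(o => o.TokenValidationParameters = ApiTokens.ValidationParameters());
//   app.UseAuthentication(); app.UseAuthorization();
// Then [Authorize(Roles = "admin")] on a controller checks the role claims minted in Issue().
```

The important split is that the external provider's token proves who the person is once, at the login endpoint; everything after that is your own token, so roles, expiry and revocation stay under your control.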
I am building a Xamarin app which will authenticate with Identity Server. I have this working with ASP.NET Identity Core. However, I'd like to be able to use AD as well. The documentation states this is possible but gives no examples. My biggest issue is that I'm using IdentityModel to manage my login calls, and I don't see any calls that seem to relate to AD.
I've discovered IExtensionGrantValidator, but I don't see any way, in that code, to work out the AD user logged in, in the client application. I could obviously make the user my payload, but at that stage it doesn't seem secure enough to me. I could make it work that way easily, but I'm hoping for a way that IdentityServer validates against the AD user, hopefully including that they are associated with a specific role.
I am hoping someone can point me to sample code for using AD (not Azure AD) with Identity Server.
Thanks
Here is the documentation about Windows Authentication. Also, in AccountOptions.cs set public static bool WindowsAuthenticationEnabled = true; and have in mind:
to enable windows authentication, the host (IIS or IIS Express) also must have windows auth enabled.
Then in AccountController.cs you have a method "ExternalLogin", and there you have a check for Windows Authentication, where you can follow what happens, but the important work is the above.
I am looking at adding custom authentication to my existing Xamarin.Forms app through Azure Mobile Services. Currently, my app authenticates itself against an existing WebAPI, but the authentication isn't secure and I don't really want to start trying to create my own secure authentication process for production. I thought that Azure Mobile Services would be a good way of being able to keep the custom authentication side of my app (authentication against a current identity provider isn't an option); however, I already have all the storage etc. set up in an existing SQL database, by sending it to the WebAPI first and then saving details.
I guess my question is: is it possible to set up Azure Mobile Services with my current WebAPI acting as a kind of middleman? The basic workflow would include my app sending the login details to the WebAPI, the WebAPI passing these on to Azure Mobile Services for authentication, and then returning the response including the token to the app after it has been stored on the WebAPI side.
The reason I thought that Azure Mobile Services would be a good choice was because it also provides support for push notifications as well as the custom authentication side of things.
Thanks.
Take a look at the following for custom authentication: https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/
Short version: yes, it is possible. You create a custom WebAPI that mints a ZUMO token within your Azure Mobile Apps SDK. Within that minting process, you can check the user's credentials (either a token, remote API or whatever) any way you want.
I am not sure if that is possible. You are trying to authenticate through two different applications. It might be possible to write the mobile service client login code in your web API app to use authentication from the Mobile Service app and get the token back. But then you still have to manage the user sessions between your Xamarin app and web API app, cross-origin stuff, etc.
Since a mobile service app really is a web API wrapped with some extra functionality, have you considered moving your web API app to a mobile service? That might be easier in my opinion.
Yes, this is possible.
In our app the user is able to register and to log in with Twitter and Facebook, but with their own email + password, too.
In WAMS we sync the social account and "our" account (stored in the db).
Have a look at ClaimsIdentity and Microsoft.WindowsAzure.Mobile.Service.Security IServiceTokenHandler to implement custom authentication and returning a custom token.