I have Web APIs built in .NET 6 that have JWT authentication in place for security. As far as I know, the UI client application sends userName/password as the first request to the API, then the API validates the credentials and sends a response back to the client with a JWT token; from there the client application uses that token for any subsequent requests. In my case, the client will not be sending an explicit userName/password as its UI is being launched by SSO. So in this case my API will not receive a user validation request and no JWT will be generated. I am confused now: how and when will I generate a token for the client to use other API endpoints for fetching data from my API? Any ideas/suggestions please.
Or shall I change the authentication process to another one which is suitable for my scenario? Thanks
I have a web API server on, let's say, api.app.com which serves data for my app, and I have a separate web server on www.app.com which serves users the pages for the app. I am using a JWT created on the web API to authorize the user. The token is created when the client logs in from the login page served on www.app.com with a username and a password. I want www.app.com (web server) to send a request to api.app.com (web API) to authenticate the user and then store the token obtained from the web API inside a cookie on the client.
Then I want only API-authenticated clients to have access to pages on the web server, while the web server gets data from the web API on behalf of the client per request.
I have checked everywhere online, without a clear solution to this.
Web APIs are usually consumers of JWT tokens. Once received, they validate the token, check claims and proceed based on the result. Your environment is a little confusing to me.
It seems your API app is used as an identity server as well as a data provider. It is best to separate these concerns.
I'm building a Chrome Extension that connects to a .NET 5 server for handling all the heavy work. It typically needs to call Google APIs, hence must be OAuth 2.0 authenticated. Here is how I approach this:
First approach: Authentication in Chrome Extension
Use chrome.identity.getAuthToken to retrieve an access token in the service worker and pass it to backend server.
The backend server will then make API calls using the served token.
The drawback of this approach is that it won't work for long-running background tasks in the backend, as the access token might expire during the task while the client's Chrome browser is closed (hence it can't send a new token to the backend).
Second approach: Backend handles authentication
Make the backend server handle the authentication and exchange for a new token upon expiration.
When the Chrome extension makes a request to the backend, if the request hasn't been authenticated/authorized, the backend signals back the URL and the extension redirects the user to a new tab and asks the user to sign in and grant access.
There are some uncertainties about the second one:
How do we identify whether a request has been authenticated by OAuth 2.0? (My guess is via cookie.)
I've been following this guide https://developers.google.com/api-client-library/dotnet/guide/aaa_oauth but have not been able to authenticate on the POST request (when the UI calls this).
I'm super new to this OAuth world. It doesn't seem like the JWT bearer token process.
Thanks in advance.
I recently had the idea of programming my own web app, with functions which I will decide later on.
I implemented an ASP.NET Core 3.1 Web API => purpose of the API => authenticate users for my applications.
It has endpoints like => login (here the user will be authenticated with EF Core, SQL etc.), refreshtoken,
still pondering whether a "logout" endpoint is useful? Is expireson=15min for the JWT token enough?
This API will be used for many different projects I am planning on.
But I am having problems with how I should approach implementing it in my web application.
Should I make API calls to my API => get the token => then it's just blank. I have no idea how to approach the next step.
Can you help me with some tips?
It has endpoints like => login (here the user will be authenticated with EF Core, SQL etc.), refreshtoken, still pondering whether a "logout" endpoint is useful? Is expireson=15min for the JWT token enough?
For the logout endpoint and token expiry time, it depends on your requirements. Through the logout endpoint, we could clear the current user's identifiable information or personal data. For the expiry time, you could set it by yourself.
Should I make API calls to my API => get the token => then it's just blank. I have no idea how to approach the next step.
Without any sample code or error message, it is hard to narrow down the problem. So, it is better to post enough code to reproduce the problem, as in a Minimal, Complete, and Verifiable example.
Generally, when we use JWT authentication, the workflow is as below:
Client sends a request (which contains the user information, such as name and password) to the server for a token.
Server receives the user information and checks for authorization. If validation succeeds, the server generates a JWT token.
Client receives the token and stores it somewhere locally.
Client sends the token in future requests.
Server gets the token from the request header and computes the hash again by using a) the header from the token, b) the payload from the token, c) the secret key which the server already has.
If ("newly computed hash" = "hash that came in the token"), the token is valid; otherwise it has been tampered with or is not valid.
After configuring your application to use ASP.NET Core Identity and JWT authentication: when a user logs in, you could send the user information to the server side and check whether the current user is valid or not, then generate a JWT token, and on the client side you could store the token in web storage. After that, when you want to access the resource, pass this token in the authentication HTTP header.
For more detailed information about using JWT tokens, please refer to the following articles:
JWT Authentication In ASP.NET Core
ASP.NET Core 3.1 API - JWT Authentication with Refresh Tokens
I am trying to wrap my head around using JWT to secure a Web API written in C#, but am getting hung up on a few things. From my understanding the flow should be something like this:
Client provides username/password to the Web API from some client application (Angular, .NET, Mobile, etc)
The Web API validates that the username/password is correct and then generates a JWT (JSON Web Token) that contains the user's roles, information, expiration date, and other relevant information.
The JWT is sent back to the client application.
The client application hangs on to the JWT and sends it with future requests.
Assuming the above is correct (and please let me know if it is not), I am having trouble understanding the following things.
Once the Web API has validated the username/password and created the JWT, how does the JWT get passed back? Do I somehow add it to an HttpResponseMessage object? I can't seem to find a clear answer on this.
How should the client application pass the JWT back? Is this in the JSON data, appended to the URL, added to headers?
I see plenty of tutorials referencing OWIN and OAUTH. What are these and why do I need them? I am holding the user credentials and roles in the database used by the WEB API.
Once the Web API has validated the username/password and created the JWT, how does the JWT get passed back? Do I somehow add it to an HttpResponseMessage object?
Common practice is that on success, the response from the service has status code 200 OK in the response header and token-related data in the response body:
200 OK
Content-Type: application/json;charset=UTF-8
{
"access_token": "NgCXRK...MzYjw",
"token_type": "Bearer",
"expires_at": 1372700873,
"refresh_token": "NgAagA...Um_SHo"
}
How should the client application pass the JWT back? Is this in the JSON data, appended to the URL, added to headers?
Using the access token to make authenticated requests
Now that you have a token, you can make authenticated requests to the API. This is done by either setting the HTTP Authorization header or query string in the request depending on how the server is configured.
in a header
Authorization: Bearer NgCXRK...MzYjw
as a parameter
GET http://localhost:35979/v2/endpoint?access_token=NgCXRK...MzYjw
I see plenty of tutorials referencing OWIN and OAUTH. What are these and why do I need them?
OWIN — Open Web Interface for .NET http://owin.org/
OWIN defines a standard interface between .NET web servers and web applications. The goal of the OWIN interface is to decouple server and application, encourage the development of simple modules for .NET web development, and, by being an open standard, stimulate the open source ecosystem of .NET web development tools.
OWIN OAuth 2.0 Authorization Server
The OAuth 2.0 framework enables a third-party app to obtain limited access to an HTTP service. Instead of using the resource owner’s credentials to access a protected resource, the client obtains an access token (which is a string denoting a specific scope, lifetime, and other access attributes). Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner.
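The JWT flow from the earlier answer (client sends credentials, server signs, client presents the token, server recomputes the hash over header and payload with its own key and compares) together with the 200 OK token body and the Authorization: Bearer header shown in this answer, carried through end to end in Python. This is an added example, not code from either answer or from any .NET library; the secret key, the claims and the 900-second lifetime are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from configuration or a secret store.
SECRET = b"constructed-demo-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, roles: list, ttl: int = 900, now: Optional[int] = None) -> dict:
    """Login succeeded: build an HS256 JWT and the JSON body the API returns with 200 OK."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "roles": roles, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return {"access_token": f"{header}.{payload}.{_b64url(sig)}",
            "token_type": "Bearer", "expires_at": now + ttl}

def token_from_header(authorization: str) -> Optional[str]:
    """Client sends 'Authorization: Bearer <token>'; return the token, or None if malformed."""
    scheme, _, token = authorization.strip().partition(" ")
    return token if scheme.lower() == "bearer" and token else None

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Recompute the HMAC over header.payload with the server's key, compare, then check exp."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                             # pin the algorithm; never let the token choose it
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare of recomputed vs presented hash
        return None                             # mismatch: tampered header/payload or wrong key
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None                             # expired (or exp missing)
    return claims
```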
I'm developing a Web API and was looking to use Azure Mobile Services to authenticate users before allowing calls made to the Web API.
So the user would navigate to a website, choose to log in using their Google/Facebook/etc. account, and the user would be authenticated using the Mobile Services JavaScript client. From what I understand, Mobile Services will then return an authentication token in the form of a JSON Web Token.
What I would like to do is when website calls the Web API it would pass along the authentication token, the Web API would check that it's a valid token issued by Mobile Services and if all is good, then allow the call to be executed.
So my question is... is this possible? If so, could the JSON Web Token Handler for .NET be used to perform the validation on the Web API side?
Yes, that is possible.
If you perform a login using the MobileServiceClient, you will get a token that you can pass along with every request to a Web Api endpoint.
// Create the Mobile Services client for your service URL and application key
var client = new WindowsAzure.MobileServiceClient('https://yourservice.azure-mobile.net', 'your-client-key');
// Start the provider login flow; the promise resolves once the user is authenticated
client.login('facebook').then(success);
function success(result) {
    // client.currentUser now holds userId and mobileServiceAuthenticationToken
    alert('login ok');
}
So when making a request, set the value of the header 'X-ZUMO-AUTH' to the current user's token, which you find in client.currentUser.mobileServiceAuthenticationToken after a successful login.
On the server side, add the attribute [AuthorizeLevel(AuthorizationLevel.User)] to Web API methods that require the user to be authenticated. That's all.
But make sure that identity is configured properly on WAMS, and also on the provider side you want to integrate (client IDs, client secrets, callback URLs, etc.).