I'm working on a Windows Desktop application that needs to authenticate to a Web API that uses JWT.
We are using the authentication based on if the end-user of the desktop client is successfully logged into their computers with a smart card. So if they are logged into their computers, we pass a specific piece of that data to our Web API to verify that value is in the database of the Web API, and then that particular data will use that to determine the roles. JWT works excellent and has no issues. We are accomplishing JWT via this article: https://auth0.com/blog/add-auth-to-native-desktop-csharp-apps-with-jwt/
Is there another way to make sure they are coming from our desktop applications and not hitting our API via another application in the network? Or do we not need to worry about that since they have been pre-authenticated into the computer itself.
Related
We have a Azure AD secured web api which calls a backend azure service. It basically acts as a middle tier. This web api can be called by client applications with/without signed in users. We needed the web api to call azure service on behalf of clients. We implemented this for signed in users scenario based on
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow.
Now, we want to implement it for "without signed in users" scenario. We want to call azure service on behalf of calling client application. My understanding from reading the above blog is that on-behalf-of flow is not supported for applications without signed in users. Am I understanding it correctly ? Is there a way to achieve it ?
I am currently building an api along side our external app developers. I have read that the Authorization Flow with PKCE is definitely what we need for this set up however I am looking for some more detailed advice.
Our existing api uses the implicit flow and the app sends credentials + secret etc to the /Token endpoint in the api this then looks up the passed in data and compares with our users table. If that passes an Access Token is returned to the app.
With this new flow I have the following questions.....
Do I have to use Okta Portal/Dashboard and set up the api there?
Do all app users have to be stored in Okta dashboard? We usually manage our own users table where we add users from a custom tool. However I am presuming when using Okta our custom tool would need to call Okta api endpoint and register the user from there and then get and store the users Okta ID in our own table. **Does anyone have an example of how I do this from a C# Wpf application?
Do I then need to request the Redirect URL's from the App developer and set them up as a Native App in Okta dashboard. Presuming I need to give them some set values to hold their end to allow them to call Okta at authorization.
OpenID????? do I need this if so how and where does this get implemented?
I have read through so many tutorials but just havent quite found the exact fit yet.
Many thanks
You will need to access Okta admin console to register a client application. Once done, you can use Okta OIDC API's: https://developer.okta.com/docs/reference/api/oidc/.
You can use Okta SDK's to simplify the development process. Ex: https://github.com/okta/okta-oidc-ios
If Okta is going to be the authorization server, users and their credentials will need to exist in Okta
When you create a native App in Okta admin console, you will need to provide the redirect URI's that will be whitelisted
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. When you create a native application in Okta, will be a OIDC application.
I have an Azure-based .NET Core Web API application that I want to communicate with an Azure-based MVC5 application. The MVC5 application requires its clients to have a credential in our Azure AD instance. We connect to this app with our SSO Azure AD credentials.
The .NET Core app does not authenticate against Azure; there's no credential pass-through possible for its consumers. BUT... it's hosted in the same Azure instance, so it seems like I should be able to send an authenticated request from the web api to the MVC app with relative ease.
The documentation on this is quite confusing though. There's talk about x.509 certs (this really doesn't seem necessary), OAuth 2.0 grants and flows (I may not be able to get around that, I don't know)... but is there some simple, relatively "brainless" way to have the one service talk securely with the other without building some kind of complicated scaffolding and/or configuration? I'm kinda hoping there's a way to just instantiate a HttpClient or WebRequest, call some method to get the proper Authorization header (or maybe cookie?), and send my request on its merry way... but if it exists, it remains elusive to me.
Any elucidation on this would be helpful, thanks.
This sort of depends. First, to be clear, you are trying to call an action in the MVC app from the API app? This seems a little odd (more often, a MVC front-end might need to call the api). Regardless, it should still be the same.
Question: Do you want you api app to always call the MVC app as "itself"? So, your api app would have an identity that is authorized to call an action on your MVC app? If so, this is exactly what the OAuth Client Credentials flow is for:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service
With this flow, you create an Azure AD application registration that represents your API app. Then, at runtime, your API app uses its client id and client secret to acquire a token it can use to call the MVC app (typically passed as a bearer token in the Authorization header). Part of what you can do with the app registration is give it delegated access to your MVC app, but you can also manage which "clients" you want to allow access in your MVC app.
Hopefully this makes sense.
I am looking at adding custom authentication to my existing Xamarin.Forms app through Azure Mobile Services. Currently, my app authenticates itself against an existing WebAPI but the authentication isn't secure and I don't really want to start trying to create my own secure authentication process for production. I thought that Azure Mobile Services would be a good way of being able to keep the custom authentication side of my app (authentication against a current identity provider isn't an option) however I already have all the storage etc set up in an existing SQL database by sending it to the WebAPI first and then saving details.
I guess my question is: Is it possible to set up Azure Mobile Services with my current WebAPI acting as a kind of middleman? The basic workflow would include my app sending the log in details to the WebAPI, the WebAPI passing these on to Azure Mobile Services for authentication and then returning the response including token to the app after being stored on the WebAPI side.
The reason I thought that Azure Mobile Services would be a good choice was because it also provides support for push notifications as well as the custom authentication side of things.
Thanks.
Take a look at the following for custom authentication: https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/
Short version - yes, it is possible. You create a custom WebAPI that mints a ZUMO token within your Azure Mobile Apps SDK Within that minting process, you can check the users credentials (either a token, remote API or whatever) any way you want.
I am not sure if that is possible. You are trying authenticate through two different application. It might be possible to write the mobile service client login code in your web API app to use authentication from Mobile Service app and get the token back. But then you still have to manage the user sessions between your Xamarin app and web api app, cross origin stuff and etc,
Since mobile service app really is a web api wrapped with some extra functionality, have you considered moving your web api app to mobile service? That might be easier in my opinion.
Yes, this is possible.
In our app the user is able to register and to login with twitter and Facebook but with own email + pw, too.
In wams we sync the social account and "our" account (stored in the db).
Have a look at ClaimsIdentity and Microsoft.WindowsAzure.Mobile.Service.Security IServiceTokenHandler to implement custom authentication and returning a custom token.
I am writing two applications which communicate with the facebook servers. The first one is an ASP .NET application which gets an access token for the user and another console application which runs on a schedule and gets some data from the server. My issue is how to send the access token to the console application since I cannot get a user access token from a pure C# application right?
There are many ways to pass data between applications. You can use database, file system if your applications are running on one server. You can also try web service, wcf service or web api in distributed systems.