I currently have an app built in MVC 5 that uses individual authentication and has Web API access if the user is authenticated within the browser using their username and password.
I am looking to now add in the ability for Token based authentication so that users can GET and POST data to my app from other applications they utilize. I have been searching forums but unable to find a great method that explains the entire process.
Does anyone have any tutorials for this?
Use JWTs. This is a fast and secure way to let users authenticate and act securely with the APIs of your solution
see here
Related
I am looking for a way how to implement authentication and authorization fo several applications.
I have one main application and several child application.
I have only one domain so I access my child applications like a mydomain.com/app1.
My goal:
Use one account for all web applications
Have specific permission for each user, for each application
Implement register, login views only once.
My thoughts are:
- Create one WebApp/API which will maintain user accounts
- Call this webapp from other apps
I was googling a lot and I found some technologies which could be useful:
Jwt bearer token - generate token with claims and in each app
implement logic which claims are necessary for specific policy
Identity server 4
I am so confused from identity server so I don't undestand how to use it (but according to description I thnik it could help to solve my problem)
Something like this scenario:
Request web page
WebApp checks authentication (proprably Jwt token?) if user is not authenticated call auth server --> some login page
After authentication Jwt is generated, Jwt & webpage from web app is returned to user
I saw lot of samples, but most of them are for fronted backend solutions, mobile applications etc..
I would like to use simple MVC, Razor pages apps..
Are my thoughts right or it should be done in other way?
Could you recommend me some technologies, tutorials how to achieve this?
Thank you very much!
I am new to .NET core and while I have .NET experience, I have never built authentication, in the past I've always worked on project not started by me. I am just trying to learn and find good resources and I would greatly appreciate if anyone knows tutorial or if it can explain how to solve this.
When using external logins, I followed those instructions here. This all works well if I create simple web api project and run, I get a web page where I can login, authenticate, works perfect. But this is not my end goal, I am building Web APIs not a Web Application. In my case let's say I have iOS and Android apps and my external login is done on the app itself, how would I pass token to Web APIs? I want to use [Authorize] method in Web APIs to make sure that no un-authorized access is made agains APIs and in addition to that I would like to use roles.
I am assuming token information is passed in header. But what is the header name for token? Can external authentication be used with roles or that is only possible if I store username/password? Can you point me to some good tutorial or anywhere I can learn more because all google search returns back to same like I have mentioned above and it is not very descriptive.
In general , your web api will work like a identity provider , it will issue and validate the JWT tokens :
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
You can also implement authorization with the help of your external login provider .If you have SDK or own code in your client app to help do authentication , for authorization part , you can also register your web api in the same identity provider . For example , you are using the google authentication external login in your client app , you will should register your client app and web api on google's application registration page , then you could use OpenID Connect hybrid Flow to authentication user and get access token for accessing web api . Each identity provider provides how to implement authentication/authorization with lots of documents.
You can have an endpoint that allows anonymous access and takes the token and verifies it. Then it can send back a JWT that contains claims/roles that you want to enforce on the specific user. Every time the client accesses a secure endpoint, it can send your JWT in the header which gets verified before the specific method in your API controller is called. You can look into OAuth flows if you want to integrate social logins.
For example, Google has this documentation for OAuth-
https://developers.google.com/identity/sign-in/web/backend-auth
I have created a web API application with OAuth2 (token bearer). The application is working fine. But now I want to implement google/facebook sign in with it so that both web and mobile users can use it.
After a bit of search, I found that firebase is a good option for this. But I am not able to find a way to authenticate the external token to the access token of the API. Pardon my understanding with firebase, I am completely new to it (just started a couple of hours ago). I have a few questions regarding this.
Do I have to change my current authentication method and use firebase authentication for internal login as well or is there some other way?
I am storing the data in an external DB. Do I will have to use the firebase db for the user to validate.
How do I validate the access token with external login token?
Kindly suggest. If there's any alternative approach, that too will be appreciated.
PS: I am using Owin for Authentication right now
For use external login with firebase you need a token thats all.
https://firebase.google.com/docs/auth/admin/create-custom-tokens
Not, you can use your un service for validate your user.
Please Read the link that i posted
I have created a Web API application, an MVC application, and a mobile application.
The Web API should be decoupled from the other two applications as much as possible. I'm using the Password Grant flow here: clients using the Web API needs to send a POST to /Token with username and password. The returned access token is then used for further calls to the API using standard Authorization: Bearer <access_token>.
The MVC application is only accessible for a select few users, and it has its own database which contains the information and roles of these users. Some parts of the MVC application should be restricted to only one or two users (for example), while other parts should be accessible for all registered users. This can be done by using Authorize attributes on the specific controllers within the MVC application - all good. Furthermore, the MVC application should be able to interact with the Web API.
Secondly, I want to have a mobile application to be able to interact with the Web API. A key point here is that I won't require users to register in the app. So essentially, (how it's in my head right now) the only thing the API would see is "this token belongs to the "AndroidApp" user and has password X - sure thing, you're known to me, I'll grant you access". This seems to me a bit 'insecure', meaning that all users of the mobile app will share the same auth credentials.
Questions:
User A is one of the users who are allowed to access the MVC application - I want him to be recognized by both the MVC app, and thereafter the Web API. Is there an easy way to synchronize data between two databases, or should I just register him in both databases (one for MVC, one for API)? There is probably a better third option I haven't thought about.
User B is a user of the mobile application, and he should not be able to access the MVC application. How can this be ensured? Obviously, the MVC user database won't have any info about mobile app users. I'm just wondering about the security aspect of just having one single pair of auth credentials embedded in the app - doesn't sound good to me.
I stumbled upon this question, which basically is the same as mine. But I don't really see the need for Authorization Code Grant flow for the web app (MVC application in my case) as the accepted answer suggests.
I hope my questions make sense, otherwise please let me know :)
My answer doesn't directly answer your question but rather offers an alternative.
In the past when developing similar solutions I've used a specialist third party identity service Auth0.
With Auth0 you can have different application keys, profiles and also create rules (webhooks) which are executed as part of the authentication pipeline. They offer a range of social login as well as AD integration. They offer free and paid pricing.
I am not affiliated with Auth0 in any way, but will use their service as the starting point for any projects going forward - Yes it's a really impressive service!
Okay, So I want to basically use a single sign on...I read about it, but I cant seem to find good documentation or tutorials on how to implement it for MVC asp.net 4.5. I have an application which allows users to register... I want to be able to allow users from that application to be logged into the second application if they have access. Also, both of these applications would be in different databases... Any suggestions? Btw this is not using webforms...
Is it possible to apply the roles manager from that first application into the second? Or would I just need to create new roles in the second application?
What I have tried:
I have to implement a number of solutions that were on google but most seem to be using webforms... which i dont know how to use...
You need to configure an API which will act as an Authorization Server.
The "Auth" server will issue JSON Web Tokens for authenticated users and those users will present this JWT to the protected end points (Resource Servers) in order to access them.
Your MVC web applications will act as Resource Servers.
Read Implement JSON Web Tokens Authentication in ASP.NET Web API and and Identity 2.1