Welcome,
I have project asp.net core mvc 3.1 and I have full rest api in PHP. In my .net app I would like to use the token downloaded from api in my .net project.
My goal is to make my own auth attribute which will get the user from usercontext(httpcontext?) and check if he has a token.
I spent several hours searching for a solution but I found nothing similar.
Has anyone encountered a similar problem? Please help.
For example I can use Authorize attribute example attribute with UserManager and SignInManger example managers.
I need the same solution but for tokens. Every user after login receive token from rest api written in php. I need to somehow keep this token and bind it with logged user. Also I would like use attribute in my controller/action which automatically detect if concrete user has token.
I need the same solution but for tokens. Every user after login receive token from rest api written in php. I need to somehow keep this token and bind it with logged user. Also I would like use attribute in my controller/action which automatically detect if concrete user has token.
There are lots of ways to store the state for user level in asp.net core. For example, using cookie, session and HttpContext.Items etc. You can refer to the document below for the details:
Session and state management in ASP.NET Core
And if you are using session, then you need to implement the customer policy authorization to verify the token as your requirement. To use IHttpContextAcessor to access session from HttpContext inside of an authorization handler, see
Access MVC request context in handlers
Use HttpContext from custom components
Related
We have built some Asp.Net Core web API, with the authentication/authorization built on top of Asp.Net Core identy, with some JWT token exchange for our angular frontend. Basically, the users can login with username+password, this provide them a JWT with a short validity that the frontend regularly refresh. If the token is not valid anymore, the user will have to login again.
This part works great.
Now, we have to add another concept, a bit like on Azure Devop, we need to add "agent", those are not users, they will just need to be authenticated, in a slightly different way:
They will run on unnattended(locked) computers
They will be configured once and then run forever
Each agent should NOT be considered as a user. They should not be stored as such(or at least provide a way to distinguish them)
Those agent should only have some kind of token/private key to authenticate themself, that doesn't expire. This method of authentication should not be allowed to other users
So based on this:
Is this something that already exists, or have this pattern a name?
Is there a way to achieve this through Asp.Net Core identity or am I better off ?
Any link or lead on how to implement in parallel of an existing auth would be highly appreciated.
I have create a react application in which I have used Azure AD authentication for logging in.
Now for the part of authorization I want to create a .net api that can authorize with the help of a token that whether this person is the right one or not.
In frontend I have used ReactJS and in backend I want to use .net for this issue.
You can use EntityFramework with JwtBearer for that. You'll be able to create tokens for each session and you can put your users in a Role-based authorization access to your app.
I'm in the process of converting a website from using a third-party identity provider to use ASP.NET Identity 2 instead. The site currently does not use any OWIN middleware but simply passes user-provided credentials to the identity provider. We then create a session token if the credentials are correct, and we use the session token on subsequent requests to reconstruct the user's session.
My goal is to get away from using the third-party provider with the minimum of code changes, so my idea is to use the UserManager class in ASP.NET Identity as a drop-in replacement for our third-party provider. In other words, we wouldn't use any Startup.Auth.cs magic to configure automatic challenge-response or cookie setting/validation middleware. We would simply take the user-provided credentials, test them using UserManager.FindAsync, and then continue using our existing flow.
My problem comes with dealing with Facebook logins. Currently, we show a login dialog that, upon successful login, sends us a Facebook token. We then send this token to the third-party provider, who validates it and magically turns it into an email address, first name, and last name. I can't figure out how to do this myself.
I see that if I use the out-of-the-box sample application for ASP.NET Identity, it will do the same thing via OWIN middleware. What I don't see is any way for me to take the token and use some classes somewhere in ASP.NET Identity to convert the token into usable data myself, manually.
(Note: I do see that I can use the Facebook Graph API along with my app ID, app secret, and user token, to recover the name of the user, but I don't get the email address, so something about this approach must be different from what the OWIN middleware is doing.)
Therefore, my questions are:
How do I do manually validate and decode the Facebook token in the same way that ASP.NET Identity OWIN middleware is doing it?
Is this a really dumb idea?
Thanks in advance for any help.
I'd like to create an application using Angular2 as frontend and the new ASPNET 5 WebApi as backend, but when it comes to authentication/authorisation I feel I'm totally missing the point despite all the reading...
Ideally I'd like to authenticate users using an identity provider such as Google or Facebook using Hello.js, I don't really want to have any sort of local registration for users. And then I'd also like to use an ASPNET 5 WebApi backend to access my database.
This article describes exactly what I want, but not with an ASPNET 5 WebApi backend: https://ole.michelsen.dk/blog/social-signin-spa-jwt-server.html
I'm not sure I understand the process right:
After receiving an access token from the identity provider, the SPA should send/forward it to the backend for verification. The WebApi backend should validate it against the provider (at least the first time), and create its own token (JWT) to be sent to the SPA. The SPA simply stores it (local store or session store) and the result is that the user is logged into my application.
Is this correct? Is what I want to achieve possible?
I've looked into other options such as OpenIddict, IdentityServer3/4 but as I understand it, I'd be creating my own identity provider using those, and it's not really what I need. Am I misunderstanding?
Thanks.
As far as i understand, you want:
Authentication with google(you don’t want to use google access token for using google resources)
Authorization with jwt token for web api backend.
So, you need Identity Server3/4, OpenIddict or writing own implementation for creating jwt token. There is similar question with good answers(especially #Tseng’s answer).
For managing jwt token in client side(angular2), see below links:
https://auth0.com/blog/2015/11/10/introducing-angular2-jwt-a-library-for-angular2-authentication/
https://damienbod.com/2016/03/02/angular2-openid-connect-implicit-flow-with-identityserver4/
There is an easy answer here. Use https://auth0.com/ It's free on a small scale and all the details are handled for you. Good samples and good open source participant. No affiliation, just a fan.
I'm writing a tutorial of using IMAP XOAUTH2 authentication in .NET (the standard MVC5 web app which is created by the MVC5 wizard).
I now have all parts except access_token from which I'll create XOAUTH2 IMAP key (the app authenticates, token seems to get refreshed if required, and I know how to build XOAUTH2 IMAP key and do IMAP login when access_token is available). I just need that token.
Although I have some ideas how this can be done I need to make sure I'm not doing anything stupid. For instance, I think I can use something like context.Identity.AddClaim in ConfigureAuth to put the access_token to our identity and then get it from there when doing IMAP login (on another page) but not sure if this info isn't already available.
Maybe, I can have access to that access_token in any place in the code without the need to manually put it in some object (which would be redundant and look silly for a reader experienced in OWIN and MVC5)? I develop .net components for SMTP/IMAP, I'm not a MVC5 expert, just need to write a simple example for using my IMAP lib with it.
Well, looks like saving access/refresh token details in ASP.NET Identity database makes sense anyway (despite the fact is's stored in encrypted cookies). This lets the access token data be accessible even when the browser is not available. For instance, if someone registers in a web app with their Google and Microsoft account and then another app (e.g. Windows service) consumes the access token initially retrieved by the web app to access the user's account (to check for new e-mails or whatever).
Also, it's possible to make sure both versions of access token details (in ASP.NET Identity database and cookies) stay in sync. This is useful if the access token gets updated with a refresh token (as access tokens need to be updated every hour). The standard ASP.NET MVC5 app cannot refresh access access tokens so you need to refresh them by your own code. I extended ASP.NET MVC5 template with refresh tokens, saving access/refresh tokens in ASP.NET Identity database and updating access tokens in cookies to make sure that access tokens in both locations match.
If anyone interested, you can grab some code and explanations at:
http://www.afterlogic.com/mailbee-net/docs/OAuth2RegularAccountsWebApps.html#SyncingTokens