I'm tasked with authenticating an access token being passed by a react client in my .net core API. The access token in question is issued by google. Now I'm trying to figure out how to structure my API such that the endpoints are restricted to a predetermined set of google accounts. What is the best way and best practice to go about enforcing the restriction? Should I store a set of google IDs in my database and check the google Ids against the payload of the token being passed by the client? I'm relatively new to the whole concept of OpenID and OAuth and authentication so I'm not sure if the process I described follows specifications. Any help is appreciated.
Related
As a design requirement, I need:
create a reactjs application where users will single sign-on using msal.
Once authenticated, the application will access several http azure functions endpoints that will be developed in C# and whose access authorization must be based on application roles.
I'm still in my infancy with MSAL and would like to know where I can find a tutorial that helps me with all this.
I understand that I somehow need:
Authenticate the user and acquire an access token.
Having this token, somehow forward it to the endpoints.
On the endpoints, read the token that was forwarded and check if the user has authorization or not.
Thank you very much
I am a student working on a NLP app for the Google Home for my senior design project. I am wondering specifically:
What is the correct way to implement Google Account Linking and what does Google Account linking provide for registering/authenticating users via Dialogflow (i.e. what the dataflow looks like from initial query to Google logging in, back to Dialogflow, then to my ASP.NET Core API handler).
Does Account Linking return a bearer token in the header back to Dialogflow and thus, back to my handler? Or do I have to parse the originalRequest JSON object to get the user information then validate it against the identity provider?
How can I get the user’s information from the Dialogflow request in my webhook (ASP.NET Core API)? Do I have to parse the originalRequest JSON object to get the user info? From my understanding, and from this awesome tutorial, the HttpContext should be populated after verifying the JWT token. What is still unclear, is how to get the token from Dialogflow and Google Account linking.
I appreciate any help or guidance you can provide for implementing user authentication/authorization from Dialogflow to my .NET webhook.
Lots of questions. Let's take them one by one and try to clear up some things.
What is the correct way to implement Google Account Linking [between the Google Assistant and my system]?
First - you need to understand what Account Linking is.
It lets you provide a way for you to authorize a user access to your services. Google uses this to connect a Google Assistant account to an account on your system.
Since this is against your system, the "correct way" depends on your infrastructure. But in general - it means that you'll be issuing OAuth tokens for Google to use and hand back to your webhook. Details for what is expected are in the Actions on Google documentation.
To be clear - you need to be an OAuth server.
What does Google Account linking provide for registering/authenticating users via Dialogflow?
Nothing.
Well, mostly nothing.
All it will do is hand the user off to your OAuth authorization endpoint if it does not already have authorization for that user. It expects you to hand back tokens that it will use.
Does Account Linking return a bearer token in the header back to Dialogflow and thus, back to my handler? Or do I have to parse the originalRequest JSON object...
The auth token (which you have issued, because you're the OAuth server) will be sent in the JSON object at originalRequest.data.user.accessToken.
...to get the user information then validate it against the identity provider?
You are responsible for validating that the access token is one that you issued and is still valid and then... doing whatever you want with it. One assumes that you'll use it to figure out who the user is, however. How you do that (looking it up in a table, passing it to another service, getting the info out of a JWT, etc) is entirely up to you and how you've implemented the OAuth service and what the format of the token is.
How can I get the user's information from the Dialogflow request?
It depends what "user information" you're expecting. By default, Actions on Google and Dialogflow won't give you any information unless you ask for it - and you don't ask for it via Account Linking. You ask for it via using the Actions on Google permission system. But even the permission system won't give you information you may want (most people want email address - which you can't request).
If you want to do it via account linking - you need to request that information when you setup their account.
Do I have to parse the originalRequest JSON object to get the user info?
If you are using permissions, then yes.
If you're not, then while you can parse the JSON to get whatever is sent (the anonymous user ID), it won't just give you information from their Google Assistant account.
Account linking isn't about getting access to their Actions on Google account - it is about getting access to the account in your system when they access your service via the Google Assistant.
HttpContext should be populated after verifying the JWT token
That article talks about using Firebase Authentication as the OAuth server and how to handle it as a client.
Actions on Google turns this around. You need to be the server. It is the client.
It is certainly possible to build a server that uses Firebase Authentication to authenticate users if that is what you wish to do, and to issue JWT tokens as your bearer tokens, but neither of those are requirements.
I need to develop an external API, and I want to implement authentication with a client ID and a secret key just like Facebook, Twitter, Google and Microsoft do.
I have read some tutorials about OAuth2, but his generated token is temporary, and clients need to pass the username and password to get a token.
So, what I want is to give a client ID and a secret key to every client that will use my API, and they should pass this data on every method they call. Before returning the result, API checks if the request is valid.
What is the best way to do this?
I think what you're looking for is 'Basic Authentication'. Here's a very simple tutorial to follow in order to fulfill your requirements: http://www.c-sharpcorner.com/blogs/basic-authentication-in-webapi
It goes without saying that you should set your site to force https so that the credentials in request header are encrypted.
I am building a reactjs website that will communicate with asp.net web api 2 to save and retreive data.
but I am not sure how to do this.
I know to accomplish this on a high level it would be something like
User comes to my site and hits signup/log
Chooses which provider then want to use(google, facebook and etc). I am only want to support external providers(ie I don't want to have to deal with usernames/pwds)
User it sent to authenticated part of site
User clicks "add course" that data send via ajax to webapi with some sort of token to prove they have access to these methods.
I am not sure how to implement this problems I see is
Reactjs I guess is handling the authentication part? then once they been authenticated it would have to be saved in my db via webapi so it knows about this new user?
Reactjs would have to block users from going to secure pages till they are authenticated
Web api would have to generate a token for the user for that session so they can access the web api(I want to stop people from consuming my api).
Is there some simple example out there how to achieve this?
Reactjs I guess is handling the authentication part? then once they been authenticated it would have to be saved in my db via webapi so it knows about this new user
Better use some third party auth library here like PassportJS that does the auth for you using strategies like Passport-Facebook. This will give you an Oauth access token from Facebook upon authentication. You can now save this token in your cookies (or localStorage), take a look at the security considerations.
Should you store it in a DB? Here are some arguments about it.
Reactjs would have to block users from going to secure pages till they are authenticated
This can be done by checking if they have a valid token.
Web api would have to generate a token for the user for that session so they can access the web api(I want to stop people from consuming my api).
This can be easily achieved by using JSON Web Tokens. Note that you will have to store the JWT in your client side locally, along side your FB-Google oauth tokens (or you can relegate that to a single API by storing them in DB?. Its a design choice, I would prefer to store them separately and save a lot of hassle).
I'd like to create an application using Angular2 as frontend and the new ASPNET 5 WebApi as backend, but when it comes to authentication/authorisation I feel I'm totally missing the point despite all the reading...
Ideally I'd like to authenticate users using an identity provider such as Google or Facebook using Hello.js, I don't really want to have any sort of local registration for users. And then I'd also like to use an ASPNET 5 WebApi backend to access my database.
This article describes exactly what I want, but not with an ASPNET 5 WebApi backend: https://ole.michelsen.dk/blog/social-signin-spa-jwt-server.html
I'm not sure I understand the process right:
After receiving an access token from the identity provider, the SPA should send/forward it to the backend for verification. The WebApi backend should validate it against the provider (at least the first time), and create its own token (JWT) to be sent to the SPA. The SPA simply stores it (local store or session store) and the result is that the user is logged into my application.
Is this correct? Is what I want to achieve possible?
I've looked into other options such as OpenIddict, IdentityServer3/4 but as I understand it, I'd be creating my own identity provider using those, and it's not really what I need. Am I misunderstanding?
Thanks.
As far as i understand, you want:
Authentication with google(you don’t want to use google access token for using google resources)
Authorization with jwt token for web api backend.
So, you need Identity Server3/4, OpenIddict or writing own implementation for creating jwt token. There is similar question with good answers(especially #Tseng’s answer).
For managing jwt token in client side(angular2), see below links:
https://auth0.com/blog/2015/11/10/introducing-angular2-jwt-a-library-for-angular2-authentication/
https://damienbod.com/2016/03/02/angular2-openid-connect-implicit-flow-with-identityserver4/
There is an easy answer here. Use https://auth0.com/ It's free on a small scale and all the details are handled for you. Good samples and good open source participant. No affiliation, just a fan.