I've got a Web API written with ASP.NET MVC 5 (Auth Template) which uses Facebook Authentication with OWIN Middleware. The Web API is used by a Xamarin.Forms app. The Facebook authentication Workflow on the app side is implemented through the Xamarin.Auth library.
So far so good. Unfortunately on the Xamarin app the external cookie gets lost after authentication. The backend (API) is setting all claims correctly and when it goes back to the GetExternalLogin method, the external cookie is missing. As the cookie is not set, it tries to set the claims again and again and finally I get a "too many redirects" error on the app. If I perform the same request from the app in Chrome or Firefox on my PC, the external cookie will be set and everything is working correctly. Furthermore I don't believe it's related to the Xamarin.Auth library, as it's not even working if I try to fire the same REST call in Chrome on Android.
I'm aware that there are some issues with cookies set by OWIN and others set by ASP.NET, but that shouldn't be a problem here, as it's working on a desktop client.
On the app as well as on the backend I'm using the latest nuget packages.
I really appreciate any kind of help as I really don't know what it could be.
Related
I have an ASP.NET Core 3.1 website hosted on Azure. Works great loading via the "mysite".azurewebsites.net URL. Still, when I try to access via my custom domain, configured via the "Custom Domains" option in the Azure portal, the site then starts throwing 307 redirect errors, redirecting to itself (subdomain => subdomain) repeatedly until the page bombs.
All of the DNS settings are configured via Cloudflare.
For the subdomain, I have a CNAME record defined, where the "name" is just the subdomain, and the "content" value is the "mysite".azurewebsites.net.
I also have another subdomain configured the EXACT same way, but it's running ASP.NET Core 1.0.
I read a little about ASP.NET Core 3.1 having HTTPS on by default, but all my sites are running HTTPS already.
If the site is getting called via the subdomain.mydomain.com, yet transmitting a 307, with the same URL, where am I going wrong?
website redirecting (ASP.NET Core 3.1): https://d3.wrestlestat.com
azurewebsites version (ASP.NET Core 3.1): https://d3wrestlestat.azurewebsites.net
the different subdomain that works (ASP.NET Core 1.0): https://d2.wrestlestat.com
EDIT: Ok, I've figured out why it's throwing the redirect/error, it's because of this in the Startup.cs:
app.UseHttpsRedirection();
But, don't I want that? Why would commenting that out make everything work ok? If you navigate to the d3.wrestlestat.com, everything works fine now. But, I WANT to enforce HTTPS, or is this redundant for some reason?
Check that you have set the TLS/SSL Settings of your Appservice plan to Https only = On?
With this on, the HTTP call should not reach your code; you will therefore not trigger an HTTP 307 temporary redirect.
There are ways to implement a permanent redirect in code.
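One way to make the in-code redirect permanent, as an added example that is not part of the original answer and is written for the ASP.NET Core 3.1 Startup pattern the question uses. The port and HSTS lifetime are constructed values, not taken from the page.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        // UseHttpsRedirection answers with 307 (temporary) unless told otherwise.
        // 308 is the permanent equivalent and also preserves method and body.
        services.AddHttpsRedirection(options =>
        {
            options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
            options.HttpsPort = 443; // assumption: site is served on the default HTTPS port
        });

        // HSTS tells browsers to skip plain HTTP on later visits.
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(30); // constructed value
            options.IncludeSubDomains = false;
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (!env.IsDevelopment())
        {
            app.UseHsts();
        }

        // The middleware redirects every request for which Request.IsHttps is false,
        // so it only acts on requests that reach the app as plain HTTP.
        app.UseHttpsRedirection();

        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

With the App Service "HTTPS Only" setting on, the platform redirects plain HTTP before this middleware sees the request, so the two settings do not conflict.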
There is a mobile application which is developed via Xamarin. It mainly uses Web-API services to do its job, but at some point, application calls an MVC project, which is different from the Web-API project, but under the same solution.
I set up a Basic JWT authentication for security issues between communication of mobile app and Web-API. Thus, mobile app simply sends a token in header when requesting anything from Web-API.
Authorization: Basic eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
The point where I'm stuck is how could I handle that JWT which is sent in header from mobile app to MVC. Should it be included into the URL string which is triggering MVC controller?
I have run into questions which show how to call a remote service from MVC controller by using WebClient, but couldn't see its vice versa.
Thank you in advance!
I have an existing MVC application that I inherited from someone else.
I am now trying to take some of the API calls from the old application and move them into a new application.
The problem is, when the MVC application tries to call the API calls in the new application, it gets a 401.2 (unauthorised) response.
I have read that 401.2 means that the front end and the back end are using different authentication protocols, which would make sense to me.
Here is a snip of the response headers for the account call in the new application:
and here is a snip of the same response headers when calling the same API from the old application:
This looks to me like they are using different protocols - am I correct? The main difference seems to be the 'WWW-Authenticate:Negotiate' on the failed request - but I do not know how I can fix this?
If so, can anyone advise what I need to change in my MVC project to make it use the Auth type of the first project?
Both apps use the same database if that is any help?
I know this question is a bit vague, but I have no idea where to look to fix this.
Any help would be greatly appreciated...
You would need a Single Sign-on to maintain your credentials through different apps, you could:
Use Identity Server 4 or Identity Server 3 to generate token credentials for your Web API projects.
MVC
JS
Use Forms authentication on your MVC projects:
Example
Use cookie based Authorization:
Cookie authorization with OWIN
I recommend Using Identity Server.
My question is based on ASP.net 5 and authentication. In particular, I'm trying to achieve integrating oAuth (2.0) into my solution as my logon method (the users can either logon using oAuth if this is how they registered, or directly with my own app). Using the template for an ASP.net 5 web app, I've successfully achieved the above but this isn't quite what I need.
I have an ASP.net 5 MVC (app1) for my front end UI and an ASP.net 5 web api application (app2) for my REST services, serving data to the UI. Nothing new to this approach.
I want my MVC front end (app1) to have no Entity Framework references and no reference to things like Sign in manager (if possible). Just keeping it as simple as possible. I have a login screen and I want to present the option to logon via facebook or google oAuth accounts. Instead of using the nice code MS kindly provides out of the box when you start a new ASP.net 5 web app (hey, why make life easy!), I want to use my web api to do as much of the work as it can (I realise some things need to happen in app1 to make this work).
My goal is to keep my UI as simple as possible and offloading complex functionality (business logic, database access and other things such as caching) off to the web api app.
I'm having difficulties extracting the parts of the web app demo around oAuth, and moving it into the web api, to utilise from app1. Has anyone managed to do this before? Is this a bad idea? Has anyone a sample of this approach in new ASP.net 5 MVC?
Thanks for advice in advance!
We (that is ASP.NET) recommend you look at Identity Server. v4 is now built on top of .NET core. The OAuth components you see in templates for facebook, twitter et al aren't suitable for using against a WebAPI, they're there for interactive, browser based logins, not for javascript.
You would have your interactive app handle registrations as normal, then use Identity Server to issue a bearer token, pointing it to your identity database, and validate that within your WebAPI.
We don't recommend rolling your own.
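The validation side described in the answer above, as an added example that is not part of the original answer: a Web API that accepts only bearer tokens issued by an external token service. It is written for ASP.NET Core 3.x with the Microsoft.AspNetCore.Authentication.JwtBearer package; the issuer URL, audience name and controller are hypothetical.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Hypothetical issuer; signing keys are fetched from its discovery document.
                options.Authority = "https://identity.example.com";
                // Hypothetical audience; tokens minted for another API are rejected.
                options.Audience = "orders-api";
                options.RequireHttpsMetadata = true;
                // Default tolerance for expiry is 5 minutes; tighten it.
                options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(1);
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("api/[controller]")]
[Authorize] // requests without a valid bearer token get 401
public class OrdersController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new { user = User.Identity.Name });
}
```

The API holds no user database reference and no signing secret; it trusts only what the issuer's published keys can verify.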
You can build a WebAPI app with membership manager using ASP.NET Identity. ASP.NET Membership is now called ASP.NET Identity.
From the link you will see how you can create a WebAPI app that will support all basic ASP.NET membership functionalities (log-in, register, etc).
Once you have WebAPI setup with your (custom) ASP.NET membership storage (DB is auto-generated once you run the app.), you are set up with a RESTful web layer with data access. You can also customize the storage provider. See here: Overview of Custom Storage Providers for ASP.NET Identity.
The ASP.NET website (www.asp.net) has all the necessary information sufficient to create all that you said from scratch. For integrations with Facebook or others, you can check out this link: External Authentication Services with ASP.NET Web API (C#)
I'm trying to implement GoogleDrive into my .NET application,
but the tutorial I'm using from http://www.daimto.com/google-drive-authentication-c/ says that it simply sends the user to a login page of GoogleDrive, but the question is where? I don't see any code that sends the user to a login page.
So my question is: how can I let the user authenticate before starting off?
I've been trying for several days now and I don't have a clue how to do it.
Hope someone can point me in the right direction.
What you are looking for is called External Authentication Services with ASP.NET Web API. MVC supports many external providers and it is reasonably easy to implement them within Visual Studio and an MVC project.
For implementing a login from ASP.NET have a look at the OAuth 2.0 Web applications (ASP.NET MVC). You can also have a look at this MVC tutorial MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on C# - it contains exactly what you ask for - a redirect to the Google login page.
The Access-URLs are embedded into the NuGet package Google.Drive.API.v2/Auth/Client - when you use the assembly/the classes the URLs are internally known:
A thorough explanation (and also the URLs when using pure REST to access the service) could be found here GDrive .NET Quickstart and here Using OAuth 2.0 for Server to Server Applications