There is a mobile application which is developed via Xamarin. It mainly uses Web-API services to do its job, but at some point, application calls an MVC project, which is different from the Web-API project, but under the same solution.
I set up a Basic JWT authentication for security issues between communication of mobile app and Web-API. Thus, mobile app simply sends a token in header when requesting anything from Web-API.
Authorization: Basic eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
The point where I'm stuck is how could I handle that JWT which is sent in header from mobile app to MVC. Should it be included into the URL string which is triggering MVC controller?
I have run into questions which shows how to call a remove service from MVC controller by using WebClient, but couldn't see its vice versa.
Thank you in advance!
Related
I have on one side NoPCommerce on the other side our own REST API. I need that NopCommerce to send a post request to our REST API. That part is done.
I want to test this locally, so I started both projects. NopCommerce runs on localhost:5001, our REST API on localhost:7521.
When NopCommerce sends the request, I got an SSL error.
Is there a way to do this?
Thanks
I have an existing CRM built in ASP.NET MVC 5 using a razorhtml front end. I would like to break off part of the project into an Angular front end with .Net Core web api backend.
Essentially when a customer hits a "next" button on a certain page, the web api would be called and return a page in angular. The customer then completes a couple pages in the angular front end, sends info to the DB via the web api, which then returns the user to the old MVC project.
The issue I'm worried about is security. How can I authenticate the customer between the two applications?
Assuming your WebAPI is hosted on the same domain as your existing MVC solution you could opt for good old cookies (mind the HttpOnly and Path properties though). Given difference in technologies this might require some sort of reverse proxying to be put in place.
Alternatively you can generate a token on MVC application side and make your angular app pass it along through request headers to your API. On server side you would either write a custom middleware to handle opaque tokens or leverage existing .Net Core Identity that supports JWT out of the box.
Given you didn't share any specifics of your environment - it's hard to say if JWT would be an overkill for your use case but hopefully this gives you some context for further exploration.
I've got a Web API written with ASP.NET MVC 5 (Auth Template) which uses Facebook Authentication with OWIN Middleware. The Web API is used by a Xamarin.Forms app. The Facebook authentication Workflow on the app side is implemented through the Xamarin.Auth library.
So far so good. Unfortunately on the Xamarin app the external cookie gets lost after authentication. The backend (API) is setting all claims correctly and when it goes back to the GetExternalLogin method, the external cookie is missing. As the cookie is not set, it tries to set the claims again and again and finally I've got a too many redirects error on the app. If I perform the same request from the app in Chrome or Firefox on my PC, the external cookie will be set and everything is working correctly. Furthermore I don't believe it's related to the Xamarin.Auth library, as it's even not working if i try to fire the same REST call in chrome on android.
I'm aware, that there are some issues with Cookies set by OWIN and others set by ASP.NET, but that shouldn't be a problem here, as it's working on a desktop client.
On the app as well as on the backend I'm using the latest nuget packages.
I really appreciate any kind of help as I really don't know what it could be.
I'm starting a new project with Angular 7, Asp.net core 2, Asp.net Identity, IdentityServer4.
Briefly, my project architecture is like the following:
A web API project (resource server)
Data access layer project (c# project library)
Identity server 4 using Asp identity
And one Angular 7 client, this project is generated using two cli commands : "dotnet new angular", to generate the backend. And "ng new" to generate the front end code.
So, since angular project has a back-end, I have chosen the hybrid flow for security reasons.
My goal is to authenticate an angular client user with cookies, using angular client back-end. I have easily made this work using an MVC client but I still couldn't figure out how to achieve the same thing with an angular client.
My current idea is to serve angular using two actions, one that renders a razor cshtml page for anonymous users, and another one for "authorized" users, but I'm still not sure if this is achievable or not.
Is it a good approach or is there a better way?
I've started a similar project recently and contemplated how to approach authentication/authorization.
Ended up treating the Angular front end the AspNetCore back end as two similar projects (even though they were under the same project). You can use some oidc library for angular (like this for example) and your angular part would basically be a js client using Hybrid flow (preferably). You can use Angular router and route guarding in conjunction with one of the oidc libraries to automatically redirect user to the identity provider should they try to access protected resource and handle the token callback and do the cookie auth.
Your backend part in AspNetCore would then become simply an ApiResource that your Angular client would have to be allowed to access (in the AllowedScopes) and would only be concerned with serving data to your Angular client (minus the fact that the AspNetCore razor engine serves the initial Angular AppComponent). It would not be concerned at all about guardian any routes and would only be concerned about validating bearer tokens that your Angular client would inject into Http calls to this backend Api.
I have an existing MVC application that I inherited from someone else.
I am now trying to take some of the API calls from the old application and move them into a new application.
The problem is, when the MVC application tries to call the API calls in the new application, it gets a 401.2 (unauthorised) response.
I have read that 401.2 means that the front end and the back end are using different authentication protocols, which would make sense to me.
Here is a snip of the response headers for the account call in the new application:
and here is a snip of the same response headers when calling the same API from the old application:
This looks to me like they are using different protocols - am I correct? The main difference seems to be the 'WWW-Authenticate:Negotiate' on the failed request - but I do not know how I can fix this?
If so, can anyone advise what I need to change in my MVC project to make it use the Auth type of the first project?
Both aps use the same database if that is any help?
I know this question is a bit vague, but I have no idea where to look to fix this.
Any help would be greatly appreciated...
You would need a Single Sign-on to maintain your credentials through different apps, you could:
Use Identity Server 4 or Identity Server 3 To generate token credentials for you WEB API Projects.
MVC
JS
User Forms authentication on your mvc Projects:
Example
Use cookie based Authorization:
Cookie authorization with OWIN
I recommend Using Identity Server.