I am trying to make use to IdentityServer4 for authentication and authorization. We have set of new and existing applications.
At this moment in time we have:
- 1 ReactJs application - (there is no authentication as it's a new application) but it will use Implicit Flow using oidc-client
- 1 quite old Web Form application - which will possibly use Hybrid flow (I still need to figure it out)
- 2 .NetCore MVC web applications - they both will use Hybrid Flow
There are Few apis project that we want to protect using IDS4.
WebForm and MVC Applications both uses their own Web Services to talk to the some database to verify user credentials and let the user login to the application.
Eventually we want to migrate users from that existing database to a seperate User database. IdentityServer will also make use of this new User Database for SSO + Api Authrization.
I am thinking of creating a seperate api just for User Authentication (possibly AspNetIdentity as a webapi) and IdentityServer4 to communicate with this api to validate username/password? Does that seems right?
Also How do I configure IDServer4 to use Api for authentication rather than using services.AddIdentityServer().AddAspNetIdentity() which will directly talk to my AspNewIdentity database? and How to sure this api? Any samples I can find?
I had to do something like this, I found these useful
http://docs.identityserver.io/en/release/quickstarts/1_client_credentials.html
http://docs.identityserver.io/en/release/quickstarts/2_resource_owner_passwords.html
I used it to protect an api via users that came from Asp Identity.
Hope that helps.
IdentityServer4 doesn't really do users out of the box. The ASP.Net Identity integration just exists to get you up and running quickly. If you want to implement your own user store and sign in/out/up flows then you're totally free to do that however you want.
That said, I'm a fan of having the IDP own its own data - i.e. the users and their credentials. This helps keep you on the straight and narrow when it comes to not mixing authentication and authorization. The Auth in OAuth is client authorization don't forget.
Related
We have built some Asp.Net Core web API, with the authentication/authorization built on top of Asp.Net Core identy, with some JWT token exchange for our angular frontend. Basically, the users can login with username+password, this provide them a JWT with a short validity that the frontend regularly refresh. If the token is not valid anymore, the user will have to login again.
This part works great.
Now, we have to add another concept, a bit like on Azure Devop, we need to add "agent", those are not users, they will just need to be authenticated, in a slightly different way:
They will run on unnattended(locked) computers
They will be configured once and then run forever
Each agent should NOT be considered as a user. They should not be stored as such(or at least provide a way to distinguish them)
Those agent should only have some kind of token/private key to authenticate themself, that doesn't expire. This method of authentication should not be allowed to other users
So based on this:
Is this something that already exists, or have this pattern a name?
Is there a way to achieve this through Asp.Net Core identity or am I better off ?
Any link or lead on how to implement in parallel of an existing auth would be highly appreciated.
I am looking for a way how to implement authentication and authorization fo several applications.
I have one main application and several child application.
I have only one domain so I access my child applications like a mydomain.com/app1.
My goal:
Use one account for all web applications
Have specific permission for each user, for each application
Implement register, login views only once.
My thoughts are:
- Create one WebApp/API which will maintain user accounts
- Call this webapp from other apps
I was googling a lot and I found some technologies which could be useful:
Jwt bearer token - generate token with claims and in each app
implement logic which claims are necessary for specific policy
Identity server 4
I am so confused from identity server so I don't undestand how to use it (but according to description I thnik it could help to solve my problem)
Something like this scenario:
Request web page
WebApp checks authentication (proprably Jwt token?) if user is not authenticated call auth server --> some login page
After authentication Jwt is generated, Jwt & webpage from web app is returned to user
I saw lot of samples, but most of them are for fronted backend solutions, mobile applications etc..
I would like to use simple MVC, Razor pages apps..
Are my thoughts right or it should be done in other way?
Could you recommend me some technologies, tutorials how to achieve this?
Thank you very much!
I have created a Web API application, an MVC application, and a mobile application.
The Web API should be decoupled from the other two applications as much as possible. I'm using the Password Grant flow here: clients using the Web API needs to send a POST to /Token with username and password. The returned access token is then used for further calls to the API using standard Authorization: Bearer <access_token>.
The MVC application is only accessible for a select few users, and it has its own database which contains the information and roles of these users. Some parts of the MVC application should be restricted to only one or two users (for example), while other parts should be accessible for all registered users. This can be done by using Authorize attributes on the specific controllers within the MVC application - all good. Furthermore, the MVC application should be able to interact with the Web API.
Secondly, I want to have a mobile application to be able to interact with the Web API. A key point here is that I won't require users to register in the app. So essentially, (how it's in my head right now) the only thing the API would see is "this token belongs to the "AndroidApp" user and has password X - sure thing, you're known to me, I'll grant you access". This seems to me a bit 'insecure', meaning that all users of the mobile app will share the same auth credentials.
Questions:
User A is one of the users who are allowed to access the MVC application - I want him to be recognized by both the MVC app, and thereafter the Web API. Is there an easy way to synchronize data between two databases, or should I just register him in both databases (one for MVC, one for API)? There is probably a better third option I haven't thought about.
User B is a user of the mobile application, and he should not be able to access the MVC application. How can this be ensured? Obviously, the MVC user database won't have any info about mobile app users. I'm just wondering about the security aspect of just having one single pair of auth credentials embedded in the app - doesn't sound good to me.
I stumbled upon this question, which basically is the same as mine. But I don't really see the need for Authorization Code Grant flow for the web app (MVC application in my case) as the accepted answer suggests.
I hope my questions make sense, otherwise please let me know :)
My answer doesn't directly answer your question but rather offers an alternative.
In the past when developing similar solutions I've used a specialist third party identity service Auth0.
With Auth0 you can have different application keys, profiles and also create rules (webhooks) which are executed as part of the authentication pipeline. They offer a range of social login as well as AD integration. They offer free and paid pricing.
I am not affiliated with Auth0 in any way, but will use their service as the starting point for any projects going forward - Yes it's a really impressive service!
I have an Owin-based MVC application which uses my web api to provide many functionalities. At the moment the user should login to both of them separately (using ajax calls, at the login page I do the login for web api and receive the token as well), but both use the same table, so there is only one place to store the user information.
Unfortunately other MVC applications are using separate username and passwords and are not using the mentioned api. As now I should create a new MVC app which is again the same domain I am looking for a way to use a single username and password (managed by one main MVC app) for whatever reason it's needed, i.e., all the MVC apps and the web APIs use the same username and password, and therefore for example I can use the [Authorize] attribute or roles, ... in all of them.
Is there any known solution for this? Does Creating an OAuth authorization server suit this problem?
Implementing Single-Sign on using OpenID Connect on top of OAuth2 fits your requirement. checkout identityServer3 or identityServer4 if you are using .net core.
basically, you will need to setup a shared STS authority, and all your applications will use this authority to validate a requests using a OWIN middleware to check for token validity.
On first login, The STS authority will issue a token for the user, and you will need to manage through your front-end/back-end code, re-using the token when navigating across multiple applications/domains.
C# ASP.NET Single Sign-On Implementation
I currently have two web applications, one of which is a web api, which both have it's own implementation of ASP.NET Identity for authenticating users (first one is cookie and second one is bearer tokens).
I need, in the near future, to add a third web site to the family and was thinking to move the authentication logic in a standalone web application which could serve all the orhers.
For example: instead of authenticating to www.mysite.com and/or api.mysite.com, I would like that both the applications could authenticate against a new website, like e.g. login.mysite.com, as microsoft does.
How can I achieve something like this? Does somebody has any direction to start with?
What you need is an Identity Server which will authenticate the requests and give you back an access token. You can then use the access token to make subsequent requests to APIs and websites etc. As long as the access token is valid you will be able to make requests. There is great .net based open source solution available for Identity Server. Have a look at Thinktecture. You can download the source and demo projects to try yourself.