I have an Azure-based .NET Core Web API application that I want to communicate with an Azure-based MVC5 application. The MVC5 application requires its clients to have a credential in our Azure AD instance. We connect to this app with our SSO Azure AD credentials.
The .NET Core app does not authenticate against Azure; there's no credential pass-through possible for its consumers. BUT... it's hosted in the same Azure instance, so it seems like I should be able to send an authenticated request from the web api to the MVC app with relative ease.
The documentation on this is quite confusing though. There's talk about x.509 certs (this really doesn't seem necessary), OAuth 2.0 grants and flows (I may not be able to get around that, I don't know)... but is there some simple, relatively "brainless" way to have the one service talk securely with the other without building some kind of complicated scaffolding and/or configuration? I'm kinda hoping there's a way to just instantiate a HttpClient or WebRequest, call some method to get the proper Authorization header (or maybe cookie?), and send my request on its merry way... but if it exists, it remains elusive to me.
Any elucidation on this would be helpful, thanks.
This sort of depends. First, to be clear, you are trying to call an action in the MVC app from the API app? This seems a little odd (more often, a MVC front-end might need to call the api). Regardless, it should still be the same.
Question: Do you want you api app to always call the MVC app as "itself"? So, your api app would have an identity that is authorized to call an action on your MVC app? If so, this is exactly what the OAuth Client Credentials flow is for:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service
With this flow, you create an Azure AD application registration that represents your API app. Then, at runtime, your API app uses its client id and client secret to acquire a token it can use to call the MVC app (typically passed as a bearer token in the Authorization header). Part of what you can do with the app registration is give it delegated access to your MVC app, but you can also manage which "clients" you want to allow access in your MVC app.
Hopefully this makes sense.
Related
I'm working on a project that uses a C# Web API. We are using JWT tokens.
We have the authentication setup for the main application that is hitting our web API.
We also have a side service that needs to authenticate to use the web API, but they do not have the necessary items to authenticate because they do not have an account.
Is there a "secure" way to authenticate a side service that does not have the normal login functionality?
Looks like you want an app that is not authenticated by login but still protected?. This is really not a very good implementation. In case you want to do this. You can try the solution using rsa body request encryption algorithms with signature includes in header and check. If it matches then you can implement your logics. Hope to be useful.
I've seen a million different answers and none of them work.
Can someone please give me a link that works for:
I have a web api, I've registered it on Azure. I have Azure Active Directory configured.
I have a tenantId, a clientId, a client Secret, and every other variable I should need.
I can log a user into my system through AD via an MVC controller, how can I do the same with web api?
I basically need to generate the AD token so I can continue to use the API outside of my MVC controllers.
It must be the same token, because I need to access microsoft graph from the client side of the API.
HELP!
It’s up to the client to get a token and pass it to your API. You don’t specify what the client is (I.e. web, iOS, Android) but since you’re using Azure AD you could just use the appropriate ADAL library provided by Microsoft to do this.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries
I can log a user into my system through AD via an MVC controller, how
can I do the same with web api?
If you are interested in server-to-server interactions without direct interaction from the user side, you may have a look at OAuth 2.0 Client Credentials Grant Flow for AZAD.
The attached article contains simple examples of implementation. I think for your case, example with a daemon/console app (just replace it w/ Web API) is what you need. Download the example, replace configurations (Instance, TenantId, ClientId, and ClientSecret) in appsettings.json w/ yours, and try to play around with it.
I am new to .NET core and while I have .NET experience, I have never built authentication, in the past I've always worked on project not started by me. I am just trying to learn and find good resources and I would greatly appreciate if anyone knows tutorial or if it can explain how to solve this.
When using external logins, I followed those instructions here. This all works well if I create simple web api project and run, I get a web page where I can login, authenticate, works perfect. But this is not my end goal, I am building Web APIs not a Web Application. In my case let's say I have iOS and Android apps and my external login is done on the app itself, how would I pass token to Web APIs? I want to use [Authorize] method in Web APIs to make sure that no un-authorized access is made agains APIs and in addition to that I would like to use roles.
I am assuming token information is passed in header. But what is the header name for token? Can external authentication be used with roles or that is only possible if I store username/password? Can you point me to some good tutorial or anywhere I can learn more because all google search returns back to same like I have mentioned above and it is not very descriptive.
In general , your web api will work like a identity provider , it will issue and validate the JWT tokens :
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
You can also implement authorization with the help of your external login provider .If you have SDK or own code in your client app to help do authentication , for authorization part , you can also register your web api in the same identity provider . For example , you are using the google authentication external login in your client app , you will should register your client app and web api on google's application registration page , then you could use OpenID Connect hybrid Flow to authentication user and get access token for accessing web api . Each identity provider provides how to implement authentication/authorization with lots of documents.
You can have an endpoint that allows anonymous access and takes the token and verifies it. Then it can send back a JWT that contains claims/roles that you want to enforce on the specific user. Every time the client accesses a secure endpoint, it can send your JWT in the header which gets verified before the specific method in your API controller is called. You can look into OAuth flows if you want to integrate social logins.
For example, Google has this documentation for OAuth-
https://developers.google.com/identity/sign-in/web/backend-auth
I am trying to make use to IdentityServer4 for authentication and authorization. We have set of new and existing applications.
At this moment in time we have:
- 1 ReactJs application - (there is no authentication as it's a new application) but it will use Implicit Flow using oidc-client
- 1 quite old Web Form application - which will possibly use Hybrid flow (I still need to figure it out)
- 2 .NetCore MVC web applications - they both will use Hybrid Flow
There are Few apis project that we want to protect using IDS4.
WebForm and MVC Applications both uses their own Web Services to talk to the some database to verify user credentials and let the user login to the application.
Eventually we want to migrate users from that existing database to a seperate User database. IdentityServer will also make use of this new User Database for SSO + Api Authrization.
I am thinking of creating a seperate api just for User Authentication (possibly AspNetIdentity as a webapi) and IdentityServer4 to communicate with this api to validate username/password? Does that seems right?
Also How do I configure IDServer4 to use Api for authentication rather than using services.AddIdentityServer().AddAspNetIdentity() which will directly talk to my AspNewIdentity database? and How to sure this api? Any samples I can find?
I had to do something like this, I found these useful
http://docs.identityserver.io/en/release/quickstarts/1_client_credentials.html
http://docs.identityserver.io/en/release/quickstarts/2_resource_owner_passwords.html
I used it to protect an api via users that came from Asp Identity.
Hope that helps.
IdentityServer4 doesn't really do users out of the box. The ASP.Net Identity integration just exists to get you up and running quickly. If you want to implement your own user store and sign in/out/up flows then you're totally free to do that however you want.
That said, I'm a fan of having the IDP own its own data - i.e. the users and their credentials. This helps keep you on the straight and narrow when it comes to not mixing authentication and authorization. The Auth in OAuth is client authorization don't forget.
I am looking at adding custom authentication to my existing Xamarin.Forms app through Azure Mobile Services. Currently, my app authenticates itself against an existing WebAPI but the authentication isn't secure and I don't really want to start trying to create my own secure authentication process for production. I thought that Azure Mobile Services would be a good way of being able to keep the custom authentication side of my app (authentication against a current identity provider isn't an option) however I already have all the storage etc set up in an existing SQL database by sending it to the WebAPI first and then saving details.
I guess my question is: Is it possible to set up Azure Mobile Services with my current WebAPI acting as a kind of middleman? The basic workflow would include my app sending the log in details to the WebAPI, the WebAPI passing these on to Azure Mobile Services for authentication and then returning the response including token to the app after being stored on the WebAPI side.
The reason I thought that Azure Mobile Services would be a good choice was because it also provides support for push notifications as well as the custom authentication side of things.
Thanks.
Take a look at the following for custom authentication: https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/
Short version - yes, it is possible. You create a custom WebAPI that mints a ZUMO token within your Azure Mobile Apps SDK Within that minting process, you can check the users credentials (either a token, remote API or whatever) any way you want.
I am not sure if that is possible. You are trying authenticate through two different application. It might be possible to write the mobile service client login code in your web API app to use authentication from Mobile Service app and get the token back. But then you still have to manage the user sessions between your Xamarin app and web api app, cross origin stuff and etc,
Since mobile service app really is a web api wrapped with some extra functionality, have you considered moving your web api app to mobile service? That might be easier in my opinion.
Yes, this is possible.
In our app the user is able to register and to login with twitter and Facebook but with own email + pw, too.
In wams we sync the social account and "our" account (stored in the db).
Have a look at ClaimsIdentity and Microsoft.WindowsAzure.Mobile.Service.Security IServiceTokenHandler to implement custom authentication and returning a custom token.