Asp.Net Webhook Subscription outside the webhook project - c#

I have created a webhook custom sender project as described here. When I try to subscribe to the webhook using Postman I get a login error. As per my understanding, to subscribe I must provide a dashboard sort of thing where users come and subscribe to events. I want the user to call the subscription API directly from their own app. How can I do that? I don't see any documentation which tells me about all the parameters in the subscription request. Need help.

You get the login error because you probably decorated the controller with the Authorize attribute, and you need to be logged in in order to access the actions within. You can replace it with the AllowAnonymous attribute if you don't need to be logged in.
If you do, then log in normally on the site and grab the cookie (token, etc.) which holds the authentication information and send that along with the Postman request.
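The "log in, keep the cookie, send it with the subscription call" sequence the answer describes, as an added C# example; it is not part of the original post and not the ASP.NET WebHooks library's own code. The login route (Account/Login) and its form field names, the registration route (api/webhooks/registrations), the body shape and the event name "order.created" are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;

// Added example: subscribe to a cookie-protected ASP.NET WebHooks sender from a
// separate client application. Login route, field names, registration route and
// body shape below are assumptions, not the library's documented contract.
public static class WebHookSubscriber
{
    // senderBase must end with "/" so the relative paths combine correctly,
    // e.g. new Uri("https://sender.example.com/").
    public static async Task<HttpStatusCode> SubscribeAsync(
        Uri senderBase, string user, string password, string receiverUrl)
    {
        // CookieContainer keeps whatever cookies the login response sets and
        // replays them on every later request to the same host.
        var cookies = new CookieContainer();
        using (var handler = new HttpClientHandler { CookieContainer = cookies })
        using (var client = new HttpClient(handler) { BaseAddress = senderBase })
        {
            // 1. Log in the same way a browser would (assumed form login route).
            var loginForm = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["Email"] = user,
                ["Password"] = password,
            });
            var login = await client.PostAsync("Account/Login", loginForm);
            login.EnsureSuccessStatusCode();

            // A 200 from a login form can still mean "wrong password" (the form is
            // re-rendered); the reliable signal is that an auth cookie was issued.
            if (cookies.GetCookies(senderBase).Count == 0)
                throw new InvalidOperationException("login did not set an auth cookie");

            // 2. Register the receiver. The handler attaches the cookie for us.
            //    The secret is generated here and must be kept by the receiver,
            //    because the sender signs each notification with it.
            var registration = new
            {
                WebHookUri = receiverUrl,
                Secret = Guid.NewGuid().ToString("N") + Guid.NewGuid().ToString("N"),
                Filters = new[] { "order.created" },          // assumed event name
                Description = "registered from the client app",
            };
            var body = new StringContent(
                JsonConvert.SerializeObject(registration), Encoding.UTF8, "application/json");
            var response = await client.PostAsync("api/webhooks/registrations", body);
            return response.StatusCode;
        }
    }
}
```

If the sender's Login action is decorated with [ValidateAntiForgeryToken], the client would first have to GET the form and echo back the __RequestVerificationToken field and cookie; at that point it is cleaner to protect the registration controller with bearer tokens (OAuth/OWIN) instead of scraping a browser login form. Either way the registration endpoint should stay authenticated: whoever can register a receiver URL receives every event for that user.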

Related

Keycloak set custom in access_token claim via API

I need to set a custom claim in the access_token from within a C# application. Is there a way to achieve this?
So that I can create custom access_tokens on the fly.
I read through the Keycloak API reference but was not able to find a solution.
I need this because I have a user that, depending on the application state, should get access to different resources. I don't want to create different users to achieve this. I do not want to save information in the cookies to achieve this. And I also do not want to save information in the URL to achieve this.
I already tried to use a uma-ticket token for this as described here. But all I got was this error:
{
"error": "invalid_grant",
"error_description": "Invalid bearer token"
}
The most common option is to implement dynamic behaviour via claims. At the time of token issuance, the authorization server can reach out to an API endpoint (or database), to send account attributes and receive back custom attributes.
In Keycloak you need to use a protocol mapper for this. The last time I looked you had to develop one in Java, then configure it in the Admin UI for your client app. There is a worked example here.
This is usually a better design than trying to issue new user-level access tokens on the fly. E.g. an access token contains the important values used for authorization, such as role=manager or subscription_level=gold, so that the claims are trusted. The resources they grant access to could then vary a little based on runtime conditions.

IdentityServer4 custom token validation called only once

I am currently working on the logic of custom token validation. I need to deactivate the token when the user's password is changed (the change-password endpoint is public).
I have implemented the ICustomTokenRequestValidator interface and resolved my class via DI:
.AddCustomTokenRequestValidator<TokenHashValidatorService>();
However, I can see the following problem: my implementation of ICustomTokenRequestValidator only works when I generate a token, and only during the first request to my API.
In the logs I see the following information:
JWKS request from log
During the first request to the API, requests to /.well-known/openid-configuration and /.well-known/openid-configuration/jwks are sent. But when I send a second, third, etc. request my breakpoint in TokenHashValidatorService is skipped.
Is there any way I can forcefully initiate a second /.well-known/openid-configuration and /.well-known/openid-configuration/jwks request?
Or maybe I can somehow mark that "token validation needed" during the change-password flow?
I'm really stuck and out of options; I've read all the articles out there. Any ideas?
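An added example (not from the thread, and not IdentityServer4's own code) showing where a "password changed, reject older tokens" check actually has to live. ICustomTokenRequestValidator runs inside IdentityServer's token endpoint, i.e. once per token request, so it never sees the API calls that follow; the discovery and JWKS documents are fetched once by the API and cached. The API's own JwtBearer handler runs OnTokenValidated on every request, so the comparison between the token's issue time and the last password change goes there. IPasswordChangeStore, its in-memory implementation, the authority URL and the audience "api1" are assumptions for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

// Added example. IPasswordChangeStore is a hypothetical store that the
// change-password endpoint writes to; in production it must be shared storage
// (database/cache) visible to every API instance, not this in-memory stand-in.
public interface IPasswordChangeStore
{
    Task<DateTime?> GetLastPasswordChangeUtcAsync(string subject);
    Task RecordPasswordChangeAsync(string subject, DateTime changedAtUtc);
}

public sealed class InMemoryPasswordChangeStore : IPasswordChangeStore
{
    private readonly ConcurrentDictionary<string, DateTime> _changes =
        new ConcurrentDictionary<string, DateTime>();

    public Task<DateTime?> GetLastPasswordChangeUtcAsync(string subject) =>
        Task.FromResult(_changes.TryGetValue(subject, out var t) ? t : (DateTime?)null);

    public Task RecordPasswordChangeAsync(string subject, DateTime changedAtUtc)
    {
        _changes[subject] = changedAtUtc;
        return Task.CompletedTask;
    }
}

public static class PasswordChangeTokenPolicy
{
    // A token minted before the last password change is stale. The skew covers
    // the issuer's and the API's clocks not being perfectly aligned.
    public static bool IsStale(DateTime issuedAtUtc, DateTime? lastChangeUtc, TimeSpan clockSkew) =>
        lastChangeUtc.HasValue && issuedAtUtc + clockSkew < lastChangeUtc.Value;

    // Wires the per-request check into the API's JWT bearer handler.
    public static void AddApiAuthentication(this IServiceCollection services)
    {
        services.AddSingleton<IPasswordChangeStore, InMemoryPasswordChangeStore>();
        services.AddAuthentication("Bearer")
            .AddJwtBearer("Bearer", options =>
            {
                options.Authority = "https://localhost:5000"; // IdentityServer4 (assumed)
                options.Audience = "api1";                    // API resource name (assumed)
                options.Events = new JwtBearerEvents
                {
                    // Runs on every request that carries a bearer token, after the
                    // signature, issuer, audience and lifetime have been validated.
                    OnTokenValidated = async context =>
                    {
                        // Default inbound claim mapping may have renamed "sub".
                        var subject = context.Principal.FindFirst("sub")
                            ?? context.Principal.FindFirst(ClaimTypes.NameIdentifier);
                        var jwt = context.SecurityToken as JwtSecurityToken;
                        if (subject == null || jwt == null)
                        {
                            context.Fail("token has no subject or is not a JWT");
                            return;
                        }

                        var store = context.HttpContext.RequestServices
                            .GetRequiredService<IPasswordChangeStore>();
                        var lastChange = await store.GetLastPasswordChangeUtcAsync(subject.Value);

                        // jwt.IssuedAt is the "iat" claim as a UTC DateTime.
                        if (IsStale(jwt.IssuedAt, lastChange, TimeSpan.FromMinutes(1)))
                            context.Fail("token was issued before the last password change");
                    }
                };
            });
    }
}
```

The change-password endpoint calls RecordPasswordChangeAsync(userId, DateTime.UtcNow) after the new password is saved; from then on every request with an older token fails at OnTokenValidated, no second JWKS fetch needed. The other standard route is to switch the client to reference tokens and introspection, and remove the subject's stored grants in IdentityServer4 on password change (IPersistedGrantService), which revokes at the issuer instead of the API.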

Asp.Net Core 2.2 - Understanding Authentication Middleware and External Logins

I have been trying to wrap my head around this concept but have many questions and unfortunately, all official documents and tutorials are based on Visual Studio templates with individual user accounts.
My goal is pretty straightforward, I believe. I have a web application which will only support external provider logins (namely Facebook, Twitter, and LinkedIn). I do not want to support cookie authentication since there won't be support for custom username/password.
My first problem is to define a default AuthenticationScheme. Below is my startup.cs:
services.AddAuthentication()
.AddFacebook(/* options */)
.AddTwitter(/* options */)
If I define a controller action with the Authorize attribute I get a "no default authentication scheme defined" error when I hit that route. However, I want users to be redirected to my login route if they are unauthorized. If I modify startup.cs like below it all works, but then I think I support cookie (old forms authentication?) authentication, which I don't want to.
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie()
.AddFacebook(/* options */)
My other issue is that I don't know what happens under the hood of the AddFacebook() call. If I set up my middleware this way and log in with Facebook, I magically get all the necessary tokens and claims, and suddenly I have an application cookie set and my fb_login callback route can access Facebook's token! When I check the network requests I see there is a hit to the signin-facebook route (which I didn't define) and I guess under the hood it calls HttpContext.SignInAsync() etc... but if I refresh my fb-login callback and check whether
HttpContext.AuthenticateAsync(FacebookDefaults.AuthenticationScheme)
returns Success = true: no! It returns false! But it was true just one second ago?
Also, when should I be using methods like AuthenticateAsync() and SignInAsync()?
Long story short I need a tutorial or documentation that explains this middleware without asp.net Identity framework, EntityFramework and templates.
I want to understand how a simple AddFacebook() call binds everything, and if I want to manually do that (say with AddOauth) how can I achieve the same functionality?
I'm not a fan of "automagically working" code, so if someone can explain what's going on here I'd very much appreciate it.
Cookie auth is used to persist the authenticated state between requests. There is no substitute for this, and no, it's not the same as forms auth, though cookies are used in both cases. The reason for that is simply that cookies are what makes state work over the HTTP protocol, which is itself stateless. If you exclude the use of cookies, then there is no other mechanism to maintain state.
Using something like the Facebook auth scheme directly authorizes the initial request, but again, because there is no state, the next request is no longer authenticated without going through the Facebook OAuth flow again.
Long and short, the other auth schemes are there for things like APIs, where each request is typically authenticated individually via something like the Authorization header. A web browser doesn't work this way, and instead relies on cookies to handle subsequent authorization. No cookies, no auth.
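The two-scheme arrangement the answer describes, written out as an added ASP.NET Core 2.2 example without Identity, EntityFramework or the templates (this is not code from the question or the answer). The cookie scheme is the one that persists the user and that [Authorize] challenges; Facebook is a remote scheme that only handles the round-trip and then hands the result to its SignInScheme. The configuration keys Facebook:AppId/AppSecret and the routes /login, /login/facebook, /login/callback and /logout are assumptions.

```csharp
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.Facebook;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Added example for ASP.NET Core 2.2 with external logins only. Config keys and
// routes are assumptions; call AddExternalOnlyAuthentication from ConfigureServices.
public static class ExternalLoginSetup
{
    public static void AddExternalOnlyAuthentication(this IServiceCollection services, IConfiguration config)
    {
        services.AddAuthentication(options =>
            {
                // The cookie answers "who is this?" on every request and is the
                // scheme [Authorize] challenges (redirect to LoginPath) without it.
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            })
            .AddCookie(options =>
            {
                options.LoginPath = "/login";
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.SameSite = SameSiteMode.Lax; // Lax: still sent on the redirect back from Facebook
            })
            .AddFacebook(options =>
            {
                options.AppId = config["Facebook:AppId"];
                options.AppSecret = config["Facebook:AppSecret"];
                // Facebook is a remote scheme and stores nothing itself. Its handler
                // owns /signin-facebook (the default CallbackPath): it exchanges the
                // code, builds a ClaimsPrincipal and calls SignInAsync on SignInScheme.
                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.SaveTokens = true; // keep access_token inside the cookie's properties
            });
    }
}

public class LoginController : Controller
{
    // [Authorize] failures land here via the cookie scheme's LoginPath.
    [HttpGet("/login")]
    public IActionResult Login(string returnUrl = "/")
    {
        var safeReturn = WebUtility.HtmlEncode(returnUrl);
        return Content(
            "<form method=\"post\" action=\"/login/facebook\">" +
            $"<input type=\"hidden\" name=\"returnUrl\" value=\"{safeReturn}\"/>" +
            "<button>Sign in with Facebook</button></form>", "text/html");
    }

    // Challenge with the Facebook scheme starts the OAuth redirect; RedirectUri
    // is where the remote handler sends the browser once the cookie is set.
    [HttpPost("/login/facebook")]
    public IActionResult Facebook(string returnUrl = "/")
    {
        var props = new AuthenticationProperties
        {
            RedirectUri = Url.Action(nameof(Callback), new { returnUrl })
        };
        return Challenge(props, FacebookDefaults.AuthenticationScheme);
    }

    // Reached only after /signin-facebook has already signed the cookie in, so
    // authenticate against the cookie scheme here; that is what holds the state.
    [HttpGet("/login/callback")]
    public async Task<IActionResult> Callback(string returnUrl = "/")
    {
        var result = await HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        if (!result.Succeeded)
            return Challenge(FacebookDefaults.AuthenticationScheme);

        var accessToken = result.Properties.GetTokenValue("access_token"); // present because SaveTokens = true
        // ... map the external identity (result.Principal) to your own user record here ...
        return LocalRedirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }

    [HttpPost("/logout")]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return Redirect("/");
    }
}
```

AddFacebook is AddOAuth with Facebook's authorization, token and user-info endpoints and claim mapping preconfigured. Doing it by hand with AddOAuth means setting AuthorizationEndpoint, TokenEndpoint, UserInformationEndpoint and CallbackPath and filling in claims in Events.OnCreatingTicket; the sign-in half (the handoff to SignInScheme) is identical. The real login form should also carry an anti-forgery token on the POST to /login/facebook.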

How to use external authentication services on a ASP.NET MVC Web Api

I'm developing an ASP.NET MVC Web Api with Visual Studio 2013, C# and .NET Framework 4.5.1.
I was reading this article and it is very interesting. It only talks about ASP.NET MVC applications and it doesn't say anything about how to implement it with Web API.
I think I can use it with Web API but I don't know how because, as I read in the article, I will need a login page and a web API doesn't have one.
If I will consume that web api from mobile phones (iOS, Android, Windows Phone, etc.); what do I have to do?
Maybe I will need a login form on the mobile app, or maybe I will need a login page on my web api to allow login on Google, Facebook, etc.
Any advice?
@VansFannel, this is an old question and I'm guessing you have moved on, but I'm leaving this here for future seekers.
You are correct, it does not offer a login page, but it does offer what the login page itself would use.
Before I begin, go download a Chrome plugin called Postman. I'll show a few screenshots as I go along using it. I've set up a basic Web API with the sample Values controller still in it, but protected with [Authorize]. I'm running my sample Web API at http://localhost:54211 for this example.
Here is a high level process:
Creating a User
I'm guessing you don't have any users in this new DB yet, but if you do just skip this. Otherwise, this is how you create them without a UI.
POST to http://localhost:54211/api/Account/Register
The post should be x-www-form-urlencoded, and should include the following fields:
email --- For example "test@somedomain.com"
password --- For example "Test123!"
confirmpassword --- For example "Test123!"
If the body is empty and the header status was 200, then it was successful:
If it failed, you'll get back a header status error of 400 and some kind of error in the body like:
Authenticating
Ok, we have a user in the database, lets authenticate with the WebAPI.
POST to http://localhost:54211/token
The post should be x-www-form-urlencoded, and should include the following fields:
grant_type --- Set it to "password"
username --- For example "test@somedomain.com"
password --- For example "Test123!"
In the results from the server, if successful (status 200), you will get back what is called a "Bearer Token"; it's located in the "access_token" field, like this:
For your test, copy that token value to the clipboard (in your app you could store this away in a variable).
Calling a WebAPI method with a Bearer Token
If you try to call an [Authorize] protected method without being authenticated, you will see something like this returned:
But you already authenticated, right? So why doesn't it know you anymore? Because it's REST based and it's stateless - it doesn't know you anymore after the call is complete. So, you have to "remind" it of who you are each time a call is made. You do this by passing the token you received earlier with every request.
Call the URL (http://localhost:54211/api/Values/) using whatever verb you need (GET,POST,etc). I'm using GET below, because in the ValuesController that is what is required.
In the Header of the request, I add the following field: "Authorization" and it's value as "Bearer [token]" where [token] is the token you stored away earlier.
If you get back a success (200) you can check its body data and it will have your response:
And that is how it's done! I hope that helps you or others down the road.
Web API provides support for integrating with social networks like Facebook, Twitter, Microsoft and Google via the OWIN pipeline.
Find a sample here which provides facebook login support for a web api.
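The three Postman steps of the first answer (register, obtain a bearer token, call an [Authorize] action) as an added C# console client; this is not code from the thread or from the Web API template. It targets the same http://localhost:54211 sample and uses the answer's constructed test account; the Newtonsoft.Json package is assumed to be referenced.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Added example client for the register / token / call sequence. Credentials are
// the answer's constructed test values; never hard-code real ones like this.
public static class WebApiTokenClient
{
    public static async Task Main()
    {
        // Trailing slash so relative paths combine correctly.
        using (var client = new HttpClient { BaseAddress = new Uri("http://localhost:54211/") })
        {
            await RegisterAsync(client, "test@somedomain.com", "Test123!");
            var token = await GetTokenAsync(client, "test@somedomain.com", "Test123!");
            var values = await CallProtectedAsync(client, token, "api/Values");
            Console.WriteLine(values);
        }
    }

    // Step 1: POST api/Account/Register, form-encoded. Success is a 200 with an
    // empty body; a 400 carries the ModelState errors in its body.
    public static async Task RegisterAsync(HttpClient client, string email, string password)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["Email"] = email,
            ["Password"] = password,
            ["ConfirmPassword"] = password,
        });
        var response = await client.PostAsync("api/Account/Register", form);
        if (response.StatusCode == HttpStatusCode.BadRequest)
            throw new InvalidOperationException("register failed: " + await response.Content.ReadAsStringAsync());
        response.EnsureSuccessStatusCode();
    }

    // Step 2: POST /token with the resource-owner password grant. The JSON reply
    // carries access_token plus expires_in, which tells you when to log in again.
    public static async Task<string> GetTokenAsync(HttpClient client, string username, string password)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["username"] = username,
            ["password"] = password,
        });
        var response = await client.PostAsync("token", form);
        var json = JObject.Parse(await response.Content.ReadAsStringAsync());
        if (!response.IsSuccessStatusCode)
            throw new InvalidOperationException($"{json["error"]}: {json["error_description"]}");
        return (string)json["access_token"];
    }

    // Step 3: the API is stateless, so every call to an [Authorize] action carries
    // the token in the Authorization header; a missing or expired token gives 401.
    public static async Task<string> CallProtectedAsync(HttpClient client, string token, string path)
    {
        using (var request = new HttpRequestMessage(HttpMethod.Get, path))
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
            var response = await client.SendAsync(request);
            if (response.StatusCode == HttpStatusCode.Unauthorized)
                throw new UnauthorizedAccessException("token rejected; obtain a new one");
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

Two practical caveats for the mobile case in the question: the password grant sends the user's credentials to the API, so it is only appropriate for your own first-party app and only over HTTPS (plain http://localhost is fine for local testing, nothing else), and the returned bearer token is as sensitive as a password for as long as expires_in says, so it belongs in the platform's secure storage, not in a plain preferences file.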

How do I get the requested url from my MembershipProvider class?

I'm currently trying to implement the MembershipProvider class, but my user repository isn't typical of most of the examples I'm finding on the net. Instead of retrieving a user, we simply check the user's identity against an auth server for the requested URL:
User attempts to "POST" to ws.example.com/jobA
Attribute validates the user with the auth server to see if they have access to this action/url
Rejects or accepts the request
A couple of other posts pointed me in this direction for implementing a custom membership provider. The way I figure it, in order to make this work I need to be able to see what the requested URL was, and be able to look at their cookies. In filters, I have access to the HttpRequestMessage. How do I get at the info I need in this context?
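An added example (not from the thread) of the filter approach the question mentions, for ASP.NET Web API 2: both the requested URL and the cookies are available on the HttpRequestMessage inside an AuthorizationFilterAttribute, so the auth-server check can be done there without a MembershipProvider. IAuthServerClient, the cookie name "session" and the JobsController are assumptions for illustration; the filter expects an IAuthServerClient to be registered with Web API's dependency resolver and attribute routing to be enabled.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Added example for ASP.NET Web API 2. IAuthServerClient, the cookie name and
// the dependency-resolver registration are assumptions for illustration.
public interface IAuthServerClient
{
    // Asks the auth server whether the holder of this session may perform
    // `method` on `requestedUrl`.
    Task<bool> IsAllowedAsync(string sessionToken, string method, Uri requestedUrl, CancellationToken ct);
}

public sealed class AuthServerAuthorizeAttribute : AuthorizationFilterAttribute
{
    private const string SessionCookieName = "session"; // assumed cookie name

    public override async Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
    {
        var request = actionContext.Request;

        // Both things the question asks for live on HttpRequestMessage:
        // the full requested URL and the parsed Cookie header.
        Uri requestedUrl = request.RequestUri;        // e.g. https://ws.example.com/jobA
        string method = request.Method.Method;        // e.g. POST

        string sessionToken = request.Headers.GetCookies(SessionCookieName)
            .SelectMany(header => header.Cookies)
            .Where(cookie => cookie.Name == SessionCookieName)
            .Select(cookie => cookie.Value)
            .FirstOrDefault();

        if (string.IsNullOrEmpty(sessionToken))
        {
            // No session at all: 401, not 403, so clients know to authenticate first.
            actionContext.Response = request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // Resolved per request through Web API's dependency resolver (assumed to
        // be configured in WebApiConfig with a container of your choice).
        var authServer = (IAuthServerClient)request.GetDependencyScope().GetService(typeof(IAuthServerClient));
        if (authServer == null)
            throw new InvalidOperationException("IAuthServerClient is not registered");

        bool allowed = await authServer.IsAllowedAsync(sessionToken, method, requestedUrl, cancellationToken);
        if (!allowed)
        {
            // Authenticated but not permitted for this URL/verb: 403.
            actionContext.Response = request.CreateResponse(HttpStatusCode.Forbidden);
        }
        // Leaving Response null lets the action run.
    }
}

// Usage: the attribute on a controller or action; needs config.MapHttpAttributeRoutes().
[AuthServerAuthorize]
public class JobsController : ApiController
{
    [HttpPost, Route("jobA")]
    public IHttpActionResult StartJobA() => Ok("job A queued");
}
```

One caveat when the auth server decides on the raw URL: trailing slashes, case differences and percent-encoding all produce different strings for the same action, so it is safer to also pass the routed controller and action names (actionContext.ActionDescriptor.ControllerDescriptor.ControllerName and ActionDescriptor.ActionName) and have the auth server key its rules on those rather than on a string compare of the path.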
[Although this thread is not specifically about SharePoint membership providers, I will just leave this solution here because I couldn't find it anywhere else, and kept being redirected to this thread while looking for solutions on Google. I hope it helps someone]
For SharePoint membership providers, we have the Security Token Service, which is a WCF service. In this case, System.Web.HttpContext.Current is always null, but you can get the actual request URL using this property:
System.ServiceModel.OperationContext.Current.RequestContext
