IdentityServer4 with EmberJs - c#

I have configured EmberJs to use IDS4 before, but there I use it with simple-auth and torii. However, on the site I am building now I do not want a popup for auth, and I also want to allow users to register through my site.
WRT the first issue (no popup), I can see that I can use
mgr.signinRedirect();
As shown in https://github.com/IdentityServer/IdentityServer4.Samples/blob/release/Quickstarts/7_JavaScriptClient/src/JavaScriptClient/wwwroot/app.js#L41
But that would mean hosting the login page as part of IDS, and that means maintaining the CSS, markup and JS to make it look like it's a part of the main site; this I do not want to have to do.
What is the way to handle this?
The EmberJs site has a .NET Web API backing it. Is there a way to POST the username/password to the API and have the API proxy the auth?
WRT the second issue (registration), I guess the question is: is there a way to do the same as above? Send the new user details to the API and have that issue the request to IDS to create the user?
[UPDATE]
From looking around the quickstarts, it seems there is no way to allow a JS client to register and authenticate without using a popup or a redirect to the views hosted on IDS... am I right?
This is crazy...

Related

Hide Web Page From Public - WebMatrix 3

I am using C# Razor in order to make a social network. There are webpages that contain sensitive data, and I don't want someone to go to that URL and see it, not even by going to Inspect Element and opening it through there. So is there a way to warn the user that "This web page is not allowed"?
You have to implement authentication and authorization in order to control who can actually access any given route in an MVC application. I can only recommend that you start by reading the official site www.asp.net/mvc/overview/security about authorization and authentication.
With the proper authentication/authorization the server will simply not send any data, or you could redirect to a specific "not allowed" page.
I agree with Louis, you should get this book here which helped me a ton. http://www.apress.com/9781430257523
The literal answer you are looking for concerns the use of authorization attributes you place above controller actions or the controllers themselves. So an action might look like this:
[Authorize]
public ActionResult UserAccount(Guid id){...}
By setting up authentication using ASP.NET Identity you will be able to automatically redirect visitors who are not logged in to another page, etc.
Also, if you need to make sure that the currently logged in user is not going to (for example) another user's personal page (account settings?), you would do a simple check on the server side to prevent this. Something like so (pseudo code):
if(User.Identity.GetUserId() != account.OwningUserId)
return RedirectToAction("404", "Shared");
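The two checks in this answer, authentication via [Authorize] and a per-record ownership check, combined in one ASP.NET MVC 5 controller. This is an added example, not code from the answer above; the Account class and the IAccountRepository interface (and the constructor injection that supplies it) are assumed for illustration.

```csharp
using System;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Assumed for illustration: the record being protected and the store it comes from.
public class Account
{
    public Guid Id { get; set; }
    public string OwningUserId { get; set; }   // ASP.NET Identity user id (a string)
    public string Email { get; set; }
}

public interface IAccountRepository
{
    Account Find(Guid id);   // returns null when no such record exists
}

// Every action on this controller needs an authenticated user; anonymous
// requests are redirected to the login page by the cookie authentication middleware.
[Authorize]
public class AccountController : Controller
{
    private readonly IAccountRepository _accounts;

    public AccountController(IAccountRepository accounts)
    {
        _accounts = accounts;
    }

    // GET /Account/UserAccount/{id}
    public ActionResult UserAccount(Guid id)
    {
        Account account = _accounts.Find(id);

        // Being logged in is not enough: the record must belong to the caller.
        // A missing record and someone else's record both yield 404, so the
        // response does not reveal which ids exist (the answer's "404" redirect
        // expressed as a status code rather than a redirect).
        if (account == null || !IsOwnedByCurrentUser(account))
            return HttpNotFound();

        return View(account);
    }

    private bool IsOwnedByCurrentUser(Account account)
    {
        string currentUserId = User.Identity.GetUserId();
        return string.Equals(currentUserId, account.OwningUserId, StringComparison.Ordinal);
    }
}
```

The ownership comparison is the part that is easy to forget: [Authorize] only proves that some user is logged in, so without it any authenticated user could walk the id space and read every account.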

How perform Login request to *.aspx site from c# mobile app

I'm trying to perform a login request in C#, but I don't know how to do it. I tried to find an aspx web API, but with no result. Do you know something about it?
Here is the URL: https://www.bikes-srm.pl/Login.aspx
Everything I tried is sending a request with this header:
webreq.Headers["Authorization"] = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("login:password"));
Seeing how you tagged ASP.NET and mentioned "c# mobile app," here's one potential answer to your problem. This article covers the approach in detail, summarized below:
You can use a WebBrowser control to login to a website, wait until the content is loaded, and then retrieve the HTML data, cookies, get/set values of input elements, and access running scripts.
However, keep in mind:
Security: If more than one person can login, you will need to sandbox each user, clear tracking data, cookies, etc. at the end of each session and manage multiple states. If financial transactions occur through that website, you're taking risks.
Harder to maintain: The id's / names for the form fields or URLs can change, and when they do, your program may break.
Liability: from a legal perspective, who's responsible for what happens through your program? Do you have written permission to access their website from your program?
The WebBrowser control is part of System.Windows.Forms, but it looks like you'll be using it from within an ASP.NET site or a mobile app. What are the consequences? Research this.

C# Web API - Security for some of the GET requests

On an existing host I've added Web API Models & Controllers. I've added the following four:
Products
Orders
Categories
Users
When someone accesses the localhost:port\api\products, it returns all the products in JSON format.
The Create, Update and Delete statements are completely disabled, so we are only able to use GET requests on the API (so either \api\products for a list of all products or api\products\# for a single product with id #).
Because the other CRUD operations aren't used, there isn't a lot of security that should be added to the Web API, except for one thing: the Users.
These will also return emails and such, which would be better kept private and unreadable without the proper authorization (without entire log-in pages, but with a way to authenticate yourself when accessing the Web API in, for example, Android HttpGet requests).
So, the question: how should I add authorization for only the UsersController accessed by the Web API?
And, how can I encrypt the JSON in C# and decrypt it in Android again? If this second part is too big to answer I'll make a new question later on; my main focus is the low-end [<- without log-in pages, so built into the GET request] authorization of the Web API's GET request for Users.
Edit 1: I did find this link, where a new project is made with Authorization changed to Individual Users. I also see that the user is registered and then logged in with POST and GET requests.
The following questions came into mind when reading through this link:
How to change the Web API's Authorization to Individual Users on an existing project?
Our authorization is done through OAuth (mainly Google-account) with our work e-mail address. I guess it's not possible / easy to authorize in the same way as in the link with a Google-account on Web API GET-requests.
Edit 2: After using the first link provided by Vladimir Gondarev, I've added [Authorize] to both Get methods in the UsersController. In my project everything else was already used before, like a class that uses the AuthorizeAttribute, so just adding [Authorize] was already enough for the first step. Now in the browser I get an unauthorized (JSON) response back when I'm not logged in, which is good.
The next step would be to add the OAuth-authorization to the Android app, but that is an entire new problem / question that I will look into first before asking a new stackoverflow-question.
The simplest solution would be "Basic Authentication". In order to implement it you have to derive from AuthorizeAttribute and then apply it to a method or a controller.
Here you can find further info:
What is basic authentication:
http://www.asp.net/web-api/overview/security/basic-authentication
Implementation:
ASP.net Web API RESTful web service + Basic authentication
You don't have to encrypt anything as long as you use HTTPS transport.
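What "derive from AuthorizeAttribute and apply it to the controller" looks like for ASP.NET Web API 2, as an added example (not code from the answer or from the linked articles). It parses the Basic header, checks the credentials against a store, refuses to accept credentials over plain HTTP (the answer's point that HTTPS replaces application-level encryption), and returns a proper 401 challenge. The ICredentialValidator interface and its in-memory PBKDF2 implementation are assumed for illustration; a real project would use its existing user store.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web.Http;
using System.Web.Http.Controllers;

// Assumed for illustration: the store the attribute validates against.
public interface ICredentialValidator
{
    bool Validate(string userName, string password);
}

// Demo store holding salted PBKDF2 hashes, never plaintext passwords.
public class InMemoryCredentialValidator : ICredentialValidator
{
    private const int Iterations = 100000;
    private readonly Dictionary<string, Tuple<byte[], byte[]>> _users =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);

    public void Add(string userName, string password)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        _users[userName] = Tuple.Create(salt, Derive(password, salt));
    }

    public bool Validate(string userName, string password)
    {
        Tuple<byte[], byte[]> entry;
        if (!_users.TryGetValue(userName, out entry)) return false;
        return FixedTimeEquals(Derive(password, entry.Item1), entry.Item2);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }

    // OR all byte differences so the comparison time does not depend on where they differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class BasicAuthenticationAttribute : AuthorizeAttribute
{
    // Set once at startup; a real project would resolve it through the dependency resolver.
    public static ICredentialValidator Validator { get; set; }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        var request = actionContext.Request;
        // Basic credentials are only base64-encoded, so refuse plain HTTP outright.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps) return false;
        var auth = request.Headers.Authorization;
        if (auth == null || !"Basic".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(auth.Parameter)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter)); }
        catch (FormatException) { return false; }
        // RFC 7617: user-id ":" password; only the first colon separates them.
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;
        string userName = decoded.Substring(0, colon);
        string password = decoded.Substring(colon + 1);
        if (Validator == null || !Validator.Validate(userName, password)) return false;
        var principal = new GenericPrincipal(new GenericIdentity(userName, "Basic"), new string[0]);
        actionContext.RequestContext.Principal = principal;
        Thread.CurrentPrincipal = principal;
        return true;
    }

    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        // 401 with a challenge so clients know which scheme to retry with.
        var response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"users\""));
        actionContext.Response = response;
    }
}

// Applied to the one controller that returns private data; the others stay anonymous.
[BasicAuthentication]
public class UsersController : ApiController
{
    // GET api/users: only reached after IsAuthorized returned true.
    public IHttpActionResult Get() { return Ok(new[] { User.Identity.Name }); }
}
```

Two caveats for the Android client side of this: the scheme check uses the URI the server saw, so behind a TLS-terminating proxy it must be replaced by a check of the proxy's forwarded-protocol header; and because the credentials travel with every request, the client should pin or at least strictly validate the server certificate, otherwise the "you don't have to encrypt" argument no longer holds.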

Is there a way to customize the Thinktecture.IdentityServer.v2 login page?

I'm using the Thinktecture.IdentityServer.v2 app to perform SSO for a couple of internal apps, but I would like to customize the login page for each application to have a smoother user experience. I can't seem to find a way to do that.
Can the login page be customized depending on the source application the client is coming from?
"I can't seem to find a way to do that." - How hard have you tried? ;)
The RP has the extra data fields, so you can hang something like a CSS name off the RP in the registration database. Further, you can get to that RP data from the sign-in page; quoting the comment in AccountController:
// you can call AuthenticationHelper.GetRelyingPartyDetailsFromReturnUrl to get more information about the requested relying party
By the way, IdentityServer's GitHub repo has an issue tracker; you should use that for questions.
You can always have the RP pass a custom query string param and customize off of that. But you're outside the bounds of WS-Federation at that point. Plus, you must think about the nature of SSO -- the user is really signing into the IdP, not the app. So changing the IdP to look like the app is somewhat disingenuous.
I have solved this by customizing SignIn.cshtml to adjust the style to what I need. Additionally, I have server-side code at the top of SignIn.cshtml that does some string matching on the ReturnUrl (Request.QueryString["ReturnUrl"]). Then I show a different logo and header text based on some values I know to be unique for the different RP URLs.
When upgrading to a new version of the Thinktecture MVC app, it will be a small job to update only this file to your specifics (just remember to keep a copy of your modified SignIn.cshtml before you upgrade).
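A tighter form of the ReturnUrl matching described in the last answer, as an added example (not the Thinktecture code and not the answer's own SignIn.cshtml). ReturnUrl is supplied by whoever sent the browser to the sign-in page, so instead of substring matching on the raw string it parses the absolute URLs found in it (the ReturnUrl itself or its query parameters such as wtrealm/wreply) and compares their hosts exactly against a fixed map. The RpTheme class, the host names and the asset paths are assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Assumed for illustration: what the view needs to render per-RP branding.
public class RpTheme
{
    public string Logo { get; set; }
    public string Header { get; set; }
    public string Css { get; set; }
}

public static class SignInBranding
{
    private static readonly RpTheme Default = new RpTheme
    {
        Logo = "~/Content/logo.png", Header = "Sign in", Css = "~/Content/signin.css"
    };

    // Keyed by RP host name (assumed values); anything not listed gets the default look.
    private static readonly Dictionary<string, RpTheme> ThemesByHost =
        new Dictionary<string, RpTheme>(StringComparer.OrdinalIgnoreCase)
        {
            { "intranet.example.com",
              new RpTheme { Logo = "~/Content/intranet.png", Header = "Intranet", Css = "~/Content/intranet.css" } },
            { "timesheets.example.com",
              new RpTheme { Logo = "~/Content/timesheets.png", Header = "Timesheets", Css = "~/Content/timesheets.css" } },
        };

    public static RpTheme Resolve(string returnUrl)
    {
        foreach (string host in CandidateHosts(returnUrl))
        {
            RpTheme theme;
            if (ThemesByHost.TryGetValue(host, out theme)) return theme;
        }
        return Default;   // unknown, missing or malformed ReturnUrl: neutral branding, never an error
    }

    // The host of returnUrl itself when it is absolute, plus the host of every query
    // parameter value that is an absolute http(s) URL (wtrealm, wreply, ...). Only
    // Uri-parsed hosts are compared, so a crafted ReturnUrl cannot select a theme
    // merely by containing a known host name somewhere as a substring.
    private static IEnumerable<string> CandidateHosts(string returnUrl)
    {
        if (string.IsNullOrWhiteSpace(returnUrl)) yield break;

        Uri outer;
        if (Uri.TryCreate(returnUrl, UriKind.Absolute, out outer) && IsHttp(outer))
            yield return outer.Host;

        int q = returnUrl.IndexOf('?');
        if (q < 0) yield break;
        var parameters = HttpUtility.ParseQueryString(returnUrl.Substring(q + 1));
        foreach (string key in parameters.AllKeys)
        {
            Uri inner;
            if (key != null && Uri.TryCreate(parameters[key], UriKind.Absolute, out inner) && IsHttp(inner))
                yield return inner.Host;
        }
    }

    private static bool IsHttp(Uri uri)
    {
        return uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps;
    }
}

// In SignIn.cshtml (Razor), in place of ad hoc string matching on the raw ReturnUrl:
//   @{ var theme = SignInBranding.Resolve(Request.QueryString["ReturnUrl"]); }
//   <link rel="stylesheet" href="@Url.Content(theme.Css)" />
//   <img src="@Url.Content(theme.Logo)" alt="" />
//   <h1>@theme.Header</h1>
```

Because the theme is looked up by exact host and every value is server-defined, the worst a crafted ReturnUrl can do is pick one of the existing themes; it can never inject a stylesheet or logo path of its own. Where the RP registration already carries a CSS name, as the first answer suggests, the map can be replaced by that lookup and this helper only has to supply the validated host.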

Restfull urls for ASP.NET page on IIS

OK, I had a huge issue giving this a proper title; my apologies for that.
Anyway, I have slowly started to look at the web and ASP.NET again. I am a C# developer, but I have mostly worked with Windows applications for the past 5 years or so. It is not that I haven't touched the web as such in that time, but that has been as web services (RESTful as well as the ugly SOAP services); I have also worked with more "raw" web requests.
But I have not worked with IIS or ASP.NET in all that time.
What I would like to do is host a web page that uses a URL style I could best describe as "like REST", hence the "RESTful URLs" title, because I think most people think of such URLs in terms of:
http://example.com/item/
http://example.com/item/23/
and so forth. Not that they have to look like that, however I would like to use such URL's instead of
http://example.com/item?id=23
I know Subtext does this, but I have not had any luck finding it in their code base.
Now as far as I can tell I could just implement some IHttpHandlers, but at least in the examples I have seen of that, they write the page source back in code, and I still have master pages etc. that I wish to use instead of taking over all that stuff myself. I really just kind of want to route http://example.com/item/23/ to http://example.com/item and ask for the item with id 23...
I hope this makes sense at all >.<... And that someone has some better examples at hand than what I have been able to find.
You can achieve this using Routing. Here is a link to an MSDN blog post, The .Net Endpoint - Using Routes to Compose WCF WebHttp Services, that should get you started.
If you're looking at ASP.NET/IIS, another option to look at is ASP.NET MVC. It's pretty straightforward to create RESTful services.
Here's a tutorial:
http://www.codeproject.com/Articles/233572/Build-truly-RESTful-API-and-website-using-same-ASP
So here are your options:
For the .NET 3.5 SP1 framework with IIS 7 you can use the ASP.NET routing feature to get the MVC-style URLs you mentioned. You should create a custom route handler implementing the IRouteHandler interface, as explained in How to: Use Routing with Web Forms, and register your route rules in the Application_Start method in Global.asax. For your example you can register a route like this:
routes.Add("ItemRoute", new Route
(
"item/{itemId}",
new CustomRouteHandler("~/item.aspx")
));
and then you can access itemId in your routed item.aspx page by checking the request context items:
requestContext.HttpContext.Items["itemId"]
For .NET Framework 4 MVC you don't have to create a custom handler; you can directly use
routes.MapPageRoute("ItemRoute", "item/{itemId}", "~/item.aspx");
in your Global.asax Application_Start method.
This link explains more about Routing.
A way of achieving this is using URL rewriting.
If you're planning to host your Web application in Internet Information Services 7.x, you can take advantage of IIS URL Rewriting Module:
http://www.iis.net/download/urlrewrite
URL rewriting is just mapping a friendly URL to an unfriendly, common one, which is programming-friendly to inspect GET parameters.
For example:
http://yourdomain.com/item/48 => http://yourdomain.com/Items.aspx?Id=48
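The two routing variants from the answers above carried through to working code, as an added example that is not from the answers or the MSDN article they link: a CustomRouteHandler for .NET 3.5 SP1 that copies the route values into HttpContext.Items (which is what the answer's `requestContext.HttpContext.Items["itemId"]` reads), the equivalent .NET 4 MapPageRoute registration, and the item.aspx code-behind. Both registrations carry a route constraint so only an all-digit id ever reaches the page. The page name, the ItemPage class and the route names are assumed.

```csharp
using System;
using System.Web;
using System.Web.Compilation;
using System.Web.Routing;
using System.Web.UI;

// .NET 3.5 SP1: hand the request to a Web Forms page and expose the route
// values through HttpContext.Items, as the first answer's item.aspx expects.
public class CustomRouteHandler : IRouteHandler
{
    private readonly string _virtualPath;

    public CustomRouteHandler(string virtualPath)
    {
        _virtualPath = virtualPath;
    }

    public IHttpHandler GetHttpHandler(RequestContext requestContext)
    {
        foreach (var pair in requestContext.RouteData.Values)
            requestContext.HttpContext.Items[pair.Key] = pair.Value;

        // Compile and instantiate the page; master pages and the normal page
        // lifecycle still apply because the handler returned is the Page itself.
        return (IHttpHandler)BuildManager.CreateInstanceFromVirtualPath(_virtualPath, typeof(Page));
    }
}

public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        RegisterRoutes(RouteTable.Routes);
    }

    public static void RegisterRoutes(RouteCollection routes)
    {
        // Constraint: itemId must be all digits, so "/item/abc" or "/item/23;x" is a
        // 404 before any page code runs. Routing anchors the pattern for you.
        var constraints = new RouteValueDictionary { { "itemId", @"\d+" } };

        // .NET 3.5 SP1 form (custom handler from above):
        routes.Add("ItemRoute", new Route("item/{itemId}", null, constraints, new CustomRouteHandler("~/item.aspx")));

        // .NET 4 form, used instead of the line above when the built-in page routing
        // is available (route values then also appear as Page.RouteData):
        // routes.MapPageRoute("ItemRoute", "item/{itemId}", "~/item.aspx", true, null, constraints);
    }
}

// Code-behind for item.aspx (.NET 4; on 3.5 read Context.Items only).
public partial class ItemPage : Page
{
    protected int ItemId { get; private set; }

    protected void Page_Load(object sender, EventArgs e)
    {
        object raw = RouteData.Values["itemId"] ?? Context.Items["itemId"];
        int id;
        if (raw == null || !int.TryParse(raw.ToString(), out id) || id <= 0)
        {
            // Defensive: the route constraint should already have rejected this.
            Response.StatusCode = 404;
            Response.End();
            return;
        }
        ItemId = id;
        // ... load item `id` with a parameterised query and bind it to the page controls
    }
}
```

The constraint matters more than it looks: with "item/{itemId}" unconstrained, anything after /item/ is handed to the page as a string, and it is then up to every consumer of Items["itemId"] to validate it before it reaches a query. With the IIS URL Rewrite approach from the last answer the same idea applies, and the rewrite rule's match pattern should be equally narrow (for example `^item/(\d+)/?$`) rather than a catch-all.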
