I'm in the process of converting a website from using a third-party identity provider to use ASP.NET Identity 2 instead. The site currently does not use any OWIN middleware but simply passes user-provided credentials to the identity provider. We then create a session token if the credentials are correct, and we use the session token on subsequent requests to reconstruct the user's session.
My goal is to get away from using the third-party provider with the minimum of code changes, so my idea is to use the UserManager class in ASP.NET Identity as a drop-in replacement for our third-party provider. In other words, we wouldn't use any Startup.Auth.cs magic to configure automatic challenge-response or cookie setting/validation middleware. We would simply take the user-provided credentials, test them using UserManager.FindAsync, and then continue using our existing flow.
My problem comes with dealing with Facebook logins. Currently, we show a login dialog that, upon successful login, sends us a Facebook token. We then send this token to the third-party provider, who validates it and magically turns it into an email address, first name, and last name. I can't figure out how to do this myself.
I see that if I use the out-of-the-box sample application for ASP.NET Identity, it will do the same thing via OWIN middleware. What I don't see is any way for me to take the token and use some classes somewhere in ASP.NET Identity to convert the token into usable data myself, manually.
(Note: I do see that I can use the Facebook Graph API along with my app ID, app secret, and user token, to recover the name of the user, but I don't get the email address, so something about this approach must be different from what the OWIN middleware is doing.)
Therefore, my questions are:
How do I do manually validate and decode the Facebook token in the same way that ASP.NET Identity OWIN middleware is doing it?
Is this a really dumb idea?
Thanks in advance for any help.
Related
I have a Next.js website I'm working on and a dotnet core API connected to a SQL Server database. I have a login page and intend to create a page to add new users and was wondering how I could do this using dotnet core identity? I added the NextAuth.js package thinking I could utilize it, however it seems to work best if connecting directly to the database and not go through an API.
I managed to return the token to NextAuth.js but I don't know where to go from there. How can I use next-auth to manage the session? Or is there a better way to go about doing this without using NextAuth.js?
My reason for using dotnet core identity is because it already has support for roles and setup is fairly simple and makes authorizing different sections of the API easy. Based on a user's role, they should be authorized to access certain routes or view certain pages.
I tried looking at the following doc from microsoft Intro to auth for SPA, but it's not exactly clear to me how I can manage the session.
First, generally, when we using JWT authentication, the workflow as below:
Client sends a request (which contains the user information, such as: name and password) to server for token
Server receives the user information and checking for authorization. If validated success, server generates a JWT token.
Client receives the token and stores it somewhere locally.
Client sends the token in the future requests.
Server gets the token from request header, computes Hash again by using a) Header from token b) payload from token c) secret key which server already has.
If ("newly computed hash" = "hash came in token"), token is valid otherwise it is tempered or not valid
After configure your application uses Identity and JWT authentication. When a User login, you could send the user information to the server side and check if the current user is valid or not, then generate a JWT token, and on the client side you could store the token in the web storage. After that, when you want to access the resource by passing this token into the authentication HTTP header. More detail information, please refer to the following article: JWT Authentication In ASP.NET Core
Welcome,
I have project asp.net core mvc 3.1 and I have full rest api in PHP. In my .net app I would like to use the token downloaded from api in my .net project.
My goal is to make my own auth attribute which will get the user from usercontext(httpcontext?) and check if he has a token.
I spent several hours searching for a solution but I found nothing similar.
Has anyone encountered a similar problem? Please help.
For example I can use Authorize attribute example attribute with UserManager and SignInManger example managers.
I need the same solution but for tokens. Every user after login receive token from rest api written in php. I need to somehow keep this token and bind it with logged user. Also I would like use attribute in my controller/action which automatically detect if concrete user has token.
I need the same solution but for tokens. Every user after login receive token from rest api written in php. I need to somehow keep this token and bind it with logged user. Also I would like use attribute in my controller/action which automatically detect if concrete user has token.
There are lots of ways to store the state for user level in asp.net core. For example, using cookie, session and HttpContext.Items etc. You can refer to the document below for the details:
Session and state management in ASP.NET Core
And if you are using session, then you need to implement the customer policy authorization to verify the token as your requirement. To use IHttpContextAcessor to access session from HttpContext inside of an authorization handler, see
Access MVC request context in handlers
Use HttpContext from custom components
I have an Owin-based MVC application which uses my web api to provide many functionalities. At the moment the user should login to both of them separately (using ajax calls, at the login page I do the login for web api and receive the token as well), but both use the same table, so there is only one place to store the user information.
Unfortunately other MVC applications are using separate username and passwords and are not using the mentioned api. As now I should create a new MVC app which is again the same domain I am looking for a way to use a single username and password (managed by one main MVC app) for whatever reason it's needed, i.e., all the MVC apps and the web APIs use the same username and password, and therefore for example I can use the [Authorize] attribute or roles, ... in all of them.
Is there any known solution for this? Does Creating an OAuth authorization server suit this problem?
Implementing Single-Sign on using OpenID Connect on top of OAuth2 fits your requirement. checkout identityServer3 or identityServer4 if you are using .net core.
basically, you will need to setup a shared STS authority, and all your applications will use this authority to validate a requests using a OWIN middleware to check for token validity.
On first login, The STS authority will issue a token for the user, and you will need to manage through your front-end/back-end code, re-using the token when navigating across multiple applications/domains.
C# ASP.NET Single Sign-On Implementation
I'd like to create an application using Angular2 as frontend and the new ASPNET 5 WebApi as backend, but when it comes to authentication/authorisation I feel I'm totally missing the point despite all the reading...
Ideally I'd like to authenticate users using an identity provider such as Google or Facebook using Hello.js, I don't really want to have any sort of local registration for users. And then I'd also like to use an ASPNET 5 WebApi backend to access my database.
This article describes exactly what I want, but not with an ASPNET 5 WebApi backend: https://ole.michelsen.dk/blog/social-signin-spa-jwt-server.html
I'm not sure I understand the process right:
After receiving an access token from the identity provider, the SPA should send/forward it to the backend for verification. The WebApi backend should validate it against the provider (at least the first time), and create its own token (JWT) to be sent to the SPA. The SPA simply stores it (local store or session store) and the result is that the user is logged into my application.
Is this correct? Is what I want to achieve possible?
I've looked into other options such as OpenIddict, IdentityServer3/4 but as I understand it, I'd be creating my own identity provider using those, and it's not really what I need. Am I misunderstanding?
Thanks.
As far as i understand, you want:
Authentication with google(you don’t want to use google access token for using google resources)
Authorization with jwt token for web api backend.
So, you need Identity Server3/4, OpenIddict or writing own implementation for creating jwt token. There is similar question with good answers(especially #Tseng’s answer).
For managing jwt token in client side(angular2), see below links:
https://auth0.com/blog/2015/11/10/introducing-angular2-jwt-a-library-for-angular2-authentication/
https://damienbod.com/2016/03/02/angular2-openid-connect-implicit-flow-with-identityserver4/
There is an easy answer here. Use https://auth0.com/ It's free on a small scale and all the details are handled for you. Good samples and good open source participant. No affiliation, just a fan.
I'm writing a tutorial of using IMAP XOAUTH2 authentication in .NET (the standard MVC5 web app which is created by the MVC5 wizard).
I now have all parts except access_token from which I'll create XOAUTH2 IMAP key (the app authenticates, token seems to get refreshed if required, and I know how to build XOAUTH2 IMAP key and do IMAP login when access_token is available). I just need that token.
Although I have some ideas how this can be done I need to make sure I'm not doing anything stupid. For instance, I think I can use something like context.Identity.AddClaim in ConfigureAuth to put the access_token to our identity and then get it from there when doing IMAP login (on another page) but not sure if this info isn't already available.
Maybe, I can have access to that access_token in any place in the code without the need to manually put it in some object (which would be redundant and look silly for a reader experienced in OWIN and MVC5)? I develop .net components for SMTP/IMAP, I'm not a MVC5 expert, just need to write a simple example for using my IMAP lib with it.
Well, looks like saving access/refresh token details in ASP.NET Identity database makes sense anyway (despite the fact is's stored in encrypted cookies). This lets the access token data be accessible even when the browser is not available. For instance, if someone registers in a web app with their Google and Microsoft account and then another app (e.g. Windows service) consumes the access token initially retrieved by the web app to access the user's account (to check for new e-mails or whatever).
Also, it's possible to make sure both versions of access token details (in ASP.NET Identity database and cookies) stay in sync. This is useful if the access token gets updated with a refresh token (as access tokens need to be updated every hour). The standard ASP.NET MVC5 app cannot refresh access access tokens so you need to refresh them by your own code. I extended ASP.NET MVC5 template with refresh tokens, saving access/refresh tokens in ASP.NET Identity database and updating access tokens in cookies to make sure that access tokens in both locations match.
If anyone interested, you can grab some code and explanations at:
http://www.afterlogic.com/mailbee-net/docs/OAuth2RegularAccountsWebApps.html#SyncingTokens