I am able to add Web API in my existing Web Form website project using approach given at http://www.kashyapas.com/2013/05/16/web-api-in-asp-net-web-forms-application/
Now I want to add token based authentication for my API. Please help me to add it?
Mainly client will pass username and password. After authentication for all further requests client should pass toke to access information.
Thank you
Related
I have a web api server on lets say, api.app.com which serves data for my app and i have a separate web server on www.app.com which serves users the pages for the app. I am using a JWT created on the webapi to Authorize the user. The token is created when the client logs in from the login page served on www.app.com with a username and a password. I want www.app.com (web server) to send a request to api.app.com (web api) to authenticate the user and then store the token gotten from the web api inside a cookie on the client.
Then i want only api authenticated clients to have access to pages on the web server, while the web server gets data from the web api on the behalf of the client per request.
I have checked everywhere online, without a clear solution to this
Web apis are usually consumers of JWT tokens. Once received they validate the token, and check claims and proceed based on the result. Your environment is a little confusing to me.
It seems your api app is used as an identity server as well as data provider. It is best to separate these concerns.
I am new to .NET core and while I have .NET experience, I have never built authentication, in the past I've always worked on project not started by me. I am just trying to learn and find good resources and I would greatly appreciate if anyone knows tutorial or if it can explain how to solve this.
When using external logins, I followed those instructions here. This all works well if I create simple web api project and run, I get a web page where I can login, authenticate, works perfect. But this is not my end goal, I am building Web APIs not a Web Application. In my case let's say I have iOS and Android apps and my external login is done on the app itself, how would I pass token to Web APIs? I want to use [Authorize] method in Web APIs to make sure that no un-authorized access is made agains APIs and in addition to that I would like to use roles.
I am assuming token information is passed in header. But what is the header name for token? Can external authentication be used with roles or that is only possible if I store username/password? Can you point me to some good tutorial or anywhere I can learn more because all google search returns back to same like I have mentioned above and it is not very descriptive.
In general , your web api will work like a identity provider , it will issue and validate the JWT tokens :
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
You can also implement authorization with the help of your external login provider .If you have SDK or own code in your client app to help do authentication , for authorization part , you can also register your web api in the same identity provider . For example , you are using the google authentication external login in your client app , you will should register your client app and web api on google's application registration page , then you could use OpenID Connect hybrid Flow to authentication user and get access token for accessing web api . Each identity provider provides how to implement authentication/authorization with lots of documents.
You can have an endpoint that allows anonymous access and takes the token and verifies it. Then it can send back a JWT that contains claims/roles that you want to enforce on the specific user. Every time the client accesses a secure endpoint, it can send your JWT in the header which gets verified before the specific method in your API controller is called. You can look into OAuth flows if you want to integrate social logins.
For example, Google has this documentation for OAuth-
https://developers.google.com/identity/sign-in/web/backend-auth
I'm developing a Web API and was looking to use Azure Mobile Services to authenticate users before allowing calls made to the Web API.
So the user would navigate to a website, choose to log in using their Google/Facebook/etc account and the user would be authenticated using the Mobile Services JavaScript client. From what I understand Mobile Services will then return a authentication token in the form of a JSON Web Token.
What I would like to do is when website calls the Web API it would pass along the authentication token, the Web API would check that it's a valid token issued by Mobile Services and if all is good, then allow the call to be executed.
So my question is...is this possible? If so, could the JSON Web Token Handler for .NET be used to perform the validation on the Web API side?
Yes, that is possible.
If you perform a login using the MobileServiceClient, you will get a token that you can pass along with every request to a Web Api endpoint.
var client = new WindowsAzure.MobileServiceClient('https://yourservice.azure-mobile.net', 'your-client-key');
client.login('facebook').then(success);
function success(result) {
alert('login ok');
}
So when making a request, set the value of header 'X-ZUMO-AUTH' to the current users token you find in client.currentUser.mobileServiceAuthenticationToken after a successful login.
On the server side, add the attribute [AuthorizeLevel(AuthorizationLevel.User)] to Web Api methods that require the user to be authenticated. Thats all.
But make sure, that identity is configured properly on WAMS, and also at the provider side you want to integrate (client id's, client secrets, callback urls, etc.).
I have a website which contains lot of user informations. I want to share those with client website through proper authentication. As I am going to develop this api using asp.net mvc 4, I selected DotnetOauth for providing authentication.
If a website want to access my data from website, they have to register with my developer website, after the registration that website will generate Consumer key and Secret Key. After the registration, for each api request the client will pass these keys. Up to this is done.
Using this Consumer Key and Secret Key, client will send api request and if the valid token is not available in the request, it will redirect to login page. After the successful login, a token will generate and client can use this token for furthor request up to the expiry.
Anybody have idea about creating token based on Consumer Key and Secret Key with the help of DotnetOauth. Iam using Asp.net MVC
Thanks
In order to create an access token using DNOA, you should implement the interface IAuthorizationServerHost. The method CreateAccessToken is the responsible of creating the token.
I recommend you to download DotNetOpenAuth samples, and have a look to 'OAuthAuthorizationServer' project.
Hope this help.
I have the following solution:
Web api project.
MVC 4 project.
I need to authenticate user by sending its credentials using a JSON request (https is a must).
is it a good approach ? and how can i authenticate the user on both web api and MVC .
is it a good approach ?
Yeah, why not.
and how can i authenticate the user on both web api and MVC .
If the Web API requires authentication you could use the same Forms Authentication as the MVC application. So you could configure Forms Authentication in the web.config of the Web API application and then decorate the actions that require authentication with the [Authorize] attribute. Then clients that need to query those methods will need to include the Forms Authentication cookie along with the request.
It is important to note that in order for the Web API to be able to decrypt the forms authentication cookie that was emitted the MVC application, both applications need to share the same machine keys.
You can use Basic Authentication. You need to create Authenticationfilter.
There is an opensource library. (WEbAPIDoddle)
https://github.com/WebAPIDoodle/WebAPIDoodle