I am developing an app that is presented with a login screen containing the usual username and password text inputs.
When pressing the Login button the code is supposed to make a HTTP Web Request to the Wordpress website as an attempt to log in.
I have had a look at the WP plugins called JSON API and JSON API USER
but the documentation is very limited.
How would I go about to properly log in to the Wordpress website as well as retrieving user information from databases?
NOTE:
I'm developing in Xamarin but any code examples from any language is fine, as I could easily port the code.
To connect to the Wordpress website's system and interact with it, you need to indeed make a few API calls.
Using the plugins JSON API and JSON API USER is the easiest way to do so.
Install JSON API and JSON API USER plugins from the website control panel
Make a Web Requests, one after another, to get nonce and get authorization cookie using the the following calls:
Nonce: http://www.mywordpresswebsite.com/api/get_nonce/?controller=user&method=generate_auth_cookie&insecure=cool
and
Auth Cookie: http://www.mywordpresswebsite.com/api/user/generate_auth_cookie/?username=USERNAME_HERE&password=PASSWORD_HERE&insecure=cool
NOTE:
At the end of the requests you can see the parameter insecure=cool.
This is used for unsecured communication.
Related
I am new to .NET core and while I have .NET experience, I have never built authentication, in the past I've always worked on project not started by me. I am just trying to learn and find good resources and I would greatly appreciate if anyone knows tutorial or if it can explain how to solve this.
When using external logins, I followed those instructions here. This all works well if I create simple web api project and run, I get a web page where I can login, authenticate, works perfect. But this is not my end goal, I am building Web APIs not a Web Application. In my case let's say I have iOS and Android apps and my external login is done on the app itself, how would I pass token to Web APIs? I want to use [Authorize] method in Web APIs to make sure that no un-authorized access is made agains APIs and in addition to that I would like to use roles.
I am assuming token information is passed in header. But what is the header name for token? Can external authentication be used with roles or that is only possible if I store username/password? Can you point me to some good tutorial or anywhere I can learn more because all google search returns back to same like I have mentioned above and it is not very descriptive.
In general , your web api will work like a identity provider , it will issue and validate the JWT tokens :
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
You can also implement authorization with the help of your external login provider .If you have SDK or own code in your client app to help do authentication , for authorization part , you can also register your web api in the same identity provider . For example , you are using the google authentication external login in your client app , you will should register your client app and web api on google's application registration page , then you could use OpenID Connect hybrid Flow to authentication user and get access token for accessing web api . Each identity provider provides how to implement authentication/authorization with lots of documents.
You can have an endpoint that allows anonymous access and takes the token and verifies it. Then it can send back a JWT that contains claims/roles that you want to enforce on the specific user. Every time the client accesses a secure endpoint, it can send your JWT in the header which gets verified before the specific method in your API controller is called. You can look into OAuth flows if you want to integrate social logins.
For example, Google has this documentation for OAuth-
https://developers.google.com/identity/sign-in/web/backend-auth
I'm building a rest API in ASP.Net that will be used by both a web site and a mobile app. The mobile portion of it is done, and it generates an Auth Token that the app hangs on to and sends as a header for every request to the API.
I'm now trying to build out the web app portion of the API and am realizing I may have made a mistake in my security of the API. It seems to me that I cannot simply pass back an Auth Token to the web app that gets sent back and forth as that would leave my API vulnerable to CSRF. I also cannot have the API check for a cookie from mobile, as mobile can't set cookies.
What would be the best way to secure this API so it can be safely used by both a website and a mobile app?
Turns out that using headers to pass the auth key back and forth is perfectly fine, so long as the auth key expires in a reasonable amount of time.
I have Asp.Net MVC application and Xamarin.Forms mobile application with Azure Mobile App as back end. All will be hosted in Azure cloud. I need to integrate Google, Microsoft and Azure AD authentication into it.
I came across many tutorials/blogs on how to do this, but none on how to create my own redirect URI.
I would like to create one universal redirect URI for each of the authentication provide and host it in cloud. Basically it should process the token, and I would like to retrieve basic user properties like user ID and name to be returned back to the calling app - in my case either the MVC or Xamarin mobile app.
Appreciate any sample project on this.
I think following two urls should be able to give you good idea about how to use oauth in azure mobile:
http://www.strathweb.com/2014/02/running-owin-pipeline-new-net-azure-mobile-services/
http://blog.nankov.com/azure-mobile-services-configuring-the-owin-pipeline/
As per oauth itself. The you will need to understand (if you havent already) different oauth flow types and decide which one best suits your scenario.
https://www.rfc-editor.org/rfc/rfc6749
For e.g. if you are using pure javascript client then implicit grant will be the best option in my view.
If you look at the implicit grant flow (for e.g.) it uses redirect uri. So When client makes a request , it uses a predefined url (given by the auth server to the client before hand). The server look at the url (and the client_id) and if it matches then it sends the response back (with a token) to that url only.
The url is location at the client's app would be something like https://client.com/someuniquelocation/ (for e.g.)
Hope this helps.
Edit:
Have a look at the following:
Redirect to ReturnUrl after successful cookie authentication in Owin, Katana & Nancy
http://xabikos.com/web%20application/interception/middleware/2015/01/26/asp.net---create-an-owin-middleware-to-trigger-a-permanent-redirect.html
https://msdn.microsoft.com/en-us/library/microsoft.owin.owinresponse.redirect(v=vs.113).aspx
I looked everywhere for an answer about securing my webApi but always i'm pointed to OAuth or openID, but i don't want the user to login or authenticate. This is my problem:
I have a webapi which is called via Javascript to get the data in Json. This data is used in the Html of that page. (deployed on Azure)
Now i don't want someone else to get that data via Javascript or with a simple GET request. Only my html page is allowed to do so.
I'm looking for something to secure my Webapi to be only consumed by the applications i want. If i look to the OAuth and Azure stuff, people always have to login, but i want this page to be public, but only the webapi needs to be secure.
I can't check on IP, because the call is done at client side in the browser.
It is not possible to authenticate and thus secure the API to be used by a specific client (run entirely in the browser - like SPAs) app. You cannot protect the data the app sends to the API. (see for more details Protecting REST API behind SPA against data thiefs)
You could build some modules server side and then use some token based server to server communication if you do not want to introduce users and end user authentication.
Of course it is also a question of how you interpret security.
If it is just that you do not want other web apps to use the data -
CORS policies will do the job. It is unlikely that there will be more
than some isolated cases of users using a browser other than the
popular once which respect CORS.
If it is you do not want data to be mass downloaded you could
implement some client filtering based on IP. This could even be done
on the networking layer so the API do not need to be modified in any
way.
As a suggestion, you can have it secured making sure the request has some headers defined by you. For example, you can set an Authorization header with a token that only you know. You can for example, create a token based on a key that you and the webapi share, encrypt it with the time you are calling the api. The web api receives the request and:
1 - Check if the request has the token it requires;
2 - if it does, it creates a token the same way your page did;
3 - matches its token with the requests token;
If you are calling the webapi via javascript, the method may be exposed. However, it's one idea
Take a look to CORS (Cross Origin Resource Sharing), it may be your solution.
In synthesis you can allow requests to the Api only from some specific websites. Most, nearly all browsers, support it.
This is how you enable and configure it in Web Api 2.
I've been trying to find out a solution to my problem for a couple of days.
Searching out gave me many options, none of them I could adapt to my scenario.
I have a web application (C# ASP.NET) which have to post some data to another application, in another domain, working as a SSO. (HTTP POST to another domain with SSL with redirection)
The application on the other domain is expecting a post with some data in plain text on JSON format, to then redirect the user to another page.
I can't use form submit, because it send the form itself to the application, not only my data, so it can't read the data I'm sending.
XMLHttpRequest did work, but then, as an ajax call, it doesn't redirect the user, and I can't get back the Location header from the response.
I don't have control over the other application, and I'm allowed to use only our libraries, so JQuery is not an option.
Does anyone knows how can I achieve this? Server side or client side.
Most POST-based cross-domain SSO scenarios work like this:
fresh unauthenticated browser goes to service provider
service provider redirects to SSO url with certain query string (usually containing small request signed by service provider, to identify this service provider to SSO gate)
browser performs a GET to SSO gateway url
SSO gateway responds with some interactive logon UI
browser gets user's name/password input and posts them to SSO gateway
SSO gateway verifies and responds with an HTML page with a small Javascript in it, containing the authentication response data
Javascript in its turn instructs browser to POST authentication response data back to the service provider URL
Read here: http://en.wikipedia.org/wiki/SAML_2.0#HTTP_POST_Binding
You will also greatly benefit from reading through SAML2, OAuth and WS-Federation specs.