I'm trying to find a full tutorial on creating your own extent authentication service. Similar to the ones you see that say "Login with Google" or Facebook or Twitter... How do I create my own version of those? Including allowing creation of "apps", creating their app key and secret.
Maybe I'm searching for the wrong terms when looking, I'm not sure.
Ive have a need for a central login service where applications will be able to login a user and receive their information if they have sufficient permissions.
I'm using c# and web api 2 if this helps.
Thanks
IdentityServer (3 or 4 depending on your .Net preference) would be a good place to start. It is an open source project that supports the OAuth2 / Open ID protocols and is very well documented to show you where to plug in your app into the pipeline. https://identityserver4.readthedocs.io/en/release/index.html
Related
I have a c#-based program that can send messages and files to our SlackWorkspace via my SlackApp (I'm using HttpClient to communicate with Slack).
Now, to distribute this program in my workspace and to make it so that every user will have his own identity, it says that I have to use OAuth and create verification-tokens, specific for each user.
It says in the Slack-documentation I have to use a redirect-URL (as per docs) to my own server.
We have a server that I potentially could use for this. But I have never done anything like this before and I am unclear on what "answer" I have to provide from our server. I thought the verification-process would be handled by Slack.
Anyone has an idea on how to approach this?
And before anyone asks - yes we need to install it for everyone and make them identifiable as themselves. We can't use the "SlackApp" as user. :)
I would be very grateful for code examples(in c#) and explanations on how this whole redirect-thing is working.
Slack uses the standard Oauth 2.0 protocol to authenticate apps, similar to Google and Facebook.
So the "verification-process" is indeed mostly handled by Slack (as outlined here), but your Slack app needs to initiate it and handle the responses properly. Also its a multi-step process and includes the user having to login into Slack with their credentials. This why you need a web app to handle the whole process.
To enable a Slack app to generate tokens via Oauth a web app is needed:
can be reached from the Internet
able to handle HTTP requests like a web server
has persistent storage for the newly generated tokens
This is probably easier to implement with ASP.NET Web Pages, which can utilize many functions from an existing web server.
But for this answer, lets look on an implementation in .NET Core. For that we need to create our own web server and some rudimentary session handling. Main concepts include:
HttpListener class for providing fundamental ability to listen and respond to HTTP requests
Handle multiple requests in parallel
Cookies / Session handling
MD5 hashes
The details go a bit beyond the scope of one answer. But I am happy to share a working example implementation on this GitHubGist.
Btw: For the local development of such a web app its recommend to use a VPN tunnel like ngrok, that allows one to expose a local machine securely to the Internet and Slack.
I am trying to set up an IDP-Initiated SSO. I am helping out the IT department at the company I work at and do not have access to Active Directory right now (I am in intern doing IT in another department and they seem to think I can test without it).
The only data I need to get from AD is the user's login id, so in theory I don't think not having access to AD will be a problem...?
(Username should be the same as .NET's:
`Environment.UserName; ')
My task is to basically create a SAML token and send it to our RP (on another domain), who should take care of the rest.
Where can I start? I've not done something like this, so I'm sort of confused. I believe I just need to build a token and then post it, but I'm not sure how to begin. I've looked at some tutorials but they don't seem to fit my situation. If anyone has any tutorials on my specific case it would be much appreciated.
Thank you!
You've tagged this C# and .NET so looks like you live in the Microsoft world.
The normal way to do this is via ADFS and then configure your RP.
But you want to do IDP Initiated which is a SAML feature. What protocol does your RP support? There is no client-side Microsoft SAML support - although there are 3rd party tools.
Update
Suggest using ADFS - good example of how to configure here.
Years ago I wrote a 6 part tutorial on integrating a custom STS with the ADFS. Part 2 of that tutorial is on creating a custom STS.
http://www.wiktorzychla.com/2011/08/quest-for-customizing-adfs-sign-in-web.html
Note that the tutorial aims at WIF 4 that was a separate download at that time. Nowadays, WIF is integrated with .NET 4.5 so that some subtle details (namespaces etc) can vary.
Also note that WIF supports SAML 1.1.
I am building a set of services based on MVC 4. They should all be a part of the same authentication system. Currently I have got a separate project for all the model handling, including the Forms Authentication you get by default when making a new MVC 4 app.
Now, I would like to make a toolbar for logging in to our cloud services, and this toolbar must be made in such a way that it can be imported into our other services. Logging in with this toolbar should log you in to all our services, that are separated into different MVC apps. Thus logging in when browsing "service1" and then going to "service2", you should still be logged in with the same user.
Can anyone point me in the right direction here? Should I make a separate MVC app for this toolbar, and somehow reference it in all of my other projects? Should I export my controllers into a separate project and use them? I am not sure what the best practice is here, nor where to find the info I need on the matter.
Since you will be hosting your applications on different domains, you could implement some Single Sign On mechanism the way SO does it over the Stack Exchange network: https://meta.stackexchange.com/questions/64260/how-does-sos-new-auto-login-feature-work/64274#64274
Different domains means that you won't be able to share the Forms cookie. You should rather learn how to use one of the enterprise Single Sign-on protocols - using a recognized protocol means that you can easily integrate other applications, even if they are developed in different technologies (standarized protocols are supported by most development environments).
Possible candidates are:
the OAuth2 protocol. It is a respected protocol as Google, LiveID, Facebook, Twitter and others support it. To build an OAuth2 server you will need a framework like the DotNetOpenAuth.
WS-Federation. Got a lot of attention in .NET world as we got the Windows Identity Foundation framework which lets you create WS-Federation servers and clients.
Anyway, my advice is to invest your time now as this will pay off well in future.
I know I have seen apps that log me in using Facebook but never present me with an authorization screen. I can not, for the life of me, figure out how to do this with Windows Phone 7. The best I have been able to get is using the Facebook for C# SDK to get the authorization screen in a WebView. This looks hideous and the page does not even appear to be mobile ready.
I have searched high and low for an answer and have found nothing. Wondering if anyone can point me in the right direction to getting this to work?
Yes, I also saw this kind of apps (e.g. Spotify prompts you to enter your Facebook account credentials rather than using the normal authorization flow). My best guess is that they either some kind of premium partners and have access to some private APIs or they use custom authorization flows (e.g. when you authorize an app on a website, the system saves authorization key in the database. The same app id/secret is then used in Windows Phone app and all you need to do is to type in your email/username in order for the system to locate authorization key that was saved earlier).
I also don't like the approach of displaying Facebook login/auth using WebBrowser control (mostly because of UI inconsistency) but I'd say that this is still the way to go in most cases (because this is the official and recommended way of authorizing the app and all other approaches seem hacky for me and also have their disadvantages).
You will want to be using the "server-side authentication" approach. The following document describes how it works: Server-side authentication (read also OAuth Dialog documentation for how to configure the authentication dialog). You can change the way the UI looks by passing a display parameter (either to touch or wap).
Please note that display=touch is currently broken in Windows Phone - Facebook always falls back to wap which is deprecated and will be removed as per July 2012 update (corresponding case: Facebook API can't be used with Windows Phone apps). It's also among known issues on Facebook C# SDK project page: Facebook C# SDK - Known issues.
Hope this clarifies things a bit.
Ultimately I want to create a desktop app that allows users to update their own status, view status' of their friends, update pics etc. - basically a lot of the functionality the facebook website provides. Through looking through some tutorials and sample projects it seems that an app must be created for the facebook account. Now is this the facebook account of the developer (i.e. mine) - which will provide an API key that will allow any other user to log in?? Does every desktop project need to authenticate the user through a facebook dialog window to take the users' credentials?? Where does OAuth fit into this?? If anyone can shed any light as to the structure of the facebook api and the ways in which I can grant this functionality from say a WPF C# app for example I would really appreciate it.
EDIT: Before complaints of a potentially huge question or too 'vague', my question is specific to the integration/use of the facebook API in desktop applications - not how to then retrieve status feeds etc. I'll work that out myself.
Per Facebook documentation, all desktop apps will need to implement some form of web browser integration, whether embedded within the desktop app or controlled.
See: http://developers.facebook.com/docs/authentication/
Desktop Apps
Our OAuth 2.0 implementation does not include explicit desktop app
support. However, if your desktop app can embed a web browser (most
desktop frameworks such as .NET, AIR and Cocoa support embedding
browsers), you can use the client-side flow with one modification: a
specific redirect_uri. Rather than requiring desktop apps to host a
web server and populate the Site URL in the Developer App, we provide
a specific URL you can use with desktop apps:
https://www.facebook.com/connect/login_success.html.
Don't worry it took me two solid days of trial and error and re-re-reading of the documentation on authentication to finally "get" it.