I want to implement authentication and authorization in my application. I am developing my application using AngularJs and ASP.NET Web API.
I want to achieve:
Its an intranet application and want to use windows authentication.
For Authorization, we want to maintain a table in database with username and role column and using this table we will be authorizing users.
Please suggest how could I implement this within my application using AngularJs and Web API.
Set up your WebAPI libraries to use Windows Authentication. Add your [Authorization] attributes to your controllers. Your startup logic can certainly pull role names from your database and add those roles for use in the [Authorization] attributes on the controllers/methods.
I don't know that I'd do this on a per-username basis though - I'd create some roles (e.g. admin, user) and control those through AD if I was using Windows Auth. I'd then just store the AD group names as my role names.
Angualr.JS doesn't really factor into the picture much at all here - the auth will be handled by the browser. The one thing you may want or need is some way to get the user name from the User object in the API layer - in other words, creating an API method to return information about the logged in user (including that user's name, which won't be managed by the Angular.JS application as it might be if you were using some other form of authentication).
Related
I am trying to create a full stack app (with React.js on frontend and ASP .NET Core Web API on the backend). The login process needs to be done using Active directory, as users are employees within a single organization. Frontend must get a token (using a MSAL library) and then send it to backend, where it has to decode it and, basing on it recognize user and register every session in the database, and let users perform actions set with their roles. Those roles, need to be assigned in database.
Does anyone know how to do that? Even an example project like that would help me immensely, because everything I have found so far is very basic.
For implementing the authentication in Asp.net core follow this doc here.
Authorization in Azure AD can also be done with Application Roles. Application Roles in Azure AD are by no means mutually exclusive. They can be used in tandem to provide even finer grained access control.
In your react-app (client) you can get the token, then access webAPI with the token. You can then take a look to this source code.The only different will be that you will call your own webAPI instead of Microsoft graph.
For controlling the authentication session read more here link.
How can I combine an ADFS based and a user database based authentication methods into a single process or at least result in a single User object with claims and roles so I can use AuthorizeAttribute?
I have two ASP.Net MVC applications that I need to combine into a single application, we're eliminating duplicated functionality. Normally this would be a snap, but this one isn't. The problem is the user authentication App 1 uses ADFS and our AD accounts for authentication. The other application (App 2) uses a user database with salted and hashed passwords. Not all users in App 2 have, and will never have, AD accounts. That is corporate policy and not negotiable.
In another application I was able to add additional claims to the User object for dynamically named claims and a custom AuthorizeAttribute. I'm sure I'll need to perform the same action on the App 2 accounts, but I'm not sure how to integrate the two styles seamlessly.
Probably the easiest way is to use identityserver 4 to handle the DB authentication and then federate ADFS and identityserver.
Or use a SaaS Identity provider like Auth0 for the DB side. Then federate ADFS and Auth0.
I am developing a ASP.Net Core Web app with an AAD-B2C as LogIn-Provider. So users have to log in first to access the site --> Authentication.
Then, I want to evaluate what the user actually is allowed to access --> Authorization
I have a requirement that RBAC is used and the roles are handled NOT in any kind of AD, but in our own database which again is behind a REST API. So I went with my custom implementation of Microsoft.AspNetCore.Identity.IUserRoleStore<MyUser> to retrieve my users and roles from my REST API and registered that in Startup.ConfigureServices
services.AddIdentity<MyUser, MyRole>();
services.AddTransient<IUserStore<MyUser>, MyUserStore>();
services.AddTransient<IUserRoleStore<MyUser>, MyUserStore>();
But now the default Authentication does not seem to work anymore (as MyUser is totally different from the ASP.Net default User, e.g. MyUser does not have User.Identity.IsAuthenticated). Also I can't see the site ever calling MyUserStore.IsInRoleAsync when I added a Razor directive like User.IsInRole("Admin").
Am I missing something ? Is is not possible to "split" ASP.Net Core Identity to handle Authentication one way (AAD-B2C) and Authorization another way (custom Store) at the same time? Or am I just calling it in a wrong way?
If you are using Azure AD B2C you need to have custom roles defined within your Azure AD and I am fairly certain that the situation you are describing is not supported. B2C does not include group claims in the token it sends to the application but some workarounds are suggested here. Azure AD B2C - Role management
I have an Owin-based MVC application which uses my web api to provide many functionalities. At the moment the user should login to both of them separately (using ajax calls, at the login page I do the login for web api and receive the token as well), but both use the same table, so there is only one place to store the user information.
Unfortunately other MVC applications are using separate username and passwords and are not using the mentioned api. As now I should create a new MVC app which is again the same domain I am looking for a way to use a single username and password (managed by one main MVC app) for whatever reason it's needed, i.e., all the MVC apps and the web APIs use the same username and password, and therefore for example I can use the [Authorize] attribute or roles, ... in all of them.
Is there any known solution for this? Does Creating an OAuth authorization server suit this problem?
Implementing Single-Sign on using OpenID Connect on top of OAuth2 fits your requirement. checkout identityServer3 or identityServer4 if you are using .net core.
basically, you will need to setup a shared STS authority, and all your applications will use this authority to validate a requests using a OWIN middleware to check for token validity.
On first login, The STS authority will issue a token for the user, and you will need to manage through your front-end/back-end code, re-using the token when navigating across multiple applications/domains.
C# ASP.NET Single Sign-On Implementation
I am building an intranet website. And I am still unsure of how to implement the security of the website. I am using ASP.NET MVC 3.
Anyone in the company can access the website. It is a recognition system where you can nominate an employee for an award. Currently I am not using any type of authentication. I have a roles table that contains roles and an association table that specifies which user contain what roles, these roles are mainly administrator-type roles. If a user does belong in these roles then he/she can still access various parts of the website.
Would I need to use the built-in membership for this? Or would I need to create a custom membership for this? We don't use a login page. If the user does not have roles to access a view then he/she is redirected to another page.
We use IIS to do our authentication. Is this the same as Windows authentication? I have the roles table used for authorisation.
I'm just a little confused at the moment, I am hoping someone can give me some more clarity.
You can very well use ASP.Net MembershipProvider and RoleProvider for this
For tutorials on how to use them you should look at Videos at asp.net.
Here's a walk-through at MSDN
This blog post by Scott Guthrie might help:
Recipe: Enabling Windows Authentication within an Intranet ASP.NET Web application
For Intranet web applications, the most common authentication scenario to use is called Windows Authentication. Windows Authentication avoids the need to create a login form within an application, and does not require end-users to manually enter their username/password credentials to login to the application. Instead, ASP.NET and IIS can automatically retrieve and validate the Windows username of the end-user visiting the site in a secure way