Verify OAuth Token then provide my own token - c#

I'm struggling about the best way to go about this.
We have a mobile app where the user can login using various 3rd party providers (Facebook / Google etc).
The app then sends the token to the C# Web API for registration of the user (or login if they exist).
The only way I can see to implement OAuthAuthorizationServerProvider is with options I do not have access to (username & password etc). I want this to verify that the Facebook token sent from the application is valid (by using the Facebook API - this is not a problem). Then, if correct, generate a bearer token from my API so I know they are authenticated and can map that authentication to a user in the DB.
Everything online seems to only cater for the web api end either accepting a username and password or getting the server to get the facebook (google etc) token to begin with.
I want the API authentication to be based on the user so I can use the standard [Authorize] and Identity system in .net.
Thanks all and I hope that makes sense.

Related

External logins and c# web api

I am new to .NET Core and while I have .NET experience, I have never built authentication; in the past I've always worked on projects not started by me. I am just trying to learn and find good resources and I would greatly appreciate it if anyone knows a tutorial or can explain how to solve this.
When using external logins, I followed the instructions here. This all works well if I create a simple web API project and run it: I get a web page where I can log in and authenticate, works perfectly. But this is not my end goal, I am building Web APIs, not a Web Application. In my case let's say I have iOS and Android apps and my external login is done on the app itself; how would I pass the token to the Web APIs? I want to use the [Authorize] method in the Web APIs to make sure that no unauthorized access is made against the APIs, and in addition to that I would like to use roles.
I am assuming token information is passed in a header. But what is the header name for the token? Can external authentication be used with roles, or is that only possible if I store username/password? Can you point me to some good tutorial or anywhere I can learn more, because all Google searches return the same as what I have mentioned above and it is not very descriptive.
In general, your web API will work like an identity provider: it will issue and validate the JWT tokens:
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
You can also implement authorization with the help of your external login provider. If you have an SDK or your own code in your client app to help do authentication, then for the authorization part you can also register your web API in the same identity provider. For example, if you are using the Google authentication external login in your client app, you should register your client app and web API on Google's application registration page; then you could use the OpenID Connect hybrid flow to authenticate the user and get an access token for accessing the web API. Each identity provider documents how to implement authentication/authorization in detail.
You can have an endpoint that allows anonymous access and takes the token and verifies it. Then it can send back a JWT that contains claims/roles that you want to enforce on the specific user. Every time the client accesses a secure endpoint, it can send your JWT in the header which gets verified before the specific method in your API controller is called. You can look into OAuth flows if you want to integrate social logins.
For example, Google has this documentation for OAuth:
https://developers.google.com/identity/sign-in/web/backend-auth
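The flow asked about in the first question (client obtains a provider token, the API verifies it and hands back its own bearer token) and described in the answer above (an anonymous exchange endpoint, a JWT carrying roles, sent in the Authorization header and enforced by [Authorize]) as an added example in ASP.NET Core; this is not code from any of the posts. It assumes the NuGet packages Google.Apis.Auth and Microsoft.AspNetCore.Authentication.JwtBearer, and the client id, issuer and signing key are placeholders; the UserStore is an in-memory stand-in for the user table.

```csharp
// Added example: exchange a Google ID token for an app-issued JWT, then protect endpoints with the
// standard authorization pipeline. Assumes packages Google.Apis.Auth and
// Microsoft.AspNetCore.Authentication.JwtBearer; client id, issuer and key are placeholders.
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Google.Apis.Auth;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

const string GoogleClientId = "PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"; // our own Google OAuth client id
const string Issuer = "https://api.example.test";                                // placeholder issuer/audience
// HS256 needs a key of at least 32 bytes; load it from configuration/secret store, never from source.
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]
    ?? throw new InvalidOperationException("Jwt:Key is not configured")));

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.MapInboundClaims = false;               // keep the "sub" / "role" claim names as issued
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Issuer,
            IssuerSigningKey = signingKey,
            NameClaimType = "sub",
            RoleClaimType = "role",
            ClockSkew = TimeSpan.FromSeconds(30), // default is 5 minutes; keep expiry tight
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Anonymous exchange endpoint: the app POSTs {"idToken": "..."} with the token Google returned to it.
app.MapPost("/auth/google", async (ExchangeRequest req) =>
{
    GoogleJsonWebSignature.Payload payload;
    try
    {
        // Verifies the signature against Google's published keys, expiry, issuer, and that the token
        // was minted for OUR client id (otherwise any Google-signed token from any app would do).
        payload = await GoogleJsonWebSignature.ValidateAsync(req.IdToken,
            new GoogleJsonWebSignature.ValidationSettings { Audience = new[] { GoogleClientId } });
    }
    catch (InvalidJwtException)
    {
        return Results.Unauthorized();
    }

    // Key the local account on the provider's stable subject id, not on the e-mail address.
    var user = UserStore.FindOrCreate("google", payload.Subject, payload.Email);

    var token = new JwtSecurityToken(
        issuer: Issuer,
        audience: Issuer,
        claims: new[] { new Claim("sub", user.Id), new Claim("role", user.Role) },
        expires: DateTime.UtcNow.AddMinutes(30),
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));

    return Results.Ok(new { access_token = new JwtSecurityTokenHandler().WriteToken(token), token_type = "Bearer" });
}).AllowAnonymous();

// From here on the client sends "Authorization: Bearer <app JWT>" on every request.
app.MapGet("/me", (ClaimsPrincipal me) =>
        Results.Ok(new { id = me.Identity!.Name, roles = me.FindAll("role").Select(c => c.Value) }))
   .RequireAuthorization();

app.MapDelete("/courses/{id}", (string id) => Results.NoContent())
   .RequireAuthorization(p => p.RequireRole("admin"));   // same effect as [Authorize(Roles = "admin")]

app.Run();

record ExchangeRequest(string IdToken);
record AppUser(string Id, string Role);

// In-memory stand-in for the user table; a real API persists this in its own DB. The e-mail is
// stored for display only and never used as the lookup key, since providers may let it change.
static class UserStore
{
    private static readonly ConcurrentDictionary<string, AppUser> Users = new();

    public static AppUser FindOrCreate(string provider, string subject, string? email) =>
        Users.GetOrAdd($"{provider}:{subject}", _ => new AppUser(Guid.NewGuid().ToString("N"), "user"));
}
```

The header name the second question asks about is the standard `Authorization: Bearer <token>`; the JwtBearer handler reads it, validates the token with the parameters above, and populates `HttpContext.User`, so `[Authorize]` and `[Authorize(Roles = "...")]` work without any username/password store. Only the app-issued JWT leaves the server; the Google token is consumed once at the exchange endpoint.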

External Login and app login using firebase and web api 2

I have created a web API application with OAuth2 (token bearer). The application is working fine. But now I want to implement google/facebook sign in with it so that both web and mobile users can use it.
After a bit of searching, I found that Firebase is a good option for this. But I am not able to find a way to authenticate the external token against the access token of the API. Pardon my understanding of Firebase, I am completely new to it (just started a couple of hours ago). I have a few questions regarding this.
Do I have to change my current authentication method and use firebase authentication for internal login as well or is there some other way?
I am storing the data in an external DB. Will I have to use the Firebase DB to validate the user?
How do I validate the access token with external login token?
Kindly suggest. If there's any alternative approach, that too will be appreciated.
PS: I am using Owin for Authentication right now
To use external login with Firebase you need a token, that's all.
https://firebase.google.com/docs/auth/admin/create-custom-tokens
No, you can use your own service to validate your user.
Please read the link that I posted.

Dialogflow, Google Account Linking and ASP.NET Core API (Webhook)

I am a student working on a NLP app for the Google Home for my senior design project. I am wondering specifically:
What is the correct way to implement Google Account Linking and what does Google Account linking provide for registering/authenticating users via Dialogflow (i.e. what the dataflow looks like from initial query to Google logging in, back to Dialogflow, then to my ASP.NET Core API handler).
Does Account Linking return a bearer token in the header back to Dialogflow and thus, back to my handler? Or do I have to parse the originalRequest JSON object to get the user information then validate it against the identity provider?
How can I get the user’s information from the Dialogflow request in my webhook (ASP.NET Core API)? Do I have to parse the originalRequest JSON object to get the user info? From my understanding, and from this awesome tutorial, the HttpContext should be populated after verifying the JWT token. What is still unclear, is how to get the token from Dialogflow and Google Account linking.
I appreciate any help or guidance you can provide for implementing user authentication/authorization from Dialogflow to my .NET webhook.
Lots of questions. Let's take them one by one and try to clear up some things.
What is the correct way to implement Google Account Linking [between the Google Assistant and my system]?
First - you need to understand what Account Linking is.
It lets you provide a way for you to authorize a user access to your services. Google uses this to connect a Google Assistant account to an account on your system.
Since this is against your system, the "correct way" depends on your infrastructure. But in general - it means that you'll be issuing OAuth tokens for Google to use and hand back to your webhook. Details for what is expected are in the Actions on Google documentation.
To be clear - you need to be an OAuth server.
What does Google Account linking provide for registering/authenticating users via Dialogflow?
Nothing.
Well, mostly nothing.
All it will do is hand the user off to your OAuth authorization endpoint if it does not already have authorization for that user. It expects you to hand back tokens that it will use.
Does Account Linking return a bearer token in the header back to Dialogflow and thus, back to my handler? Or do I have to parse the originalRequest JSON object...
The auth token (which you have issued, because you're the OAuth server) will be sent in the JSON object at originalRequest.data.user.accessToken.
...to get the user information then validate it against the identity provider?
You are responsible for validating that the access token is one that you issued and is still valid and then... doing whatever you want with it. One assumes that you'll use it to figure out who the user is, however. How you do that (looking it up in a table, passing it to another service, getting the info out of a JWT, etc) is entirely up to you and how you've implemented the OAuth service and what the format of the token is.
How can I get the user's information from the Dialogflow request?
It depends what "user information" you're expecting. By default, Actions on Google and Dialogflow won't give you any information unless you ask for it - and you don't ask for it via Account Linking. You ask for it via using the Actions on Google permission system. But even the permission system won't give you information you may want (most people want email address - which you can't request).
If you want to do it via account linking - you need to request that information when you set up their account.
Do I have to parse the originalRequest JSON object to get the user info?
If you are using permissions, then yes.
If you're not, then while you can parse the JSON to get whatever is sent (the anonymous user ID), it won't just give you information from their Google Assistant account.
Account linking isn't about getting access to their Actions on Google account - it is about getting access to the account in your system when they access your service via the Google Assistant.
HttpContext should be populated after verifying the JWT token
That article talks about using Firebase Authentication as the OAuth server and how to handle it as a client.
Actions on Google turns this around. You need to be the server. It is the client.
It is certainly possible to build a server that uses Firebase Authentication to authenticate users if that is what you wish to do, and to issue JWT tokens as your bearer tokens, but neither of those are requirements.
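The answer above says the token arrives in the webhook body at originalRequest.data.user.accessToken and that you, as the OAuth server, are responsible for checking that it is one you issued and still valid. As an added example (not code from the answer or from Google), a fulfillment endpoint that extracts the token from that path, validates it as an HS256 JWT signed with the server's own key, and populates HttpContext.User on success; the issuer and key are placeholders, and the JWT format itself is an assumption, since the answer leaves the token format up to you.

```csharp
// Added example: read the Account Linking access token from a Dialogflow v1 webhook request and
// validate it as a JWT that our own OAuth server signed. Issuer, key and token format are assumptions.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

public static class DialogflowAuth
{
    // Walks originalRequest.data.user.accessToken; null means the user has not linked an account yet.
    public static string? ExtractAccessToken(string requestJson)
    {
        using var doc = JsonDocument.Parse(requestJson);
        if (doc.RootElement.TryGetProperty("originalRequest", out var original)
            && original.TryGetProperty("data", out var data)
            && data.TryGetProperty("user", out var user)
            && user.TryGetProperty("accessToken", out var token)
            && token.ValueKind == JsonValueKind.String)
        {
            return token.GetString();
        }
        return null;
    }

    // Validates signature, issuer, audience and expiry of a token WE issued; null means reject.
    public static ClaimsPrincipal? Validate(string token, string issuer, byte[] hmacKey)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = issuer,
            IssuerSigningKey = new SymmetricSecurityKey(hmacKey),
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // refuse "none" or algorithm swaps
            ClockSkew = TimeSpan.FromSeconds(30),
        };
        try
        {
            return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
        }
        catch (Exception e) when (e is SecurityTokenException or ArgumentException)
        {
            return null; // expired, tampered, wrong issuer, or not a JWT at all
        }
    }
}

[ApiController, Route("webhook")]
public sealed class WebhookController : ControllerBase
{
    private const string Issuer = "https://assistant-oauth.example.test";                               // placeholder
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("PLACEHOLDER-32-BYTE-MINIMUM-SECRET-KEY!"); // load from secrets

    [HttpPost]
    public async Task<IActionResult> Fulfill()
    {
        using var reader = new StreamReader(Request.Body);
        var body = await reader.ReadToEndAsync();

        var token = DialogflowAuth.ExtractAccessToken(body);
        var principal = token is null ? null : DialogflowAuth.Validate(token, Issuer, Key);
        if (principal is null)
        {
            // No usable token: answer with a v1 response asking the user to link their account.
            return Ok(new { speech = "Please link your account first.", displayText = "Please link your account first." });
        }

        // The token was ours and is still valid, so HttpContext now carries the user's claims,
        // exactly as it would after the bearer middleware in an ordinary API request.
        HttpContext.User = principal;
        var userId = principal.FindFirst("sub")?.Value ?? "unknown";
        return Ok(new { speech = $"Welcome back, user {userId}.", displayText = $"Welcome back, user {userId}." });
    }
}
```

Because the token is in the request body rather than the Authorization header, the stock JwtBearer middleware never sees it; the manual validation above is what replaces it for this endpoint, and `ValidAlgorithms` pins the expected algorithm so a token claiming a different one is rejected before any key comparison.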

ReactJs + Webapi How do you do external authentication?

I am building a ReactJS website that will communicate with ASP.NET Web API 2 to save and retrieve data,
but I am not sure how to do this.
I know to accomplish this on a high level it would be something like
User comes to my site and hits signup/log
Chooses which provider they want to use (Google, Facebook and etc). I only want to support external providers (i.e. I don't want to have to deal with usernames/passwords)
User is sent to the authenticated part of the site
User clicks "add course"; that data is sent via AJAX to the Web API with some sort of token to prove they have access to these methods.
I am not sure how to implement this. The problems I see are:
ReactJS I guess is handling the authentication part? Then once they've been authenticated it would have to be saved in my DB via the Web API so it knows about this new user?
ReactJS would have to block users from going to secure pages till they are authenticated
The Web API would have to generate a token for the user for that session so they can access the Web API (I want to stop people from consuming my API).
Is there some simple example out there how to achieve this?
Reactjs I guess is handling the authentication part? then once they been authenticated it would have to be saved in my db via webapi so it knows about this new user
Better to use some third-party auth library here like PassportJS that does the auth for you using strategies like Passport-Facebook. This will give you an OAuth access token from Facebook upon authentication. You can now save this token in your cookies (or localStorage); take a look at the security considerations.
Should you store it in a DB? Here are some arguments about it.
Reactjs would have to block users from going to secure pages till they are authenticated
This can be done by checking if they have a valid token.
Web api would have to generate a token for the user for that session so they can access the web api(I want to stop people from consuming my api).
This can be easily achieved by using JSON Web Tokens. Note that you will have to store the JWT on your client side locally, alongside your FB/Google OAuth tokens (or you can relegate that to a single API by storing them in the DB? It's a design choice; I would prefer to store them separately and save a lot of hassle).

Webapi authentication, using client side OAuth only

Authenticate to Webapi, using oauth provider (FB etc) client side only (HTML5 /JS phone app).
This is a tricky one,
So I can authenticate to our Web API using a username and password, using JS from an HTML client; passing username & password as parameters over HTTPS we can set the user to authorised so they can access additional controller(s) for DB updates etc. So far so good, bear with me.
I can authenticate to FB, using MVC and set the user to authorised.
I can do the same with HTML & JS client side (hooray). Now how would I then authorise the controller? OK, I get the user's email from FB, so what, anyone could pass that. I suppose I could redirect to an MVC page (from the client) and then set auth on the controller(s) that way, but that's just not good (sending the user out of the app, or a pop-up window).
What's the best method to authenticate the user from the client and authorise Web API controllers at the same time securely? Do I have to redirect the user to an MVC page and do it that way? How are others handling this for phone apps / PhoneGap / Intel XDK?
The method apparently is (Facebook as the example, but the process is the same for any OAuth provider):
Obtain an access token by getting the user to sign in/on.
Verify the token is genuine using the server API (in FB's case the Graph API).
Client is happily logged in, until the access token expires.
On expiry (2 hours is the default), redirect the user to log in again; the app is known, so it should authenticate without signing in again, unless the user has revoked authorisation for your app.
Here's a link on how to handle an expired access token (examples are in PHP).
Not exactly elegant, but it is what it is, and I thought it was only for super geeks!
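Step 2 of the procedure above (verify the client-obtained token is genuine via the Graph API) and step 4 (handle the 2-hour expiry) as an added example on the server side; this is not code from the answer or from Facebook's SDK. It calls the Graph API debug_token endpoint with an app access token (a placeholder here, kept on the server) and separates the parsing and decision logic from the HTTP call so it can be exercised offline against a constructed sample response.

```csharp
// Added example: verify a Facebook user access token server side with the Graph API debug_token
// endpoint and enforce its expiry. App id / app token are placeholders; the sample JSON is constructed.
using System.Text.Json;

public sealed record FacebookTokenInfo(string UserId, DateTimeOffset? ExpiresAt, string[] Scopes);

public static class FacebookTokenVerifier
{
    private static readonly HttpClient Http = new() { BaseAddress = new Uri("https://graph.facebook.com/") };

    // Asks Facebook about the token; returns null when it is rejected or belongs to another app.
    public static async Task<FacebookTokenInfo?> VerifyAsync(string userToken, string appId, string appToken)
    {
        var url = $"debug_token?input_token={Uri.EscapeDataString(userToken)}&access_token={Uri.EscapeDataString(appToken)}";
        using var response = await Http.GetAsync(url);
        if (!response.IsSuccessStatusCode) return null;
        return Parse(await response.Content.ReadAsStringAsync(), appId, DateTimeOffset.UtcNow);
    }

    // Pure decision logic over the debug_token response, separated from I/O so it can be tested offline.
    public static FacebookTokenInfo? Parse(string json, string expectedAppId, DateTimeOffset now)
    {
        using var doc = JsonDocument.Parse(json);
        if (!doc.RootElement.TryGetProperty("data", out var data)) return null;

        if (!data.TryGetProperty("is_valid", out var valid) || !valid.GetBoolean()) return null;
        // A token minted for some other Facebook app is "valid" to Facebook but must not log in to OUR API.
        if (!data.TryGetProperty("app_id", out var app) || app.GetString() != expectedAppId) return null;

        DateTimeOffset? expires = null;
        if (data.TryGetProperty("expires_at", out var exp) && exp.GetInt64() is var secs && secs > 0)
        {
            expires = DateTimeOffset.FromUnixTimeSeconds(secs);
            if (expires <= now) return null;   // expired: the client must re-run the sign-in step
        }

        var scopes = data.TryGetProperty("scopes", out var s) && s.ValueKind == JsonValueKind.Array
            ? s.EnumerateArray().Select(e => e.GetString()!).ToArray()
            : Array.Empty<string>();

        return new FacebookTokenInfo(data.GetProperty("user_id").GetString()!, expires, scopes);
    }
}

public static class FacebookVerifierDemo
{
    // Constructed sample in the shape of a debug_token response; not a real Facebook reply.
    public const string SampleResponse = """
        {"data":{"app_id":"123456","application":"ExampleApp","expires_at":1700000000,
                 "is_valid":true,"scopes":["email","public_profile"],"user_id":"987654"}}
        """;

    public static void Run()
    {
        var before = DateTimeOffset.FromUnixTimeSeconds(1699990000);
        var after  = DateTimeOffset.FromUnixTimeSeconds(1700000001);

        var ok = FacebookTokenVerifier.Parse(SampleResponse, "123456", before);
        Console.WriteLine(ok is null ? "rejected" : $"user {ok.UserId} valid until {ok.ExpiresAt:u}");

        var wrongApp = FacebookTokenVerifier.Parse(SampleResponse, "999999", before);   // null: other app
        var expired  = FacebookTokenVerifier.Parse(SampleResponse, "123456", after);    // null: past expires_at
        Console.WriteLine($"wrong app rejected: {wrongApp is null}, expired rejected: {expired is null}");
    }
}
```

Once `VerifyAsync` returns a non-null result, the API knows which Facebook user id presented the token and can look that id up (or create the account) and issue its own session token, which is the part the original question was missing: the client never gets trusted on the strength of an e-mail address it typed, only on a token Facebook confirms it issued for this app.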
Sorry to answer my own question
