Open ID Connect Authorization with ASP.NET Web API - c#

I have been looking at using Open ID Connect as a third party authentication provider for a Web API application. The flow is as follows:
Users log in through a UIWebView in the iPhone application to the provider URL at https://daehwa.azurewebsites.net/api/Account/ExternalLogins?returnUrl=%2F&generateState=true
This redirects to my third-party site, which supports Open ID Connect authentication.
The user logs in through this site and is redirected back to my site with a token in the fragment of the URL, in the form #id_token=xxxxx
Looking at the following SO article: asp.net web api 2: how to login with external authentication services?
I then should be able to call /api/Account/UserInfo; however, this always returns 401 Unauthorized. Setting the Authorization: Bearer token header doesn't seem to help either and always returns Unauthorized, even when trying to call /api/Account/RegisterExternal.
Just to give you some more information about what I am trying to do I would like to either create an account or at least make subsequent OAuth calls to retrieve their email address and their display name ideally avoiding requesting this information from the user again. However for now I just want the authentication to actually work!
I would really appreciate any help anyone can provide. I'm new to third party auth and I feel as though I am missing something key. I think that my return url is the issue and my server needs to process this token and issue me with another one but not too sure.
Thanks,
Gerard

Related

Could I sign into embedded PowerApp via Microsoft LiveID Account "quietly"?

I have a web app wrapper for my PowerApps app (I have embedded it as an iframe on the home page of my ASP.NET Core app).
I also have the credentials of the Azure organization that developed this application and has access to it.
So, for the first time, my built-in app asks for an email and password to sign in to a Microsoft account. And only after a successful login, I can work with it directly.
But that's not what I want.
I expect to be able to work with the application when I load this page.
So, is there a way to use the app directly without signing in to a Microsoft account?
I got the idea to make a request to the Azure AD API and get a bearer token or cookie from there, and then save it to the client, supposedly filling out a login form and clicking the login button, but "quietly".
To be honest, I don't know how I can do this. I've spent hours researching this problem, but haven't found a suitable solution.
Could you help me?
Thank you in advance!
Use the ROPC flow; you just need to send an HTTP request, then get the response.
There will be no pop-ups requiring you to log in.

External logins and c# web api

I am new to .NET Core and, while I have .NET experience, I have never built authentication; in the past I've always worked on projects not started by me. I am just trying to learn and find good resources, and I would greatly appreciate it if anyone knows a tutorial or can explain how to solve this.
When using external logins, I followed the instructions here. This all works well if I create a simple Web API project and run it: I get a web page where I can log in and authenticate, and it works perfectly. But this is not my end goal; I am building Web APIs, not a web application. In my case, let's say I have iOS and Android apps and my external login is done on the app itself. How would I pass the token to the Web APIs? I want to use the [Authorize] method in the Web APIs to make sure that no unauthorized access is made against the APIs, and in addition to that I would like to use roles.
I am assuming the token information is passed in a header. But what is the header name for the token? Can external authentication be used with roles, or is that only possible if I store username/password? Can you point me to some good tutorial or anywhere I can learn more, because all Google searches return the same page I mentioned above, and it is not very descriptive.
In general, your Web API will work like an identity provider; it will issue and validate the JWT tokens:
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
You can also implement authorization with the help of your external login provider. If you have an SDK or your own code in your client app to help do authentication, then for the authorization part you can also register your Web API in the same identity provider. For example, if you are using the Google authentication external login in your client app, you should register your client app and Web API on Google's application registration page; then you could use the OpenID Connect hybrid flow to authenticate the user and get an access token for accessing the Web API. Each identity provider provides lots of documents on how to implement authentication/authorization.
You can have an endpoint that allows anonymous access and takes the token and verifies it. Then it can send back a JWT that contains claims/roles that you want to enforce on the specific user. Every time the client accesses a secure endpoint, it can send your JWT in the header which gets verified before the specific method in your API controller is called. You can look into OAuth flows if you want to integrate social logins.
For example, Google has this documentation for OAuth-
https://developers.google.com/identity/sign-in/web/backend-auth

Programmatically authenticate with Azure AD for Application Proxy

I have an on-premises hosted WCF service with a REST endpoint which is configured for Anonymous authentication only in IIS. I installed and configured the Azure App Proxy connector on the server. I am able to contact the service fine with Pass-through authentication, but I am struggling to authenticate from a console app when Azure AD is chosen as the security mechanism. I know I could have pass-through in Azure and turn on, for example, Windows authentication in IIS, but this is unfortunately not an option in this case.
Using a browser, I am able to access the application fine; I don't even need to enter credentials, as our on-premises AD is connected and synchronized with Azure AD.
I followed this walk-through, even though it is not about Application Proxy, and by reusing parts of the code I am able to get the access token for my application, but when I run the HTTP request with the Authorization header I don't get the result of the service operation.
Using Fiddler I can note the following:
I get HTTP 302 (Found). I can see my Authorization header in the request, and in the response I get a cookie AzureAppProxyAnalyticCookie
That is followed by an HTTP 200 to login.microsoftonline.com
The example I linked above works fine, so it is clear that I am doing something wrong. Why is the Authorization header not accepted, and why am I being redirected to the logon page?
Thanks in advance
This is working for another service, have no idea what was wrong with the first one, but suspecting something with DNS on local server. Won't be spending more time on this, point is that I shouldn't have experienced the redirect at all, although browser handled it and managed to get me authenticated.

Azure API App Login & Authentication

I have searched the web for almost a week and I couldn't find a solution to this question.
I set everything up on the Azure portal for the authentication; the claims and the principals are set, that's for sure, as I checked it during the debug session. The only thing missing is that I cannot retrieve/get the JWT token from the below URL.
The authentication is obviously successful. I would be glad if someone could enlighten me on this.
https://dev.azurewebsites.net/.auth/login/done#token=%7B%22authenticationToken%22%3A%22eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdGFibGVfc2lkIjoic2lkOjJmMDg1ZWY1NDM0MzNlZDM1MzNkYTRkMDgyNGFlY2QyIiwic3ViIjoic2lkOmZjMzhmNGExZjI2ZDI5MTdhMTQzZWMyZDMyZjAwOWIyIiwiaWRwIjoiZmFjZWJvb2siLCJ2ZXIiOiIzIiwiaXNzIjoiaHR0cHM6Ly9kZXYtZjFhZGQwNGUtZjNjZC0xMWU3LWI0ZTktOWEyMTRjZjA5M2FlLmF6dXJld2Vic2l0ZXMubmV0LyIsImF1ZCI6Imh0dHBzOi8vZGV2LWYxYWRkMDRlLWYzY2QtMTFlNy1iNGU5LTlhMjE0Y2YwOTNhZS5henVyZXdlYnNpdGVzLm5ldC8iLCJleHAiOjE1MjA1Mzc1NTUsIm5iZiI6MTUxNTM1NzQ5MH0.z0Ys8dwKO_napvy4Ihfu39mHc6zyBpJIUjSzZWj8abI%22%2C%22user%22%3A%7B%22userId%22%3A%22sid%3Afc38f4a1f26d2917a143ec2d32f009b2%22%7D%7
If I create a new token from the principal it's working, but I cannot get the data from the .auth/me service. I'm not using AD at all, just Google and Facebook to authenticate.
"The only thing missing is that I cannot retrieve/get the JWT token from the below URL."
You could URL-decode your URL and retrieve the authenticationToken property generated by your Azure Mobile App backend, and use it as the authentication token for your subsequent requests against your Mobile App backend.
When decoding your authenticationToken JWT token, I found that the iss and aud claims do not equal your domain dev.azurewebsites.net.
"If I create a new token from the principal it's working, but I cannot get the data from the .auth/me service."
If you log in via the browser (e.g. https://{your-app-name}.azurewebsites.net/.auth/login/{provider-name}, with the provider name being facebook, google, etc.), then after logging in you could directly access https://{your-app-name}.azurewebsites.net/.auth/me via the browser. Or you could send the token along with your request as follows:
GET https://{your-app-name}.azurewebsites.net/.auth/me
Header x-zumo-auth:{authenticationToken}
And for a non-web-browser-based client, such as mobile, a JSON Web Token (JWT) would be presented in the X-ZUMO-AUTH header, and the Mobile Apps client SDKs would handle it for you. For details, see How authentication works in App Service.
Moreover, for generating the token yourself, you need to correctly set the audience, issuer, signingKey and claims. For details, see Adrian Hall's book chapter Custom authentication, about the Post method under the CustomAuthController controller.
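The two answers above (issue your own JWT carrying roles, and validate issuer/audience/signing key before trusting a token) as an added, self-contained example in Python; this is not the page's or Azure's own code. The signing key, the app URL and the subject values are constructed for the example; the lifetime checks use a caller-supplied clock so the behaviour is deterministic.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example (not taken from any real deployment)
SIGNING_KEY = b"example-signing-key-change-me"
APP_URL = "https://dev.azurewebsites.net/"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, roles, issuer=APP_URL, audience=APP_URL, now=None, lifetime=3600):
    """Mint an HS256 JWT carrying the roles the API will later enforce."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {"sub": subject, "roles": roles, "iss": issuer, "aud": audience,
               "nbf": now, "exp": now + lifetime}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate_token(token, expected_issuer=APP_URL, expected_audience=APP_URL, now=None):
    """Return the claims only if signature, iss, aud, nbf and exp all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # only accept the algorithm we issue; never "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")   # the case the answer above observed
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def rejection_reason(token, now=None, **kwargs) -> str:
    """Helper: the reason a token is rejected, or '' when it is accepted."""
    try:
        validate_token(token, now=now, **kwargs)
        return ""
    except ValueError as err:
        return str(err)
```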
Meanwhile, I realized that I tried to solve the problem from the wrong direction.
I tried to get the token from the server API App service I wrote, instead of using one of the client libraries as Bruce told me. I missed the JavaScript/HTML documentation part, which was not in the main tree but under Cordova. I had only seen the Cordova, Android and iOS parts, which were not good for me.
With the following link now I can get the token from the website with the Javascript client SDK!
https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-html-how-to-use-client-library

Cross Domain HTTP POST — Single Sign On

I've been trying to find a solution to my problem for a couple of days.
Searching gave me many options, none of which I could adapt to my scenario.
I have a web application (C# ASP.NET) which has to post some data to another application, in another domain, working as an SSO (HTTP POST to another domain over SSL with redirection).
The application on the other domain is expecting a POST with some data in plain text in JSON format, and then redirects the user to another page.
I can't use a form submit, because it sends the form itself to the application, not only my data, so it can't read the data I'm sending.
XMLHttpRequest did work, but then, as an AJAX call, it doesn't redirect the user, and I can't get back the Location header from the response.
I don't have control over the other application, and I'm allowed to use only our own libraries, so jQuery is not an option.
Does anyone know how I can achieve this? Server side or client side.
Most POST-based cross-domain SSO scenarios work like this:
a fresh, unauthenticated browser goes to the service provider
the service provider redirects to the SSO URL with a certain query string (usually containing a small request signed by the service provider, to identify this service provider to the SSO gateway)
the browser performs a GET to the SSO gateway URL
the SSO gateway responds with some interactive logon UI
the browser gets the user's name/password input and posts them to the SSO gateway
the SSO gateway verifies them and responds with an HTML page with a small piece of JavaScript in it, containing the authentication response data
the JavaScript in its turn instructs the browser to POST the authentication response data back to the service provider URL
Read here: http://en.wikipedia.org/wiki/SAML_2.0#HTTP_POST_Binding
You will also greatly benefit from reading through SAML2, OAuth and WS-Federation specs.
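The last two steps of the flow above (gateway returns a self-posting page carrying the signed response; service provider verifies it on arrival) as an added example, not code from the original answer or from any SAML library. The shared secret, the service provider's consumer URL and the request id are constructed; a real SAML deployment would use XML signatures rather than this HMAC-over-JSON stand-in.

```python
import base64, hashlib, hmac, html, json, re

# Constructed values for this example only
SHARED_SECRET = b"example-gateway-sp-secret"
SP_ACS_URL = "https://sp.example.com/acs"  # where the browser will POST the response

def _sign(data: bytes) -> str:
    return hmac.new(SHARED_SECRET, data, hashlib.sha256).hexdigest()

def build_auth_response_page(user: str, request_id: str) -> str:
    """SSO gateway side: wrap the signed authentication response in a self-submitting form."""
    response = json.dumps({"user": user, "InResponseTo": request_id}).encode()
    encoded = base64.b64encode(response).decode()
    # Attribute values are HTML-escaped so nothing from the payload can break out of the form
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="POST" action="{html.escape(SP_ACS_URL)}">'
        f'<input type="hidden" name="SAMLResponse" value="{html.escape(encoded)}">'
        f'<input type="hidden" name="Signature" value="{html.escape(_sign(response))}">'
        '<noscript><input type="submit" value="Continue"></noscript>'
        '</form></body></html>'
    )

def form_fields(page: str) -> dict:
    """What the browser would submit: the hidden field names and (unescaped) values."""
    return {name: html.unescape(value)
            for name, value in re.findall(r'name="([^"]+)" value="([^"]*)"', page)}

def consume_auth_response(form: dict, expected_request_id: str) -> dict:
    """Service provider side: accept only a correctly signed response to a request we issued."""
    response = base64.b64decode(form.get("SAMLResponse", ""))
    if not hmac.compare_digest(_sign(response), form.get("Signature", "")):
        raise ValueError("bad signature")
    data = json.loads(response)
    if data.get("InResponseTo") != expected_request_id:
        raise ValueError("unsolicited or replayed response")
    return data

def acs_result(form: dict, expected_request_id: str) -> str:
    """Helper: the authenticated user name, or the rejection reason prefixed with 'rejected: '."""
    try:
        return consume_auth_response(form, expected_request_id)["user"]
    except ValueError as err:
        return "rejected: " + str(err)
```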
