I am using web api with angualrjs and asp.net identity for authentication .
When using asp.net mvc, We will use session to hold some data for the subsequent request. Say for example, user account id.
In web api, how so I implement this? I don't want to implement session in web api. I need and alternate solution for this one.
Need to consider security aspect too.
You should use claims-based authorization. For example, you can integrate OAuth2 using OWIN-based packages in your solution.
Related
I am trying to make use to IdentityServer4 for authentication and authorization. We have set of new and existing applications.
At this moment in time we have:
- 1 ReactJs application - (there is no authentication as it's a new application) but it will use Implicit Flow using oidc-client
- 1 quite old Web Form application - which will possibly use Hybrid flow (I still need to figure it out)
- 2 .NetCore MVC web applications - they both will use Hybrid Flow
There are Few apis project that we want to protect using IDS4.
WebForm and MVC Applications both uses their own Web Services to talk to the some database to verify user credentials and let the user login to the application.
Eventually we want to migrate users from that existing database to a seperate User database. IdentityServer will also make use of this new User Database for SSO + Api Authrization.
I am thinking of creating a seperate api just for User Authentication (possibly AspNetIdentity as a webapi) and IdentityServer4 to communicate with this api to validate username/password? Does that seems right?
Also How do I configure IDServer4 to use Api for authentication rather than using services.AddIdentityServer().AddAspNetIdentity() which will directly talk to my AspNewIdentity database? and How to sure this api? Any samples I can find?
I had to do something like this, I found these useful
http://docs.identityserver.io/en/release/quickstarts/1_client_credentials.html
http://docs.identityserver.io/en/release/quickstarts/2_resource_owner_passwords.html
I used it to protect an api via users that came from Asp Identity.
Hope that helps.
IdentityServer4 doesn't really do users out of the box. The ASP.Net Identity integration just exists to get you up and running quickly. If you want to implement your own user store and sign in/out/up flows then you're totally free to do that however you want.
That said, I'm a fan of having the IDP own its own data - i.e. the users and their credentials. This helps keep you on the straight and narrow when it comes to not mixing authentication and authorization. The Auth in OAuth is client authorization don't forget.
I have an MVC application and an API project that talks to my database. Right now how login works is that my MVC application sends a username and password to my API. API then validates it and if it is valid, it uses Owin server to create a claim and generate a Bearer Token. In all subsequent requests, this token is passed and that's how my API identifies if the request is valid or not and based on that it fetches data from the database.
I now want to use Microsoft Owin's out of the box feature to support two-factor authentication. I read many articles on the same and most of them talk about using there Role management stuff i.e. their users, roles table etc.
Some of the articles I see are below:
https://learn.microsoft.com/en-us/aspnet/identity/overview/extensibility/overview-of-custom-storage-providers-for-aspnet-identity
How to implement two factor auth in Web API 2 using ASP.NET identity?
Even after reading this article I do not have a clear direction on how to implement it and If I go down the route of implementing with custom storage i.e. as per my database structure I will have to implement their core components and that will too lengthy implementation.
Could someone please suggest me in the direction I should take? A working example would be a great help.
I have an Owin-based MVC application which uses my web api to provide many functionalities. At the moment the user should login to both of them separately (using ajax calls, at the login page I do the login for web api and receive the token as well), but both use the same table, so there is only one place to store the user information.
Unfortunately other MVC applications are using separate username and passwords and are not using the mentioned api. As now I should create a new MVC app which is again the same domain I am looking for a way to use a single username and password (managed by one main MVC app) for whatever reason it's needed, i.e., all the MVC apps and the web APIs use the same username and password, and therefore for example I can use the [Authorize] attribute or roles, ... in all of them.
Is there any known solution for this? Does Creating an OAuth authorization server suit this problem?
Implementing Single-Sign on using OpenID Connect on top of OAuth2 fits your requirement. checkout identityServer3 or identityServer4 if you are using .net core.
basically, you will need to setup a shared STS authority, and all your applications will use this authority to validate a requests using a OWIN middleware to check for token validity.
On first login, The STS authority will issue a token for the user, and you will need to manage through your front-end/back-end code, re-using the token when navigating across multiple applications/domains.
C# ASP.NET Single Sign-On Implementation
I'd like to create an application using Angular2 as frontend and the new ASPNET 5 WebApi as backend, but when it comes to authentication/authorisation I feel I'm totally missing the point despite all the reading...
Ideally I'd like to authenticate users using an identity provider such as Google or Facebook using Hello.js, I don't really want to have any sort of local registration for users. And then I'd also like to use an ASPNET 5 WebApi backend to access my database.
This article describes exactly what I want, but not with an ASPNET 5 WebApi backend: https://ole.michelsen.dk/blog/social-signin-spa-jwt-server.html
I'm not sure I understand the process right:
After receiving an access token from the identity provider, the SPA should send/forward it to the backend for verification. The WebApi backend should validate it against the provider (at least the first time), and create its own token (JWT) to be sent to the SPA. The SPA simply stores it (local store or session store) and the result is that the user is logged into my application.
Is this correct? Is what I want to achieve possible?
I've looked into other options such as OpenIddict, IdentityServer3/4 but as I understand it, I'd be creating my own identity provider using those, and it's not really what I need. Am I misunderstanding?
Thanks.
As far as i understand, you want:
Authentication with google(you don’t want to use google access token for using google resources)
Authorization with jwt token for web api backend.
So, you need Identity Server3/4, OpenIddict or writing own implementation for creating jwt token. There is similar question with good answers(especially #Tseng’s answer).
For managing jwt token in client side(angular2), see below links:
https://auth0.com/blog/2015/11/10/introducing-angular2-jwt-a-library-for-angular2-authentication/
https://damienbod.com/2016/03/02/angular2-openid-connect-implicit-flow-with-identityserver4/
There is an easy answer here. Use https://auth0.com/ It's free on a small scale and all the details are handled for you. Good samples and good open source participant. No affiliation, just a fan.
I currently have two web applications, one of which is a web api, which both have it's own implementation of ASP.NET Identity for authenticating users (first one is cookie and second one is bearer tokens).
I need, in the near future, to add a third web site to the family and was thinking to move the authentication logic in a standalone web application which could serve all the orhers.
For example: instead of authenticating to www.mysite.com and/or api.mysite.com, I would like that both the applications could authenticate against a new website, like e.g. login.mysite.com, as microsoft does.
How can I achieve something like this? Does somebody has any direction to start with?
What you need is an Identity Server which will authenticate the requests and give you back an access token. You can then use the access token to make subsequent requests to APIs and websites etc. As long as the access token is valid you will be able to make requests. There is great .net based open source solution available for Identity Server. Have a look at Thinktecture. You can download the source and demo projects to try yourself.