I currently have two web applications, one of which is a web api, which both have it's own implementation of ASP.NET Identity for authenticating users (first one is cookie and second one is bearer tokens).
I need, in the near future, to add a third web site to the family and was thinking to move the authentication logic in a standalone web application which could serve all the orhers.
For example: instead of authenticating to www.mysite.com and/or api.mysite.com, I would like that both the applications could authenticate against a new website, like e.g. login.mysite.com, as microsoft does.
How can I achieve something like this? Does somebody has any direction to start with?
What you need is an Identity Server which will authenticate the requests and give you back an access token. You can then use the access token to make subsequent requests to APIs and websites etc. As long as the access token is valid you will be able to make requests. There is great .net based open source solution available for Identity Server. Have a look at Thinktecture. You can download the source and demo projects to try yourself.
Related
I am looking for a way how to implement authentication and authorization fo several applications.
I have one main application and several child application.
I have only one domain so I access my child applications like a mydomain.com/app1.
My goal:
Use one account for all web applications
Have specific permission for each user, for each application
Implement register, login views only once.
My thoughts are:
- Create one WebApp/API which will maintain user accounts
- Call this webapp from other apps
I was googling a lot and I found some technologies which could be useful:
Jwt bearer token - generate token with claims and in each app
implement logic which claims are necessary for specific policy
Identity server 4
I am so confused from identity server so I don't undestand how to use it (but according to description I thnik it could help to solve my problem)
Something like this scenario:
Request web page
WebApp checks authentication (proprably Jwt token?) if user is not authenticated call auth server --> some login page
After authentication Jwt is generated, Jwt & webpage from web app is returned to user
I saw lot of samples, but most of them are for fronted backend solutions, mobile applications etc..
I would like to use simple MVC, Razor pages apps..
Are my thoughts right or it should be done in other way?
Could you recommend me some technologies, tutorials how to achieve this?
Thank you very much!
I am new to .NET core and while I have .NET experience, I have never built authentication, in the past I've always worked on project not started by me. I am just trying to learn and find good resources and I would greatly appreciate if anyone knows tutorial or if it can explain how to solve this.
When using external logins, I followed those instructions here. This all works well if I create simple web api project and run, I get a web page where I can login, authenticate, works perfect. But this is not my end goal, I am building Web APIs not a Web Application. In my case let's say I have iOS and Android apps and my external login is done on the app itself, how would I pass token to Web APIs? I want to use [Authorize] method in Web APIs to make sure that no un-authorized access is made agains APIs and in addition to that I would like to use roles.
I am assuming token information is passed in header. But what is the header name for token? Can external authentication be used with roles or that is only possible if I store username/password? Can you point me to some good tutorial or anywhere I can learn more because all google search returns back to same like I have mentioned above and it is not very descriptive.
In general , your web api will work like a identity provider , it will issue and validate the JWT tokens :
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
You can also implement authorization with the help of your external login provider .If you have SDK or own code in your client app to help do authentication , for authorization part , you can also register your web api in the same identity provider . For example , you are using the google authentication external login in your client app , you will should register your client app and web api on google's application registration page , then you could use OpenID Connect hybrid Flow to authentication user and get access token for accessing web api . Each identity provider provides how to implement authentication/authorization with lots of documents.
You can have an endpoint that allows anonymous access and takes the token and verifies it. Then it can send back a JWT that contains claims/roles that you want to enforce on the specific user. Every time the client accesses a secure endpoint, it can send your JWT in the header which gets verified before the specific method in your API controller is called. You can look into OAuth flows if you want to integrate social logins.
For example, Google has this documentation for OAuth-
https://developers.google.com/identity/sign-in/web/backend-auth
I am trying to make use to IdentityServer4 for authentication and authorization. We have set of new and existing applications.
At this moment in time we have:
- 1 ReactJs application - (there is no authentication as it's a new application) but it will use Implicit Flow using oidc-client
- 1 quite old Web Form application - which will possibly use Hybrid flow (I still need to figure it out)
- 2 .NetCore MVC web applications - they both will use Hybrid Flow
There are Few apis project that we want to protect using IDS4.
WebForm and MVC Applications both uses their own Web Services to talk to the some database to verify user credentials and let the user login to the application.
Eventually we want to migrate users from that existing database to a seperate User database. IdentityServer will also make use of this new User Database for SSO + Api Authrization.
I am thinking of creating a seperate api just for User Authentication (possibly AspNetIdentity as a webapi) and IdentityServer4 to communicate with this api to validate username/password? Does that seems right?
Also How do I configure IDServer4 to use Api for authentication rather than using services.AddIdentityServer().AddAspNetIdentity() which will directly talk to my AspNewIdentity database? and How to sure this api? Any samples I can find?
I had to do something like this, I found these useful
http://docs.identityserver.io/en/release/quickstarts/1_client_credentials.html
http://docs.identityserver.io/en/release/quickstarts/2_resource_owner_passwords.html
I used it to protect an api via users that came from Asp Identity.
Hope that helps.
IdentityServer4 doesn't really do users out of the box. The ASP.Net Identity integration just exists to get you up and running quickly. If you want to implement your own user store and sign in/out/up flows then you're totally free to do that however you want.
That said, I'm a fan of having the IDP own its own data - i.e. the users and their credentials. This helps keep you on the straight and narrow when it comes to not mixing authentication and authorization. The Auth in OAuth is client authorization don't forget.
I looked everywhere for an answer about securing my webApi but always i'm pointed to OAuth or openID, but i don't want the user to login or authenticate. This is my problem:
I have a webapi which is called via Javascript to get the data in Json. This data is used in the Html of that page. (deployed on Azure)
Now i don't want someone else to get that data via Javascript or with a simple GET request. Only my html page is allowed to do so.
I'm looking for something to secure my Webapi to be only consumed by the applications i want. If i look to the OAuth and Azure stuff, people always have to login, but i want this page to be public, but only the webapi needs to be secure.
I can't check on IP, because the call is done at client side in the browser.
It is not possible to authenticate and thus secure the API to be used by a specific client (run entirely in the browser - like SPAs) app. You cannot protect the data the app sends to the API. (see for more details Protecting REST API behind SPA against data thiefs)
You could build some modules server side and then use some token based server to server communication if you do not want to introduce users and end user authentication.
Of course it is also a question of how you interpret security.
If it is just that you do not want other web apps to use the data -
CORS policies will do the job. It is unlikely that there will be more
than some isolated cases of users using a browser other than the
popular once which respect CORS.
If it is you do not want data to be mass downloaded you could
implement some client filtering based on IP. This could even be done
on the networking layer so the API do not need to be modified in any
way.
As a suggestion, you can have it secured making sure the request has some headers defined by you. For example, you can set an Authorization header with a token that only you know. You can for example, create a token based on a key that you and the webapi share, encrypt it with the time you are calling the api. The web api receives the request and:
1 - Check if the request has the token it requires;
2 - if it does, it creates a token the same way your page did;
3 - matches its token with the requests token;
If you are calling the webapi via javascript, the method may be exposed. However, it's one idea
Take a look to CORS (Cross Origin Resource Sharing), it may be your solution.
In synthesis you can allow requests to the Api only from some specific websites. Most, nearly all browsers, support it.
This is how you enable and configure it in Web Api 2.
I have a claims aware MVC website setup using the Thinktecture Identity Server. I now have a requirement to allow a 3rd party to access certain parts of the website.
Is it possible to programmatically authenticate with the Identity Server and post this to the website so that the user at the 3rd party is not required to manually go through the normal login process?
I have previously used the identity server to obtain a SAML token for the purpose of making WCF calls, I was wondering if it would be possible to re-use some of this approach?
The complications arise from the fact that the 3rd party are using a desktop based Java app with some browser component built in for accessing the MVC website. Users are already authenticated with the desktop app so we don't want them entering credentials again to view these web pages.
Hmm, tough one to solve in a secure fashion. Basically I don't trust desktop apps ;-)
You might be looking for some sort of federation. Basically it is about letting your Identity Server trust the 3rd party (by means of signature). Your Identity Server would then use a SAML token from 3rd party as login information and generate a new SAML token (signed by you) to forward to the the MVC web application. I think Dominick has a video or two about it, but not sure it meets your requirements. Take a look at https://github.com/thinktecture/Thinktecture.IdentityServer.v2/wiki
The Java desktop app probably cannot create a signed SAML token, so you could consider using "something else". Preferably something signed from where they logged in the first time.
You should avoid having your web app trust anyone but your own Identity Server / Identity Provider.
Hope this helps? Happy to help where I can :-)