I am trying to work out how to send reset password links from a windows forms application which then work within an ASP.NET MVC 5 website. I am currently using Microsoft.OWIN Identity as the authentication provider. I am able to create users, but whenever I try to send a token, the website always states that it is invalid, does any one have any idea how I need to do this?
Thanks in advance,
Chris
The only way to use the DpapiDataProtectionProvider is for both parties, the web and win forms processes, to share the same machine key, and the web site to share the same process model. Not likely to pull that off!
Instead, could you use a webapi request so the web site can produce the token, with all proper authentication for the win forms app, and then the win forms app just sends it in it's way?
Related
I have created a Web API application, an MVC application, and a mobile application.
The Web API should be decoupled from the other two applications as much as possible. I'm using the Password Grant flow here: clients using the Web API needs to send a POST to /Token with username and password. The returned access token is then used for further calls to the API using standard Authorization: Bearer <access_token>.
The MVC application is only accessible for a select few users, and it has its own database which contains the information and roles of these users. Some parts of the MVC application should be restricted to only one or two users (for example), while other parts should be accessible for all registered users. This can be done by using Authorize attributes on the specific controllers within the MVC application - all good. Furthermore, the MVC application should be able to interact with the Web API.
Secondly, I want to have a mobile application to be able to interact with the Web API. A key point here is that I won't require users to register in the app. So essentially, (how it's in my head right now) the only thing the API would see is "this token belongs to the "AndroidApp" user and has password X - sure thing, you're known to me, I'll grant you access". This seems to me a bit 'insecure', meaning that all users of the mobile app will share the same auth credentials.
Questions:
User A is one of the users who are allowed to access the MVC application - I want him to be recognized by both the MVC app, and thereafter the Web API. Is there an easy way to synchronize data between two databases, or should I just register him in both databases (one for MVC, one for API)? There is probably a better third option I haven't thought about.
User B is a user of the mobile application, and he should not be able to access the MVC application. How can this be ensured? Obviously, the MVC user database won't have any info about mobile app users. I'm just wondering about the security aspect of just having one single pair of auth credentials embedded in the app - doesn't sound good to me.
I stumbled upon this question, which basically is the same as mine. But I don't really see the need for Authorization Code Grant flow for the web app (MVC application in my case) as the accepted answer suggests.
I hope my questions make sense, otherwise please let me know :)
My answer doesn't directly answer your question but rather offers an alternative.
In the past when developing similar solutions I've used a specialist third party identity service Auth0.
With Auth0 you can have different application keys, profiles and also create rules (webhooks) which are executed as part of the authentication pipeline. They offer a range of social login as well as AD integration. They offer free and paid pricing.
I am not affiliated with Auth0 in any way, but will use their service as the starting point for any projects going forward - Yes it's a really impressive service!
I am working on a desktop application that gives a desktop tray icon notification when a new pull request is created that requires your attention.
I have developed the application entirely using a public access token for my account. Now I have got to the point where other users need to be able to use the application, I am required to implement OAuth 2.0 authentication.
However, VSO's application authentication assumes my application is a web app and asks me for details that I cannot provide (and aren't even relevant).
How can I get an app id so other users can use my application?
I'm not sure if I'm misunderstanding the whole concept. This is the link I am using: https://www.visualstudio.com/en-us/docs/integrate/get-started/auth/oauth
There is no way to do this for now:
Right now, Visual Studio Team Services only support the web server
flow, so there's no supported way to implement OAuth for Visual Studio
Team Services from an app like a phone app, since there's no way to
securely store the app secret.
As an alternative way, you can use Basic Authentication and ask your users enable "Alternate authentication credentials" and then use the alternative credential to authenticate to VSTS API.
I have done some work in Asp.NET, and i am quite used with user authentication using FormAuthentication
Now I am working on a desktop application and i want to have something like above in windows form application, I want to create and authenticate users by using the application database or xml whatever it is like i have done it in Asp.NET. So far did not any way to achieve this like i want to.
Any help would be great!
A Windows desktop application is nothing like an ASP.NET web application.
You cannot call the different forms separately.
(well you can hack the application, but if you do that, you can just as well remove any password protection)
Hence forms authentication does not make any sense.
You can create a login window as startup window, and check username and password against the database.
And that's about it.
It's a Windows application, you don't need membership provider, forms cookie ticket, etc. because unlike HTTP, Windows desktop applications are not stateless.
PS: If you do a WinForms application, make the login via ActiveDirectory authentication.
There is no point in using FormsAuthentication with Windows applications. What you can do is to use Membership, MembershipUser and Roles classes. All you need to do is to configure Membership and Roles providers in app.config.
FormsAuthentication does not actually authenticate your users. If you call Authenticate on FormsAuthentication you will see that it is obsolete method and that Membership.ValidateUser is used instead.
One drawback of these functionalities is that they are part of System.Web namespace which means that you have to use Web functionality inside of your Windows application. But if it can get the job done and fulfills the requirements, then go with it.
I am trying to add Windows authentication to an existing website that I have created. All information that I have read regarding using Windows authentication in silverlight requires that you start with the Silverlight Business Applicaion template instead of the Silverliight application template. I already have a website that I started writing using the Silverlight Application template. How can I add windows authentication to this existing website?
If your application is hosted in IIS and this is a intranet site, you just need to set the application in IIS authentication method to Windows Authentication, then when the client tries to load the SL App a 401 challenge will trigger asking the user to enter in his/hers credentials. You can also set IE to pass with windows credentials to the server when the site is loaded.
I have had spent quite a bit of time tweaking various properties to get the right functionality that i am looking for (especially with machine names being fully qualifies or not) but basically that's one thing to keep in mind when debugging this is that machines names play a role in how the server interprets a client trying to access the server.
I want to log in for 1 application and use the same login token to authenticate the second application. I have used the same application name so both applications use the same membership provider.....
I have 2 web applications, using asp.net 3.5, c#, hosted in IIS 7.0. I use the aspnet_membership provider for authentication/authorization
They are hosted side by side as 2 seperate applications . The question is can I log in for 1 application and be authenticated for the other by using the same log in....
Thanks in advance
Stuart
The technology behind Single Sign-On solutions cannot be explained in a few lines of code, it requires some reading/studying to look at the alternatives and how to implement them.
For instance you could take a look at this article about Single Sign-On using Active Directory Federation Services.
UPDATE:
Here is a blogpost about Single sign-on with Forms Authentication.
Its called Single Sign On - SSO and its fairly simple to do if your applications are hosted on the same domain (app1.domain.com and app2.domain.com - or - domain.com/app1 and domain.com/app2), its fairly straightforward to do so.
When you create a cookie using the Forms Authentication, set the domain as ".domain.com".
Also, both the Applications would have to use the same Machine Key within web.config.
Check out http://www.codeproject.com/KB/web-security/aspnetsinglesignon.aspx and http://weblogs.asp.net/hernandl/archive/2004/06/09/ssoformsauth.aspx