I'm writing a tutorial of using IMAP XOAUTH2 authentication in .NET (the standard MVC5 web app which is created by the MVC5 wizard).
I now have all parts except access_token from which I'll create XOAUTH2 IMAP key (the app authenticates, token seems to get refreshed if required, and I know how to build XOAUTH2 IMAP key and do IMAP login when access_token is available). I just need that token.
Although I have some ideas how this can be done I need to make sure I'm not doing anything stupid. For instance, I think I can use something like context.Identity.AddClaim in ConfigureAuth to put the access_token to our identity and then get it from there when doing IMAP login (on another page) but not sure if this info isn't already available.
Maybe, I can have access to that access_token in any place in the code without the need to manually put it in some object (which would be redundant and look silly for a reader experienced in OWIN and MVC5)? I develop .net components for SMTP/IMAP, I'm not a MVC5 expert, just need to write a simple example for using my IMAP lib with it.
Well, looks like saving access/refresh token details in ASP.NET Identity database makes sense anyway (despite the fact is's stored in encrypted cookies). This lets the access token data be accessible even when the browser is not available. For instance, if someone registers in a web app with their Google and Microsoft account and then another app (e.g. Windows service) consumes the access token initially retrieved by the web app to access the user's account (to check for new e-mails or whatever).
Also, it's possible to make sure both versions of access token details (in ASP.NET Identity database and cookies) stay in sync. This is useful if the access token gets updated with a refresh token (as access tokens need to be updated every hour). The standard ASP.NET MVC5 app cannot refresh access access tokens so you need to refresh them by your own code. I extended ASP.NET MVC5 template with refresh tokens, saving access/refresh tokens in ASP.NET Identity database and updating access tokens in cookies to make sure that access tokens in both locations match.
If anyone interested, you can grab some code and explanations at:
http://www.afterlogic.com/mailbee-net/docs/OAuth2RegularAccountsWebApps.html#SyncingTokens
Related
We have built some Asp.Net Core web API, with the authentication/authorization built on top of Asp.Net Core identy, with some JWT token exchange for our angular frontend. Basically, the users can login with username+password, this provide them a JWT with a short validity that the frontend regularly refresh. If the token is not valid anymore, the user will have to login again.
This part works great.
Now, we have to add another concept, a bit like on Azure Devop, we need to add "agent", those are not users, they will just need to be authenticated, in a slightly different way:
They will run on unnattended(locked) computers
They will be configured once and then run forever
Each agent should NOT be considered as a user. They should not be stored as such(or at least provide a way to distinguish them)
Those agent should only have some kind of token/private key to authenticate themself, that doesn't expire. This method of authentication should not be allowed to other users
So based on this:
Is this something that already exists, or have this pattern a name?
Is there a way to achieve this through Asp.Net Core identity or am I better off ?
Any link or lead on how to implement in parallel of an existing auth would be highly appreciated.
I am trying to create a full stack app (with React.js on frontend and ASP .NET Core Web API on the backend). The login process needs to be done using Active directory, as users are employees within a single organization. Frontend must get a token (using a MSAL library) and then send it to backend, where it has to decode it and, basing on it recognize user and register every session in the database, and let users perform actions set with their roles. Those roles, need to be assigned in database.
Does anyone know how to do that? Even an example project like that would help me immensely, because everything I have found so far is very basic.
For implementing the authentication in Asp.net core follow this doc here.
Authorization in Azure AD can also be done with Application Roles. Application Roles in Azure AD are by no means mutually exclusive. They can be used in tandem to provide even finer grained access control.
In your react-app (client) you can get the token, then access webAPI with the token. You can then take a look to this source code.The only different will be that you will call your own webAPI instead of Microsoft graph.
For controlling the authentication session read more here link.
I'm using the Dropbox SDK for DotNet, and it is time to support short-lived Access tokens.
My use case is uncommon (web site, 'backend side'). Once the link to DropBox is made, everything should keep working unattended.
In fact, it is OK to never publish the app. Each user creates its own app in their own Dropbox account and stays on Development mode forever.
Until now, the user created the dropbox app, takes note of the App key, App secret and generates an access token directly at https://www.dropbox.com/developers/apps/info/....
With this data, the application was working fine, but Access tokens will soon be short-lived only. I already verified the like to dropbox gets broken after the generated (from www.dropbox.com/developers/apps) Access Token expires.
How can I, using the SDK and having a valid Access token, get a refresh token to be saved and utilized to get a renewed access token?
I couldn't find any way in DropboxClient.cs, DropboxOauth2Helper.cs, not the examples at https://github.com/dropbox/dropbox-sdk-dotnet/tree/main/dropbox-sdk-dotnet/Examples
It is not possible to use an access token to retrieve a refresh token. A refresh token can only be retrieved via the OAuth flow. I recommend reading the OAuth Guide for more information.
The "Generate" button on the app info page on the App Console does not currently offer the ability to generate a refresh token, but I'll pass this along as a feature request. I can't promise if or when that might be implemented though.
I have access to a Web API which for a username and password returns a token that is valid for a certain period of time.
I could save the token in a session or in a cookie and continue to use it to get data but is there a way to connect it to Identity so I can use some built in stuff, maybe define some ClameTypes based on token, role and some other info. Does it make any sense?
If its a valid approach, is there a tutorial on how can it be done or at least some reference points? I made some MVC5-Identity apps but did not go beyond default stuff.
I'm in the process of converting a website from using a third-party identity provider to use ASP.NET Identity 2 instead. The site currently does not use any OWIN middleware but simply passes user-provided credentials to the identity provider. We then create a session token if the credentials are correct, and we use the session token on subsequent requests to reconstruct the user's session.
My goal is to get away from using the third-party provider with the minimum of code changes, so my idea is to use the UserManager class in ASP.NET Identity as a drop-in replacement for our third-party provider. In other words, we wouldn't use any Startup.Auth.cs magic to configure automatic challenge-response or cookie setting/validation middleware. We would simply take the user-provided credentials, test them using UserManager.FindAsync, and then continue using our existing flow.
My problem comes with dealing with Facebook logins. Currently, we show a login dialog that, upon successful login, sends us a Facebook token. We then send this token to the third-party provider, who validates it and magically turns it into an email address, first name, and last name. I can't figure out how to do this myself.
I see that if I use the out-of-the-box sample application for ASP.NET Identity, it will do the same thing via OWIN middleware. What I don't see is any way for me to take the token and use some classes somewhere in ASP.NET Identity to convert the token into usable data myself, manually.
(Note: I do see that I can use the Facebook Graph API along with my app ID, app secret, and user token, to recover the name of the user, but I don't get the email address, so something about this approach must be different from what the OWIN middleware is doing.)
Therefore, my questions are:
How do I do manually validate and decode the Facebook token in the same way that ASP.NET Identity OWIN middleware is doing it?
Is this a really dumb idea?
Thanks in advance for any help.