Windows Live Authentication in MVC3 - c#

So looking around the web, I see tons of tutorials for integrating Live authentication into projects, but have found almost nothing useful on integrating into an MVC project. I'm pretty new to MVC, and have some limited experience with Web Forms.
The site I'm trying to make must allow authenticated Live users to submit and vote on various items, so I need to figure out the best way to keep track of users' submissions as well as votes so that they can vote only one time on a submission, and cannot vote on their own submissions.
I'm wondering if anyone can simply point me in the right direction here. I see that similar questions have been asked, but the answers to them didn't seem to lead me to an answer.

I suggest the OAuth2 authentication, Live supports it for some time. You can use any existing approach to OAuth2, dotnetopenauth is fine.
MVC does not change anything. You just have your forms authentication login controller which initiates the redirect to the authentication provider and consumes the return response.
Some links to get you started:
General info on OAuth2 for various providers:
http://ben.onfabrik.com/posts/oauth-providers
OAuth2 on Live:
http://msdn.microsoft.com/en-us/library/live/hh243647.aspx
Integration of OAuth in an MVC application:
http://scatteredcode.wordpress.com/2011/12/01/dotnetopenauth-oauth-and-mvc-for-dummies/
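The answer above describes the login controller as "initiates the redirect to the authentication provider and consumes the return response". As an added example (not code from the answer, the linked tutorials, or DotNetOpenAuth), here is a plain MVC3 controller that does exactly that against Windows Live using only the framework's own classes: `WebClient` for the server-to-server token exchange and `JavaScriptSerializer` for the JSON reply. The two Live Connect endpoint URLs, the `wl.signin wl.basic` scopes and the `user_id` field of the token response are taken from the MSDN documentation linked above and are assumed to still match it; the client id and secret are placeholders for the values you receive when registering the application. The `state` parameter is the security-relevant piece: it ties the callback to the browser session that started the login, so a callback crafted by someone else cannot be injected into a victim's session.

```csharp
using System;
using System.Collections.Specialized;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Script.Serialization;
using System.Web.Security;

// Shape of the token endpoint's JSON reply (assumption: per the Live Connect docs).
public class LiveTokenResponse
{
    public string access_token { get; set; }
    public string user_id { get; set; }
}

public class LiveLoginController : Controller
{
    // Live Connect endpoints (assumption: as documented on MSDN at the time of writing).
    private const string AuthorizeUrl = "https://login.live.com/oauth20_authorize.srf";
    private const string TokenUrl = "https://login.live.com/oauth20_token.srf";
    private const string ClientId = "YOUR-CLIENT-ID";         // placeholder
    private const string ClientSecret = "YOUR-CLIENT-SECRET"; // placeholder
    private const string StateSessionKey = "oauth2.state";

    // Step 1: send the browser to Live. The random state is remembered server-side
    // and verified on return, so a login cannot be completed in a session that did
    // not start it (login CSRF).
    public ActionResult Login()
    {
        var state = NewStateToken();
        Session[StateSessionKey] = state;

        var redirectUri = Url.Action("Callback", "LiveLogin", null, Request.Url.Scheme);
        var url = AuthorizeUrl
            + "?client_id=" + HttpUtility.UrlEncode(ClientId)
            + "&response_type=code"
            + "&scope=" + HttpUtility.UrlEncode("wl.signin wl.basic")
            + "&redirect_uri=" + HttpUtility.UrlEncode(redirectUri)
            + "&state=" + HttpUtility.UrlEncode(state);
        return Redirect(url);
    }

    // Step 2: Live redirects back with ?code=...&state=... (or ?error=...).
    // Check the state, exchange the code for a token server-to-server (the secret
    // never reaches the browser), then issue the normal forms-auth cookie.
    public ActionResult Callback(string code, string state, string error)
    {
        var expected = Session[StateSessionKey] as string;
        Session.Remove(StateSessionKey); // single use
        if (string.IsNullOrEmpty(expected) || !FixedTimeEquals(expected, state ?? string.Empty))
            return new HttpStatusCodeResult(400, "Invalid OAuth state");
        if (!string.IsNullOrEmpty(error) || string.IsNullOrEmpty(code))
            return new HttpStatusCodeResult(401, "Authorization was refused");

        var redirectUri = Url.Action("Callback", "LiveLogin", null, Request.Url.Scheme);
        var form = new NameValueCollection
        {
            { "client_id", ClientId },
            { "client_secret", ClientSecret },
            { "code", code },
            { "grant_type", "authorization_code" },
            { "redirect_uri", redirectUri },
        };
        byte[] raw;
        using (var web = new WebClient())
            raw = web.UploadValues(TokenUrl, "POST", form);

        var token = new JavaScriptSerializer()
            .Deserialize<LiveTokenResponse>(Encoding.UTF8.GetString(raw));
        if (token == null || string.IsNullOrEmpty(token.user_id))
            return new HttpStatusCodeResult(401, "Token exchange failed");

        // user_id is the stable, app-scoped Live identifier. Key submissions and votes
        // on it (never on a display name) so one account gets one vote per item and
        // "own submission" checks compare the same value.
        FormsAuthentication.SetAuthCookie(token.user_id, false);
        return RedirectToAction("Index", "Home");
    }

    private static string NewStateToken()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Compare without short-circuiting on the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Once `SetAuthCookie` has run, `User.Identity.Name` holds the Live `user_id` on every later request, so a submissions table with an `OwnerId` column and a votes table with a unique index on `(SubmissionId, VoterId)` is enough to enforce "one vote per user" and "no voting on your own submission" in the database rather than only in controller code.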

Related

Authorize Web API 2.2 service and other existing ASP.NET MVC 4/5 websites

I have been searching for an example on how to add a security layer for all our currently running web applications which have been developed in ASP.NET MVC and Web API. The requirement has come from the top for the current new API which will be used by some of our applications but at the same time allowing a user to use one identity.
I have been scouring the internet the whole day watching videos and reading blogs, but I cannot find a solid step by step guide and that is not ASP.NET Core based, that is easy to understand, up to date, perhaps visual and with the correct technologies to use. I have come across two main ones and not sure how they are really interlinked, i.e. IdentityServer 4 and OAuth 2, but I do understand both individually.
Does anyone have a good example or tutorial I could follow that also includes authorization? Our current user store is in a SQL Server database, and the end goal is to create one security token service to authenticate all the applications and carry forward claims in JWTs. Please assist?

Writing a C# asp.net MVC 4 app, want it to open a SSO to GoogleSuite Edu, can't find examples or docs

I'm writing a C# asp.net MVC 4 app,
I want it to open a window that SSO to GoogleSuite Edu, (We have O365 set up, looking at moving to Google)
(i.e. log in to our app, click a link, go to Google Docs, already logged in)
can't find examples or docs.
I can find lots of stuff about setting up the Google side, or about this or that api, but nothing with any detail about creating an app to do it.
From what I've read the best approach seems to be setting up Google to use our app as a 3rd party authenticator via ADFS as an IdP service, login thru Google, then just add a link to Google Docs in our app.
Is this the best approach, and are there any examples or tutorials I can look at?
I found the c# quickstart for Google+ login, but it doesn't work due to bad JS code.
just setting up google suite and replicating users and Pwds seems pretty straight forward, it's the SSO from our app that most concerns me.

ASP.NET Web API with custom authentication

I am looking for help creating a Web API with custom username/password authentication.
I have my own database to validate users against, I do not want to use windows authentication.
I am hoping to be able to decorate my web api calls with an attribute like [Authorize], so that calls made without logging in will fail.
I do not want to have to pass credentials as a parameter to every method.
This API is going to be consumed primarily by mobile devices using Xamarin PCL.
The web API must use SSL.
This seems like a simple setup yet my googling does not reveal any super useful hits.
Ideally I'd want a Login controller that authorizes a user and allows subsequent method calls through.
Can someone provide a basic example or some good reading material?
It's a big subject and you probably need to spend some time boning up on the basics, sorry.
That said...
In order for subsequent method calls to be authenticated, you need something that can be passed back with every request. If you are calling your api from a website, say because you are using Angular or similar, then a simple cookie (appropriately encrypted and MACed) will work. Exactly how to implement that depends on whether you are using OWIN or not and whether you also have MVC in your project to serve up your pages. Don't create the cookie yourself, use FormsAuthentication or the equivalent OWIN middleware.
You don't need to use Microsoft's Membership or Identity, but be aware that doing your own password handling is not trivial and you really need to know what you are doing with that stuff - there is no substitute for a lot of research if you want to do that.
If you need to call the api from something other than a Web site, then a cookie is painful. Also be mindful that there are some subtle CSRF vulnerabilities when using cookies and Web api that you need to understand and protect against.
An alternative to cookies is to embed something like ThinkTecture IdentityServer (it's free) and use that to issue OAuth tokens and then attach them to each API request. It has a number of advantages but is also more complex.
Resources
You did ask for pointers on where to start reading. Your task is complicated by the fact that Microsoft has been changing their "default" approach to it several times over the last few years. The current default approach is Identity which replaces the previous MembershipProvider (good riddance). If you are new to this, I'd suggest you go that route to be honest - you can extend it and it ties in with most of the rest of the stack very nicely. Yes, you lose some flexibility and you need to wrap it around your current user store. But you need to ask yourself if the security you get out of the box isn't worth that.
I would also recommend Brock Allen's blog. It's pretty hardcore but he knows his stuff and will often explain the innards of a lot of Microsoft authentication technologies.
I would recommend you try to read up on "OWIN Authentication Middleware". It's where it is all going, not least with ASP.Net vNext. Sadly, most of the documentation out there focuses on how super easy it is to use (and it is - for a demo) but lacks any in-depth info about how it really works, which can be very frustrating.
In order to get to grips with how tokens and the different standards work, I would recommend you watch this video here: http://www.ndcvideos.com/#/app/video/2651
Then look at Azure Mobile Services which has even got client-side libraries for handling the auth I believe or ThinkTecture Identity Server. Even if you end up not using IdSrv, by going through their tutorials on how to use it, you will learn an awful lot about how this whole thing works in general; it's all based on open standards. Docs here: http://identityserver.github.io/Documentation/docs/
Try working through their tutorials; they use a Windows console app in place of an app, but the concept is the same.
I wish you luck but would like to just close by saying please don't just hack something together that seems to work. Web security is increasingly complex and it is very easy to leave vulnerabilities in your code - I talk from experience :)
Don't be a Moonpig.
Depending on which version you are using. MVC5 Web API 2 implements an approach called bearer tokens. So you basically execute a post with username and password upfront to your https://applicationhostlocation/token endpoint. This will return a bearer token in the payload. You send subsequent https requests to your authorized web api methods with the bearer token in a header. This is all out of the box with the latest version of the web api. This link outlines the approach pretty well: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
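The answer above outlines the out-of-the-box bearer-token flow but shows no code. As an added example (not code from the answer or from the linked ASP.NET article), here are the two halves of that flow: a Web API 2 controller that `[Authorize]` protects, and a client class of the kind a Xamarin PCL would use, which posts credentials once to the `/token` endpoint and then sends the returned token in the `Authorization` header on every call. The `/token` endpoint, the `grant_type=password` form and the `access_token` JSON field are what the Web API 2 individual-accounts template exposes; `ItemsController`, `ApiClient` and the `api/items` route are names made up for this example, and the client assumes the `Microsoft.Net.Http` package for `HttpClient` in a PCL.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using System.Web.Http;

// --- server side: any request without a valid bearer token gets 401 here ---
[Authorize]
[RoutePrefix("api/items")]
public class ItemsController : ApiController
{
    [HttpGet, Route("")]
    public IHttpActionResult Get()
    {
        // User.Identity.Name is filled in from the validated token, not from any
        // parameter the caller sends, so methods never take credentials themselves.
        return Ok(new { owner = User.Identity.Name, items = new[] { "first", "second" } });
    }
}

// --- client side (e.g. Xamarin PCL): log in once, then reuse the token ---
public class ApiClient
{
    private readonly HttpClient _http;
    private string _token;

    public ApiClient(Uri baseAddress)
    {
        // A bearer token is as good as a password to whoever holds it, so refuse
        // to talk to anything but an https endpoint.
        if (baseAddress.Scheme != "https")
            throw new ArgumentException("Bearer tokens must only travel over TLS", "baseAddress");
        _http = new HttpClient { BaseAddress = baseAddress };
    }

    // POST grant_type=password&username=...&password=... to https://host/token.
    // The JSON reply carries access_token (plus token_type and expires_in).
    public async Task LoginAsync(string username, string password)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "password" },
            { "username", username },
            { "password", password },
        });
        var response = await _http.PostAsync("token", form);
        if (!response.IsSuccessStatusCode)
            throw new UnauthorizedAccessException("Login failed: HTTP " + (int)response.StatusCode);

        var body = await response.Content.ReadAsStringAsync();
        _token = ExtractAccessToken(body);

        // From here on every request carries "Authorization: Bearer <token>";
        // nothing else identifies the user.
        _http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", _token);
    }

    public Task<string> GetItemsAsync()
    {
        if (_token == null) throw new InvalidOperationException("Call LoginAsync first");
        return _http.GetStringAsync("api/items");
    }

    // Minimal extraction of "access_token":"..." so the example needs no JSON library;
    // in a real app use Json.NET or another proper parser.
    internal static string ExtractAccessToken(string json)
    {
        const string key = "\"access_token\":\"";
        var start = json.IndexOf(key, StringComparison.Ordinal);
        if (start < 0) throw new FormatException("No access_token in token response");
        start += key.Length;
        var end = json.IndexOf('"', start);
        if (end < 0) throw new FormatException("Malformed token response");
        return json.Substring(start, end - start);
    }
}
```

Because the token is sent in a header rather than a cookie, the browser never attaches it automatically, which is why this design sidesteps the cookie CSRF issue raised in the earlier answer; the trade-off is that the client code is responsible for storing the token securely (platform keychain or equivalent) and for discarding it when `expires_in` elapses.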
Custom Membership Provider my friend!
https://codeutil.wordpress.com/2013/05/14/forms-authentication-in-asp-net-mvc-4/
With a custom membership provider you can set an Authorization Cookie Token (aka AuthCookie), and use the Forms Authentication technology in your application. With a Custom Membership Provider, you'll be able to create a custom Validation Method that accesses your database to match users' credentials.
With the AuthCookie, every subsequent request will be authenticated, like a traditional Authorization Cookie technology.
Also, you can use a rewrite Url approach to enforce users to be redirected to the SSL pages: Best way in asp.net to force https for an entire site?
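The answer above points at a custom validation method, the AuthCookie and forcing SSL, but the linked posts do not show the part the earlier answer warns about: how to check a password against your own store without leaking it. As an added example (not code from the answer or the linked articles), here is that validation method, the hashing it relies on, and the MVC login action that issues the AuthCookie. `UserRecord`, `IUserStore`, `PasswordHasher`, `CredentialValidator` and `AccountController` are names made up for this example; the controller assumes a dependency resolver supplies its constructor argument (or add a parameterless constructor that builds one). Wrapping `CredentialValidator.Validate` in a `MembershipProvider.ValidateUser` override works the same way, but `MembershipProvider` has many other abstract members that would have to be stubbed, so the example calls the validator directly.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Mvc;
using System.Web.Security;

// One row of your users table (assumption: adapt the field names to your schema).
public class UserRecord
{
    public string UserName;
    public byte[] Salt;
    public byte[] Hash;      // PBKDF2 of the password with Salt and Iterations
    public int Iterations;
}

// How the validator reaches the database; implement against SQL, EF, etc.
public interface IUserStore
{
    UserRecord FindByName(string userName); // null when no such user
}

public static class PasswordHasher
{
    public const int SaltSize = 16, HashSize = 32, Iterations = 100000;

    // Used when a user registers or changes their password. Never store the password.
    public static UserRecord Create(string userName, string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        return new UserRecord
        {
            UserName = userName, Salt = salt, Iterations = Iterations,
            Hash = Derive(password, salt, Iterations)
        };
    }

    public static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashSize);
    }

    // Compare every byte so a mismatch in the first byte takes as long as one in the last.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class CredentialValidator
{
    private readonly IUserStore _store;
    // Hashed against when the user name is unknown, so the request takes the same
    // time either way and does not reveal which names exist.
    private static readonly UserRecord Dummy = PasswordHasher.Create("?", Guid.NewGuid().ToString());

    public CredentialValidator(IUserStore store) { _store = store; }

    public bool Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return false;
        var user = _store.FindByName(userName);
        var record = user ?? Dummy;
        var candidate = PasswordHasher.Derive(password, record.Salt, record.Iterations);
        return user != null && PasswordHasher.FixedTimeEquals(candidate, record.Hash);
    }
}

[RequireHttps] // credentials and the AuthCookie must never travel over plain HTTP
public class AccountController : Controller
{
    private readonly CredentialValidator _validator;
    public AccountController(CredentialValidator validator) { _validator = validator; }

    [HttpGet]
    public ActionResult Login(string returnUrl) { return View(); }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        if (!_validator.Validate(userName, password))
        {
            // Same message for unknown user and wrong password.
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        FormsAuthentication.SetAuthCookie(userName, false); // issues the AuthCookie
        // Only honour a local returnUrl; an absolute one would be an open redirect.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

For the cookie itself to be worth this effort, web.config needs `<authentication mode="Forms">` with `requireSSL="true"` on the `<forms>` element so the browser refuses to send the AuthCookie over HTTP, which pairs with the `[RequireHttps]` attribute (or the URL-rewrite approach mentioned above) that keeps the pages themselves on SSL.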

Testing SSO without IDP

I am trying to set up an IDP-Initiated SSO. I am helping out the IT department at the company I work at and do not have access to Active Directory right now (I am an intern doing IT in another department and they seem to think I can test without it).
The only data I need to get from AD is the user's login id, so in theory I don't think not having access to AD will be a problem...?
(Username should be the same as .NET's `Environment.UserName`)
My task is to basically create a SAML token and send it to our RP (on another domain), who should take care of the rest.
Where can I start? I've not done something like this, so I'm sort of confused. I believe I just need to build a token and then post it, but I'm not sure how to begin. I've looked at some tutorials but they don't seem to fit my situation. If anyone has any tutorials on my specific case it would be much appreciated.
Thank you!
You've tagged this C# and .NET so looks like you live in the Microsoft world.
The normal way to do this is via ADFS and then configure your RP.
But you want to do IDP Initiated which is a SAML feature. What protocol does your RP support? There is no client-side Microsoft SAML support - although there are 3rd party tools.
Update
Suggest using ADFS - good example of how to configure here.
Years ago I wrote a 6 part tutorial on integrating a custom STS with the ADFS. Part 2 of that tutorial is on creating a custom STS.
http://www.wiktorzychla.com/2011/08/quest-for-customizing-adfs-sign-in-web.html
Note that the tutorial aims at WIF 4 that was a separate download at that time. Nowadays, WIF is integrated with .NET 4.5 so that some subtle details (namespaces etc) can vary.
Also note that WIF supports SAML 1.1.

AuthSub/OAuth, ASP.NET and Google API

I have an idea for a simple webApp that would cross-link information from Evernote to Google Calendar. I was able to find a good Evernote Quickstart project but I am now searching for something to start with to begin accessing Calendar. Please advise if you know any good resources with code samples that would show me how to do the dirty work (I mean the authentication either via OAuth/AuthSub).
From what I have read about using OAuth with Google, it seems that you have to have a registered domain - I need to be able to access the service from my laptop's development server, so I guess I must stick with AuthSub.
When I 'googled' for this topic I found many questions similar to mine, yet none of them has been answered in satisfactory way.
Thank you in advance for your help.
UPDATE: I'm starting to think that either I am missing something or nobody is using AuthSub in ASP.NET...
I've recently created a sample of how to use Google OAuth in ASP.NET with the DotNetOpenAuth library:
Using Google OAuth in asp.net
I hope this sample helps :)
Dominik
UPDATE March, 2015
By April 20th, Google will no longer support this API; therefore I needed to migrate to OIDC. See my recent article here:
OIDC lightweight library for asp.net
In order to use OAuth, you must register your domain with Google at the following page: https://www.google.com/accounts/ManageDomains. This registration will give you the credentials you need to sign your OAuth requests. However, you could still specify a different oauth_callback url in the user authorization url. So the registered domain is not related to the oauth_callback.
