How to use Saml2ArtifactBinding and retrieve user claims - c#

I'm integrating my C# project with an IDP via SAML 2. I have some examples of how to create the login assertion using Saml2PostBinding, but I was not able to find any example about how to do it with Saml2ArtifactBinding.
What is happening now:
User requests my C# application login route
User is redirected to IDP Login page
User logs in
IDP redirects the user to my C# application with a query parameter SAMLart
I don't know what to do with this parameter to obtain the user claims.
These are the specifications of my project:
.NET 7
ITfoxtec.Identity.Saml2 v4.8.3.6

First, please use the new version 4.8.3-beta8 (4.8.3.8); it will be released soon.
I think you can find what you need in the artifact relying party (RP) sample and identity provider (IdP) sample.
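For readers who want to see the whole artifact flow in one place, here is an added example; it is not the answer's code and not the library's own sample. It assumes ITfoxtec.Identity.Saml2 with its MvcCore package, and that `Saml2Configuration` has been loaded from the IdP metadata (single sign-on endpoint, artifact resolution endpoint, IdP signing certificate) and registered with `services.Configure<Saml2Configuration>(...)` as in the samples. The class and method names (`Saml2ArtifactBinding`, `Saml2ArtifactResolve`, `Saml2SoapEnvelope.ResolveAsync`, `Saml2AuthnResponse.ClaimsIdentity`, `CreateSession`) follow the artifact RP sample as I recall it; check them against the 4.8.3 sample the answer points to before relying on them.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Authentication;
using System.Threading.Tasks;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.MvcCore;
using ITfoxtec.Identity.Saml2.Schemas;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

// Added example, not the ITfoxtec sample itself. Assumes Saml2Configuration was populated
// from the IdP metadata and registered in DI, and that AddHttpClient() was called at startup.
[Route("Auth")]
public class AuthController : Controller
{
    private const string RelayStateReturnUrl = "ReturnUrl";
    private readonly Saml2Configuration _config;
    private readonly IHttpClientFactory _httpClientFactory;

    public AuthController(IOptions<Saml2Configuration> config, IHttpClientFactory httpClientFactory)
    {
        _config = config.Value;
        _httpClientFactory = httpClientFactory;
    }

    // Step 1: send the user to the IdP with an ordinary redirect-bound AuthnRequest.
    [Route("Login")]
    public IActionResult Login(string returnUrl = null)
    {
        var binding = new Saml2RedirectBinding();
        binding.SetRelayStateQuery(new Dictionary<string, string>
        {
            { RelayStateReturnUrl, returnUrl ?? Url.Content("~/") }
        });
        return binding.Bind(new Saml2AuthnRequest(_config)).ToActionResult();
    }

    // Step 2: the IdP returns the browser here with ?SAMLart=... . The artifact is only a
    // reference; the assertion itself is fetched over a back channel, so the browser never
    // carries the assertion and cannot tamper with it.
    [Route("AssertionConsumerService")]
    public async Task<IActionResult> AssertionConsumerService()
    {
        // Read the artifact from the query string into an ArtifactResolve request.
        var binding = new Saml2ArtifactBinding();
        var artifactResolve = new Saml2ArtifactResolve(_config);
        binding.Unbind(Request.ToGenericHttpRequest(), artifactResolve);

        // Step 3: POST the signed ArtifactResolve over SOAP to the IdP's artifact resolution
        // endpoint and unpack the ArtifactResponse into a Saml2AuthnResponse. The library
        // verifies the IdP signature against the certificate held in _config.
        var soapEnvelope = new Saml2SoapEnvelope();
        var authnResponse = new Saml2AuthnResponse(_config);
        await soapEnvelope.ResolveAsync(_httpClientFactory, artifactResolve, authnResponse);

        if (authnResponse.Status != Saml2StatusCodes.Success)
        {
            throw new AuthenticationException($"SAML Response status: {authnResponse.Status}");
        }

        // Step 4: the user's claims are now on the response (NameID plus attribute statements)...
        var claims = authnResponse.ClaimsIdentity.Claims;

        // ...and the normal application session cookie is created from them.
        await authnResponse.CreateSession(HttpContext, claimsTransform: principal => principal);

        // RelayState round-trips the original return URL; only follow it if it stays local.
        var relayState = binding.GetRelayStateQuery();
        var returnUrl = relayState.ContainsKey(RelayStateReturnUrl)
            ? relayState[RelayStateReturnUrl]
            : Url.Content("~/");
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : Url.Content("~/"));
    }
}
```

The security point that distinguishes this from the POST binding: with the artifact binding the `SAMLart` value carries no claims at all, so the claims only ever travel between your server and the IdP over the resolution call, which must be TLS and signed in both directions; the status check and the local-URL guard on the RelayState are the two checks people most often leave out.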

Related

Net Core Identity - Ask user for missing information / ask for Ts & Cs acceptance, on External Sign Up

What am I trying to achieve?
I want to redirect the user to a page when he/she is signing up with e.g. Google or Facebook and any of the information is missing. I would also like to ask the user for acceptance of the GDPR-related stuff.
Background
I am using a quick start from IdentityServer4 which incorporates Net Core Identity with a nice quick start UI, and it handles user registration when a user is not found after hitting the callback from the external provider.
When a user registers locally there is no issue - all data is validated as expected, so I do not have any issues there - but I cannot find a way to somehow get in the middle of the signup when the user registers through the external provider.
Not sure if it matters in this context, but I need it in the auth service which is using IdentityServer4.
Depending on the quick start project template, you should be able to hook into the external login callback before the user is created.
See the docs and an example.
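As an added illustration of the hook the answer describes (this is not the quickstart's code and not part of the answer), the controller below intercepts the external callback before any local user is created and routes new users through a completion form. It assumes the ASP.NET Core Identity external-login flow (`SignInManager`/`UserManager`) that the AspNetIdentity quickstart builds on, and a `CompleteRegistration` view for the form; the route names and claim names are chosen here.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Added example, not the IdentityServer4 quickstart's own code.
[AllowAnonymous]
public class ExternalLoginController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;

    public ExternalLoginController(SignInManager<IdentityUser> signInManager,
                                   UserManager<IdentityUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    public class CompleteRegistrationModel
    {
        [Required, EmailAddress] public string Email { get; set; } = "";
        [Required] public string DisplayName { get; set; } = "";
        // Consent is validated server-side; an unticked box fails model validation.
        [Range(typeof(bool), "true", "true", ErrorMessage = "Please accept the terms.")]
        public bool AcceptTerms { get; set; }
    }

    // The external provider returns here. Its claims sit in the temporary external cookie;
    // no local user exists yet for a first-time sign-up.
    [HttpGet("external/callback")]
    public async Task<IActionResult> Callback(string returnUrl = "/")
    {
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null) return RedirectToAction("Login", "Account");

        // Known user: sign in exactly as the quickstart already does.
        var result = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: true);
        if (result.Succeeded) return LocalRedirect(SafeReturnUrl(returnUrl));

        // Unknown user: do NOT create the account here. Send them to the completion form,
        // which asks for whatever the provider did not supply plus the GDPR consent.
        return RedirectToAction(nameof(CompleteRegistration), new { returnUrl });
    }

    [HttpGet("external/complete")]
    public async Task<IActionResult> CompleteRegistration(string returnUrl = "/")
    {
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null) return RedirectToAction("Login", "Account");

        // Pre-fill from provider claims; anything missing shows up as an empty required field.
        var model = new CompleteRegistrationModel
        {
            Email = info.Principal.FindFirstValue(ClaimTypes.Email) ?? "",
            DisplayName = info.Principal.FindFirstValue(ClaimTypes.Name) ?? "",
        };
        ViewData["ReturnUrl"] = returnUrl;
        return View(model);
    }

    [HttpPost("external/complete"), ValidateAntiForgeryToken]
    public async Task<IActionResult> CompleteRegistration(CompleteRegistrationModel model, string returnUrl = "/")
    {
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null) return RedirectToAction("Login", "Account");
        ViewData["ReturnUrl"] = returnUrl;
        if (!ModelState.IsValid) return View(model);

        // Only now is the local user created. EmailConfirmed stays false: an address typed by
        // the user (rather than asserted by the provider) must be verified before it is trusted.
        var user = new IdentityUser { UserName = model.Email, Email = model.Email };
        var outcome = await _userManager.CreateAsync(user);
        if (outcome.Succeeded) outcome = await _userManager.AddLoginAsync(user, info);
        if (!outcome.Succeeded)
        {
            foreach (var e in outcome.Errors) ModelState.AddModelError("", e.Description);
            return View(model);
        }
        await _userManager.AddClaimsAsync(user, new[]
        {
            new Claim("name", model.DisplayName),
            // Record when consent was given; this is the evidence a later GDPR request needs.
            new Claim("terms_accepted_utc", DateTime.UtcNow.ToString("o")),
        });

        await _signInManager.SignInAsync(user, isPersistent: false);
        return LocalRedirect(SafeReturnUrl(returnUrl));
    }

    // Open-redirect guard: only follow return URLs that stay on this site.
    private string SafeReturnUrl(string returnUrl) => Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
}
```

The design point is that the external cookie, not a half-created user row, holds the provider's claims while the form is open, so abandoning the form leaves nothing behind in the user store.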

Authentication using Angular 8 with Azure Active Directory

I am having some issues finding forums/tutorials/examples on how to fully authenticate an Angular app with Azure Active Directory. So in short, I need to log in the user via Angular 8, and I am using the https://www.npmjs.com/package/#azure/msal-angular library, which I found really good and easy. I am retrieving the ID token and the user after login. The issue is that I need to add that user to the database, because I have a role management system for which I need to add the user to the aspnet users DB. I need to call an API which needs to authenticate from the .NET side that the user is real and then add the user to the aspnet users DB. If he already exists there, it just needs to authenticate him and create a token. I need an example in .NET of how to populate User.Identity with the user. I am sending the API 2 headers: Authorization, which is the bearer token ID, and the access token. Can someone please help?
Assuming you're using ASP.NET Core, you just need a middleware which will validate your JWT token acquired from the front end and check if the user/token are valid (and also populate User.Identity for you).
More info: https://github.com/aspnet/AspNetCore/tree/master/src/Azure/AzureAD/samples/AzureADSample
EDIT:
For ASP.NET MVC (non-Core), you'll use the same approach:
https://www.c-sharpcorner.com/article/azure-ad-authentication-for-mvc-web-application/
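An added example of what that middleware looks like in ASP.NET Core (minimal hosting), together with the "create the aspnet user on first sight" step the question asks for. This is not the linked sample's code. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer, Microsoft.AspNetCore.Identity.EntityFrameworkCore and Microsoft.EntityFrameworkCore.SqlServer packages, configuration keys named `AzureAd:TenantId` and `AzureAd:ClientId` (names chosen here), and a hypothetical `ApplicationDbContext`.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Added example, not the linked Azure AD sample. ApplicationDbContext is hypothetical.
public class ApplicationDbContext : IdentityDbContext<IdentityUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
}

public static class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);
        var tenantId = builder.Configuration["AzureAd:TenantId"];
        var clientId = builder.Configuration["AzureAd:ClientId"];

        builder.Services.AddDbContext<ApplicationDbContext>(o =>
            o.UseSqlServer(builder.Configuration.GetConnectionString("Default")));
        builder.Services.AddIdentityCore<IdentityUser>()
            .AddRoles<IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>();

        builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Signing keys are fetched from the tenant's OpenID Connect discovery document.
                options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = $"https://login.microsoftonline.com/{tenantId}/v2.0",
                    ValidateAudience = true,
                    // An ID token is issued to the client id; a v2 access token for this API
                    // carries the API's App ID URI (api://<client id> by default).
                    ValidAudiences = new[] { clientId, $"api://{clientId}" },
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(2),
                    NameClaimType = "preferred_username",
                };
                options.Events = new JwtBearerEvents
                {
                    // Runs only after signature, issuer, audience and lifetime checks passed.
                    OnTokenValidated = async ctx =>
                    {
                        var userManager = ctx.HttpContext.RequestServices
                            .GetRequiredService<UserManager<IdentityUser>>();
                        var oid = ctx.Principal!.FindFirstValue("oid");          // stable Azure AD object id
                        var email = ctx.Principal.FindFirstValue("preferred_username");
                        if (oid is null || email is null) { ctx.Fail("required claims missing"); return; }

                        // First sight of this Azure AD user: create the aspnet user row and link
                        // it to the external login. Key on oid, not on the (changeable) email.
                        var user = await userManager.FindByLoginAsync("AzureAD", oid);
                        if (user is null)
                        {
                            user = new IdentityUser { UserName = email, Email = email };
                            var created = await userManager.CreateAsync(user);
                            if (!created.Succeeded) { ctx.Fail("could not provision user"); return; }
                            await userManager.AddLoginAsync(user, new UserLoginInfo("AzureAD", oid, "Azure AD"));
                        }

                        // Merge local roles into User.Identity so [Authorize(Roles = ...)] works.
                        var identity = (ClaimsIdentity)ctx.Principal.Identity!;
                        foreach (var role in await userManager.GetRolesAsync(user))
                            identity.AddClaim(new Claim(ClaimTypes.Role, role));
                    }
                };
            });
        builder.Services.AddAuthorization();

        var app = builder.Build();
        app.UseAuthentication();
        app.UseAuthorization();
        app.MapGet("/api/me", (ClaimsPrincipal user) => new
        {
            name = user.Identity?.Name,
            roles = user.FindAll(ClaimTypes.Role).Select(c => c.Value).ToArray()
        }).RequireAuthorization();
        app.Run();
    }
}
```

Two things worth noticing: the provisioning runs inside `OnTokenValidated`, so an unverifiable token never reaches the user store, and the local account is keyed on the `oid` claim rather than the e-mail address, which Azure AD allows to change.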

Token/claims based authentication in .net application (OS)

I've been looking at examples and documentation for using token/claims based authentication in .net applications using wif or thinktecture identitymodel.
One example was: Token based authentication
But I can't seem to find information regarding how tokens 'should' be used.
Given the .net console app scenario:
How are or how do you persist the tokens?
Where should they be stored?
Should they be stored?
Or are you supposed to request a new token every time the user loads the console app?
Naively I assumed the user would load the app, request a token, the STS would issue a token (if their username maps to a username in the provider etc.), the token would be sent to the user, the app would deserialize the token, extract the claims and use the claims accordingly.
I'd like to understand how tokens should be persisted; then I assumed you should check for a token upon app loading, check that the token hasn't expired etc.
Views from anyone with token/claims based authentication in .NET/Windows apps (WinForms, console) would be great to hear.
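As an added illustration of the "check for a cached token on startup, re-request only when expired" pattern the question sketches (this is not part of the question and is not a posted answer), the class below keeps the token on disk encrypted with DPAPI for the current Windows user and treats it as stale shortly before its expiry. It assumes Windows (`ProtectedData`; on .NET Core that is the System.Security.Cryptography.ProtectedData package) and that the caller supplies the function that actually asks the STS for a token; `acquireToken` and the cache folder name are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;

// Added example, not from the question or any answer on the page.
public sealed class CachedToken
{
    public string RawToken { get; set; } = "";       // the serialized SAML/JWT token as issued
    public DateTimeOffset ExpiresAt { get; set; }    // taken from the token's validity period
}

public static class TokenCache
{
    private static readonly string CachePath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "MyConsoleApp", "token.bin");                // hypothetical per-user cache location

    // Treat a token as stale a little before it really expires, so a request does not start
    // with a token that dies in flight.
    private static readonly TimeSpan ExpirySkew = TimeSpan.FromMinutes(2);

    public static async Task<string> GetTokenAsync(Func<Task<CachedToken>> acquireToken)
    {
        var cached = Load();
        if (cached != null && cached.ExpiresAt - ExpirySkew > DateTimeOffset.UtcNow)
            return cached.RawToken;                  // still valid: no round trip to the STS

        var fresh = await acquireToken();            // e.g. a WS-Trust RequestSecurityToken call
        Save(fresh);
        return fresh.RawToken;
    }

    // Call on sign-out so the next run has to authenticate again.
    public static void Clear()
    {
        if (File.Exists(CachePath)) File.Delete(CachePath);
    }

    private static CachedToken? Load()
    {
        if (!File.Exists(CachePath)) return null;
        try
        {
            // DPAPI ties the blob to this Windows user; another account cannot decrypt it.
            var plain = ProtectedData.Unprotect(File.ReadAllBytes(CachePath), null, DataProtectionScope.CurrentUser);
            return JsonSerializer.Deserialize<CachedToken>(plain);
        }
        catch (CryptographicException) { return null; }   // different user/machine or tampered file
        catch (JsonException) { return null; }             // corrupted: just re-acquire
    }

    private static void Save(CachedToken token)
    {
        Directory.CreateDirectory(Path.GetDirectoryName(CachePath)!);
        var plain = JsonSerializer.SerializeToUtf8Bytes(token);
        var sealedBytes = ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(CachePath, sealedBytes);
    }
}
```

Whether to persist at all is then a policy choice: for a short-lived token the cache mostly saves a round trip per launch, and the DPAPI wrapping means a copied file is useless on another account or machine.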

Secure Web Api called by PhoneGap application

I'm implementing some WebApi to upload/convert/return videos.
Another developer will implement a PhoneGap application that will call my WebApi to upload/convert/show videos to users.
The PhoneGap application uses OpenId to allow users to login using google and facebook.
My problem is that I want to make sure the client that is calling my WebApi has been logged in on the PhoneGap app using google or facebook.
I know that all I need is the client to send me a token in the request header that I can "extract" on the web api to validate the user. My question is how can my WebApi know what is the token that has been generated by openId (google/fb) on the PhoneGap app?
Well, I am also looking into this, and what I have got so far I will share with you in the following steps:
1) Whenever a user calls my login page I will create the token in the response header to make sure that the request is coming from a legitimate user, just like the anti-forgery token in MVC.
2) Then upon successful login I will create the authentication cookie and set the current user context value; this will authorize the user and generate another token as mentioned above.
3) Then after this I will use the normal Authorize and Roles attributes provided by Web API.
Let me know what you think. I am more than happy to contribute.
Another approach is, when the user logs in, to create a hashed token, add it to the response header, and create a custom attribute which grabs that token and checks it against the database. The problem with this approach is that you will be hammering your database all the time.
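An added example of the "custom attribute that checks the header token against the database" approach from the answer above, written for ASP.NET Web API 2 (it is not the answer's own code). Two changes address the concerns the answer raises: the store keeps only a SHA-256 hash of each issued token, so a leaked table does not leak usable tokens, and a short in-memory cache absorbs repeated lookups so the database is not hit on every request. `ITokenStore`, `TokenRecord` and the `"HeaderToken"` scheme name are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Runtime.Caching;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Added example, not the answer's code. The store is consulted by hash only.
public sealed class TokenRecord
{
    public string UserId { get; set; }
    public string[] Roles { get; set; }
    public DateTime ExpiresUtc { get; set; }
}

public interface ITokenStore
{
    TokenRecord FindByHash(string tokenHash);   // null when unknown or revoked
}

public sealed class HeaderTokenAuthorizeAttribute : AuthorizationFilterAttribute
{
    private static readonly MemoryCache Cache = MemoryCache.Default;
    // Cache lifetime bounds how long a revoked token keeps working: pick it accordingly.
    private static readonly TimeSpan CacheTtl = TimeSpan.FromSeconds(60);

    // Set once at startup (e.g. in WebApiConfig.Register); attributes cannot be DI-injected.
    public static ITokenStore Store { get; set; }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var auth = actionContext.Request.Headers.Authorization;
        if (auth == null || auth.Scheme != "Bearer" || string.IsNullOrWhiteSpace(auth.Parameter))
        {
            Reject(actionContext);
            return;
        }

        // Look up by hash: the raw token is never written anywhere on the server.
        var hash = Sha256Hex(auth.Parameter);
        var record = Cache.Get(hash) as TokenRecord;
        if (record == null)
        {
            record = Store.FindByHash(hash);
            if (record == null)
            {
                Reject(actionContext);
                return;
            }
            Cache.Set(hash, record, DateTimeOffset.UtcNow.Add(CacheTtl));
        }

        if (record.ExpiresUtc <= DateTime.UtcNow)
        {
            Cache.Remove(hash);
            Reject(actionContext);
            return;
        }

        // Populate the principal so the built-in [Authorize] and Roles checks work downstream.
        var identity = new ClaimsIdentity("HeaderToken");
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, record.UserId));
        foreach (var role in record.Roles ?? new string[0])
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        actionContext.RequestContext.Principal = new ClaimsPrincipal(identity);
    }

    private static void Reject(HttpActionContext actionContext)
    {
        var response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
        actionContext.Response = response;
    }

    private static string Sha256Hex(string value)
    {
        using (var sha = SHA256.Create())
        {
            var digest = sha.ComputeHash(Encoding.UTF8.GetBytes(value));
            var sb = new StringBuilder(digest.Length * 2);
            foreach (var b in digest) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }
}
```

Apply it as `[HeaderTokenAuthorize]` on a controller, then use the ordinary `[Authorize(Roles = "...")]` on actions. Note that this only proves the caller holds a token your own login endpoint issued; it says nothing about Google or Facebook, so the login endpoint that issues the token must itself verify the provider's token before handing one out.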

Which Facebook API can I use to get Foursquare like signup behavior?

I am totally lost finding the right API to create a sign-up process like Foursquare. I am attaching a document of what I am trying to do. I have already tried OAuth, the JavaScript SDK, the Facebook.NET API from CodePlex and FacebookToolkit.NET from Microsoft. Nothing looks like what I actually need. I think someone experienced can lead me towards where I should go.
https://docs.google.com/fileview?id=0B6mlBkccI34zNDNmMGMyNTYtMDY2NS00NmEwLTlkMjQtZjA5NmVmZDMzYzlj&hl=en&authkey=CNPH9LEL
Note: I am trying to achieve this via ASP.NET with C#.
The Facebook Graph API is the best. The URL is http://developers.facebook.com/docs/api
The Graph API uses OAuth 2.0 for authorization. Check out the authentication guide for the details of Facebook's OAuth 2.0 implementation.
OAuth 2.0 is a simpler version of OAuth that leverages SSL for API communication instead of relying on complex URL signature schemes and token exchanges. At a high level, using OAuth 2.0 entails getting an access token for a Facebook user via a redirect to Facebook. After you obtain the access token for a user, you can perform authorized requests on behalf of that user by including the access token in your Graph API requests:
https://graph.facebook.com/220439?access_token=...
Check out the PHP example code or the Python example code on GitHub to see a complete example of obtaining an access token for the current user. The steps to obtain an access token are:
Register your application to get an app ID and secret. Your Facebook app ID is your client_id and your Facebook application secret is your client_secret.
Redirect the user to https://graph.facebook.com/oauth/authorize with your client_id and the redirect_uri. The redirect_uri parameter needs to begin with your app's URL. For instance, if your URL is http://www.example.com then your redirect URI could be http://www.example.com/oauth_redirect.
https://graph.facebook.com/oauth/authorize?
client_id=...&
redirect_uri=http://www.example.com/oauth_redirect
After the user authorizes your application, we redirect the user back to the redirect URI you specified with a verification string in the argument code, which can be exchanged for an oauth access token. Exchange it for an access token by fetching https://graph.facebook.com/oauth/access_token. Pass the exact same redirect_uri as in the previous step:
https://graph.facebook.com/oauth/access_token?
client_id=...&
redirect_uri=http://www.example.com/oauth_redirect&
client_secret=...&
code=...
Use the access token returned by the request above to make requests on behalf of the user:
https://graph.facebook.com/me?access_token=...
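The four steps above as one ASP.NET Core controller, added here as an example and not taken from the answer or from Facebook's sample code. It uses the endpoints and parameters quoted in the answer, adds the `state` parameter that ties the callback to the browser session, and keeps the access token on the server. It assumes session state is enabled (`AddSession`/`UseSession`) and `AddHttpClient()` is registered; `ClientId`, `ClientSecret` and `RedirectUri` are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.WebUtilities;

// Added example, not the answer's code. Replace the placeholders with your app's values.
public class FacebookOAuthController : Controller
{
    private const string ClientId = "<your-app-id>";
    private const string ClientSecret = "<your-app-secret>";
    // Must match the registered redirect URI exactly, and be sent identically in both steps.
    private const string RedirectUri = "http://www.example.com/oauth_redirect";
    private const string StateKey = "fb_oauth_state";
    private readonly IHttpClientFactory _http;

    public FacebookOAuthController(IHttpClientFactory http) { _http = http; }

    // Step 2 of the answer: redirect to the authorize endpoint. The random state is kept
    // server-side and must be echoed back, so a callback not started by this session is rejected.
    [HttpGet("/oauth_start")]
    public IActionResult Start()
    {
        var state = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        HttpContext.Session.SetString(StateKey, state);

        var url = QueryHelpers.AddQueryString("https://graph.facebook.com/oauth/authorize", "client_id", ClientId);
        url = QueryHelpers.AddQueryString(url, "redirect_uri", RedirectUri);
        url = QueryHelpers.AddQueryString(url, "state", state);
        return Redirect(url);
    }

    // Step 3: Facebook sends the browser back with ?code=...&state=... (or ?error=...).
    [HttpGet("/oauth_redirect")]
    public async Task<IActionResult> Callback(string? code, string? state, string? error)
    {
        var expected = HttpContext.Session.GetString(StateKey);
        HttpContext.Session.Remove(StateKey);                    // single use
        if (error != null || string.IsNullOrEmpty(code) || expected == null || state != expected)
            return BadRequest("OAuth callback rejected");

        // Exchange the code for an access token; client_secret never leaves the server.
        var tokenUrl = QueryHelpers.AddQueryString("https://graph.facebook.com/oauth/access_token", "client_id", ClientId);
        tokenUrl = QueryHelpers.AddQueryString(tokenUrl, "redirect_uri", RedirectUri);
        tokenUrl = QueryHelpers.AddQueryString(tokenUrl, "client_secret", ClientSecret);
        tokenUrl = QueryHelpers.AddQueryString(tokenUrl, "code", code);

        var client = _http.CreateClient();
        using var tokenResponse = await client.GetAsync(tokenUrl);
        if (!tokenResponse.IsSuccessStatusCode) return StatusCode(502, "token exchange failed");
        var accessToken = ParseAccessToken(await tokenResponse.Content.ReadAsStringAsync());
        if (accessToken == null) return StatusCode(502, "no access_token in reply");

        // Step 4: call the Graph API on the user's behalf from the server. The token is not
        // handed to the browser; store it encrypted if the app needs it for later calls.
        using var meResponse = await client.GetAsync(
            QueryHelpers.AddQueryString("https://graph.facebook.com/me", "access_token", accessToken));
        var me = await meResponse.Content.ReadAsStringAsync();
        return Content(me, "application/json");
    }

    // The answer shows the original form-encoded reply (access_token=...&expires=...);
    // newer Graph versions answer with JSON. Accept either shape.
    internal static string? ParseAccessToken(string body)
    {
        var trimmed = body.TrimStart();
        if (trimmed.StartsWith('{'))
        {
            using var doc = JsonDocument.Parse(trimmed);
            return doc.RootElement.TryGetProperty("access_token", out var t) ? t.GetString() : null;
        }
        var form = QueryHelpers.ParseQuery(body);
        return form.TryGetValue("access_token", out var v) ? v.ToString() : null;
    }
}
```

The `state` check is the one addition to the answer's sequence: without it, a link to `/oauth_redirect?code=...` crafted by someone else would be accepted and could bind their Facebook identity to the victim's account.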
You are looking for the Facebook Connect API.
More info for the single login process can be found here
You could also leverage OpenID
Your document notes the Yelp signup process, which is very low friction and allows the user's information to be available to the website without having to go through Facebook's authentication process.
Yelp, Microsoft Docs, and Pandora are using a feature of Facebook called Instant Personalization. Instant Personalization is not available to developers as of yet and is only available to those three partners.
That being said, you likely would need to use the Facebook Login Button to allow the user to grant you access to their information (including their friends list).
As far as the process of getting a list of friends, use the graph call "me/friends"
I manage FaceSharp, a .NET open source project to help people get started with Facebook Development and will be adding functionality similar to what you are looking to do in the future, perhaps some of that code will help you in your efforts. It's under the MIT license, so take whatever you want.
