I have created a Web API with a login method that authenticates against AzureAD returns a JWT string.
Now I have a presentation MVC app where I want to use this login method against. I'm trying to figure out how to use the built in Authentication in ASP.NET to authenticate users using this jwt string. All examples I find is using Identity for example, or external login methods like Facebook/Twitter.
I know I can use the jwt as a cookie in the frontend, but preferably I'd like to use it with the built-in functionality in ASP.NET to use [Authentication]-tags across my MVC-controllers.
I searched a lot, no one in the world knows, I think everyone is using vue or angular. I don't think anyone is using mvc.
Related
I have completed working on an Api using C# in a Asp.Net MVC4 application project. Now there is a need to add an authentication process in the completed Api. I need guidance to make the authentication using username and password and then use httpheader, httpwebrequest or httpclient for adding header authorization system. I am not that experienced in this, so I am thinking of any easy/simplest way to add the authentication system to the Api via username and password.
Thanks.
I have an ASP.NET MVC project and a Web Api project (separate projects). Access to the database is fully realized through Web Api (including authorization and authentication). ASP.NET MVC is a client, Web Api is a server.
So, how to correctly implement authorization and authentication in the ASP.NET MVC project (on the client side)? I read a lot how this is implemented in Web Api (through a token), but I can not understand how to correctly use this token in ASP.NET MVC.
Realize wrap for each request? I also do not know how to define the user role in ASP.NET MVC. Maybe there is some way to rewrite standard methods of ASP.NET MVC authorization to work with the Web Api token? Will the Authorize attributes on the ASP.NET MVC client side work? Suggest please in an example of such an implementation if possible, or tell me how best to implement it.
First of all if you are not in production yet, it might be time to jump to .Net Core 2.x. It does not separate Web API and MVC underground and it's up to date technology.If, for some reason, you can't upgrade the framework, then yes, employ Microsoft.Owin, Microsoft.Owin.Security.OpenIdConnect and all the dependencies.OIdC defines two types of tokens: Identity token, describing a user and Authorization token, giving access to API. There should be some Identity Provider in the system, authenticating users and authorizing clients (such as your MVC APP). Such provider could be external (Google, Office 365 etc), or internal -- you can use free Identity Server 4.x implementation and adjust it to feet your needs. You could even build the IdP into your app.The flow for both .Net Core and Owin OIdC implementations should be identical:
You register all your apps (API and MVC in Identity provider)
User requests an MVC resource, OIdC middleware redirects him to IdP.
IdP authenticates the user issuing identity and access tokens.
MVC validates the Identity token and uses it to create a local Authentication cookie, so the user becomes authenticated in the app.
MVC controller calls some API and put into the request access token, requested from IdP.
API validates the token and responds with requested data.
I would recommend you to use OWIN interface to implement token based authentication for web api and MVC. You should provide authentication token in your web api and give ability to deserialize the token in MVC and Web Api. So, you can find an example open source project here which I developed it about how can you implement token based authentication with OWIN for Web api.
For MVC project, you should follow the same practice by using OWIN.
The best way is to use Azure active directory authentication if active directory is configured for using your application. You can get more info here
I have a ASP.NET Core MVC application that register/login users using ASP.NET Identity by providing a registration/login form or using Google OAuth. Now we want to build a mobile application to use our API server (build with ASP.NET Core Web API hosted in a sub-domain of the website) but we want to have the same register/login flow in that too.
I dig around and find out that IdentityServer4 has the necessary features to support our needs and read its documentation but unfortunately I couldn't make it to work as I wanted to.
The scenario is that we have a Web Application, Web API and a Mobile application which all of them should use same register login flow which is to register and login in the application or use Google OAuth.
I appreciate if anyone can point me to a good documentation or sample code for both MVC client application and Identity Server (for authentication) with the same requirements.
If you take a look at the quickstart samples, it will give you a good place to start. That sample has MVC client using implicit flow for authentication against the identity provider. You can easily extend the controllers (like this one for example) with routes and code to do registration logic. This sample does external login using google for your convenience. For mobile you would probably want to use Hybrid grant/flow and depending on your platform/device google can help you find libraries to do this.
HTH
I have a website written in ASP NET MVC. It's using ASP.NET Identity to authorize users to particular Controller actions. It's using different claims on users(like roles).
Now I need to write a Mobile App which is suppose to do the same what my website does, so to avoid duplicating code I decided to move all the data access layer to separated Web Api(MVC 6) Project so I can reuse the logic between applications. The question is - is there a way to somehow "Reuse" the authorization I have in my MVC project, like generating and passing some token to Web Api or something ? Re-writting it from scratch would take too much time, which I don't have too much. Any answers/tips/articles would be appreciated.
Yes, but API's do not generally use cookies so you can configure Bearer Token authentication which your API can use. OWIN middleware will look after authenticating the token and populating the User principal in the same way that cookies are handled in MVC.
After that, you'll be able to handle authorization in the same way as your MVC controllers.
I am learning to develop asp.net Web API with AngularJS frontend framework. I have been doing a lot of research on this for about a week now.I have read about oauth 2, owin and other. But now confused which is better.
I have a couple of Question and hope you guys can help me with it.
1) In my application - Only Registered User will be able to have access in to application through log-in with email and password. Can someone please point me to a good resource or article on how to create a good registration and log-in authentication with API.Which is secure enough as i will be gathering user data and storing them.
2) What type of security i need to protect my API, at first the API would be behind the firewall and then ones project is finished it will be open to the world? and also please point me to right direction if possible.
Please note this is not a duplicate question i have been through most of the post on stackoverflow and asking this after i could not find answer.
Any suggestion or help on this is appreciated.
Thanks for all your effort on this topic
You can use token based authentication using Asp.Net Web API 2, OWIN, Asp.Net Identity and AngularJS.
Asp.Net Web API now fully supports OWIN. Katana is microsofts OWIN implementation.
Asp.Net Web API now supports authorization using OAuth 2.0. OAuth is made possible with Microsoft OWIN components.
Are yo confused with the terms Identity,OWIN,OAuth ... here is brief overview of them.
Asp.Net Identity is developed to overcome problems by asp.net membership system. Asp.Net Identity allows us to use different storages(Table storage,No SQL) and allows us to use external identity providers as it uses OWIN.
OWIN is to break tight coupling b/w Asp.Net and IIS. OWIN is just a specification. Katana is Microsoft's OWIN implementation. OWIN sits in http request pipeline. OWIN pipeline has middleware components, where we can mention external login mechanisms.
OAuth was created to remove the need for users to share their passwords with third-party applications.
Note:
Here Asp.Net Identity has nothing to do with OWIN, OAuth and vice versa. They are three separate concepts. Asp.Net Identity is Microsoft's implementation. OWIN, OAuth are open
standard concepts. Because Microsoft has implemented OWIN, OAuth is made possible.
So, Web API 2 uses OAuth bearer token instead of forms authentication cookie, which is more correct in Web API world. Because it allows to use variety of end user devices like mobile devices.
In your case, you can use the default templates provided in visual studio 2013.
1. Create New Project and select Asp.Net web application.
2. Select Web API or SPA template.
3. Change authentication and Select individual user accounts.
4. Click Ok.
Now, everything is configured by default in order to use OWIN, Asp.Net Identity, OAuth. Be cause we use token based authentication, you can find there is no login method available in Account Controller.
To register users, use Register method available in AccountController
To login, you need to post data in following format to
http://example.com/token (Which can be configured in StartUp.Auth.cs)
grant_type=password&username=Alice&password=password123
After login, we recieve bearer token, which we need to send with authorization header with every request to access protected resource.
As you are using awesome frontend framework AngularJs, you can save bearer token in local storage, and you can write a http interceptor service, which takes care of sending bearer token with each request.
Here registering the user is taken care by Asp.Net identity, where as authenticating user is taken care by OAuthAuthorizationServer which is present in Providers folder by default.
Bearer tokens, that we recieve are not towards a specific client,so any one can intercept them. So use them only over SSL.
Please go through this links
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
http://bitoftech.net/2014/06/09/angularjs-token-authentication-using-asp-net-web-api-2-owin-asp-net-identity/
Vs2013 webapplication project template comes with a good owin setup. I suggest to look into that