I am building an ASP.NET Core web app and Angular and I want to secure it using token-based authentication. I am relatively new to the authentication mechanism, so have few clarifications.
I have decided to go about using jwt token based authentication using this tutorial link
https://medium.com/c-sharp-progarmming/asp-net-core-5-jwt-authentication-tutorial-with-example-api-aa59e80d02da
I also came across another tutorial which explains token based using authentication using owin
https://www.c-sharpcorner.com/UploadFile/ff2f08/token-based-authentication-using-Asp-Net-web-api-owin-and-i/
Now my question is which protocol does the link1 implement? Is it OWIN? Do we need a separate server for maintaining something called OAuth Authorization framework as explained in link2.
What's the difference between OWIN, OAuth and Identity and are all these concepts internally used if I follow link1 and secure the application using jwt token based authentication?
OWIN Is a Middleware and OAuth is the protocol. if you are using .NET core or .NET 5, try to use .NET core middleware for authentication/authorization. Follow First Link (Medium)
If you need a fully fledge Identity Server then you have to create a separate Identity server if you want only token things you can just implement them on your project, but recommended approach is to create a server for identity management.
Related
I have three application Web API, MVC Application(Web App), Java Native App(Mobile App). I need to authenticate my web app and mobile app from web api. So which authentication is best for this scenario?
Please help me, I have experience of developing on MVC Application but with Web API it is new for me and for same android which is also new to me?
I would suggest the following read: https://learn.microsoft.com/en-us/dotnet/architecture/microservices/secure-net-microservices-web-applications/
It will provide you with different authentication and authorization options. You might opt to use social identity server like Google or Facebook, or go with your own identity provider. In both cases the protocols you need to know about are:
Check out what openid connect is: https://openid.net/connect/
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
Check out what oauth 2.0 is: https://oauth.net/2/
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
For web app SPA use the implicit grant
For native apps, great read here: https://www.oauth.com/oauth2-servers/oauth-native-apps/
The current industry best practice is to use the Authorization Flow while omitting the client secret, and to use an external user agent to complete the flow.
Last but not least, if you want to create your own identity provider you can use the open source identity server for both openid connect and oauth2: https://learn.microsoft.com/en-us/dotnet/architecture/cloud-native/identity-server
I suggest for you to use web tokens and to implement it in your Web API project, i encourage you to see these series of videos to do that, It's describe how to implement JWT in Asp.net Core Web API project:
ASP.NET Core Authentication with JWT (JSON Web Token)
ASP.NET Core Authentication with Custom Handler
Role-based Authorization in ASP.Net Core (With Custom Authentication Handler)
Policy-based Authorization in ASP.Net Core (with Custom Authorization Handler)
JWT Refresh Token in ASP.Net Core (a deep dive)
That series will help you to build JWT in your Web API, And if you want to implement OAuth 2.0 and OpenID you can read the guideline for the protocol and you'll implement by your own, It's not default to implement.
[EDIT]
you can use Microsoft.AspNetCore.Authentication.OpenIdConnect for OpenID after seeing that series, and this Article will be helpful .NET Core 2.x native OpenID Connect example
I recently took over a .NET core MVC project and have to extend it with an API. For authentication .NET core Identity is used. Coming from swift iOS/Mac development i started a demo project getting into it and doing some basic authentication.
When reading up on the identity on Microsofts Docs they foucs on WebApps. So my questions are:
Should i use identity for API authentication or is it just for internal identity Management and WebApp stuff?
Does identity/.NET core already offer me jwt and e.g. basic auth to initially obtain the jwt or do i have to create a lot myself?
My Goal rn is to just create jwt-auth protected routes and to be able to get a jwt with a username and a password.
ASP.NET Core Identity isn't suitable for guarding APIs, usage of other identity providers is directed by the Docs:
ASP.NET Core Identity adds user interface (UI) login functionality to
ASP.NET Core web apps. To secure web APIs and SPAs, use one of the
following:
Azure Active Directory
Azure Active Directory B2C (Azure AD B2C)
IdentityServer4
and as per the previous link:
IdentityServer4 is an OpenID Connect and OAuth 2.0 framework for
ASP.NET Core. IdentityServer4 enables the following security features:
Authentication as a Service (AaaS)
Single sign-on/off (SSO) over multiple application types
Access control for APIs
Federation Gateway
So you will need to go with IdentityServer4
You should use identity server4 for this.
Refer a simple example of identity server 4 to protect client with token.
identity-server4 simple example
There are a lot more things you will have to understand refer identity server 4 official doc.
Moreover you can also follow step by step identity server setup video tutorial.
I need to validate jwt token on several actions. The application uses .NET Framework 4.5.1. The token is generated in an application on NestJs. .Net application uses UseCookieAuthentication with custom CookieAuthenticationOptions. I'm new to .net, can you tell me where to start and what is better to use?
To know more authentication please read the below links
JWT
JWT Authentication Tutorial with Example API
I have an ASP.NET MVC project and a Web Api project (separate projects). Access to the database is fully realized through Web Api (including authorization and authentication). ASP.NET MVC is a client, Web Api is a server.
So, how to correctly implement authorization and authentication in the ASP.NET MVC project (on the client side)? I read a lot how this is implemented in Web Api (through a token), but I can not understand how to correctly use this token in ASP.NET MVC.
Realize wrap for each request? I also do not know how to define the user role in ASP.NET MVC. Maybe there is some way to rewrite standard methods of ASP.NET MVC authorization to work with the Web Api token? Will the Authorize attributes on the ASP.NET MVC client side work? Suggest please in an example of such an implementation if possible, or tell me how best to implement it.
First of all if you are not in production yet, it might be time to jump to .Net Core 2.x. It does not separate Web API and MVC underground and it's up to date technology.If, for some reason, you can't upgrade the framework, then yes, employ Microsoft.Owin, Microsoft.Owin.Security.OpenIdConnect and all the dependencies.OIdC defines two types of tokens: Identity token, describing a user and Authorization token, giving access to API. There should be some Identity Provider in the system, authenticating users and authorizing clients (such as your MVC APP). Such provider could be external (Google, Office 365 etc), or internal -- you can use free Identity Server 4.x implementation and adjust it to feet your needs. You could even build the IdP into your app.The flow for both .Net Core and Owin OIdC implementations should be identical:
You register all your apps (API and MVC in Identity provider)
User requests an MVC resource, OIdC middleware redirects him to IdP.
IdP authenticates the user issuing identity and access tokens.
MVC validates the Identity token and uses it to create a local Authentication cookie, so the user becomes authenticated in the app.
MVC controller calls some API and put into the request access token, requested from IdP.
API validates the token and responds with requested data.
I would recommend you to use OWIN interface to implement token based authentication for web api and MVC. You should provide authentication token in your web api and give ability to deserialize the token in MVC and Web Api. So, you can find an example open source project here which I developed it about how can you implement token based authentication with OWIN for Web api.
For MVC project, you should follow the same practice by using OWIN.
The best way is to use Azure active directory authentication if active directory is configured for using your application. You can get more info here
I am learning to develop asp.net Web API with AngularJS frontend framework. I have been doing a lot of research on this for about a week now.I have read about oauth 2, owin and other. But now confused which is better.
I have a couple of Question and hope you guys can help me with it.
1) In my application - Only Registered User will be able to have access in to application through log-in with email and password. Can someone please point me to a good resource or article on how to create a good registration and log-in authentication with API.Which is secure enough as i will be gathering user data and storing them.
2) What type of security i need to protect my API, at first the API would be behind the firewall and then ones project is finished it will be open to the world? and also please point me to right direction if possible.
Please note this is not a duplicate question i have been through most of the post on stackoverflow and asking this after i could not find answer.
Any suggestion or help on this is appreciated.
Thanks for all your effort on this topic
You can use token based authentication using Asp.Net Web API 2, OWIN, Asp.Net Identity and AngularJS.
Asp.Net Web API now fully supports OWIN. Katana is microsofts OWIN implementation.
Asp.Net Web API now supports authorization using OAuth 2.0. OAuth is made possible with Microsoft OWIN components.
Are yo confused with the terms Identity,OWIN,OAuth ... here is brief overview of them.
Asp.Net Identity is developed to overcome problems by asp.net membership system. Asp.Net Identity allows us to use different storages(Table storage,No SQL) and allows us to use external identity providers as it uses OWIN.
OWIN is to break tight coupling b/w Asp.Net and IIS. OWIN is just a specification. Katana is Microsoft's OWIN implementation. OWIN sits in http request pipeline. OWIN pipeline has middleware components, where we can mention external login mechanisms.
OAuth was created to remove the need for users to share their passwords with third-party applications.
Note:
Here Asp.Net Identity has nothing to do with OWIN, OAuth and vice versa. They are three separate concepts. Asp.Net Identity is Microsoft's implementation. OWIN, OAuth are open
standard concepts. Because Microsoft has implemented OWIN, OAuth is made possible.
So, Web API 2 uses OAuth bearer token instead of forms authentication cookie, which is more correct in Web API world. Because it allows to use variety of end user devices like mobile devices.
In your case, you can use the default templates provided in visual studio 2013.
1. Create New Project and select Asp.Net web application.
2. Select Web API or SPA template.
3. Change authentication and Select individual user accounts.
4. Click Ok.
Now, everything is configured by default in order to use OWIN, Asp.Net Identity, OAuth. Be cause we use token based authentication, you can find there is no login method available in Account Controller.
To register users, use Register method available in AccountController
To login, you need to post data in following format to
http://example.com/token (Which can be configured in StartUp.Auth.cs)
grant_type=password&username=Alice&password=password123
After login, we recieve bearer token, which we need to send with authorization header with every request to access protected resource.
As you are using awesome frontend framework AngularJs, you can save bearer token in local storage, and you can write a http interceptor service, which takes care of sending bearer token with each request.
Here registering the user is taken care by Asp.Net identity, where as authenticating user is taken care by OAuthAuthorizationServer which is present in Providers folder by default.
Bearer tokens, that we recieve are not towards a specific client,so any one can intercept them. So use them only over SSL.
Please go through this links
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
http://bitoftech.net/2014/06/09/angularjs-token-authentication-using-asp-net-web-api-2-owin-asp-net-identity/
Vs2013 webapplication project template comes with a good owin setup. I suggest to look into that