Conditionally supply ASP.NET Identity OAuth token - c#

I'm using an ASP.NET Identity OAuth token to log in my Xamarin.Forms user. I would like to have the token be provided only when a specific bool column in the AspNetUser table is true.
This bool column is essentially asking "Is this user allowed to log into the Xamarin app?: Yes/No".
Is there a way to achieve this using tokens?
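One place to enforce that flag is the OWIN authorization server's resource-owner grant, shown here as an added example rather than code from the question. It assumes the Visual Studio Web API template's ApplicationUserManager (registered with app.CreatePerOwinContext) and an ApplicationUser subclass of IdentityUser; the column name CanUseMobileApp is a placeholder for your bool column.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;

// Placeholder for the bool column on AspNetUsers: add the property to the IdentityUser
// subclass and let an EF migration create the column.
public class ApplicationUser : IdentityUser
{
    public bool CanUseMobileApp { get; set; }
}

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    // Runs for grant_type=password after the template's ValidateClientAuthentication
    // has accepted the (public) client.
    public override async Task GrantResourceOwnerCredentials(
        OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

        // Checks user name and password hash together; null on any failure.
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            // One error for unknown user and wrong password, so the response does not
            // reveal which of the two it was.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // The authorization decision: a correct password alone does not earn a token.
        if (!user.CanUseMobileApp)
        {
            context.SetError("invalid_grant", "This account is not allowed to use the mobile app.");
            return;
        }

        // Only now is the bearer token minted for this user.
        ClaimsIdentity identity = await userManager.CreateIdentityAsync(
            user, OAuthDefaults.AuthenticationType);
        context.Validated(identity);
    }
}
```

Because the check happens before context.Validated, a user with the flag cleared gets a 400 invalid_grant from /token and never receives a bearer token, so no API endpoint needs to re-check the column.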

Related

Xamarin.Forms how to access the current logged in user's Id and other information?

I'm trying to access the current logged in user's data in Xamarin.Forms but there seems to be no answer online, I'm not trying to get the device's owner data, just the data about the user currently logged in to the app and using it such as its Id etc to query the user's Favorites and related data.
My app gets the user's identity from an ASP.NET CORE / .NET 5 API using Identity and JWT Tokens.
I know how to do it in ASP.NET CORE but I don't know how to access that information in Xamarin.Forms.
Thank you so much for your help!
Assuming that you have a sign-in page where the user enters his credentials, which you send to your API to get a response, you can do two things.
Return the user id along with the token and save it in storage, e.g. by using Preferences.
Decode the JWT token and get the user id from there (see: How to decode JWT Token).

Authentication using Angular 8 with Azure Active Directory

I am having some issues finding forums/tutorials/examples on how to fully authenticate an Angular app with Azure Active Directory. So in short, I need to log in the user via Angular 8 and I am using the https://www.npmjs.com/package/#azure/msal-angular library, which I found really good and easy. I am retrieving the token id and the user after login. The issue is that I need to add that user to the database because I have a role management system for which I need to add the user to the aspnet users db. I need to call an API which needs to authenticate, from the .NET side, that the user is real and then add the user to the aspnet users db. If he already exists there, it just needs to authenticate him and create a token. I need to know an example of .NET on how to populate the User.Identity with the user. I am sending the API 2 headers: Authorization, which is the bearer token id, and access token. Can someone please help?
Assuming you're using ASP.NET Core, you just need a middleware which will validate your JWT token acquired from the front end, and check if the user / token are valid (and also populate the User.Identity for you).
More info: https://github.com/aspnet/AspNetCore/tree/master/src/Azure/AzureAD/samples/AzureADSample
EDIT:
For ASP.NET MVC (non-Core), you'll use the same approach:
https://www.c-sharpcorner.com/article/azure-ad-authentication-for-mvc-web-application/
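What that middleware looks like in ASP.NET Core, as an added example (not the answerer's code and not the linked sample): JWT bearer validation against the Azure AD tenant, then provisioning the caller into the Identity tables once the token has passed validation. The tenant id, audience and the "AzureAD" login-provider name are placeholders, and it assumes Identity with the default IdentityUser is already registered.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class AzureAdJwtSetup
{
    // Placeholders: your tenant id and the client id (or App ID URI) the token is issued for.
    const string TenantId = "<tenant-id>";
    const string Audience = "<api-client-id>";
    const string LoginProvider = "AzureAD";   // value stored in AspNetUserLogins.LoginProvider

    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Issuer and signing keys come from the tenant's OpenID Connect metadata.
                options.Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidAudience = Audience,   // rejects tokens minted for some other app
                    ValidateLifetime = true,
                };
                options.Events = new JwtBearerEvents
                {
                    // Runs only after signature, issuer, audience and expiry all checked out,
                    // so the claims in context.Principal can be used for provisioning.
                    OnTokenValidated = async context =>
                    {
                        // Stable per-tenant user id; the long form is the mapped claim type
                        // the handler produces when inbound claim mapping is left on.
                        string oid = context.Principal.FindFirstValue("oid")
                            ?? context.Principal.FindFirstValue("http://schemas.microsoft.com/identity/claims/objectidentifier");
                        if (oid == null) { context.Fail("token has no oid claim"); return; }

                        var users = context.HttpContext.RequestServices.GetRequiredService<UserManager<IdentityUser>>();
                        IdentityUser user = await users.FindByLoginAsync(LoginProvider, oid);
                        if (user == null)
                        {
                            // First sight of this user: create the AspNetUsers row and link the login.
                            user = new IdentityUser { UserName = oid, Email = context.Principal.FindFirstValue("preferred_username") };
                            await users.CreateAsync(user);
                            await users.AddLoginAsync(user, new UserLoginInfo(LoginProvider, oid, "Azure AD"));
                        }
                    }
                };
            });
    }
}
```

Controllers then see the validated Azure AD claims in User.Identity, and the row in AspNetUsers is what your role management hangs off.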

Token/claims based authentication in .net application (OS)

I've been looking at examples and documentation for using token/claims based authentication in .net applications using wif or thinktecture identitymodel.
One example was: Token based authentication
But I can't seem to find information regarding how tokens 'should' be used.
Given the .net console app scenario:
How are or how do you persist the tokens?
Where should they be stored?
Should they be stored?
Or are you supposed to request a new token every time the user loads the console app?
Naively I assumed, the user would load the app, request a token, STS would issue token (if their username maps against a username in the provider etc.), token would be sent to user, app would deserialize token, extract claims and use claims accordingly.
I'd like to understand how tokens should be persisted; then I assumed you should check for a token upon app loading, check if the token hasn't expired, etc.
Views from anyone with token/claims based authentication in .NET/Windows apps (WinForms, console) would be great to hear.

How to use same Microsoft Account between Windows Store App and Companion Website?

I have an MVC5 website and WebApi using ASP.NET Identity. I have configured the website to use Microsoft Account as an external login.
The Windows Store App will use the WebApi, and the user should have the same identity when using their Microsoft Account from either the website or the app. As users are already logged into their Microsoft Account when using Windows Store App, I don't want them to have to enter their credentials again.
I'm wondering what is a good way for my app to be able to access the WebApi. Can I retrieve the Microsoft Account authentication token and pass that to my website's token endpoint with an authorization code grant in order to retrieve the token for my app to use to access the WebApi? Is there another way?
I want to avoid making changes to my WebApi's Account Controller as this process does not really fit into the MVC part of the website as it does not need to redirect to views, etc. So I plan to extend the Token endpoint with a custom grant type (e.g. exchange), which will return the local token to the consumer. Consumers will send the Token endpoint a request with a grant_type of exchange, my app's client id and secret, the name of the external provider (e.g. MicrosoftAccount), and the access code from the external provider. For example, the app will send a request like this:
http://myhost.com/token?grant_type=exchange&client_id=CLIENTID&client_secret=SECRET&provider=MicrosoftAccount&code=LIVESDKACCESSCODE
I'll provide an implementation of the ApplicationOAuthProvider's GrantCustomExtension method; the pseudocode will be like this:
validate the client id and secret
If client id and secret are valid, use the access code to get an access token from the Live SDK
parse the Live SDK access token to retrieve the id value
try to find the corresponding id value in the AspNetUserLogins table
If the login is not found, add a new AspNetUser record for the user and a record in the AspNetUserLogins table
create a token for the user and return the token
Once the app has the token, it can be stored in the Credential Locker for any other calls to the WebApi
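The GrantCustomExtension sketch above written out in C#, as an added example rather than the poster's code. It assumes the template's ApplicationUserManager/ApplicationUser types, that client_id and client_secret are checked in ValidateClientAuthentication (which OWIN runs before any grant method), and a hypothetical IExternalLoginVerifier that redeems the Live SDK code server-side.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;

// Hypothetical: redeems the code with the Live SDK and returns its stable user id, or null.
public interface IExternalLoginVerifier
{
    Task<string> GetVerifiedProviderUserIdAsync(string provider, string code);
}

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    private readonly IExternalLoginVerifier _verifier;
    public ApplicationOAuthProvider(IExternalLoginVerifier verifier) { _verifier = verifier; }

    // Reached only after ValidateClientAuthentication has accepted client_id/client_secret.
    public override async Task GrantCustomExtension(OAuthGrantCustomExtensionContext context)
    {
        if (context.GrantType != "exchange") return;  // other grant types stay rejected

        string provider = context.Parameters.Get("provider"), code = context.Parameters.Get("code");
        if (string.IsNullOrEmpty(provider) || string.IsNullOrEmpty(code))
        { context.SetError("invalid_request", "provider and code are required."); return; }

        // Do not trust an id supplied by the caller: redeem the code with the provider itself.
        string providerUserId = await _verifier.GetVerifiedProviderUserIdAsync(provider, code);
        if (providerUserId == null)
        { context.SetError("invalid_grant", "The external login could not be verified."); return; }

        // Same lookup the cookie-based external login uses: AspNetUserLogins by (provider, key).
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        var loginInfo = new UserLoginInfo(provider, providerUserId);
        ApplicationUser user = await userManager.FindAsync(loginInfo);
        if (user == null)
        {
            // First login from this provider: create the AspNetUsers row and link the login.
            user = new ApplicationUser { UserName = Guid.NewGuid().ToString("N") };
            if (!(await userManager.CreateAsync(user)).Succeeded ||
                !(await userManager.AddLoginAsync(user.Id, loginInfo)).Succeeded)
            { context.SetError("server_error", "Could not create the local account."); return; }
        }

        // Local bearer token for the app; it can now go into the Credential Locker.
        ClaimsIdentity identity = await userManager.CreateIdentityAsync(user, OAuthDefaults.AuthenticationType);
        context.Validated(identity);
    }
}
```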

Parsing 'wresult' value without WSFederationAuthenticationModule

When returning from Azure ACS I retrieve a federation authentication result inside a FormCollection. The value containing the information I need is inside an encrypted value called "wresult". I'm having problems decrypting this value to use it for further authentication.
I don't want to use the WSFederationAuthenticationModule because I don't want authorization cookies to be set. When the module is used, it'll automatically set auth-cookies with the Federated authentication type.
I instead want to retrieve the claims contained in the wresult and then set my own security token (be it JWT, SAML 2.0 or whatever).
The only possible workaround I found so far is to use the FAModule, and then delete the session token cookie right away. But this will result in the auth-cookies being set twice in the response, once with the value and right away unsetting it.
What I want to achieve in the end is the following:
Providing the possibility to either authenticate with a forms site, or authenticate using any identity provider in Azure ACS. Using the forms authentication I can compare the username and password right away and set the security token with whatever claims I want it to have. But when using Azure ACS, I want to compare the retrieved nameidentifier with saved values in my database first, and then set my custom security token, instead of the WS-Federation one. Or in case the nameidentifier is unknown, I want to redirect to a forms page where the user can authenticate this nameidentifier with his credentials. I don't want the Azure ACS returned value to be treated as authenticated.
You don't have to register the FAM - but you can still use its helper methods (e.g. GetSignInResponseMessage()) to parse the sign-in response message from ACS.
This gives you access to the protocol details and the returned security token without having to use the WIF cookie system.
Instead of modifying WSFederationAuthenticationModule's default handling of cookies, I would suggest an alternative setup:
Create and host your own forms based auth identity provider STS. There are some nice options to help set this up.
Configure your new IP STS in ACS
Use the default ACS login page (home realm discovery page) or customize your own.
Now your users will get asked to choose which identity provider they want to authenticate with. If they choose yours, upon entering a username/password, your IP will send a nameidentifier to ACS, which in turn sends it to your relying party website. The same goes if you add Google as an identity provider. The benefit is your RP doesn't need to behave differently depending on what IP the user logged in from, but if you want to customize some behavior based on the IP, that information is available in the token issued by ACS.
Also, if you want to use JWT tokens instead of SAML, you can configure ACS to issue them from your relying party page in the ACS portal (though this is marked as beta functionality).
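The first answer's approach (use the module's helpers without registering it) as an added example, not the answerer's code. It assumes .NET 4.5 WIF (System.IdentityModel.Services) with the usual <system.identityModel> audienceUris and issuerNameRegistry configured for the RP, and an MVC/ASP.NET HttpRequestBase for the POST back from ACS.

```csharp
using System.Collections.ObjectModel;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Web;

public static class WsFedResponseReader
{
    // Returns the validated nameidentifier from the ACS response, or null if the
    // request is not a sign-in response. Throws if the token fails validation.
    public static string GetNameIdentifier(HttpRequestBase request)
    {
        // Not registered as an HttpModule, so it never writes FedAuth session cookies.
        var fam = new WSFederationAuthenticationModule();

        // Pulls wa/wresult/wctx out of the posted form and parses the RSTR envelope.
        SignInResponseMessage message = fam.GetSignInResponseMessage(request);
        if (message == null)
            return null;

        // Extracts the SAML token from wresult, decrypting it when ACS encrypted it
        // for the RP's certificate.
        SecurityToken token = fam.GetSecurityToken(message);

        // Signature, issuer, audience and lifetime are all checked here; an unchecked
        // wresult is just attacker-controllable XML until this point.
        SecurityTokenHandlerCollection handlers =
            FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
        ReadOnlyCollection<ClaimsIdentity> identities = handlers.ValidateToken(token);

        ClaimsIdentity identity = identities.FirstOrDefault();
        // No WIF session is created: the caller looks this value up in its own store,
        // redirects to the forms page if unknown, or issues its own token if known.
        return identity?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    }
}
```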
