I'm interested in implementing SSO for an organisation using Azure Active Directory and ASP.NET Framework 4.x.
After studying the Microsoft docs I came across the advice to use MSAL (Microsoft Authentication Library) and also a code sample on GitHub here. The code sample is referenced by this article.
According to NuGet this is the MSAL library. But the code sample above makes no reference to that library. As can be seen in the packages.config file here.
The packages.config file and the article make reference to other libraries:
Microsoft.Owin.Security.OpenIdConnect
Microsoft.Owin.Security.Cookies
Microsoft.Owin.Host.SystemWeb
So what is the relationship of these packages to MSAL?
The packages you mention are used by an ASP.NET MVC app to authenticate users with the OpenID Connect + Cookies combo.
They are used to authenticate the user in the app.
In the context of back-end Web apps, MSAL deals with token acquisition, not user authentication.
So if your app needs to call e.g. MS Graph API, you can use MSAL to get the access token for that, after the OpenID Connect package has finished authenticating the user and received an authorization code.
MSAL can request for tokens, and handles token caching and token refresh for you.
Microsoft Authentication Library
MSAL is a library that can be used to acquire and manage tokens from Microsoft identity platform endpoint in order to authenticate users and access some protected APIs (e.g. Graph API).
Microsoft.Owin.Security.* (ASP.NET MVC)
These are packages that you can use in ASP.NET MVC applications. Microsoft.Owin.Security.OpenIdConnect is a package which contains OWIN middleware which accepts and validates incoming access tokens.
So:
if you want to sign users into your ASP.NET MVC application using AzureAD, use Microsoft.Owin.Securit.OpenIdConnect. You can check following tutorial.
if you want to acquire and manage tokens on behalf of some user, use MSAL
Related
I have a webapi in c# and a frontend angular application. The angular application is making calls to active directory services such as azure ad, to get the access token. While on subsequent webapi calls the web api application needs to validate the access token.
My webapi was using Microsoft.Owin.Security jwt token validation up until now. I want to replace Microsoft.Owin.Security with IdentityModel.OidcClient ( since this is certified c# openid connect library). Please help me out on how to use the OidcClient framework to validate the token.
To validate tokens you should not use IdentityModel.OidcClient, instead you should use the Microsoft.AspNetCore.Authentication.JwtBearer Nuget Package to properly validate JWT tokens in an API.
I have three application Web API, MVC Application(Web App), Java Native App(Mobile App). I need to authenticate my web app and mobile app from web api. So which authentication is best for this scenario?
Please help me, I have experience of developing on MVC Application but with Web API it is new for me and for same android which is also new to me?
I would suggest the following read: https://learn.microsoft.com/en-us/dotnet/architecture/microservices/secure-net-microservices-web-applications/
It will provide you with different authentication and authorization options. You might opt to use social identity server like Google or Facebook, or go with your own identity provider. In both cases the protocols you need to know about are:
Check out what openid connect is: https://openid.net/connect/
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
Check out what oauth 2.0 is: https://oauth.net/2/
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
For web app SPA use the implicit grant
For native apps, great read here: https://www.oauth.com/oauth2-servers/oauth-native-apps/
The current industry best practice is to use the Authorization Flow while omitting the client secret, and to use an external user agent to complete the flow.
Last but not least, if you want to create your own identity provider you can use the open source identity server for both openid connect and oauth2: https://learn.microsoft.com/en-us/dotnet/architecture/cloud-native/identity-server
I suggest for you to use web tokens and to implement it in your Web API project, i encourage you to see these series of videos to do that, It's describe how to implement JWT in Asp.net Core Web API project:
ASP.NET Core Authentication with JWT (JSON Web Token)
ASP.NET Core Authentication with Custom Handler
Role-based Authorization in ASP.Net Core (With Custom Authentication Handler)
Policy-based Authorization in ASP.Net Core (with Custom Authorization Handler)
JWT Refresh Token in ASP.Net Core (a deep dive)
That series will help you to build JWT in your Web API, And if you want to implement OAuth 2.0 and OpenID you can read the guideline for the protocol and you'll implement by your own, It's not default to implement.
[EDIT]
you can use Microsoft.AspNetCore.Authentication.OpenIdConnect for OpenID after seeing that series, and this Article will be helpful .NET Core 2.x native OpenID Connect example
I recently took over a .NET core MVC project and have to extend it with an API. For authentication .NET core Identity is used. Coming from swift iOS/Mac development i started a demo project getting into it and doing some basic authentication.
When reading up on the identity on Microsofts Docs they foucs on WebApps. So my questions are:
Should i use identity for API authentication or is it just for internal identity Management and WebApp stuff?
Does identity/.NET core already offer me jwt and e.g. basic auth to initially obtain the jwt or do i have to create a lot myself?
My Goal rn is to just create jwt-auth protected routes and to be able to get a jwt with a username and a password.
ASP.NET Core Identity isn't suitable for guarding APIs, usage of other identity providers is directed by the Docs:
ASP.NET Core Identity adds user interface (UI) login functionality to
ASP.NET Core web apps. To secure web APIs and SPAs, use one of the
following:
Azure Active Directory
Azure Active Directory B2C (Azure AD B2C)
IdentityServer4
and as per the previous link:
IdentityServer4 is an OpenID Connect and OAuth 2.0 framework for
ASP.NET Core. IdentityServer4 enables the following security features:
Authentication as a Service (AaaS)
Single sign-on/off (SSO) over multiple application types
Access control for APIs
Federation Gateway
So you will need to go with IdentityServer4
You should use identity server4 for this.
Refer a simple example of identity server 4 to protect client with token.
identity-server4 simple example
There are a lot more things you will have to understand refer identity server 4 official doc.
Moreover you can also follow step by step identity server setup video tutorial.
I am learning to develop asp.net Web API with AngularJS frontend framework. I have been doing a lot of research on this for about a week now.I have read about oauth 2, owin and other. But now confused which is better.
I have a couple of Question and hope you guys can help me with it.
1) In my application - Only Registered User will be able to have access in to application through log-in with email and password. Can someone please point me to a good resource or article on how to create a good registration and log-in authentication with API.Which is secure enough as i will be gathering user data and storing them.
2) What type of security i need to protect my API, at first the API would be behind the firewall and then ones project is finished it will be open to the world? and also please point me to right direction if possible.
Please note this is not a duplicate question i have been through most of the post on stackoverflow and asking this after i could not find answer.
Any suggestion or help on this is appreciated.
Thanks for all your effort on this topic
You can use token based authentication using Asp.Net Web API 2, OWIN, Asp.Net Identity and AngularJS.
Asp.Net Web API now fully supports OWIN. Katana is microsofts OWIN implementation.
Asp.Net Web API now supports authorization using OAuth 2.0. OAuth is made possible with Microsoft OWIN components.
Are yo confused with the terms Identity,OWIN,OAuth ... here is brief overview of them.
Asp.Net Identity is developed to overcome problems by asp.net membership system. Asp.Net Identity allows us to use different storages(Table storage,No SQL) and allows us to use external identity providers as it uses OWIN.
OWIN is to break tight coupling b/w Asp.Net and IIS. OWIN is just a specification. Katana is Microsoft's OWIN implementation. OWIN sits in http request pipeline. OWIN pipeline has middleware components, where we can mention external login mechanisms.
OAuth was created to remove the need for users to share their passwords with third-party applications.
Note:
Here Asp.Net Identity has nothing to do with OWIN, OAuth and vice versa. They are three separate concepts. Asp.Net Identity is Microsoft's implementation. OWIN, OAuth are open
standard concepts. Because Microsoft has implemented OWIN, OAuth is made possible.
So, Web API 2 uses OAuth bearer token instead of forms authentication cookie, which is more correct in Web API world. Because it allows to use variety of end user devices like mobile devices.
In your case, you can use the default templates provided in visual studio 2013.
1. Create New Project and select Asp.Net web application.
2. Select Web API or SPA template.
3. Change authentication and Select individual user accounts.
4. Click Ok.
Now, everything is configured by default in order to use OWIN, Asp.Net Identity, OAuth. Be cause we use token based authentication, you can find there is no login method available in Account Controller.
To register users, use Register method available in AccountController
To login, you need to post data in following format to
http://example.com/token (Which can be configured in StartUp.Auth.cs)
grant_type=password&username=Alice&password=password123
After login, we recieve bearer token, which we need to send with authorization header with every request to access protected resource.
As you are using awesome frontend framework AngularJs, you can save bearer token in local storage, and you can write a http interceptor service, which takes care of sending bearer token with each request.
Here registering the user is taken care by Asp.Net identity, where as authenticating user is taken care by OAuthAuthorizationServer which is present in Providers folder by default.
Bearer tokens, that we recieve are not towards a specific client,so any one can intercept them. So use them only over SSL.
Please go through this links
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
http://bitoftech.net/2014/06/09/angularjs-token-authentication-using-asp-net-web-api-2-owin-asp-net-identity/
Vs2013 webapplication project template comes with a good owin setup. I suggest to look into that
I have a Web API application and I've understood OAuth would be the standard security model for APIs where an Authentication Server would become responsible to generate Authorization Tokens so that the user can send to our server and consume the services.
I'm very new to this but I understand the roles involved:
Resource Owner
Client
Resource Server
Authorization Server
But what is OAuth exactly in practice, not in theory? Is it a .NET library? Is it a service provided by a separate Company? Is it something I can configure on my local development machine and see how it works?
How to get started with OAuth to secure a Web API application?
OAuth is a protocol; the current version is OAuth 2.0. More to your question, that link lists several implementations of the protocol in various technologies. For use with the .NET Web API you're probably interested in DotNetOpenAuth which provides implementations of both OAuth 1 and OAuth 2.
I'm using DotNetOpenAuth in an app I'm working on now to secure a .NET Web API. I've got an OAuth2Handler which extends DelegatingHandler which is inserted into the Web API pipeline before incoming requests reach any controllers. OAuth2Handler does the following:
Instantiates a DotNetOpenAuth ResourceServer
Calls ResourceServer.GetPrincipal() which reads and decrypts an access
token (issued elsewhere by the AuthorizationServer and returns an
OAuthPrincipal (In my case I'm reading additional data that the DotNetOpenAuth implementation allows you to pass and creating a ClaimsPrincipal.)
Assigning the IPrincipal containing the user information read from the access token to the User property of the thread and current HTTP context so it is available from the ApiController.User property in the service controllers: httpContext.User = Thread.CurrentPrincipal = principal;
Honestly, getting this all working (e.g. setting up the authorization server, resource server, certificates, etc.) isn't trivial. Unfortunately there didn't seem to be a good guide on the DotNetOpenAuth site. Here's a few other tasks you'll have ahead of you if you go this route:
Implement IAuthorizationServer - This is the interface provided by
DotNetOpenAuth that allows you to plug in to the library and use
their implementation to issue OAuth2 access tokens. You'll also need to implement INonceStore and ICryptoKeyStore which I did using an EntityFramework context for storage.
Configure Certificates - The AuthorizationServer and ResourceServer each use certificates to encrypt/decrypt the access token ensuring they are only accessible to each other. I built some custom configuration so I could manage this configuration in the web.config files of my authorization server app and my Web API services (resource server).
Manage Refresh Token - When first requesting an access token from the authorization server you'll get back (depending on your configuration) both an OAuth2 refresh token and an access token. The services use the access token which should be short-lived. The refresh token is used to get more access tokens. The refresh token should be kept secret (whatever that means in your scenario). For me it means the refresh token is never exposed to client-side javascript in my web app.
I hope that helps give you a high level idea of how to get started with OAuth and .NET Web API. Here's a blog post demonstrating some of these steps. This SO answer gives a few more high level details of the client side of the picture.
(The DotNetOpenAuth online docs appear to be down right now... sorry for no links to them; Apparently it has happened before).