Angular ADFS FederationMetadata.xml, clientId - c#

I am trying to resolve a problem with Sign-In to ADFS on premise from Angular. We have received a FederationMetadata.xml. However, all examples for Angular ADAL require a clientId. Is that something I can get from there?
I am able to get the login URL when I put the AddWsFederation to my C# Controller and call HttpContext.ChallengeAsync. However, I would like to have more clients on one server, so I would prefer something more flexible. MS examples have only one clientId in the web.config and set them up at the start.
Thank you very much for any piece of advice.

The metadata file is for a SAML or WS-Federation connection.
Client_id implies an OpenID Connect connection.
Typically, Angular connections would use OpenID Connect e.g. sample here.
What version of ADFS? If 2019, use the MSAL sample rather than the ADAL one.
That sample shows the ADFS configuration.
They then need to send you the client_id, redirect_url etc.
This information is not contained in the metadata.

Related

Using JWT for authentication from WCF self hosted server

We have a self hosted WCF REST API service (not ASP.Net). We currently support Basic and Negotiate authentication.
We would like to add support for JWT in a cookie, so that we don't have to authenticate against the DB on each call, and so we don't have to set headers. The main issue is that we want our web application, which uses the API, to be able to provide links to retrieve resources for downloading without setting headers, i.e. rely on the browser having a JWT pushed into a cookie.
We have an endpoint called /API/AuthToken, which supports Basic Authentication, but we're not sure what the code to generate a JWT token and push it into a cookie would look like. Specifically, what should the code for generating a JWT token do?
I have not been able to find any documentation or samples on how to do this. Any leads or code snippets?
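Added example, not from the question or from any WCF sample: a Python sketch of what the /API/AuthToken code has to do once Basic auth has succeeded (mint an HS256 JWT with an expiry and push it in a cookie with the right attributes) and what every later request has to do (pull the cookie out, verify signature and expiry before trusting the claims). The secret, the cookie name auth and the helper names are assumptions; in .NET the same steps map onto JwtSecurityTokenHandler.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

# Constructed demo secret; a real service loads it from protected configuration.
SECRET = b"constructed-demo-secret-key-at-least-32-bytes!"
LIFETIME_SECONDS = 15 * 60  # keep cookie-borne tokens short-lived

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_jwt(username: str, now: Optional[int] = None) -> str:
    """Mint a compact HS256 JWT for a user who already passed Basic auth at /API/AuthToken."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": username, "iat": now,
                                        "exp": now + LIFETIME_SECONDS,
                                        "jti": secrets.token_hex(8)}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def set_cookie_header(jwt: str) -> str:
    """Set-Cookie value: HttpOnly keeps script away, Secure keeps it off plain HTTP."""
    return f"auth={jwt}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={LIFETIME_SECONDS}"

def token_from_cookie_header(cookie_header: str) -> Optional[str]:
    """Pick the auth cookie out of the browser's Cookie request header."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "auth" and value:
            return value
    return None

def verify_jwt(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # never let the token pick the algorithm
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if claims.get("exp", 0) > now else None
```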

OpenID connect authentication via back channel communication - Getting access token from a .Net WCF service

I'm trying to get information how to authenticate and authorize a user from a backend WCF service using OpenID Connect configuration rather than using a client application (like Angular / .Net MVC web application).
Can this be achieved using "Authorization Code Flow"?
If yes, could someone please guide me on how this can be achieved, as we will not be able to configure the redirection URL for a backend service to get the access token.
If not, could someone please tell me how this can be achieved? I did read that this can be achieved by back channel communication (i.e. https://openid.net/specs/openid-connect-backchannel-1_0.html). If someone can point me to a tutorial document that is available on the internet, that would be really helpful.
The link you mention is about back-channel logout: a communication from your OpenID provider toward your backend to notify your backend of a user ending her/his session at the OpenID provider. I do not see how this could be used to authenticate a user.
It feels somewhat odd that you are trying to authenticate a user from a backend service. The whole idea behind OAuth and OpenID is to pass a credential along with your request to the backend. The backend must verify that credential but should not be involved in gathering and issuing that credential; it should rely on a trusted party (the OpenID provider) to issue those credentials.

NetworkCredential in Blazor

In a WASM Blazor application I am injecting the Http client by doing this in the top:
@inject HttpClient Http
Now I want to be able to set a username and password like in regular .NET, there you would do:
handler.Credentials = new NetworkCredential(userName, password);
However, I cannot find any property of Http where I can set my credentials, how can I set it?
It's not clear what you do as you provide almost no code to demonstrate your issue. However, it is very clear what you're striving at.
In order to authenticate and authorize users in a Blazor WebAssembly App you can use Jwt authentication or OpenID Connect, which pass a user's credentials to Web API endpoints to verify the user, create a Jwt token, and pass it back to the front end, where you can store the Jwt token in local storage and retrieve it when the user logs in, accesses various resources, etc.
Note also that the HttpClient is not really the actual HttpClient. It is based on the JavaScript Fetch Api, and it is missing features like WebSockets, etc.
I've posted in this section answers about how to use Jwt Authentication and OpenID Connect. You'll have to search for those answers dealing with Jwt Authentication, as it was a relatively long time ago and I don't remember their locations. However, here are the links to Adding OpenID Connect to IdentityServer4, and Accessing token from Blazor
Hope this helps...

ADFS Authentication in C#.Net

In my company we have a requirement from the client for SSO using ADFS. The client has provided the IDP certificate fingerprint and IDP target URL.
I tried doing some research on how to accomplish this but have not found what exactly is to be done. Can someone please guide me on how to proceed and what other information I should get from the client?
When you say the "client", you mean the client is the one using ADFS?
In which case, you have the URL, just navigate to:
https://IDP URL/FederationMetadata/2007-06/FederationMetadata.xml
and you have the metadata.
In terms of adding support into your application, use the NuGet OWIN package for WS-Fed or WIF as above. (OWIN is the modern way).
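Added example serving both this ADFS question and the Angular FederationMetadata.xml question above; it is Python written here, not code from ADFS or from either answer. It parses a constructed, trimmed FederationMetadata.xml to show what the file carries (entityID, the WS-Federation passive endpoint, the SAML SSO location and the signing certificate) and what it does not (no client_id or redirect_uri), and checks the signing certificate's thumbprint against the fingerprint the customer supplied. The host adfs.example.test and the certificate body (base64 of the bytes "abc", not a real certificate) are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, trimmed stand-in for ADFS FederationMetadata.xml. The X509Certificate
# body is base64 of b"abc", not a real certificate, so its SHA-1 thumbprint is known.
METADATA_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  entityID="http://adfs.example.test/adfs/services/trust">
 <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
   protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>YWJj</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <fed:PassiveRequestorEndpoint><EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
   <Address>https://adfs.example.test/adfs/ls/</Address></EndpointReference></fed:PassiveRequestorEndpoint>
 </RoleDescriptor>
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://adfs.example.test/adfs/ls/"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def sha1_thumbprint(cert_b64: str) -> str:
    """Thumbprint as the ADFS/Windows UI shows it: SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()

def parse_federation_metadata(xml_text: str) -> dict:
    """Pull out the trust parameters the metadata actually carries."""
    root = ET.fromstring(xml_text)
    passive = root.find(".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    sso = root.find(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)
    return {
        "entity_id": root.get("entityID"),  # the issuer your relying party must trust
        "wsfed_passive_endpoint": passive.text if passive is not None else None,
        "saml_sso_location": sso.get("Location") if sso is not None else None,
        "signing_thumbprints": [sha1_thumbprint(c.text.strip())
                                for c in root.iterfind(".//ds:X509Certificate", NS)],
        # Not in here: client_id or redirect_uri. Those belong to an OAuth/OIDC
        # application registration that the ADFS admin hands you separately.
    }

def fingerprint_matches(metadata: dict, given: str) -> bool:
    """Compare the fingerprint the customer supplied (any hex formatting) with the metadata cert."""
    wanted = "".join(ch for ch in given.upper() if ch in "0123456789ABCDEF")
    return wanted in metadata["signing_thumbprints"]
```

Against a real file, fetch the metadata over HTTPS from the FederationMetadata/2007-06 path given above and feed its text to parse_federation_metadata; a mismatch between the supplied fingerprint and the metadata's signing certificate is the first thing to raise with the customer.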

How to get started with OAuth to secure a Web API application?

I have a Web API application and I've understood OAuth would be the standard security model for APIs where an Authentication Server would become responsible to generate Authorization Tokens so that the user can send to our server and consume the services.
I'm very new to this but I understand the roles involved:
Resource Owner
Client
Resource Server
Authorization Server
But what is OAuth exactly in practice, not in theory? Is it a .NET library? Is it a service provided by a separate Company? Is it something I can configure on my local development machine and see how it works?
OAuth is a protocol; the current version is OAuth 2.0. More to your question, that link lists several implementations of the protocol in various technologies. For use with the .NET Web API you're probably interested in DotNetOpenAuth which provides implementations of both OAuth 1 and OAuth 2.
I'm using DotNetOpenAuth in an app I'm working on now to secure a .NET Web API. I've got an OAuth2Handler which extends DelegatingHandler and is inserted into the Web API pipeline before incoming requests reach any controllers. OAuth2Handler does the following:
Instantiates a DotNetOpenAuth ResourceServer
Calls ResourceServer.GetPrincipal(), which reads and decrypts an access token (issued elsewhere by the AuthorizationServer) and returns an OAuthPrincipal (in my case I'm reading additional data that the DotNetOpenAuth implementation allows you to pass and creating a ClaimsPrincipal)
Assigns the IPrincipal containing the user information read from the access token to the User property of the thread and current HTTP context so it is available from the ApiController.User property in the service controllers: httpContext.User = Thread.CurrentPrincipal = principal;
Honestly, getting this all working (e.g. setting up the authorization server, resource server, certificates, etc.) isn't trivial. Unfortunately there didn't seem to be a good guide on the DotNetOpenAuth site. Here's a few other tasks you'll have ahead of you if you go this route:
Implement IAuthorizationServer - This is the interface provided by DotNetOpenAuth that allows you to plug in to the library and use their implementation to issue OAuth2 access tokens. You'll also need to implement INonceStore and ICryptoKeyStore, which I did using an EntityFramework context for storage.
Configure Certificates - The AuthorizationServer and ResourceServer each use certificates to encrypt/decrypt the access token ensuring they are only accessible to each other. I built some custom configuration so I could manage this configuration in the web.config files of my authorization server app and my Web API services (resource server).
Manage Refresh Token - When first requesting an access token from the authorization server you'll get back (depending on your configuration) both an OAuth2 refresh token and an access token. The services use the access token which should be short-lived. The refresh token is used to get more access tokens. The refresh token should be kept secret (whatever that means in your scenario). For me it means the refresh token is never exposed to client-side javascript in my web app.
I hope that helps give you a high level idea of how to get started with OAuth and .NET Web API. Here's a blog post demonstrating some of these steps. This SO answer gives a few more high level details of the client side of the picture.
(The DotNetOpenAuth online docs appear to be down right now... sorry for no links to them; Apparently it has happened before).
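Added example in Python, not DotNetOpenAuth's code or the answer's: the division of labour the answer describes, an authorization server that issues a short-lived access token together with a refresh token, and a handler that runs ahead of the controllers and maps the bearer token to a principal the way OAuth2Handler does. It swaps DotNetOpenAuth's certificate-encrypted tokens for opaque random tokens looked up in a store the two sides share; AuthorizationServer, issue, refresh_grant, principal_for and resource_server_handler are names assumed here.

```python
import hashlib
import secrets
from typing import Optional

ACCESS_LIFETIME = 15 * 60           # short-lived; sent to the resource server on every call
REFRESH_LIFETIME = 30 * 24 * 3600   # long-lived; only ever sent back to the authorization server

def digest(token: str) -> str:
    """Store only a hash, so a leaked token table does not hand out usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()

class AuthorizationServer:
    """The issuing side: the role IAuthorizationServer plugs into in DotNetOpenAuth."""

    def __init__(self) -> None:
        self.access = {}    # digest -> (user, expires_at)
        self.refresh = {}   # digest -> (user, expires_at)

    def issue(self, user: str, now: int) -> dict:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[digest(access)] = (user, now + ACCESS_LIFETIME)
        self.refresh[digest(refresh)] = (user, now + REFRESH_LIFETIME)
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": ACCESS_LIFETIME}

    def refresh_grant(self, refresh: str, now: int) -> Optional[dict]:
        """Trade a refresh token for a new pair; the old refresh token is single-use."""
        entry = self.refresh.pop(digest(refresh), None)
        if entry is None or entry[1] <= now:
            return None
        return self.issue(entry[0], now)

    def principal_for(self, access: str, now: int) -> Optional[str]:
        """What ResourceServer.GetPrincipal() answers: who this access token stands for."""
        entry = self.access.get(digest(access))
        return entry[0] if entry is not None and entry[1] > now else None

def resource_server_handler(auth: AuthorizationServer, headers: dict, now: int) -> Optional[str]:
    """Runs ahead of every controller, like OAuth2Handler: turns
    'Authorization: Bearer <token>' into a principal, or None for a 401."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return auth.principal_for(token.strip(), now)
```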
