I've been trying to learn some C# and decided to try a Blazor app. I've been building web apps for a long time but not in the MS world. In reading the blazor docs it seems that a client side blazor app cannot be secured by role, since the user could simply change any js parameters and visit pages arbitrarily. However, am I wrong to think that you can still secure the basic app built with client side blazor as far as authenticating users via OIDC or some other auth flow?
To put it another way, it sounds like a truly secure web app would be well advised to use the client side blazor setup, but would the client side work for an intranet scenario, where we only care about making sure users should be able to login, but aren't too concerned with what they do once they're in?
I have a repo here that enables roles via Blazor WASM.
This commit shows the changes I made to the template. Its important to transform the roles with the CustomUserFactory as they are in a string array.
Related
We currently have an ASP.NET Core MVC app in combination with IdentityServer4 for authentication. The user authenticates via IdentityServer (with the HybridAndClientCredentials flow) to ADFS before it has access to the MVC application.
The SignInScheme on the MVC client is set to the values "Cookies".
We would like to extend our MVC app to host multiple Angular apps. Sometimes even more than 1 Angular app per MVC view.
The angular apps will call seperate ASP.NET Core Web API's on behalf of the user.
My question is how does the angular apps know that the user is already authenticated in the MVC application, retrieve the access token and call the API's on the user behalf?
I have been playing around with solution Scott Brady came up with but there seems no integration between the MVC app & Angular app. The Angular app will try to authenticate to identityserver and expect a callback on a particular page.
I am looking for a solution how to share the accesstokens between the MVC app and the angular apps but I am stuck. Any help is much appreciated.
If they have to sign in via the server-side hybrid flow already then the simplest way would be an endpoint in your MVC app that is cookie-secured that the client side app can call to get the access token.
Another approach is to use oidc-client-js and have the client side Angular app obtain its own token.
You could abstract this away from the client side app itself so it's easy to change the mechanism later if you need to. As it happens we use a combination of server side and client side flows and it works fine.
I am working on creating a website for my web systems class in which I will be implementing a login platform. The website after becoming authenticated the user will be able to send messages to other users, I will be implementing SignalR to perform the real-time messaging.
I want to create a system that within AngularJS I can call a C# backend provide a username and password and authenticate. I would also at the same time like to use SignalR's role based authentication to ensure my methods are secure.
Example:
[Authorize(Roles = "Admin")]
public class AdminAuthHub : Hub
{
}
Currently I've written my own code to accept a username and password and hash it and store the hash value. However, I don't want to reinvent the wheel here. I want to use a Microsoft based authentication system because I am working within a C# backend and SignalR technology.
I am currently hosting using Microsoft Azure and that works and all but I am eventually going to be switching to a locally hosted Windows Server I maintain. I have heard about using Active Directory but have never worked with it and would have to do extensive setup to get a fresh server ready for that.
My overall question is what path do I go? Also if I go the strictly Microsoft everything way, is setting up active directory simple on Windows Server 2016? During my research I found that there is a ASP.NET method of authenticating a user against a SQL Server database. Would this method be preferable because the system can be used outside of ASP.NET and the data is in a form that I've worked with before?
Do I write my own custom authenticate logic, accepting username and password and hashing and using my own tables and databases. Then within the SignalR side of things find a way of setting the user variable and setting their role from my database. Then simply performing a check at the beginning of each method call.
There is a lot of information on the internet about how to potentially approach some of those questions.
A quick google for "Angualr / Asp.net identity / signalr" returns a few resources that you may suite your needs, maybe not solely, but you should be able to combine some of the approaches.
Here a few links for you :
SignalR Authorization using Web API Token
https://logcorner.com/angular-js-token-based-authentication-using-asp-net-identity-and-asp-net-web-api/
https://www.codeproject.com/Articles/884647/Web-app-using-Web-API-SignalR-and-AngularJS
I am investigating how IdentityServer 3 works and I still have problem to fully understand.
In general concept is clear to me but still I am not sure how to implement this on real project.
This is basic example that I am trying to implement in my case: link
I have web api project and I want to call my api methods from any client (mvc, wpf, phone…)
So I need implementation that is suitable for all clients.
If I understand well (and probably I am not understand completely), I should have 3 projects:
Client
Api
Project that host IdentityServer
And all projects should have required stuff like on picture:
Steps on picture:
Get token
Return token
Call api
Check if Token is OK
If Token is fine than return data else show error
My questions are:
Is my thinking about how this works ok?
Where I making mistakes?
Is this example good enough for my case? Am I missing something
important?
Do I have to create project that host IdentityServer, or this is
needed just for example code ?
Does IdentityServer host project must be console application that
communicate with api and client(like in example), or in real world
this is done differently ?
Should project that host identity server be aware of Clients and
Users ?
Should some other project except host identity server project be aware of Clients and Users ?
What is diference between implicit and hybrid flow, what I need in my case and why?
How do I create my own login view? I want have html page for login if I use web client, but to have wpf login view if I use wpf, also different view for mobile client.
EDIT:
I think that I need Resource Owner flow . I supose that resource i view where user type user name and password.
Your basic flow is correct, with Identity Server acting as your authorization server and your client and web API separate.
You should host Identity Server in its own project to ensure it is separate from any other logic which has the potential to introduce security concerns. How you host it is up to you and your use case. Typically you would see it hosted within an ASP.NET project on an IIS Server.
Identity Server must be aware of clients and users in order to authenticate them. The only other projects that should be aware of your identity store (users) is any applications that concern things like admin, user registration, etc. The client store would only ever be used by Identity Server.
Views can be modified using the Identity Server templates or by introducing your own ViewService. See the docs for more info: https://identityserver.github.io/Documentation/docsv2/advanced/customizingViews.html
Regarding flows, the Resource Owner flow is OAuth only, so there will be no authentication (log in page), only authorization (server to server).
We are starting a project which will consist in:
Web project (ASP.NET MVC)
IOS app
and both will consume data from a .NET WEB API service.
The WEB API service will expose a POST Method with the url "user/create". But i don't know how can i avoid another apps for making post to this url? I know i need a security protocol, but i wanted to know which one you recommend me, and if you have, an article where is it explained.
Thanks
web api 2 provides oauth authentication. You will need to get a token from the token end point of web api and pass that token in subsequent requests.
You should find lot of online resources if you search for web api 2 oauth.
We did something similar recently using OWIN OAuth 2.0 Authorization Server
Reference this ASP.NET page for details. Sample code is included as well for several different implementations.
For our purposes, we used the Client Credentials Grant section about half-way down the page. Our implementation involved server-server OAuth (Web API to MVC), but I bet it's pretty similar to have iOS connect. The only thing I would caution is to somehow encrypt the login credentials on the iOS side, and I'm sure there is a way to do that.
So you want the WebAPI to only be used by the MVC page? The best architectural method is to separate the two rather than leave both in one project. Why? Because the MVC app is a experience layer for humans. The WebAPI is an experience layer for the MVC app. Move it back where it can't be accessed.
You can add on tokens, etc, but the MVC app sits on the server, but is accessed on the client computer. The wider the scope of the application (ie, intranet or internet or something in between?), the more difficult the problem and the harder it is for your users to access the application. Moving the WebAPI internal and leaving the MVC app exposed guarantees external users cannot use the API.
The main reason WebAPI and MVC exist together in a single project (still a mistake in most instances, IMO) is you are exposing both to the same audience. If that is not your intent, don't do it.
I am currently building an authentication server for a game. Basically how I have it planned out is a client will connect to our servers and they will authenticate the client and then issue the client a ticket. As long as the ticket is valid the client is able to join servers. Besides authentication I would like to display user stats and other stuff on their profile. I have not done anything with ASP.NET before but I think that is the right way to go on this. I was wondering if anyone knows where I might get started with communication with an ASP.NET web app. Is that too big of a step since I haven't used ASP.NET before? Should I start with something smaller?
EDIT:
Ok so I have a simple WCF Service now but I am having trouble understanding exactly how to use it. How do I actually use the service I created to exchange data between a console app and a ASP web site? Anyone know of a tutorial that creates a WCF service then actually shows how to implement it into a project?
Another option is to use someone else authentication server. I.e. Facebook, Messenger (Live.com), Google all provide OAuth authentication if you can agree to use their list of users.
Side benefit is that you don't need to worry a bit less about personal information (i.e. child accounts require much more care that you want :) ).
What kind of game? Is it a game played on your website or a client application? If it's a website then all you really need is a Login page. Otherwise, yeah WCF.