I recently took over a .NET Core MVC project and have to extend it with an API. For authentication, .NET Core Identity is used. Coming from Swift iOS/Mac development, I started a demo project to get into it and do some basic authentication.
When reading up on Identity in Microsoft's Docs, they focus on web apps. So my questions are:
Should I use Identity for API authentication, or is it just for internal identity management and web app stuff?
Does Identity/.NET Core already offer me JWT and e.g. basic auth to initially obtain the JWT, or do I have to create a lot myself?
My goal right now is to just create JWT-auth protected routes and to be able to get a JWT with a username and a password.
ASP.NET Core Identity isn't suitable for guarding APIs; the use of other identity providers is directed by the Docs:
ASP.NET Core Identity adds user interface (UI) login functionality to ASP.NET Core web apps. To secure web APIs and SPAs, use one of the following:
Azure Active Directory
Azure Active Directory B2C (Azure AD B2C)
IdentityServer4
and as per the previous link:
IdentityServer4 is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core. IdentityServer4 enables the following security features:
Authentication as a Service (AaaS)
Single sign-on/off (SSO) over multiple application types
Access control for APIs
Federation Gateway
So you will need to go with IdentityServer4.
You should use IdentityServer4 for this.
Refer to a simple example of IdentityServer4 protecting a client with a token:
identity-server4 simple example
There are a lot more things you will have to understand; refer to the IdentityServer4 official docs.
Moreover, you can also follow the step-by-step IdentityServer setup video tutorial.
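The setup both answers point at, as an added example (editor's code, not taken from the answers or from the IdentityServer4 quickstarts): IdentityServer4 4.x fronting ASP.NET Core Identity, with a client that exchanges a username and password for a JWT, and the API that accepts that JWT. The type names ApplicationUser and ApplicationDbContext, the scope "api1", the client id "mobile-client" and the URLs are assumptions.

```csharp
// Added example (not the answers' code): IdentityServer4 4.x + ASP.NET Core Identity, and a protected API.
// Assumed names: ApplicationUser, ApplicationDbContext, scope "api1", client "mobile-client".
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

namespace IdsHost
{
    public static class Config
    {
        public static IEnumerable<ApiScope> ApiScopes =>
            new[] { new ApiScope("api1", "Demo API") };

        public static IEnumerable<Client> Clients => new[]
        {
            new Client
            {
                ClientId = "mobile-client",
                // Resource Owner Password is exactly "username + password -> JWT". Use it only for
                // first-party clients you control: the client sees the password, and the grant is
                // dropped in OAuth 2.1. Anything browser- or device-facing should use code + PKCE.
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                ClientSecrets = { new Secret("<load-from-configuration>".Sha256()) },
                AllowedScopes = { "api1" },
                AllowOfflineAccess = true,  // refresh tokens, so the access token can stay short-lived
                AccessTokenLifetime = 600,  // seconds
            },
        };
    }

    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddIdentity<ApplicationUser, IdentityRole>()
                .AddEntityFrameworkStores<ApplicationDbContext>();

            services.AddIdentityServer()
                .AddInMemoryApiScopes(Config.ApiScopes)
                .AddInMemoryClients(Config.Clients)
                .AddAspNetIdentity<ApplicationUser>() // IdentityServer4.AspNetIdentity: checks the password
                .AddDeveloperSigningCredential();      // dev only; use AddSigningCredential(X509Certificate2)
        }

        public void Configure(IApplicationBuilder app)
        {
            app.UseRouting();
            app.UseIdentityServer(); // serves /.well-known/openid-configuration and /connect/token
            app.UseAuthorization();
        }
    }
}
// Client request:  POST https://localhost:5001/connect/token
//   grant_type=password&username=alice&password=...&client_id=mobile-client
//   &client_secret=...&scope=api1 offline_access

namespace Api
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddControllers();
            services.AddAuthentication("Bearer")
                .AddJwtBearer("Bearer", options =>
                {
                    options.Authority = "https://localhost:5001"; // discovery doc + signing keys come from here
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateAudience = false, // audience is enforced by the scope policy below
                    };
                });

            services.AddAuthorization(options =>
                options.AddPolicy("ApiScope", policy =>
                {
                    policy.RequireAuthenticatedUser();
                    policy.RequireClaim("scope", "api1"); // token must have been issued for this API
                }));
        }

        public void Configure(IApplicationBuilder app)
        {
            app.UseRouting();
            app.UseAuthentication();
            app.UseAuthorization();
            app.UseEndpoints(endpoints =>
                endpoints.MapControllers().RequireAuthorization("ApiScope"));
        }
    }
}
```

The API never sees a password and holds no signing key: it fetches IdentityServer's public keys through discovery and checks signature, issuer, lifetime and the "api1" scope claim. The developer signing credential rotates on restart and must be replaced by a certificate before anything else depends on the tokens.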
Related
I am building an ASP.NET Core web app with Angular and I want to secure it using token-based authentication. I am relatively new to the authentication mechanism, so I have a few clarifications.
I have decided to go with JWT token-based authentication using this tutorial link:
https://medium.com/c-sharp-progarmming/asp-net-core-5-jwt-authentication-tutorial-with-example-api-aa59e80d02da
I also came across another tutorial which explains token-based authentication using OWIN:
https://www.c-sharpcorner.com/UploadFile/ff2f08/token-based-authentication-using-Asp-Net-web-api-owin-and-i/
Now my question is: which protocol does link 1 implement? Is it OWIN? Do we need a separate server for maintaining something called the OAuth Authorization framework, as explained in link 2?
What's the difference between OWIN, OAuth and Identity, and are all these concepts internally used if I follow link 1 and secure the application using JWT token-based authentication?
OWIN is a middleware and OAuth is the protocol. If you are using .NET Core or .NET 5, try to use the .NET Core middleware for authentication/authorization. Follow the first link (Medium).
If you need a fully fledged identity server, then you have to create a separate identity server. If you want only the token things, you can just implement them in your project, but the recommended approach is to create a server for identity management.
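The "only the token things in your project" option from this answer, which is also what the first question on this page asks for (a JWT from a username and password), as an added example written for this page rather than taken from either tutorial: a token endpoint that checks the password with ASP.NET Core Identity and issues an HS256 JWT, plus the .NET Core JwtBearer middleware setup that validates it. The names ApplicationUser, the "Jwt" configuration section (Key, Issuer, Audience) and the route are assumptions.

```csharp
// Added example: self-issued JWT from Identity credentials, validated by the JwtBearer middleware.
// Assumed: ApplicationUser : IdentityUser, and a "Jwt" config section with Key, Issuer, Audience.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class LoginRequest
{
    public string Username { get; set; }
    public string Password { get; set; }
}

[ApiController]
[Route("auth")]
public class AuthController : ControllerBase
{
    private readonly UserManager<ApplicationUser> _users;
    private readonly SignInManager<ApplicationUser> _signIn;
    private readonly IConfiguration _config;

    public AuthController(UserManager<ApplicationUser> users,
                          SignInManager<ApplicationUser> signIn, IConfiguration config)
    {
        _users = users; _signIn = signIn; _config = config;
    }

    // POST /auth/token  {"username":"alice","password":"..."}  ->  {"access_token":"...", ...}
    [HttpPost("token")]
    [AllowAnonymous]
    public async Task<IActionResult> Token([FromBody] LoginRequest req)
    {
        var user = await _users.FindByNameAsync(req.Username);
        // lockoutOnFailure: true counts bad attempts toward Identity's lockout policy,
        // which is what limits online password guessing against this endpoint.
        var check = user == null
            ? Microsoft.AspNetCore.Identity.SignInResult.Failed
            : await _signIn.CheckPasswordSignInAsync(user, req.Password, lockoutOnFailure: true);
        if (!check.Succeeded)
            return Unauthorized(); // same response for unknown user, wrong password and lockout

        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, user.Id),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
        };
        foreach (var role in await _users.GetRolesAsync(user))
            claims.Add(new Claim(ClaimTypes.Role, role)); // makes [Authorize(Roles = "...")] work

        // Jwt:Key comes from configuration / a secret store, never from source; HS256 needs >= 256 bits.
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"]));
        var token = new JwtSecurityToken(
            issuer: _config["Jwt:Issuer"],
            audience: _config["Jwt:Audience"],
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(15), // short-lived: a bearer JWT cannot be revoked
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));

        return Ok(new
        {
            access_token = new JwtSecurityTokenHandler().WriteToken(token),
            token_type = "Bearer",
            expires_in = 900,
        });
    }
}

public static class JwtSetup
{
    // Startup.ConfigureServices: services.AddIdentity<...>()...; services.AddJwtAuth(Configuration);
    // Startup.Configure: app.UseAuthentication(); app.UseAuthorization();
    public static void AddJwtAuth(this IServiceCollection services, IConfiguration config)
    {
        services.AddAuthentication(options =>
        {
            // AddIdentity() makes its cookie the default scheme; an API must challenge with Bearer instead.
            options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = config["Jwt:Issuer"],
                ValidateAudience = true,
                ValidAudience = config["Jwt:Audience"],
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["Jwt:Key"])),
                ValidateLifetime = true,
                ClockSkew = TimeSpan.FromMinutes(1),                       // default is 5 minutes
                ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // reject anything else
            };
        });
    }
}
```

The symmetric key means every service that validates these tokens can also mint them, which is the main reason this stops scaling once more than one API is involved; that is the point at which the separate identity server the answer recommends (asymmetric keys, discovery, one issuer) pays off.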
I'm interested in implementing SSO for an organisation using Azure Active Directory and ASP.NET Framework 4.x.
After studying the Microsoft docs, I came across the advice to use MSAL (Microsoft Authentication Library) and also a code sample on GitHub here. The code sample is referenced by this article.
According to NuGet, this is the MSAL library. But the code sample above makes no reference to that library, as can be seen in the packages.config file here.
The packages.config file and the article make reference to other libraries:
Microsoft.Owin.Security.OpenIdConnect
Microsoft.Owin.Security.Cookies
Microsoft.Owin.Host.SystemWeb
So what is the relationship of these packages to MSAL?
The packages you mention are used by an ASP.NET MVC app to authenticate users with the OpenID Connect + Cookies combo.
They are used to authenticate the user in the app.
In the context of back-end web apps, MSAL deals with token acquisition, not user authentication.
So if your app needs to call e.g. MS Graph API, you can use MSAL to get the access token for that, after the OpenID Connect package has finished authenticating the user and received an authorization code.
MSAL can request tokens, and handles token caching and token refresh for you.
Microsoft Authentication Library
MSAL is a library that can be used to acquire and manage tokens from the Microsoft identity platform endpoint in order to authenticate users and access some protected APIs (e.g. Graph API).
Microsoft.Owin.Security.* (ASP.NET MVC)
These are packages that you can use in ASP.NET MVC applications. Microsoft.Owin.Security.OpenIdConnect is a package which contains OWIN middleware which accepts and validates incoming access tokens.
So:
If you want to sign users into your ASP.NET MVC application using Azure AD, use Microsoft.Owin.Security.OpenIdConnect. You can check the following tutorial.
If you want to acquire and manage tokens on behalf of some user, use MSAL.
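The division of labour both answers describe, as an added example for ASP.NET MVC 5 on Katana 4.x with MSAL.NET 4.x (editor's code, not the GitHub sample's): the Microsoft.Owin.Security.OpenIdConnect middleware signs the user in and the Cookies middleware keeps the session, while MSAL only redeems the authorization code and later hands out Graph access tokens from its cache. The client id, tenant, redirect URI, Graph scope and the "msal_account_id" claim name are assumptions.

```csharp
// Added example: OWIN OpenIdConnect + Cookies for sign-in, MSAL for token acquisition.
// Assumed: Katana 4.x packages, MSAL.NET 4.x, single-tenant Azure AD app registration.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(DemoApp.Startup))]
namespace DemoApp
{
    public class Startup
    {
        // Assumed registration values; read them from configuration in a real app.
        const string ClientId = "<application-client-id>";
        const string ClientSecret = "<client-secret-from-config>";
        const string Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0";
        const string RedirectUri = "https://localhost:44300/";
        static readonly string[] GraphScopes = { "https://graph.microsoft.com/User.Read" };

        // One MSAL confidential client per process; its in-memory cache is keyed per account.
        // Production: attach a persistent cache with MsalApp.UserTokenCache.SetBeforeAccess/SetAfterAccess.
        static readonly IConfidentialClientApplication MsalApp =
            ConfidentialClientApplicationBuilder.Create(ClientId)
                .WithClientSecret(ClientSecret)
                .WithRedirectUri(RedirectUri)
                .WithAuthority(new Uri(Authority))
                .Build();

        public void Configuration(IAppBuilder app)
        {
            // 1. Cookie middleware holds the local session once the user is signed in.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            // 2. OpenID Connect middleware does the sign-in: redirect to Azure AD, validate the id_token.
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                Authority = Authority,
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = RedirectUri,
                ResponseType = OpenIdConnectResponseType.CodeIdToken, // id_token signs in; code goes to MSAL
                Scope = "openid profile offline_access " + string.Join(" ", GraphScopes),
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true, // single-tenant; a multi-tenant app needs its own issuer check
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                    AuthenticationFailed = n =>
                    {
                        n.HandleResponse();
                        n.Response.Redirect("/Error"); // do not echo n.Exception.Message to the browser
                        return Task.FromResult(0);
                    },
                },
            });
        }

        // 3. MSAL's job: redeem the authorization code for Graph tokens and cache them.
        static async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification n)
        {
            AuthenticationResult result = await MsalApp
                .AcquireTokenByAuthorizationCode(GraphScopes, n.Code)
                .ExecuteAsync();

            // Remember which MSAL account belongs to this session, so later lookups cannot
            // pick up another signed-in user's tokens from the shared cache.
            n.AuthenticationTicket.Identity.AddClaim(
                new Claim("msal_account_id", result.Account.HomeAccountId.Identifier));
        }

        // 4. Called from a controller before calling Graph: cache hit, or silent refresh-token renewal.
        public static async Task<string> GetGraphAccessTokenAsync(ClaimsPrincipal user)
        {
            string accountId = user.FindFirst("msal_account_id")?.Value;
            IAccount account = accountId == null ? null : await MsalApp.GetAccountAsync(accountId);
            if (account == null)
                return null; // nothing cached for this user: caller must challenge (sign in again)
            try
            {
                return (await MsalApp.AcquireTokenSilent(GraphScopes, account).ExecuteAsync()).AccessToken;
            }
            catch (MsalUiRequiredException)
            {
                return null; // refresh token expired or consent missing: caller must challenge
            }
        }
    }
}
```

Nothing in the OWIN options references MSAL, which is why the sample's packages.config does not list it: the two libraries meet only inside the AuthorizationCodeReceived notification, where the code the middleware obtained is handed to MSAL.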
I have three applications: a Web API, an MVC application (web app) and a Java native app (mobile app). I need to authenticate my web app and mobile app against the Web API. So which authentication is best for this scenario?
Please help me. I have experience developing MVC applications, but Web API is new to me, and the same goes for Android, which is also new to me.
I would suggest the following read: https://learn.microsoft.com/en-us/dotnet/architecture/microservices/secure-net-microservices-web-applications/
It will provide you with different authentication and authorization options. You might opt to use a social identity provider like Google or Facebook, or go with your own identity provider. In both cases, the protocols you need to know about are:
Check out what OpenID Connect is: https://openid.net/connect/
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
Check out what OAuth 2.0 is: https://oauth.net/2/
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
For a web app SPA, use the implicit grant.
For native apps, a great read here: https://www.oauth.com/oauth2-servers/oauth-native-apps/
The current industry best practice is to use the Authorization Flow while omitting the client secret, and to use an external user agent to complete the flow.
Last but not least, if you want to create your own identity provider, you can use the open source IdentityServer for both OpenID Connect and OAuth 2: https://learn.microsoft.com/en-us/dotnet/architecture/cloud-native/identity-server
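The native-app practice quoted above ("Authorization Flow while omitting the client secret", with an external user agent) is the authorization code grant with PKCE from RFC 7636 and RFC 8252; the OAuth 2.0 Security Best Current Practice recommends the same code-plus-PKCE flow for browser-based apps in place of the implicit grant. As an added example not taken from the linked article, here is the client side of that flow in C#: verifier and S256 challenge generation, the authorize URL to hand to the system browser, and the code redemption without a client secret. The authority, client id, loopback redirect URI and endpoint paths are assumptions.

```csharp
// Added example: authorization code + PKCE for a public (no-secret) native client.
// Assumed: an OIDC provider at Authority with /connect/authorize and /connect/token endpoints.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

public static class Pkce
{
    static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // RFC 7636 section 4.1: high-entropy verifier of 43..128 unreserved chars; 32 random bytes -> 43 chars.
    public static string NewCodeVerifier()
    {
        var bytes = new byte[32];
        using var rng = RandomNumberGenerator.Create();
        rng.GetBytes(bytes);
        return Base64Url(bytes);
    }

    // RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    // Appendix B of the RFC gives a verifier/challenge pair to check this against.
    public static string CodeChallenge(string verifier)
    {
        using var sha = SHA256.Create();
        return Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
    }
}

public class NativeClientLogin
{
    // Assumed values for a public client registered at the provider.
    const string Authority = "https://idp.example.com";
    const string ClientId = "native-app";
    const string RedirectUri = "http://127.0.0.1:49152/callback"; // loopback redirect, RFC 8252 section 7.3
    static readonly string[] Scopes = { "openid", "profile", "api1" };

    // Both values are per login attempt and never leave this process except as described below.
    public string CodeVerifier { get; } = Pkce.NewCodeVerifier();
    public string State { get; } = Pkce.NewCodeVerifier(); // random, binds the callback to this attempt

    // Step 1: URL to open in the system browser (external user agent), not an embedded WebView.
    public string BuildAuthorizeUrl() =>
        $"{Authority}/connect/authorize?response_type=code" +
        $"&client_id={Uri.EscapeDataString(ClientId)}" +
        $"&redirect_uri={Uri.EscapeDataString(RedirectUri)}" +
        $"&scope={Uri.EscapeDataString(string.Join(" ", Scopes))}" +
        $"&state={State}" +
        $"&code_challenge={Pkce.CodeChallenge(CodeVerifier)}" +
        "&code_challenge_method=S256";

    // Step 2: the loopback listener received ?code=...&state=...; check state, then redeem the code.
    public async Task<string> RedeemCodeAsync(HttpClient http, string code, string returnedState)
    {
        bool stateOk = returnedState != null && CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(returnedState), Encoding.ASCII.GetBytes(State));
        if (!stateOk)
            throw new InvalidOperationException("state mismatch: CSRF or mixed-up callback");

        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["redirect_uri"] = RedirectUri,
            ["client_id"] = ClientId,
            ["code_verifier"] = CodeVerifier, // proves this client started the flow; no client_secret
        });
        var response = await http.PostAsync($"{Authority}/connect/token", form);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync(); // JSON: access_token, id_token, refresh_token
    }
}
```

An attacker who intercepts the authorization code (another app registered for the same custom scheme, a malicious browser extension) cannot redeem it without the verifier, which is the property that lets a native app run the code flow at all without a client secret.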
I suggest you use web tokens and implement them in your Web API project. I encourage you to see this series of videos to do that; it describes how to implement JWT in an ASP.NET Core Web API project:
ASP.NET Core Authentication with JWT (JSON Web Token)
ASP.NET Core Authentication with Custom Handler
Role-based Authorization in ASP.Net Core (With Custom Authentication Handler)
Policy-based Authorization in ASP.Net Core (with Custom Authorization Handler)
JWT Refresh Token in ASP.Net Core (a deep dive)
That series will help you build JWT in your Web API. If you want to implement OAuth 2.0 and OpenID, you can read the guidelines for the protocol and implement them on your own; it is not implemented by default.
[EDIT]
You can use Microsoft.AspNetCore.Authentication.OpenIdConnect for OpenID after seeing that series, and this article will be helpful: .NET Core 2.x native OpenID Connect example
We are building an application with an Angular 10 based front-end and .NET Core 3.1 based Web APIs. For authentication and authorization we want to use ASP.NET Core Identity. I want to know if we can have the Identity system integrated with our Web API project and use an authentication method via Web APIs to generate a JWT, and later authorization. I am wondering if this is a good approach to follow or if there is any security flaw in this approach. I get this doubt because I have read somewhere that authentication must be over server-rendered pages instead of JavaScript-based front-ends.
I have an ASP.NET MVC project and a Web API project (separate projects). Access to the database is fully realized through the Web API (including authorization and authentication). ASP.NET MVC is a client, the Web API is a server.
So, how do I correctly implement authorization and authentication in the ASP.NET MVC project (on the client side)? I read a lot about how this is implemented in Web API (through a token), but I cannot understand how to correctly use this token in ASP.NET MVC.
Write a wrapper for each request? I also do not know how to define the user role in ASP.NET MVC. Maybe there is some way to rewrite the standard methods of ASP.NET MVC authorization to work with the Web API token? Will the Authorize attributes on the ASP.NET MVC client side work? Please suggest an example of such an implementation if possible, or tell me how best to implement it.
First of all, if you are not in production yet, it might be time to jump to .NET Core 2.x. It does not separate Web API and MVC under the hood, and it's up-to-date technology. If, for some reason, you can't upgrade the framework, then yes, employ Microsoft.Owin, Microsoft.Owin.Security.OpenIdConnect and all the dependencies.

OIdC defines two types of tokens: an identity token, describing a user, and an authorization token, giving access to an API. There should be some identity provider in the system, authenticating users and authorizing clients (such as your MVC app). Such a provider could be external (Google, Office 365, etc.) or internal: you can use the free IdentityServer 4.x implementation and adjust it to fit your needs. You could even build the IdP into your app.

The flow for both .NET Core and OWIN OIdC implementations should be identical:
You register all your apps (API and MVC) in the identity provider.
The user requests an MVC resource; the OIdC middleware redirects them to the IdP.
The IdP authenticates the user, issuing identity and access tokens.
MVC validates the identity token and uses it to create a local authentication cookie, so the user becomes authenticated in the app.
An MVC controller calls some API and puts the access token requested from the IdP into the request.
The API validates the token and responds with the requested data.
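The six steps above on the .NET Core side, as an added example (editor's code, not the answer's): cookie plus OpenID Connect middleware with the authorization code flow, SaveTokens so the access token lives in the cookie session, and a controller that attaches it to the outbound API call. This also answers the question's point about [Authorize]: it works on the MVC side because the cookie scheme authenticates the user locally. The IdP URL, client id "mvc", scope "api1" and the API base address are assumptions.

```csharp
// Added example: ASP.NET Core 3.1/5 MVC client of an OIDC identity provider, calling an API.
// Assumed: IdP at https://localhost:5001 with client "mvc" and scope "api1"; API at https://localhost:6001.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        services.AddHttpClient("api", c => c.BaseAddress = new Uri("https://localhost:6001/"));

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";        // local session after sign-in (step 5)
            options.DefaultChallengeScheme = "oidc";  // unauthenticated requests go to the IdP (step 3)
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.Authority = "https://localhost:5001";   // step 1: this client is registered there
            options.ClientId = "mvc";
            options.ClientSecret = "<from-configuration>";  // confidential client; keep out of source
            options.ResponseType = "code";                  // authorization code flow; UsePkce defaults to true
            options.Scope.Add("api1");                      // ask for an access token usable at the API
            options.Scope.Add("offline_access");            // refresh token, so access tokens can be short-lived
            options.GetClaimsFromUserInfoEndpoint = true;
            options.SaveTokens = true;                      // keep id/access/refresh tokens in the cookie session
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication(); // step 4/5: validates the cookie, or the id_token on the way back from the IdP
        app.UseAuthorization();  // enforces [Authorize]
        app.UseEndpoints(e => e.MapDefaultControllerRoute().RequireAuthorization());
    }
}

[Authorize] // the cookie scheme makes this work on the MVC client, no token parsing needed
public class OrdersController : Controller
{
    private readonly IHttpClientFactory _clients;
    public OrdersController(IHttpClientFactory clients) => _clients = clients;

    public async Task<IActionResult> Index()
    {
        // Step 6: attach the IdP-issued access token to the outbound API call.
        string accessToken = await HttpContext.GetTokenAsync("access_token");
        var client = _clients.CreateClient("api");
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        var response = await client.GetAsync("orders");
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            return Challenge(); // step 7 failed (expired/rejected token): re-run the OIDC sign-in

        response.EnsureSuccessStatusCode();
        ViewBag.Json = await response.Content.ReadAsStringAsync();
        return View();
    }
}
```

Roles on the MVC side come from the claims the IdP puts in the id_token or userinfo response; once the cookie holds them, [Authorize(Roles = "...")] works exactly as in a plain MVC app, while the API enforces its own policy on the access token it receives.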
I would recommend using the OWIN interface to implement token-based authentication for Web API and MVC. You should provide an authentication token in your Web API and give the ability to deserialize the token in MVC and Web API. You can find an example open source project here, which I developed, about how you can implement token-based authentication with OWIN for Web API.
For the MVC project, you should follow the same practice by using OWIN.
The best way is to use Azure Active Directory authentication if Active Directory is configured for your application. You can get more info here.