I am having some issues finding forums/tutorials/examples on how to fully authenticate an Angular app with Azure Active Directory. So in short, I need to log in the user via Angular 8 and I am using the https://www.npmjs.com/package/@azure/msal-angular library, which I found really good and easy. I am retrieving the token id and the user after login. The issue is that I need to add that user to the database because I have something like a role management system, which requires adding the user to the aspnet users db. I need to call an API which needs to authenticate, from the .NET side, that the user is real and then add the user to the aspnet users db. If he already exists there, it just needs to authenticate him and create a token. I need to know an example in .NET of how to populate User.Identity with the user. I am sending the API 2 headers: Authorization, which is the bearer token id, and the access token. Can someone please help?
Assuming you're using ASP.NET Core, you just need a middleware which will validate your JWT token acquired from the front end, and check if the user / token are valid (and also populate the User.Identity for you).
More info: https://github.com/aspnet/AspNetCore/tree/master/src/Azure/AzureAD/samples/AzureADSample
EDIT:
for asp.net mvc (non core), you'll do the same approach:
https://www.c-sharpcorner.com/article/azure-ad-authentication-for-mvc-web-application/
I am currently diving into Identity Server 4 and working on a local project for my own learning.
I currently have a login page located within the Identity Server 4 project which allows the user to login, this works perfectly fine.
The question I have is, can I make a REST API request passing in username and password to authenticate the user instead of using the login page located within the Identity Server project? This may sound like a very simple question to some, but my knowledge on this is very limited at present.
You are talking about the Resource Owner Password flow.
It allows you to request an access token with a username/password pair.
After that you can use the access token in the usual way to access your API.
The link above says that
The spec recommends using the resource owner password grant only for “trusted” (or legacy) applications.
I've got a user authenticated via IdS4, along with a few claims and a role, and now I'm lost about what to do with it. The general flow for the user is: go to my site, logging in redirects to the IdS4 server. They enter their username/password, and are redirected back to my site, along with cookies set.
I've not seen much beyond authentication in the tutorials I've found.
Should/How do I persist the user? Should I set up Identity on my MVC site? I'm just looking for a general idea, I think I can figure out the specifics, at this point my general Googling hasn't turned up much.
Thank you.
You can add ASP.NET Identity to manage users in your client MVC application, or directly use EF Core to store users in a database without ASP.NET Identity.
But the problem is: why do you want to persist or manage users in your client application? You are using Identity Server to do authentication, and IDS will connect to the database/configuration file to validate the user and fill user claims. If you want to manage users/roles, you can add APIs (CRUD operations on the user database) as a protected resource, and your client app acquires an access token to access those APIs to perform user management. That way user management operations are shared with clients which have permission to get the API's access token. But if you want to manage specific users which are only available to one client, you can mix ASP.NET Identity and IDS4 authentication in the client app.
I have a MVC5 website and WebApi using ASP.Net identity. I have configured the website to use Microsoft Account as an external login.
The Windows Store App will use the WebApi, and the user should have the same identity when using their Microsoft Account from either the website or the app. As users are already logged into their Microsoft Account when using the Windows Store App, I don't want them to have to enter their credentials again.
I'm wondering what is a good way for my app to be able to access the WebApi. Can I retrieve the Microsoft Account authentication token and pass that to my website's token endpoint with an authorization code grant in order to retrieve the token for my app to use to access the WebApi? Is there another way?
I want to avoid making changes to my WebApi's Account Controller as this process does not really fit into the MVC part of the website as it does not need to redirect to views, etc. So I plan to extend the Token endpoint with a custom grant type (e.g. exchange), which will return the local token to the consumer. Consumers will send the Token endpoint a request with a grant_type of exchange, my app's client id and secret, the name of the external provider (e.g. MicrosoftAccount), and the access code from the external provider. For example, the app will send a request like this:
http://myhost.com/token?grant_type=exchange&client_id=CLIENTID&client_secret=SECRET&provider=MicrosoftAccount&code=LIVESDKACCESSCODE
I'll provide an implementation of the ApplicationOAuthProvider's GrantCustomExtension method; the pseudocode will be like this:
validate the client id and secret
If client id and secret are valid, use the access code to get an access token from the Live SDK
parse the Live SDK access token to retrieve the id value
try to find the corresponding id value in the AspNetUserLogins table
If the login is not found, add a new AspNetUser record for the user and a record in the AspNetUserLogins table
create a token for the user and return the token
Once the app has the token, it can be stored in the Credential Locker for any other calls to the WebApi
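The following is an added example of the "exchange" grant sketched in the steps above, written for the OWIN OAuth authorization server that the ASP.NET Identity Web API template wires up; it is not code from the question's author. It assumes the template's ApplicationUser and ApplicationUserManager types, a constructed client registry standing in for configuration, placeholder Microsoft Account app settings, and the legacy Live SDK v5.0 token and /me endpoints for redeeming the code. The security-relevant point is in the middle: the external code is redeemed server-side with the provider, so the caller never gets to assert which Microsoft Account id it owns, and the client must have authenticated (client_id/client_secret) before the grant handler runs at all.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Newtonsoft.Json.Linq;

// Custom "exchange" grant for the OWIN OAuth authorization server used by the
// ASP.NET Identity Web API template. ApplicationUser / ApplicationUserManager
// are the template's own types and are assumed to exist in the project.
public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    // Constructed client registry; a real deployment loads this from configuration or a store.
    private static readonly Dictionary<string, string> Clients =
        new Dictionary<string, string> { { "CLIENTID", "SECRET" } };

    // Assumed settings of the Microsoft Account (Live SDK) app registration (placeholders).
    private const string LiveClientId = "LIVE-CLIENT-ID-PLACEHOLDER";
    private const string LiveClientSecret = "LIVE-CLIENT-SECRET-PLACEHOLDER";
    private const string LiveRedirectUri = "https://login.live.com/oauth20_desktop.srf";

    private static readonly HttpClient Http = new HttpClient();

    // OWIN calls this before any grant handler: the client must prove its identity first.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            context.TryGetFormCredentials(out clientId, out clientSecret);

        string expectedSecret;
        if (clientId != null && Clients.TryGetValue(clientId, out expectedSecret) && expectedSecret == clientSecret)
            context.Validated(clientId);
        else
            context.SetError("invalid_client", "Client id or secret is not valid.");
        return Task.FromResult<object>(null);
    }

    // Handles grant_type=exchange&provider=MicrosoftAccount&code=...
    public override async Task GrantCustomExtension(OAuthGrantCustomExtensionContext context)
    {
        if (context.GrantType != "exchange")
        {
            context.SetError("unsupported_grant_type");
            return;
        }

        string provider = context.Parameters.Get("provider");
        string code = context.Parameters.Get("code");
        if (provider != "MicrosoftAccount" || string.IsNullOrEmpty(code))
        {
            context.SetError("invalid_request", "Unsupported provider or missing code.");
            return;
        }

        // The provider, not the caller, decides who the code belongs to: redeem it server-side.
        string externalId = await GetMicrosoftAccountIdAsync(code);
        if (externalId == null)
        {
            context.SetError("invalid_grant", "The external authorization code could not be verified.");
            return;
        }

        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        var loginInfo = new UserLoginInfo(provider, externalId);
        ApplicationUser user = await userManager.FindAsync(loginInfo);   // AspNetUserLogins lookup
        if (user == null)
        {
            // The default UserValidator allows only alphanumeric names, so a GUID is used as the local name.
            user = new ApplicationUser { UserName = Guid.NewGuid().ToString("N") };
            IdentityResult created = await userManager.CreateAsync(user);
            if (!created.Succeeded) { context.SetError("server_error", string.Join("; ", created.Errors)); return; }
            IdentityResult linked = await userManager.AddLoginAsync(user.Id, loginInfo);
            if (!linked.Succeeded) { context.SetError("server_error", string.Join("; ", linked.Errors)); return; }
        }

        // Issue the local bearer token; the client id is recorded in the ticket properties.
        ClaimsIdentity identity = await userManager.CreateIdentityAsync(user, OAuthDefaults.AuthenticationType);
        var properties = new AuthenticationProperties(new Dictionary<string, string> { { "client_id", context.ClientId } });
        context.Validated(new AuthenticationTicket(identity, properties));
    }

    // Redeems the Live SDK authorization code and returns the verified Microsoft Account id,
    // or null if the provider rejects the code. Endpoints are the legacy Live SDK v5.0 ones (assumed).
    private static async Task<string> GetMicrosoftAccountIdAsync(string code)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "client_id", LiveClientId }, { "client_secret", LiveClientSecret },
            { "redirect_uri", LiveRedirectUri }, { "grant_type", "authorization_code" }, { "code", code }
        });
        HttpResponseMessage tokenResponse = await Http.PostAsync("https://login.live.com/oauth20_token.srf", form);
        if (!tokenResponse.IsSuccessStatusCode) return null;

        string accessToken = (string)JObject.Parse(await tokenResponse.Content.ReadAsStringAsync())["access_token"];
        if (string.IsNullOrEmpty(accessToken)) return null;

        HttpResponseMessage meResponse = await Http.GetAsync(
            "https://apis.live.net/v5.0/me?access_token=" + Uri.EscapeDataString(accessToken));
        if (!meResponse.IsSuccessStatusCode) return null;
        return (string)JObject.Parse(await meResponse.Content.ReadAsStringAsync())["id"];
    }
}
```

The class replaces the template's ApplicationOAuthProvider once it is registered in Startup.Auth.cs via OAuthAuthorizationServerOptions.Provider; a request with a wrong client secret stops at ValidateClientAuthentication with invalid_client, and a code the provider rejects yields invalid_grant without touching the user tables.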
I have an ASP.NET Application created using the Visual Studio 2013 project template. For security, I chose Azure Active Directory. I have all of the login working, but I'd like to start using the Graph API to manage users in my application. I have created an Application Key to use with Azure AD, but I'm not quite sure how to go about making graph calls.
I've studied the code at https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet, but using the graph API in that way requires a token.
Is there a way to get a token from my ASP.NET application after it has successfully logged into AD that I can use to call the graph API? Maybe by adding a method to Global.asax?
Is there another way to call the graph API from an ASP.NET application created with this project template?
Indeed, you do need an OAuth token using which your web application can access the Graph API, on behalf of the logged in user. If you're using .Net, you are looking at the correct sample - OpenID Connect is the recommended protocol to sign-in the user and get an authorization code to access Graph API: https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet.
The OpenIDConnect (SSO + Auth Code Grant flow) begins when the user clicks Sign-in link. See the _LoginPartial view (https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet/blob/master/WebAppGraphAPI/Views/Shared/_LoginPartial.cshtml) and the SignIn Action in the AccountController.
The main magic happens in Startup.Auth.cs (https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet/blob/master/WebAppGraphAPI/App_Start/Startup.Auth.cs): It configures a delegate on the event AccessCodeReceived to redeem the OAuth Access Code for a Refresh Token and Access Token for the resource (Graph API) and puts the tokens in the token cache.
See AuthUtils class (https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet/blob/master/WebAppGraphAPI/Utils/AuthUtils.cs): The GetAuthToken method first tries to retrieve an access token from the token cache. If the access token and refresh tokens have expired, it re-authenticates the user to populate the token cache with fresh refresh token.
See TokenCacheUtils class (https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet/blob/master/WebAppGraphAPI/Utils/TokenCacheUtils.cs): It calls the AAD token endpoint to get an Access token for the resource (Graph API in your case), using the Refresh token using the code
Hope this helps
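As an added example of the flow the answer describes (sign-in via OpenID Connect, redeeming the authorization code for Graph tokens in the AuthorizationCodeReceived notification, caching them per user, and acquiring them silently later), here is a condensed, self-contained version; it is not the sample's own code. It assumes the OWIN OpenID Connect middleware with ADAL, placeholder values in GraphAuthSettings, the Azure AD Graph endpoint at graph.windows.net, and an in-memory per-user token cache in place of the sample's session-backed one. The cache is keyed by the user's Azure AD object id so that one user's refresh token can never be served to another, and a failed silent acquisition clears that user's cache and returns null so the caller can re-challenge sign-in rather than retrying with stale tokens.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Placeholder settings (assumed); real values come from the Azure AD app registration.
public static class GraphAuthSettings
{
    public const string ClientId = "APP-CLIENT-ID-PLACEHOLDER";
    public const string AppKey = "APP-KEY-PLACEHOLDER";
    public const string TenantId = "TENANT-ID-PLACEHOLDER";
    public const string Authority = "https://login.microsoftonline.com/" + TenantId;
    public const string GraphResourceId = "https://graph.windows.net";
    public const string RedirectUri = "https://localhost:44300/";
    public const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
}

// Per-user ADAL token cache backed by process memory (assumed simplification of the sample's
// session cache). Keyed by the user's object id so users never see each other's tokens.
public class InMemoryUserTokenCache : TokenCache
{
    private static readonly ConcurrentDictionary<string, byte[]> Store = new ConcurrentDictionary<string, byte[]>();
    private readonly string _userObjectId;

    public InMemoryUserTokenCache(string userObjectId)
    {
        _userObjectId = userObjectId;
        // Load this user's serialized cache before ADAL reads it, persist it after ADAL changes it.
        BeforeAccess = args => { byte[] blob; if (Store.TryGetValue(_userObjectId, out blob)) Deserialize(blob); };
        AfterAccess = args => { if (HasStateChanged) { Store[_userObjectId] = Serialize(); HasStateChanged = false; } };
    }

    public static void Clear(string userObjectId) { byte[] ignored; Store.TryRemove(userObjectId, out ignored); }
}

public static class GraphAuth
{
    // Startup.Auth.cs equivalent: the AuthorizationCodeReceived notification redeems the code.
    public static void Configure(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = GraphAuthSettings.ClientId,
            Authority = GraphAuthSettings.Authority,
            RedirectUri = GraphAuthSettings.RedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = async notification =>
                {
                    string userObjectId = notification.AuthenticationTicket.Identity
                        .FindFirst(GraphAuthSettings.ObjectIdClaim).Value;
                    var authContext = new AuthenticationContext(GraphAuthSettings.Authority,
                        new InMemoryUserTokenCache(userObjectId));
                    var credential = new ClientCredential(GraphAuthSettings.ClientId, GraphAuthSettings.AppKey);
                    // Redeem the code: access and refresh tokens for Graph land in this user's cache.
                    await authContext.AcquireTokenByAuthorizationCodeAsync(
                        notification.Code, new Uri(GraphAuthSettings.RedirectUri), credential,
                        GraphAuthSettings.GraphResourceId);
                }
            }
        });
    }

    // AuthUtils.GetAuthToken equivalent: silent acquisition returns the cached access token or
    // refreshes it; returns null when the user must sign in again to repopulate the cache.
    public static async Task<string> GetGraphAccessTokenAsync(ClaimsPrincipal user)
    {
        string userObjectId = user.FindFirst(GraphAuthSettings.ObjectIdClaim).Value;
        var authContext = new AuthenticationContext(GraphAuthSettings.Authority, new InMemoryUserTokenCache(userObjectId));
        var credential = new ClientCredential(GraphAuthSettings.ClientId, GraphAuthSettings.AppKey);
        try
        {
            AuthenticationResult result = await authContext.AcquireTokenSilentAsync(
                GraphAuthSettings.GraphResourceId, credential,
                new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
            return result.AccessToken;
        }
        catch (AdalException)
        {
            InMemoryUserTokenCache.Clear(userObjectId);   // stale cache: caller should re-challenge sign-in
            return null;
        }
    }

    // Example Graph call on behalf of the signed-in user (Azure AD Graph REST API, version 1.6).
    public static async Task<string> ListUsersJsonAsync(ClaimsPrincipal user)
    {
        string token = await GetGraphAccessTokenAsync(user);
        if (token == null) throw new InvalidOperationException("Sign-in required to refresh the Graph token.");
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
            string url = GraphAuthSettings.GraphResourceId + "/" + GraphAuthSettings.TenantId + "/users?api-version=1.6";
            HttpResponseMessage response = await http.GetAsync(url);
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

GraphAuth.Configure is called from Startup.Configuration after the cookie middleware, and a controller action calls ListUsersJsonAsync(User as ClaimsPrincipal); in a web farm the in-memory cache would have to be replaced by a shared, per-user store, which is the same division of labour the sample's TokenCacheUtils implements.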
I'm implementing some WebApi to upload/convert/return videos.
Another developer will implement a PhoneGap application that will call my WebApi to upload/convert/show videos to users.
The PhoneGap application uses OpenId to allow users to login using google and facebook.
My problem is that I want to make sure the client that is calling my WebApi has been logged in on the PhoneGap app using google or facebook.
I know that all I need is the client to send me a token in the request header that I can "extract" on the web api to validate the user. My question is how can my WebApi know what is the token that has been generated by openId (google/fb) on the PhoneGap app?
Well, I am also looking into this, and what I have got so far I will share with you in the following steps:
1) Whenever a user calls my login page I will create the token in the response header to make sure that the request is coming from a legitimate user, just like the antiforgery token in MVC.
2) Then upon successful login I will create the authentication cookie and set the current user context value. This will authorize the user and generate another token as mentioned above.
3) Then after this I will use the normal Authorise and Roles attributes provided by Web API.
Let me know what you think. I am more than happy to contribute.
Another approach is, when the user logs in, to create a hashed token, add it to the response header, and create a custom attribute which grabs that token and checks it against the database. The problem with this approach is that you will be hammering your database all the time.