Context: I am working on a web form application hosted using an Azure App service. The WebForm application is hosted together with a WebApp project
I would want that API requests from Angular no longer pass the Arrafinity cookie ( which is HttpOnly), or that the the cookie is ignored by just the API.
How could I achieve this ? ( The API is stateless, the Web Form is not )
ARR Affinity can be disabled on the Web App Configuration General Settings tab. See this article for more details.
Related
Basic question: how does one setup a web application and web services where they use windows authentication to connect the web application to the web service?
I have inherited an application written in asp.net 2.0 and am working to migrate it to asp.net 4.8. The solution is designed with a project for the web UI and a project for the web services. I have deployed both projects to an IIS site on a Windows 2019 server as separate applications on the same server in the Default Web Site. Each has their own application pool with AppPoolIdentity as the identity and both use Windows Authentication method and have all other authentication methods disabled. Each application is set to use pass-through-authentication when connecting.
When I run the UI application project it tries to call the first web service and I get 401 Unauthorized at the web service call. I have added some logging in the web application and the web service and can see it is authenticating me on the web application and verified the exact url (http://localhost/{appname}/authenticate.asmx) being used to call the web service but it is rejecting the attempt to access the web service with the 401 Unauthorized error from the web application. When I independently access the webservice it is accessible, authenticates me, and works as expected verified by logging output.
What do I need to change to get the application to connect to the web service with the same authenticated user? Do I need to change the AppPoolIdentity to something else like a service account or set it to Network Service or something else? I would have thought the UI application would pass-through the authenticated user to the web wervice but that must not be happening and I am not sure what to set to enable that connectivity.
Thank you in advance.
I'm currently trying to work out the best way to handle authentication for a new external web application and web service application using ASP.NET Core. Here is the general setup:
Username/password is stored in SQL Server database
Web application ONLY makes call to web service
Web service (Web API) makes calls to database and returns data to web application
So the idea is that the user logs in once and using the built-in cookies authentication provider will stay logged in. However, I want to pass that authentication token or whatever to the web service application and have whatever it does run under the appropriate security context for that user. I've looked for examples that resemble this design but haven't found a good one. Could anyone make any high-level recommendations or point me to some helpful resources on how I can achieve this design?
Take asp.net core MVC and web api as an example, put the login page in the web application. Put cookie authentication in web api. After the user logs in, it applies for a token through the web api, and the token will be stored in the cookie cache of the browser.
Here is the cookie configuration. In Startup.cs (web api).
services.AddAuthentication("scheme")
.AddCookie("scheme", options =>
{
options.Cookie.Name = "authname";
});
If the token is successfully applied, it will be written in browser.
Then I add a action that gets the cookie tocken.
[Route("getTocken")]
public string getTocken( )
{
string cookie ="";
HttpContext.Request.Cookies.TryGetValue("authname", out
cookie);
return cookie;
}
This is the result.
This cookie tocken could be saved in session for maintaining state.
We currently have an ASP.NET Core MVC app in combination with IdentityServer4 for authentication. The user authenticates via IdentityServer (with the HybridAndClientCredentials flow) to ADFS before it has access to the MVC application.
The SignInScheme on the MVC client is set to the values "Cookies".
We would like to extend our MVC app to host multiple Angular apps. Sometimes even more than 1 Angular app per MVC view.
The angular apps will call seperate ASP.NET Core Web API's on behalf of the user.
My question is how does the angular apps know that the user is already authenticated in the MVC application, retrieve the access token and call the API's on the user behalf?
I have been playing around with solution Scott Brady came up with but there seems no integration between the MVC app & Angular app. The Angular app will try to authenticate to identityserver and expect a callback on a particular page.
I am looking for a solution how to share the accesstokens between the MVC app and the angular apps but I am stuck. Any help is much appreciated.
If they have to sign in via the server-side hybrid flow already then the simplest way would be an endpoint in your MVC app that is cookie-secured that the client side app can call to get the access token.
Another approach is to use oidc-client-js and have the client side Angular app obtain its own token.
You could abstract this away from the client side app itself so it's easy to change the mechanism later if you need to. As it happens we use a combination of server side and client side flows and it works fine.
I have a web application done in razor and i want to convert it to a normal client application. So what i thought of is to self host that web application and serve it through WebControl in WinForms, i already done this using owin. However the self hosted application can also be accessed through a browser or any external machine if privileges are given. My question here, how to prevent any external browser from accessing my self hosted owin web app, and still connect through the my client's internal browser ?
How Passive adfs 2.0 authenitcation for Web application can consume WCF Restful Services?
I am using ASP.NET 4.0, C# to develop web application and WCF Rest Service.....
So could you please help me to understand how to secure Restful service using claim based authentication
Here is what I need: -
I have a Web App and WCF Rest service with webhttpbinding gets called from ajax jquery.
Now the user logs into the Web App which is relying party, he is redirected to the adfs login page.
Once logged in, he is redirected back to the Web app.
This web app invokes the wcf Service.
Passive authentication is working fine but issue is when calling WCF service.
In ajax call for wcf service get undefined error. (namespace attribute is not getting added example
var svc = project.services.AjaxService()
where project does not include services and namespace attribute is missing which is present when same code is getting called from form authentication.
Where project.services is namespace for service class AjaxService.
And also same service is getting called using Telerik controls WebServiceSettings.
Can anyone please help me in this. what configuration setting is required and anything else need to be added?
How can i achieve both using ajax and telerik.