I'm building a web app (c#, asp.net-core-mvc) for internal use in my company. Authentication is required through user Microsoft Accounts (either through Windows Authentication or Azure, both options are working).
The issue I'm having is that I have been asked to require password confirmation when executing certain actions.
I have looked in all the documentation I could find but have not been able to find anything about this use-case.
The one thing I have found out is that it's apparently impossible with Windows Authentication since you can't log someone out.
I have been able to prompt the login page by using return Challenge();, but it loops back on the login page when you login (or shows 401 error page if you cancel), and doesn't return anything I have been able to exploit.
With Azure it also loops right back to the login page.
It would in theory be possible through Azure authentication by logging the user out and then back in, but I haven't been able to send the user back to the right page with the right information after logging back in.
So if anyone has a solution, I'm ready to try anything that uses Microsoft accounts (custom user accounts aren't really an option since it's an intranet application).
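The loop described in the question happens because the action that issued the challenge has no way to tell, once the user comes back, that the sign-in is now fresh. The standard OpenID Connect answer is to challenge with `prompt=login` and `max_age=0`, let the handler replace the cookie with the new ticket, and then check the `auth_time` claim of the returned id_token before doing the sensitive work. The following is an added example (not code from the question) for the Azure AD sign-in option; it assumes the ASP.NET Core OpenID Connect handler is registered as the default challenge scheme and that Azure AD includes `auth_time` when `max_age` is requested, as the OpenID Connect specification requires. The controller, action and 5-minute window are placeholders.

```csharp
using System;
using System.Globalization;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller; "Payroll" and its actions are placeholders.
[Authorize]
public class PayrollController : Controller
{
    // How recently the user must have re-entered credentials for a sensitive action.
    internal static readonly TimeSpan MaxAuthenticationAge = TimeSpan.FromMinutes(5);

    // Step 1: the confirmation page. If the current sign-in is too old, send the
    // user to Azure AD with prompt=login and max_age=0 and come straight back here.
    // After the callback the cookie holds the new principal, so the next GET passes.
    [HttpGet]
    public IActionResult ConfirmExport()
    {
        if (!IsFreshlyAuthenticated(User, MaxAuthenticationAge))
        {
            var props = new OpenIdConnectChallengeProperties
            {
                RedirectUri = Url.Action(nameof(ConfirmExport)),
                Prompt = "login",          // force the credential prompt even with an IdP session
                MaxAge = TimeSpan.Zero,    // require a fresh auth_time in the new id_token
            };
            return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
        }
        return View();   // renders a form that POSTs to Export
    }

    // Step 2: the action itself re-checks freshness so a stale session cannot
    // reach it by replaying the POST later.
    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Export()
    {
        if (!IsFreshlyAuthenticated(User, MaxAuthenticationAge))
            return RedirectToAction(nameof(ConfirmExport));

        // ... perform the sensitive work here ...
        return RedirectToAction("Index", "Home");
    }

    // auth_time is a Unix timestamp in seconds. Depending on the JWT claim mapping
    // in use it reaches the principal under its raw name or as
    // ClaimTypes.AuthenticationInstant, so both are checked. Missing or
    // unparsable means "not fresh", which triggers the challenge above.
    internal static bool IsFreshlyAuthenticated(ClaimsPrincipal user, TimeSpan maxAge)
    {
        var raw = user.FindFirst("auth_time")?.Value
               ?? user.FindFirst(ClaimTypes.AuthenticationInstant)?.Value;
        if (raw == null) return false;

        if (!long.TryParse(raw, NumberStyles.Integer, CultureInfo.InvariantCulture, out var seconds))
            return false;

        var authenticatedAt = DateTimeOffset.FromUnixTimeSeconds(seconds);
        var age = DateTimeOffset.UtcNow - authenticatedAt;
        return age >= TimeSpan.Zero && age <= maxAge;
    }
}
```

The GET/POST split matters: the challenge redirect always comes back as a GET, so the freshness check has to live on a GET action that renders the confirmation form, and the POST re-checks because the cookie, not the form, is what proves the re-authentication happened. Windows Authentication cannot be used this way, as the question already notes, because there is no credential prompt to force.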
I'm developing an app which requires OAuth 2.0 code authorization. So, I want to open a browser and get the access token by logging into their website. But I want to do that within my app, without opening any external browser. Can anyone help me?
The documentation for the OAuth is found here.
I Want to open a browser within an UWP app (for oAuth2 grant)
The UWP platform provides the WebAuthenticationBroker class to get the access token by logging into their website within an internal web view. And here are the detailed steps on how to use WebAuthenticationBroker. For more info, please refer to the official WebAuthenticationBroker code sample.
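The broker answer above names the class but not the flow around it. The following is an added example, not the sample the answer links to: a UWP authorization-code exchange through WebAuthenticationBroker that binds the response to the request with a `state` value and uses PKCE (RFC 7636) so the code cannot be redeemed by anyone who did not start the flow. The endpoint URIs and client id are placeholders to be replaced with the values from the API's documentation, and the broker's own callback URI must be registered as the redirect URI with the authorization server.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Windows.Data.Json;
using Windows.Security.Authentication.Web;

// Hypothetical helper; endpoint URIs and client id are placeholders.
public static class OAuthCodeFlow
{
    private const string AuthorizeEndpoint = "https://example.invalid/oauth/authorize";
    private const string TokenEndpoint     = "https://example.invalid/oauth/token";
    private const string ClientId          = "YOUR_CLIENT_ID";

    public static async Task<string> GetAccessTokenAsync()
    {
        // The OS broker's callback URI for this app (register it as the redirect URI).
        Uri callbackUri = WebAuthenticationBroker.GetCurrentApplicationCallbackUri();

        // One-time values: state ties the response to this request; the PKCE verifier
        // proves the token request comes from the party that started the flow.
        string state = Base64Url(RandomBytes(32));
        string codeVerifier = Base64Url(RandomBytes(32));
        string codeChallenge;
        using (var sha = SHA256.Create())
            codeChallenge = Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(codeVerifier)));

        var requestUri = new Uri(AuthorizeEndpoint
            + "?response_type=code"
            + "&client_id=" + Uri.EscapeDataString(ClientId)
            + "&redirect_uri=" + Uri.EscapeDataString(callbackUri.ToString())
            + "&state=" + state
            + "&code_challenge=" + codeChallenge
            + "&code_challenge_method=S256");

        // The broker shows the provider's page in a system-controlled view and returns
        // once the provider redirects to callbackUri.
        WebAuthenticationResult result = await WebAuthenticationBroker.AuthenticateAsync(
            WebAuthenticationOptions.None, requestUri, callbackUri);
        if (result.ResponseStatus != WebAuthenticationStatus.Success)
            throw new InvalidOperationException("Authorization failed: " + result.ResponseStatus);

        // ResponseData is the full redirect URL; pull out code and state and verify state.
        var query = ParseQuery(new Uri(result.ResponseData).Query);
        if (!query.TryGetValue("state", out string returnedState) || returnedState != state)
            throw new InvalidOperationException("State mismatch: response was not for this request.");
        if (!query.TryGetValue("code", out string code))
            throw new InvalidOperationException("No authorization code in response.");

        // Exchange the code; the verifier lets the server check it against the challenge.
        using (var http = new HttpClient())
        {
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "authorization_code",
                ["client_id"] = ClientId,
                ["redirect_uri"] = callbackUri.ToString(),
                ["code"] = code,
                ["code_verifier"] = codeVerifier,
            });
            HttpResponseMessage response = await http.PostAsync(TokenEndpoint, form);
            response.EnsureSuccessStatusCode();
            string json = await response.Content.ReadAsStringAsync();
            return JsonObject.Parse(json).GetNamedString("access_token");
        }
    }

    private static byte[] RandomBytes(int count)
    {
        var bytes = new byte[count];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return bytes;
    }

    // base64url without padding, as RFC 7636 requires for verifier and challenge.
    private static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Minimal query-string parser (System.Web is not available in UWP).
    private static Dictionary<string, string> ParseQuery(string query)
    {
        var result = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (string pair in query.TrimStart('?').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            string key = eq < 0 ? pair : pair.Substring(0, eq);
            string value = eq < 0 ? "" : pair.Substring(eq + 1);
            result[Uri.UnescapeDataString(key)] = Uri.UnescapeDataString(value);
        }
        return result;
    }
}
```

The state check is what makes the broker safe to use for login: without it, any redirect to the callback URI carrying a code would be accepted as the user's own authorization.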
I understand what it is that you want to do. However, what you are requesting would be a security risk for the user.
There is a reason why you can't / shouldn't do this.
By using the default web browser on the user's machine, the user can be sure that this was their browser of choice and not an internal browser in your system which they have no control over.
Second, by opening it in a browser window, the user can see the URL bar and verify that the authorization server is what they expect it to be.
OAuth window opening for Google OAuth: you can see that the server it is going to is in fact Google's authorization server.
What if this was possible?
If it was possible to request authorization from within your app, it would be very easy for you to set up a login screen to look exactly like the login for this authorization server. The user would then have no way of knowing that this was a fake login screen they were typing their credentials into.
All that being said, I am not familiar with the AniList API, but I would hope that they do not allow you to do this. Open the consent screen in the user's browser and let them know that you are concerned with their security.
I have currently implemented the code into my app from https://github.com/mattleib/o365api-as-apponly-webapp
It all works when clicking sign up; it auths the account properly, returns to the same page and allows me to load the calendar events.
My issue is that I need this to be persistent across the entire app, as my aim is to do the following.
The administrator, on initial login and/or app start-up, auths the app to Office 365.
When a user logs in they have a link to a page that will display the calendar that is configured for the page, a Resource.
I'm assuming I need to set up a token cache, but I'm not sure where in the above code sample the token is generated and returned. I think it is stored in this variable on postback, Request.Form["id_token"], but I'm unsure how to store this in a cache / make it available for the entire application.
I have seen some examples that use Session Token Caches, but if I am correct, this will require re-auth to Office 365 for each and every user and not be an app-wide auth.
I've tried searching for some samples or any pointers but can't seem to find any.
Anyone able to point me in the right direction?
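Two things are worth separating in the question above. The `id_token` in the form post is proof of the administrator's identity from the sign-in; it is not the app-only access token, and it should not be cached or reused. The app-only token comes from the client credentials grant and has no user in it, so the right cache for it is one per process keyed by resource, not one per session. The following is an added example, not code from the linked sample: a small process-wide cache that hands back a valid app-only token and refreshes it shortly before expiry, with concurrent first callers serialised so a burst of requests does not each hit the token endpoint. The `acquire` delegate is assumed to wrap whatever the auth library returns for a resource (its token string and expiry); that call is not shown.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical process-wide cache for app-only (client credentials) access tokens.
// Register a single instance for the application (a static field or a DI singleton).
public sealed class AppTokenCache
{
    public sealed class Entry
    {
        public string AccessToken { get; set; }
        public DateTimeOffset ExpiresOn { get; set; }
    }

    private readonly Func<string, Task<Entry>> _acquire;   // resource -> fresh token
    private readonly TimeSpan _refreshMargin;
    private readonly ConcurrentDictionary<string, Entry> _entries =
        new ConcurrentDictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);

    public AppTokenCache(Func<string, Task<Entry>> acquire, TimeSpan? refreshMargin = null)
    {
        _acquire = acquire ?? throw new ArgumentNullException(nameof(acquire));
        // Refresh a little before the stated expiry so in-flight calls do not fail.
        _refreshMargin = refreshMargin ?? TimeSpan.FromMinutes(5);
    }

    public async Task<string> GetTokenAsync(string resource)
    {
        if (TryGetValid(resource, out Entry cached)) return cached.AccessToken;

        // Only one refresh at a time; later callers re-check and reuse the result.
        await _gate.WaitAsync().ConfigureAwait(false);
        try
        {
            if (TryGetValid(resource, out cached)) return cached.AccessToken;

            Entry fresh = await _acquire(resource).ConfigureAwait(false);
            if (fresh == null || string.IsNullOrEmpty(fresh.AccessToken))
                throw new InvalidOperationException("Token acquisition returned no token for " + resource);

            _entries[resource] = fresh;
            return fresh.AccessToken;
        }
        finally
        {
            _gate.Release();
        }
    }

    // Drop the cached token (e.g. after a 401 from the resource) so the next call refreshes.
    public void Invalidate(string resource) => _entries.TryRemove(resource, out _);

    private bool TryGetValid(string resource, out Entry entry)
    {
        if (_entries.TryGetValue(resource, out entry)
            && entry.ExpiresOn - _refreshMargin > DateTimeOffset.UtcNow)
            return true;
        entry = null;
        return false;
    }
}
```

Because the token is application-wide, every page that calls the calendar API with it acts with the app's full permission set; the per-page "Resource" configuration in the question, not the token, is what limits which calendar a given user's page can reach, so that check belongs in the page code.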
We have 3-4 ASP.Net MVC 5 applications for which we want to implement the solution of single sign on.
Our requirements are
1. Any user trying to access any one of the applications (any page), if he has not signed in into the same or another application in the same browser, should be redirected to the login page.
2. If the login is successful, till that application is running the user should not be asked for the login credentials again.
3. If the user logs out from one application, he should log out from all other applications.
Things which may be useful while suggesting a solution.
Currently 2 applications are hosted on different domains. Other 2 applications are on subdomains
Though they are on the same server, one application can have access to database of other application but we would like to have a solution where in this direct access of db should not be required.
We would like to have a 5th application which will do the account management and also login and logout will be handled by this application
We are not just looking at a solution where authentication will be done by the identity server but we are also looking at the authorization wherein the identity server will authorize the level of access of requesting application.
Going ahead if this solution can help us take care of mobile devices as well as webservice based client access, it would be an added bonus.
We are using forms authentication in our application right now.
We have seen some examples on the internet, but we seem to be lost on some feature or the other. Either we are going wrong somewhere or we are not looking in the right direction.
Hence we are looking for an answer. Appreciate your time to read this big question.
Thanks
I'm trying to implement Office 365 Single Sign On using WS-Federation and I have built an ASP.NET MVC app according to these instructions.
It works to a degree; the user is directed to sign in to Azure AD and reaches the home page.
Some people who will use this app belong to companies who have their own custom Microsoft login pages: the user is redirected to these when they enter their email and press tab. If their login page is very customised, they then have to enter their email again. My question is this: is there a way to redirect the user to the custom login page automatically, since I already know which organisation they belong to?
I have tried changing the wsFederation homeRealm in the web.config to the organisation domain name, which ought to work but does not. It adds "&?whr=domain.org" (for example) to the end of the URL generated by the app. The reason it doesn't work is that when this URL is followed, Microsoft redirects the user to a slightly different address where they log in and the home realm (whr) parameter is lost.
Is there any way to automatically redirect to the organisation's login page? Or am I simply building the wrong type of app?
Thanks in advance,
LD.
Well, I seem to have answered my own question.
There are probably better ways, but this is what I did:
Using these instructions I created a sign in controller and passed the url of the actual login page (which is different from the url generated by the app) into the Redirect function. I added a whr parameter to this and everything redirects properly.
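The self-answer above redirects to a hand-built URL carrying `whr`. An alternative that keeps the WS-Federation middleware in charge of building the sign-in request is to pass the home realm as a property of the challenge and copy it into the outgoing message in the `RedirectToIdentityProvider` notification. The following is an added example, not the asker's controller: the `org` value is checked against an allow-list of federated domains before it is used, and the return URL is restricted to local paths so the sign-in endpoint cannot be turned into an open redirect. It assumes MVC 5 with the Microsoft.Owin.Security.WsFederation middleware; the domain names, controller and method names are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.WsFederation;

// Hypothetical controller; the allow-listed domains are placeholders.
public class SignInController : Controller
{
    // Only organisations this app actually federates with may be sent as whr;
    // anything else gets the generic Microsoft sign-in page.
    private static readonly HashSet<string> KnownHomeRealms =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "contoso.example", "fabrikam.example" };

    // GET /SignIn?org=contoso.example&returnUrl=/Reports
    public ActionResult Index(string org, string returnUrl)
    {
        // Keep the post-login redirect on this site.
        string redirectUri = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
        var properties = new AuthenticationProperties { RedirectUri = redirectUri };

        if (!string.IsNullOrEmpty(org) && KnownHomeRealms.Contains(org))
            properties.Dictionary["whr"] = org;   // read back in the notification below

        HttpContext.GetOwinContext().Authentication.Challenge(
            properties, WsFederationAuthenticationDefaults.AuthenticationType);
        return new HttpUnauthorizedResult();   // the middleware turns this into the 302
    }
}

// In Startup.Auth.cs: the middleware copies the hint into the wsignin1.0 request,
// so the browser lands on the organisation's sign-in page without retyping the email.
public static class WsFederationConfig
{
    public static WsFederationAuthenticationOptions Build(string wtrealm, string metadataAddress)
    {
        return new WsFederationAuthenticationOptions
        {
            Wtrealm = wtrealm,
            MetadataAddress = metadataAddress,
            Notifications = new WsFederationAuthenticationNotifications
            {
                RedirectToIdentityProvider = context =>
                {
                    AuthenticationResponseChallenge challenge =
                        context.OwinContext.Authentication.AuthenticationResponseChallenge;
                    if (challenge != null
                        && challenge.Properties.Dictionary.TryGetValue("whr", out string whr))
                    {
                        context.ProtocolMessage.Whr = whr;
                    }
                    return Task.FromResult(0);
                }
            }
        };
    }
}
```

Since the value of `whr` is never taken verbatim from the request, a crafted link cannot steer a user to a realm the app does not trust; the allow-list is the only source of realms.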
I'm not quite sure I understand how to integrate Facebook into my website.
What I would like to do is allow users to sign in using their Facebook credentials.
The login is easy enough - but what I don't understand is the lifetime of the login. What I'm seeing is when I login through the popup, I get logged into Facebook as well. This isn't what I would expect.
Also, when I log out of Facebook, the Facebook cookie is deleted from my website as well.
Is this the expected behavior? It seems weird that if at some point in browsing my website the user logs out of Facebook they are logged out of my site as well.
I'm working with c# and asp.net if that matters.
As I understand it, you just want to use Facebook as an easy way to log in. You're not pulling information from Facebook during the session with your app?
If that's the case, I'd keep my own authentication system but make it possible to use Facebook for logging in by claiming a user's user ID on Facebook. That way, as soon as they authenticate using Facebook, you can get the user object by Facebook ID from your local data store and use that to log in the user.
Your own (Forms) authentication system will then put your own cookies on the client for authentication, so as soon as they log out of Facebook they'll remain logged in at your site.
Whenever you log in to Facebook as part of the Graph API flow, you remain logged in. And as soon as you log out, you're also logged out of your site. That is expected.
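The answer above describes the pattern without showing the one step that makes it safe: the server must establish which Facebook user the token really belongs to before looking up the local account, rather than trusting a user id posted by the browser. The following is an added example, not the answerer's code: an ASP.NET MVC action that receives the access token from the client-side login, verifies it with Facebook's `debug_token` endpoint (checking both validity and that the token was issued to this app), maps the verified Facebook user id to a local user and issues the site's own Forms Authentication cookie. The app id and secret are placeholders, and the in-memory user lookup is a constructed stand-in for the real data store.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Mvc;
using System.Web.Security;
using Newtonsoft.Json.Linq;

// Hypothetical controller; AppId and AppSecret are placeholders.
public class FacebookLoginController : Controller
{
    private const string AppId = "YOUR_APP_ID";
    private const string AppSecret = "YOUR_APP_SECRET";

    // Constructed stand-in for the app's user store: Facebook user id -> local user name.
    private static readonly Dictionary<string, string> UsersByFacebookId =
        new Dictionary<string, string> { ["10000000000001"] = "alice" };

    // The JS SDK posts the user access token it obtained; nothing else from the
    // client is trusted. The identity is taken from Facebook's answer, not the form.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Callback(string accessToken)
    {
        string facebookUserId = await VerifyTokenAsync(accessToken);
        if (facebookUserId == null) return new HttpUnauthorizedResult();

        if (!UsersByFacebookId.TryGetValue(facebookUserId, out string userName))
            return RedirectToAction("Register");   // unknown Facebook user: link or create an account

        // From here on the site's own cookie carries the session; logging out of
        // Facebook later does not touch it.
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);
        return RedirectToAction("Index", "Home");
    }

    // Asks Facebook which app the token was issued to and which user it belongs to.
    // Both are checked so a valid token minted for some other app cannot be replayed here.
    internal static async Task<string> VerifyTokenAsync(string accessToken)
    {
        if (string.IsNullOrEmpty(accessToken)) return null;
        try
        {
            using (var http = new HttpClient())
            {
                string url = "https://graph.facebook.com/debug_token"
                           + "?input_token=" + Uri.EscapeDataString(accessToken)
                           + "&access_token=" + Uri.EscapeDataString(AppId + "|" + AppSecret);
                string json = await http.GetStringAsync(url);
                JToken data = JObject.Parse(json)["data"];
                if (data == null) return null;

                bool isValid = (bool?)data["is_valid"] ?? false;
                string appId = (string)data["app_id"];
                string userId = (string)data["user_id"];
                return isValid && appId == AppId && !string.IsNullOrEmpty(userId) ? userId : null;
            }
        }
        catch (HttpRequestException)
        {
            return null;   // treat any failure to verify as "not authenticated"
        }
    }
}
```

The app-id check is the part most often skipped: Facebook user access tokens are valid for the app they were issued to, so without it an attacker with a token a user granted to a different app could log in as that user here.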