What are the advantages of hosting your API(s) and IdentityServer4 host separately (C#, .NET CORE)? [closed] - c#

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 4 years ago.
Perhaps the question I am about to ask is very obvious and simple, but as a beginner in IdentityServer4 and more or less in OAuth2, OpenID and APIs in general, I find it quite hard to understand.
Our company's goal is to move to a more secure application building way (Visual Studio 2017, C#, .NET Core 2) using Authentication and Authorization. After some days of research I ended up with using IdentityServer4 (also because the documentation is really great).
After following the IdentityServer documentation (https://media.readthedocs.org/pdf/identityserver4/release/identityserver4.pdf) up till chapter 7, I have one question remaining.
I am trying to build a MVC application (web) with an API backend for retrieving / inserting the data so that I can later use the API for other applications, like a SPA / Xamarin application. For the IdentityServer host I went for IdentityServer with asp.net identity. I got it running and it all works great, however the following question remains:
What are the disadvantages of hosting my API, in which I want to handle Database operations, together with the IdentityServer host?
It doesn't seem logical to me to have so many different projects while (so far as I can tell) these 2 (the API and IdentityServer host) can be joined together perfectly fine.
In (almost) all the examples found of IdentityServer4, the IdentityServer host and APIs are separate projects. What are the advantages of hosting the two as separate projects?

I would say Single Responsibility.
Treat it like this - Identity Server is a framework that provides you the authentication against your clients/APIs. That's it! (Of course this is all done based on your rules, policies etc.)
It is not Identity Server's purpose to add/edit/delete users from your database. It is not Identity Server's purpose to give roles to these users.
And most important - it is not Identity Server's purpose to authorize these users.
All these must be done in your clients/APIs.
In your case - you need a separate API that will take care of the users (and other data that you need), but I guess that you want this API to be protected by Identity Server.
This is where the separation comes and should be kept - Identity Server should not authenticate its own API against itself.
There is a reason that all the examples, articles, etc. use separate projects.
PS: Of course there are some examples of achieving this (damienbod's one is good).
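The split described in the answer above, as an added example (not code from the original answer or from the IdentityServer4 project): a separately hosted ASP.NET Core 2 API that only validates tokens issued by the IdentityServer host and makes its own authorization decision. The authority URL, the audience `api1`, the scope `api1.write` and the policy name are assumed values.

```csharp
// Startup.cs of the API project, deployed separately from the IdentityServer host.
// All names and URLs below are hypothetical and chosen for illustration.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Authentication: the API never sees passwords or the user store.
        // It only checks that the bearer token was issued by the trusted authority.
        services.AddAuthentication("Bearer")
            .AddJwtBearer("Bearer", options =>
            {
                options.Authority = "https://identity.example.com"; // assumed IdentityServer URL
                options.Audience = "api1";                          // assumed API resource name
                options.RequireHttpsMetadata = true;                // fetch signing keys over TLS only
            });

        // Authorization stays in the API: the token says who is calling,
        // this policy decides what that caller may do here.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("CanWriteOrders", policy =>
                policy.RequireClaim("scope", "api1.write"));        // assumed scope name
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must run before MVC so [Authorize] sees the user
        app.UseMvc();
    }
}

[Route("api/orders")]
public class OrdersController : ControllerBase
{
    [HttpGet, Authorize]                           // any valid token for this API
    public IActionResult Get() => Ok(new[] { "order-1", "order-2" });

    [HttpPost, Authorize(Policy = "CanWriteOrders")] // valid token plus the write scope
    public IActionResult Post() => NoContent();
}
```

Because the API holds no signing keys and no credentials, a compromise of the API process does not by itself expose the material needed to mint tokens for other clients.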

Related

What is the Difference Between Blazor.Server and Asp.Net Web API? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 2 years ago.
Blazor is one of those technologies that has me really excited to get started with. I am an experienced Asp.Net MVC and Web API (.Net Framework. not Core) developer. My first app that I am creating in Blazor is a PWA Web Assembly App with Individual User Accounts Hosted on Asp.Net Core using .Net 5.0. I've chosen to go the hosted route mainly because I want the Asp.Net Identity User Store functionality.
In my newly constructed Blazor Core Hosted Wasm PWA I have three projects.
App.Client
App.Server
App.Library
App.Server in many ways functions like an Api but it is different. One of those differences as far as I can tell is how it authenticates with App.Client. My question is two-fold in the fact that I want to know if other technologies/ clients like Xamarin.Forms can integrate with Blazor's App.Server... or can only Blazor Clients?
Second Question is that App.Server "seems" like an Api... but it is not. What are the differences specifically?
Blazor is designed to be used with html and create web content delivery applications. A Web API project has the similarities you've noted because they both exist as a content delivery service via web server. The difference is in the content you're delivering. Blazor is made for web pages, while an API project enables you to deliver data via REST endpoints.

Is Owin/Katana supposed to replace Web API? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 6 years ago.
When ASP.NET MVC came, Microsoft announced many times in many places that it wasn't supposed to replace ASP.NET Web Forms. In other words, it's just another technology that you might find useful, or you might use Web Forms in other scenarios.
However, as companies enter into the market, they can't have a jungle of technologies, because that's too expensive. They usually select a mature technology, stick to it, build on it and extend it and reuse elements in it to reduce costs.
Now we're trying to decide to move to Owin/Katana from Web API. We just wonder if it's OK that we move 100% to Owin?
The reason I'm asking this question is because we've created a very rich codebase for Web API, including streaming, compression, authentication, normalization of UGC, support of I18N & L10N, and more.
If we want to move to Owin, we need to re-create these facilities/utilities again for Owin, because its architecture is different from Web API.
We want to move to Owin, because it's faster, lighter, self-hosted server, and seems to be the future of service technologies from Microsoft.
Is it safe for us to move to Owin completely and imagine a future in which all of our services are delivered through Owin, and we discontinue using Web API?
OWIN is just a specification, nothing more. It describes a common interface that servers and applications can both use, so that applications don't need to be tightly coupled to servers.
Katana was the first step towards decoupling ASP.NET from IIS. Work on Katana has stopped now, according to the official roadmap. The ideas and technologies developed for Katana have made their way into the next version of ASP.NET (ASP.NET Core).
It rarely makes sense to build applications on top of OWIN itself, because you're operating at the lowest level of abstraction above HTTP (literally dealing with raw requests and responses). That's usually only necessary if you are building middleware components that need low-level access.
In other words: you shouldn't rebuild your application on OWIN, because you'd be spending a lot of time reinventing all of the stuff already in ASP.NET.
ASP.NET Core is the next evolution of ASP.NET and Web API. It has all the things you mentioned: it's fast, lightweight, and can self-host. If you need to rebuild your architecture, do it on ASP.NET Core.

Restful service with WebAPI and MVC as client architecture [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
I am building a restful web service api using ASP.NET WebAPI. I'll be consuming it with MVC as a web application and eventually in a mobile app. I want to make the api standalone and not couple it with the MVC application.
I am having trouble figuring out how the authentication should be structured. I need the API to be consumable only from specific sources (the web app and the mobile app). However, I don't know how to link the authentication in the WebAPI with the MVC one. New users should register in the MVC and their auth info should be supplied to the WebAPI. I'm using the Individual accounts Identity system for the project.
In short, how to use the same authentication for both the Api and the Client? Should they be deployed to the same domain?
I recently did something similar.
I think you have 2 issues here:
You want to only accept Web API requests from known sources.
You want to authenticate the user.
For number 1:
You want to add authentication to the Web API request. This could be basic authentication, but it shows the call is coming from a known application. By using this, you know where the call is coming from. Despite what you read, Basic Authentication is OK, but only if the call is over a TLS (HTTPS) connection. Otherwise the call could be seen and the authentication could be used in a replay attack.
For number 2:
You could have a method that the user can call, such as a login request, where the user can be authenticated and, if successful, issue them with a token. JWTs (Javascript Web Tokens) are one token that you can use. Then the token can be sent with each subsequent call. However, please bear in mind that they can be a pain to use!
It depends on how tight your security needs to be. It might be that basic authentication, along with TLS might be enough for you.
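The two points of the answer above, as an added example (not code from the original answer): a Basic header is only base64, so anyone who can read the request recovers the credentials and can reuse them indefinitely, while a signed token with an expiry stops validating after its lifetime. The token format here is a simplified HMAC-signed string, not a full JWT, and the credentials, key and names are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class AuthDemo
{
    // Basic auth is an encoding, not encryption: decoding needs no secret.
    public static string DecodeBasic(string headerValue)
    {
        string encoded = headerValue.Substring("Basic ".Length);
        return Encoding.UTF8.GetString(Convert.FromBase64String(encoded));
    }

    static string Sign(string body, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(body)));
    }

    // Token layout (simplified): "<user>|<unix expiry>.<base64 HMAC-SHA256>"
    public static string Issue(string user, DateTimeOffset expires, byte[] key)
    {
        string body = user + "|" + expires.ToUnixTimeSeconds();
        return body + "." + Sign(body, key);
    }

    public static bool Validate(string token, DateTimeOffset now, byte[] key)
    {
        int dot = token.LastIndexOf('.');
        if (dot < 0) return false;
        string body = token.Substring(0, dot);
        byte[] expected = Encoding.UTF8.GetBytes(Sign(body, key));
        byte[] actual = Encoding.UTF8.GetBytes(token.Substring(dot + 1));
        int diff = expected.Length ^ actual.Length;          // constant-time comparison
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        if (diff != 0) return false;                         // tampered or wrong key
        int bar = body.LastIndexOf('|');
        long exp;
        return bar >= 0 && long.TryParse(body.Substring(bar + 1), out exp)
            && now.ToUnixTimeSeconds() < exp;                // a replay after expiry fails
    }

    public static void Main()
    {
        // Constructed sample credentials and key.
        string header = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("webapp:s3cret"));
        Console.WriteLine(DecodeBasic(header));
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");
        DateTimeOffset now = DateTimeOffset.UtcNow;
        string token = Issue("alice", now.AddMinutes(5), key);
        Console.WriteLine(Validate(token, now, key));                 // within lifetime
        Console.WriteLine(Validate(token, now.AddMinutes(10), key));  // replayed after expiry
    }
}
```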

Xamarin + ASP WebAPI + ASP MVC - which architecture is best? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 7 years ago.
I have not found an answer to my question, so I opened this topic.
I want to develop a project.
Database:
Either Couchbase or SQL Server (right now it is not important, but I think it will be Couchbase)
Website:
ASP.NET MVC + Angular etc. - Simple Website
Web API:
ASP.NET Web API
**Mobile Application (this is the hard side for me)**
I'm a good C# developer, which is the reason why I want to write the application with Xamarin.
If it's a bad idea, tell me (and tell me WHY IT IS A BAD IDEA).
If it is a good framework, I have a few questions:
1) How to work with the API
2) Or do I need to write a service (like WCF) for each platform (iOS, Android, WP) = (3 services?)
3) Which way is better for authentication (I want to give the user the option of registration by FB, Google, What's Up, etc...)
I don't know, maybe you can give me links to good topics, or to the same question here (I have not found one).
Or maybe you can give me the name of a good course on Lynda or Pluralsight?
Thank you.
With ASP.NET Web API you can make a REST web service working through HTTP protocol. Any platform which supports HTTP protocol, can consume your web service.
You need only one web service for all platforms.
In current ASP.NET Web API version, you can use ASP.NET Identity which supports local account and external account through OAuth.
For example, this post shows how to consume an ASP.NET Web API in Android. And this one is about how to use an external account for authentication. There are some more posts in that blog discussing ASP.NET Web API; just spend some minutes flying over it and you'll find some useful info.
I have no experience with Xamarin so I can't say anything about it. I write mobile apps in their native platforms (Android with Java, iOS with Objective C++).

WCF Service or Web API [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 3 years ago.
I'm going to be working on a project that involves a number of elements:
ASP.NET MVC website
C# console application
iPhone App
To get all these separate applications talking to the database, my immediate thought was to use a WCF Service.
However, I now need to add an API to the site to allow third parties to select, insert and update records from their own applications.
In my mind, I would just create a separate RESTful service endpoint on my WCF Service which would be locked down using authentication and would only give access to certain methods.
However, I've been reading today about the Web API feature in MVC 4 which is meant to be the latest thing for RESTful APIs?
Should I be going along the line of using the Web API? or because my other applications need a web service, should I stick with a WCF Service?
If you intend to do RESTful development then you will definitely want to use the ASP.Net Web Api (which was originally called WCF Web Api and created with the goal of "Making REST a first class citizen in .NET").
Another thing to consider is that the WCF REST Starter kit is no longer supported.
Note that using Web Api doesn't mean you have to use ASP.Net MVC or IIS even as it can be self hosted.
For handling operations which are non-CRUD in nature I'd recommend Googling "REST non-CRUD". I found this blog post RESTful URLs for non-CRUD operations (and particularly the comments interesting). If you decide you NEED to have RPC calls then those may have to be done with WCF. That said since WCF REST is being killed off I'm not sure what the best solution is going to be. Having both is probably the best answer but at the same time it's not necessarily a good answer.
Another alternative would be a WCF OData Service but I'm not sure if that gets any support from an iPhone.
One last point to make (that can be deleted in the future as this is time sensitive)
Microsoft has provided a Go Live license with the beta, which means that it is supported by Microsoft and you shouldn't have any problems upgrading to the final RTM.
Service Stack also looks like an option.
Demos, overview and examples are available here.
There's no right answer here. You can certainly do fairly well with a WCF RESTful service. Or you could use ASP.NET MVC. Both are perfectly valid, and both have strengths and weaknesses.
Ultimately, I'd suggest you go with whatever feels the most maintainable to you.
I would like to note that MVC 4 is in beta, so watch out for bugs and don't go live until it's out of beta.
Since you are going to create an ASP.NET MVC web site, it would be quite comfortable to use ASP.NET Web API also because programming model is very similar and those solutions are more or less integrated with each other.
I would be inclined to look at what has the best support on all platforms that you are going to use; I suspect the iPhone app may end up driving your choices.
If it was pure .net I would still tend to lean towards a SOAP service - it is not considered cool these days but it generally will do what you need on most platforms without having to roll custom solutions.
EDIT
ASP.NET Web API means that .NET now provides a great framework for developing a restful API, I revise my answer to say that I would now lean towards this - progress is great!
I have the same question.
In the MSDN site,
http://msdn.microsoft.com/en-us/library/jj823172(v=vs.110).aspx
Found a video tutorial where they said that for machine consumption, like iPhone or web app clients of JSON or XML, Web API is the recommended option. It's around the last part of the video.
While for more complex machine-to-machine communication WCF is preferable.
http://channel9.msdn.com/Series/Building-Web-Apps-with-ASP-NET-Jump-Start/Building-Web-Apps-with-ASPNET-Jump-Start-04-Building-a-Service-Layer-with-ASPNET-Web-API
Here is a screenshot from their presentation.
