I have a react-native app, a web api written in asp.net C# and a web app where I used forms authentication from asp.net. It checks the username and password stored in my db and sets a cookie.
What is the type of authentication I should follow?
Can I use the same forms authentication in react-native? If yes, what's the approach?
I want all the api calls to be made by authenticated users only. If not authenticated, then send back to the login screen.
You should follow token-based authentication; you can read more here.
Form authentication in react native, as in any standard native mobile or web application, works the following way:
User types in his credentials in the application form.
Your application takes his input data and sends it to a server to check the validity.
If the credentials are valid, the server sends a unique TOKEN which you have to save in memory for additional usage. This also means the user has successfully authenticated.
In every subsequent HTTP request, you have to pass the TOKEN the server sent before. On every request, the server checks the TOKEN's validity; if it's valid, the server sends data, otherwise not.
You have to set up your application state where you store user information. For example, once your server returns a TOKEN, you change your user's state to { loggedIn: true }. Based on that value, you can navigate the user to the corresponding screens such as Login or the in-app dashboard.
You can also check https://auth0.com/
We are looking into a way to request a JWT token from ADFS 2016 via a webservice call by sending a user UID, which is stored in a database or in AD LDS. The token should contain the full domain username as a claim. A C# service would request the token without user GUI interaction (UID provided by an ID card), and then forward it to an intranet web application.
Is this possible with OAuth 2.0 or WS-Trust 1.3 in ADFS 2016, and what steps would be involved?
Right now I have tried using OAuth 2.0 (HTTP POST to /adfs/oauth2/token), but haven't been able to correctly configure ADFS (application groups, relying parties, ...) or send the correct HTTP parameters to even get a token by providing username/password.
It would be great if somebody could point me in the right direction.
EDIT
A more detailed description of what we want to achieve:
The goal is to create a Windows service which handles NFC card login and sends a JWT with user information to arbitrary web applications.
C# Windows service reads the card UID from an NFC card reader.
Windows service requests a JWT from ADFS by providing the card UID. That can be OAuth or WS-Trust, whichever works.
ADFS looks up the card UID in a confidential database. The database entry also contains the username. It could then further enrich this data by finding the domain user in ADLDS.
ADFS creates a token containing at least the domain user name and sends it back to the C# Windows service. No user interaction with ADFS login screens required.
Windows service receives the token and forwards it to a preconfigured web application login handler.
Web application validates token signature and handles login.
The credential in this case would solely be the card UID. Is this possible with ADFS? If not, my backup plan would be to create the token directly in my windows service.
I am building an app using Xamarin in C#. My app can do the following:
1.) Display Google+ Login UI.
2.) Authenticate User and retrieve the access token.
3.) Use the access token to retrieve the User's sensitive information from Google.
4.) Takes this information (email, picture, name, etc.) and stores it in my database on a server using JSON and https.
5.) Returns that storing it was a success and application can continue.
What I am missing is when a user opens the app again, how can I authenticate them without them having to open up the login page again? I'm a bit confused, as they are authenticated via the Google+ API and have no password. I was thinking of doing the following:
1) Storing the token in the database as the password (hashed and salted obvs!)
2) Storing the token + email on the phone.
3) On logging into the app, it asks the server if the token and email match; if so, information is then passed from server to app and the app continues.
Just a bit confused and I would like to do this properly without cutting corners!
J
I have already created a form authentication application. I had User table and created a custom membership provider. My user table has relations with other tables such as roles and permissions.
I changed that to work using Windows Authentication. It looks easy, but I have no clue how to still be able to read permissions from my tables. Some tables are related to the User table and require a user id; what should I do here? Should I break the foreign key?
If a user is accessing the page from the LAN, s/he should get logged in automatically, but if they access the application over the internet, I should allow them to log in? How do I do this? What passwords should they use to log in (Active Directory or my User table)?
I hope I get simple and easy answers.
Regards
In your controllers you can use User.Identity.Name to get the user's AD username. You can then add a field to your users table called ADUsername (or update the values in the existing username field) so that you can link the logged-in user to the existing user record in your database.
You don't have to do anything; if the user is accessing it from an external network or any machine that is not on the domain, the browser will pop up a username/password prompt.
If you use Windows authentication, the user is going to be prompted for credentials just to access your site. You won't be able to prevent that. They won't even get to your code until they are authenticated.
We've done similar things using SSO (single sign-on), though I've never tied it to Windows authentication. The idea would be that you have two apps that share user credentials and, if you are logged into one, you are logged into the other. The first app would be your normal application which supports forms-based authentication. The second would be an app that only does Windows authentication and then, upon successful login, redirects to your normal application. Since you're already authenticated, the normal application simply creates its standard authentication cookie and takes you to the main page of the application.
Typically these work by passing a token in the URL which you can then redeem via a back channel to the SSO server (or, in your case the Windows authentication server) to confirm that the token is authentic. The response to the back channel call contains the user name and other pertinent details if the token is successfully redeemed.
A sketch of the process might look like:
GET request to protected action on site.
If not authenticated, redirect to login site without token
Your login site contains both a forms-based login form and a link to the Windows authentication url
User clicks the Windows authentication url
Windows authentication site authenticates, creates a one-time use token in DB for user, and redirects back to your login action with token
Your login action redeems the token via back channel WebRequest to the Windows authentication server.
Windows authentication server validates the token, marking it as used, then returns the username to your login action.
Your login action creates standard forms authentication cookie and continues as normal.
We have a client application running on each user's computer that has a link to the associated web application.
A recent requirement is that if the user is logged in on the client application, they should be able to click the link and be automatically logged in on the web application.
Our web application is encrypted using SSL. Our client application is in Silverlight.
Is there a way to achieve this securely?
Our first naive thought was simply to embed the username and password in the url for the site, but obviously this is not secure because it is visible in the history and via the back button.
Attempt two involved simply converting the password segment into Base64 so as to obscure it from view and trusting the SSL to encrypt it.
I'm still not happy. Ideally we would want to use some sort of time based token that expires within minutes of being used.
Where do we start?
If this becomes overly complicated (special hardware) or requires the user to do anything other than click the link-button then the feature will be dropped.
Perhaps you could make an authenticated web service call from the client application to the web application to obtain a token when the user clicks on the link, and then append the token to the querystring? Then the user is logged into the web application using the token, which is then immediately invalidated (valid for one-time use only).
This webservice is written in C#, and I want to use an OpenID to authenticate.
This authentication request will be called by a WPF and an asp.net application.
The webservice will then try to authenticate against the OpenID server, and in this case I use OpenID-LDAP software.
The big problem is how to use OpenID without showing the web page to login (the webservice is who is going to inform user and password)?
Open ID will, by design, not work here ... because it works by delegating the authentication to another party (when it shows the open ID provider's website to let the user log in). What you probably want to do is authenticate the user once in your WPF app, and then set up some sort of authentication token between your app and the webservice.