I have the following setup.
2 mobile apps communicating with an asp.net web api 2 project and they use Token Authentication. Each mobile client stores the token client side, never username and password.
I then have my web portal hosted on an asp.net mvc 5project which uses standard cookie authentication.
Now in some cases my mobile apps needs to load webpages from the mvc 5web portal. For example our payment gateway page. But the client needs to be authenticated in order to load this page.
At the moment when we show the user a web wrap of out web portal. It asks them to login again. This is very bad UX.
How can I authenticate the client on the MVC site, using my web api Token
I'm imagining a function like this in the MVC site:
pubic Action LogInWithToken(String token)
{
var user = GetUserFromToken(token);
var isAllowed = AuthenticateUserFromToken(user,token);
if(!isAllowed) return 401;
return CreateCookieForUser(user);
}
Is the Web Api 2 application hosted in the same machine as the MVC 5 application?
If they are, you can manually deserialize the token to get the id of the user. See Extract User details from web api auth token in MVC.
From there, you can sign in the user in CookieAuthentication automatically.
If they are hosted in different machines, however, you would have to specify the same machine key in the projects' Web.Config files.
Related
There is a asp.net webapp with angular frontend and asp.net web api2 backend. Here goes the URL details :
Web App: https://www.testapp.com
Web API: https://www.testapp.com/services/api
Azure AD with OpenIDConnect (authorization code flow) https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp has been used to implement authentication.
Since both web app and the web api are considered as single app in this case, hence there is only one registration done in Azure AD with Redirect URI : https://www.testapp.com
Is is possible that cookies generated as part of Azure AD login flow for the Redirect URI: https://www.testapp.com gets excluded whenever there is a call made to the web api: https://www.testapp.com/services/api
When I navigate to the URL:https://www.testapp.com using browser, in that case Azure AD login flow gets triggered but now if I try to navigate to the URL: https://www.testapp.com/services/api/test/method I don't see the Azure AD login flow getting triggered.
Can anyone help me here how to fix this issue.
I'm currently trying to work out the best way to handle authentication for a new external web application and web service application using ASP.NET Core. Here is the general setup:
Username/password is stored in SQL Server database
Web application ONLY makes call to web service
Web service (Web API) makes calls to database and returns data to web application
So the idea is that the user logs in once and using the built-in cookies authentication provider will stay logged in. However, I want to pass that authentication token or whatever to the web service application and have whatever it does run under the appropriate security context for that user. I've looked for examples that resemble this design but haven't found a good one. Could anyone make any high-level recommendations or point me to some helpful resources on how I can achieve this design?
Take asp.net core MVC and web api as an example, put the login page in the web application. Put cookie authentication in web api. After the user logs in, it applies for a token through the web api, and the token will be stored in the cookie cache of the browser.
Here is the cookie configuration. In Startup.cs (web api).
services.AddAuthentication("scheme")
.AddCookie("scheme", options =>
{
options.Cookie.Name = "authname";
});
If the token is successfully applied, it will be written in browser.
Then I add a action that gets the cookie tocken.
[Route("getTocken")]
public string getTocken( )
{
string cookie ="";
HttpContext.Request.Cookies.TryGetValue("authname", out
cookie);
return cookie;
}
This is the result.
This cookie tocken could be saved in session for maintaining state.
I'm building an ASP.NET Core web service that I would only like a few specific applications to access. I know Web Api's typically use Bearer Tokens for authentication. But the examples I see all send a username and password.
Is the same method of token authentication typically used for authorizing specific applications?
But instead, the application sends its client ID and password instead of username and password?
I have an AngularJS Single Page Application (SPA) hosted by an ASP.NET MVC application.
The back-end is ASP.NET Web Api.
I would like to protect it against CSRF attacks by generating an AntiForgeryToken in the ASP.NET MVC part, pass it to AngularJS, and then have Web Api validate the AntiForgeryToken received from the subsequent AngularJS calls.
However MVC App is hosted on A Server where as webApi is hosted on B Server
Updated from link: AngularJS Web Api AntiForgeryToken CSRF
Story I would like to execute
Story:
User visits via browser.
Server generates token call it TokenA for anonymous user and save it to Database.
Ques: Where i can do this, global.asax or other? However it would be great if i will generate token by SoapBased or Rest Based APi using other Custom Business Library and MVC doesn't have an access of C# library but web api do have
User will do operations like login, signing up using this token.
this token will authenticate using DB. via WebAPi hosted on different server and AngularJs
If valid then do login validation or signup validation process
Once validation done, user can login.
Once user login, Server generates other role based token call it TokenB i.e for users and specific user based token, call it TokenC.
with this token, user will do other operations.
However, user will be validated with the tokenA, TokenB and TokenC.
and what type of method i can use to generate these three types of tokens?
Requirement:
1. it is for scalable web app.
2. I would like to store sessions in separate db
What I have: 1 DB and 1 WebServer on godaddy
I have a Windows Service running a Web API hosted as a OWIN middleware - the server. The API uses application cookie authentication and validates users against a database, using OWINs identity model. Now I would like to authenticate a user who accesses the API through a standard MVC web application (the client), but I'm unsure how to achieve this, e.g. after I received a response along with the cookie from the API, where do I have to store it inside the MVC application so that the cookie will be automatically sent along with further API calls.
You won't need to. Cookies are stored by the client's browser, and are sent to the web server with every request on the same domain name. Each subdomain will have its own sandbox for cookies. The main domain's cookies can be accessed by all subdomains.
MVC application will store it in the users browser the cookie. If you need to find an alternate way to achieve it, why not try localstorage. You can then send the authorization token with every request header using your Ajax calls. If you are interested in an Angular Application, here is an excellent tutorial that should help clarify a lot of question.