Token based authentication - Angular 2 + ASP.NET MVC/WebAPI + C# [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
I have created a token in a class library using C# and created a method for token generation in a Web API controller.
I don't know how to implement that token and create authentication in Angular 2 because I'm new to Angular 2.
If someone has a useful example or link, feel free to put it in the comments.
Thanks!

The basic flow is this:
1) The user enters valid credentials at the auth server (could even be Facebook or Google).
2) The server returns some token with an expiry date and info (e.g. user id, scopes, etc.).
3) The client makes requests to your API/server with that token, usually in a header.
4) Your application validates that the token is valid, i.e. not expired, or you can also make a call to the issuing server to make sure it's valid and get more info about the user.
5) If it's valid, proceed with the flow; else force the user to log in again, going back to step 1.
As you can see, most of the logic is actually on the server; I'm not sure what the issue is with AngularJS. Maybe you can have logic in the AngularJS routing so that any time the server returns 403 you re-route to the login page.
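The server side of that flow, as an added example that is not part of the answer above: the API issues a signed token carrying the user id and an expiry, the client sends it in the Authorization header, and every request validates the signature before the expiry. It assumes .NET 6+; the token layout (userId.expiry.hmac) is this example's own, not a standard, and the key is generated at startup only so the sample runs stand-alone. An invalid or expired token is answered with 401 here, which the client-side routing can treat the same way as the 403 mentioned above.

```csharp
// Added example, not code from the question or answer: the five-step flow
// above with a minimal server-issued token. Assumes .NET 6+; the token format
// (userId.expiry.hmac) is this example's own, not a standard.
using System;
using System.Security.Cryptography;
using System.Text;

public static class TokenService
{
    // Assumption: in a real deployment the key comes from protected configuration;
    // a random key is generated here only so the sample runs stand-alone.
    private static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);

    // Step 2: after the credentials check succeeds, issue "userId.expiry.signature".
    public static string Issue(string userId, TimeSpan lifetime)
    {
        if (userId.Contains('.')) throw new ArgumentException("userId must not contain '.'");
        long exp = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        string payload = $"{userId}.{exp}";
        return payload + "." + Convert.ToHexString(Sign(payload));
    }

    // Step 4: verify the signature first, then the expiry; nothing in the token
    // is trusted before the signature has been checked.
    public static bool TryValidate(string token, out string userId, out string reason)
    {
        userId = null;
        reason = null;
        string[] parts = token.Split('.');
        if (parts.Length != 3) { reason = "malformed"; return false; }

        byte[] provided;
        try { provided = Convert.FromHexString(parts[2]); }
        catch (FormatException) { reason = "malformed"; return false; }

        byte[] expected = Sign(parts[0] + "." + parts[1]);
        if (!CryptographicOperations.FixedTimeEquals(expected, provided))
        {
            reason = "bad signature";   // tampered payload, or not signed with our key
            return false;
        }
        if (!long.TryParse(parts[1], out long exp) ||
            DateTimeOffset.UtcNow.ToUnixTimeSeconds() >= exp)
        {
            reason = "expired";
            return false;
        }
        userId = parts[0];
        return true;
    }

    private static byte[] Sign(string payload)
    {
        using var hmac = new HMACSHA256(Key);
        return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
}

public static class ProtectedApi
{
    // Steps 3 and 5: the client sends "Authorization: Bearer <token>"; an invalid or
    // expired token gets 401 so the client-side routing can send the user back to login.
    public static (int Status, string Body) Handle(string authorizationHeader)
    {
        const string scheme = "Bearer ";
        if (authorizationHeader == null || !authorizationHeader.StartsWith(scheme, StringComparison.Ordinal))
            return (401, "missing bearer token");
        string token = authorizationHeader.Substring(scheme.Length).Trim();
        return TokenService.TryValidate(token, out string userId, out string reason)
            ? (200, $"settings for {userId}")
            : (401, reason);
    }
}

public static class Program
{
    public static void Main()
    {
        string token = TokenService.Issue("user42", TimeSpan.FromMinutes(15));
        Console.WriteLine(ProtectedApi.Handle("Bearer " + token));                               // valid
        Console.WriteLine(ProtectedApi.Handle("Bearer " + token.Replace("user42", "admin")));   // tampered user id
        Console.WriteLine(ProtectedApi.Handle("Bearer " + TokenService.Issue("user42", TimeSpan.FromSeconds(-1)))); // expired
        Console.WriteLine(ProtectedApi.Handle(null));                                            // no header
    }
}
```

The order of checks matters: the constant-time signature comparison runs before any field of the token is parsed, so a forged expiry or user id never influences the outcome.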

Related

How can I implement an additional layer of expiring-token-based authorisation in ServiceStack? [closed]

Closed 2 years ago.
We have a mobile app with ServiceStack-based cookie authentication. The app stores the user's login cookie and keeps itself logged in if the user so desires.
We have a 'Purchase PIN' feature in the app - the user can set a PIN and require it to be entered every time they make a purchase. The intention is to guard against purchases being made on a stolen or mislaid unlocked phone.
The app has a settings/configuration view in which, amongst other things, the user can set and turn on and off the purchase PIN. We therefore need to force the user to re-authenticate to be able to edit their settings.
Our thinking is that when the user tries to enter the settings page:
1) The app requires the user to re-authenticate with their password.
2) In response, the API issues a token back to the app. The token represents some secret that only the API knows, plus the user ID, plus an expiry timestamp in the near future.
3) All user-settings-related API calls require a valid token to be sent in the request.
4) The API validates that the token was issued for the same user, and checks that the timestamp is still good.
5) If the API finds that the token isn't valid or has expired, it responds with a signal that the UI should have the user re-authenticate to obtain a new token before continuing.
This all has to live outside / alongside the existing ServiceStack cookie authentication (reworking our current auth layer is outside scope and timeline for various reasons).
What's the best practice for implementing this additional level of security in ServiceStack?
You may want to look at the WebSudoFeature plugin, which allows a privileged protected Service to force the user to re-authenticate in order to be able to access Services annotated with [WebSudoRequired].
As for the expiring token, I'd implement that as a separate app-layer security feature passed as a Request DTO property into your Service instead of trying to integrate it with ServiceStack's top-level authentication.
For its implementation you could create a JWT token manually which you could validate in your app, or you could generate a DB entry with a UUID/Guid PK that contains the expiry, as you may want this to maintain audit info (e.g. time/IP) when these PIN-authorized tokens are used, rather than using a stateless token without any audit history.
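The "DB entry with a Guid PK" variant from the answer above, as an added example that is neither the asker's nor ServiceStack's code: the step-up token is issued after the password re-check, travels as a property of the request DTO (separate from the cookie session), is validated against the session's user id and its expiry, and every use is written to an audit log with time and IP. A ConcurrentDictionary stands in for the database table; the DTO, class and result names are assumptions.

```csharp
// Added example, not the asker's or ServiceStack's code: an expiring step-up
// token stored server-side under a Guid primary key, with an audit record of
// every attempted use. The in-memory dictionary stands in for a DB table.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

public enum StepUpResult { Ok, UnknownToken, WrongUser, Expired }

// One row per issued token; AuditLog records each attempt to use it.
public sealed class StepUpTokenRow
{
    public Guid Id { get; init; }
    public int UserId { get; init; }
    public DateTime ExpiresUtc { get; init; }
    public string IssuedFromIp { get; init; }
    public List<string> AuditLog { get; } = new List<string>();
}

// Hypothetical request DTO for a settings call: the token is a plain property,
// independent of the existing cookie authentication.
public sealed class UpdateSettingsRequest
{
    public Guid? PinToken { get; set; }
    public bool PurchasePinEnabled { get; set; }
}

public sealed class StepUpTokenStore
{
    private readonly ConcurrentDictionary<Guid, StepUpTokenRow> _rows = new();
    private readonly TimeSpan _lifetime;

    public StepUpTokenStore(TimeSpan lifetime) => _lifetime = lifetime;

    // Called only after the password has been re-verified (that check is not shown).
    // Guid.NewGuid() is a random (version 4) id, so the id itself is the secret.
    public Guid Issue(int userId, string clientIp)
    {
        var row = new StepUpTokenRow
        {
            Id = Guid.NewGuid(),
            UserId = userId,
            ExpiresUtc = DateTime.UtcNow.Add(_lifetime),
            IssuedFromIp = clientIp,
        };
        _rows[row.Id] = row;
        return row.Id;
    }

    // Every settings-related call goes through here: the token must belong to the
    // user of the current cookie session and still be within its lifetime. Each
    // attempt, successful or not, is appended to the audit log with time and IP.
    public StepUpResult Authorize(Guid? tokenId, int sessionUserId, string clientIp)
    {
        if (tokenId is null || !_rows.TryGetValue(tokenId.Value, out StepUpTokenRow row))
            return StepUpResult.UnknownToken;

        StepUpResult result =
            row.UserId != sessionUserId ? StepUpResult.WrongUser :
            DateTime.UtcNow >= row.ExpiresUtc ? StepUpResult.Expired :
            StepUpResult.Ok;

        lock (row.AuditLog)
            row.AuditLog.Add($"{DateTime.UtcNow:O} ip={clientIp} result={result}");
        return result;
    }

    public IReadOnlyList<string> AuditTrail(Guid tokenId) =>
        _rows.TryGetValue(tokenId, out StepUpTokenRow row) ? row.AuditLog : new List<string>();
}

public static class SettingsService
{
    // Anything other than Ok is returned as a signal the UI maps to "re-authenticate and retry".
    public static string Update(StepUpTokenStore store, UpdateSettingsRequest req, int sessionUserId, string clientIp)
    {
        StepUpResult check = store.Authorize(req.PinToken, sessionUserId, clientIp);
        if (check != StepUpResult.Ok) return $"reauth_required ({check})";
        return $"saved: PurchasePinEnabled={req.PurchasePinEnabled}";
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new StepUpTokenStore(TimeSpan.FromMinutes(5));
        Guid token = store.Issue(userId: 7, clientIp: "203.0.113.10");   // constructed sample values

        Console.WriteLine(SettingsService.Update(store, new UpdateSettingsRequest { PinToken = token, PurchasePinEnabled = true }, 7, "203.0.113.10"));
        Console.WriteLine(SettingsService.Update(store, new UpdateSettingsRequest { PinToken = token }, 8, "198.51.100.5"));   // another user's session
        Console.WriteLine(SettingsService.Update(store, new UpdateSettingsRequest { PinToken = Guid.NewGuid() }, 7, "203.0.113.10")); // never issued
        foreach (string line in store.AuditTrail(token)) Console.WriteLine(line);
    }
}
```

Because the token is looked up rather than decoded, it can be revoked by deleting the row, and the audit trail shows from which IP and at what time each privileged call was attempted, which is the property the answer points out a stateless JWT would not give you.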

Creating a webserver in C#, but use Firebase Authentication [closed]

Closed 2 years ago.
We have developed a web service application using WebAPI C#. We want to change our authentication method to Firebase. So our client applications could log in using Firebase authentication, then with that authentication have access to our C# web service.
Are there any libraries developed for this method? I have seen libraries, but they are meant to be used in a C# client application, not in a server-side application.
This is in fact a well supported scenario. After the user signs in to Firebase Authentication on the client, you'll want to pass their ID token to your web service over a secure connection. Your server can then decode and verify the ID token, and use the information in there to grant the user access to information they're authorized to.
This flow is also described in the Firebase documentation on verifying an ID token, so I recommend checking that out.
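What the server side of that flow looks like in an ASP.NET Web API 2 controller, as an added example that is not the asker's code: the client's ID token arrives as a Bearer header and is verified with the FirebaseAdmin SDK before any data is returned. It assumes the FirebaseAdmin NuGet package and Application Default Credentials (GOOGLE_APPLICATION_CREDENTIALS pointing at a service-account JSON file); the controller and route names are assumptions.

```csharp
// Added example, not the asker's code: verify a Firebase ID token server-side
// in ASP.NET Web API 2 using the FirebaseAdmin SDK. Assumes the FirebaseAdmin
// NuGet package and Application Default Credentials for the service account.
using System.Net.Http.Headers;
using System.Threading.Tasks;
using System.Web.Http;
using FirebaseAdmin;
using FirebaseAdmin.Auth;
using Google.Apis.Auth.OAuth2;

public static class FirebaseBootstrap
{
    // Call once at startup (e.g. from Application_Start in Global.asax).
    public static void Init()
    {
        if (FirebaseApp.DefaultInstance == null)
            FirebaseApp.Create(new AppOptions { Credential = GoogleCredential.GetApplicationDefault() });
    }
}

public class ProfileController : ApiController
{
    [HttpGet, Route("api/profile")]   // route name is an assumption
    public async Task<IHttpActionResult> Get()
    {
        AuthenticationHeaderValue auth = Request.Headers.Authorization;
        if (auth == null || auth.Scheme != "Bearer" || string.IsNullOrEmpty(auth.Parameter))
            return Unauthorized();

        FirebaseToken decoded;
        try
        {
            // Checks the signature against Google's published keys, the issuer and
            // audience for this Firebase project, and the expiry.
            decoded = await FirebaseAuth.DefaultInstance.VerifyIdTokenAsync(auth.Parameter);
        }
        catch (FirebaseException)
        {
            return Unauthorized();   // expired, wrong project, bad signature, or malformed
        }

        // decoded.Uid is the stable user id: authorize data access against it,
        // never against a user id supplied in the request body or query string.
        bool emailVerified = decoded.Claims.TryGetValue("email_verified", out object v) && v is bool b && b;
        return Ok(new { uid = decoded.Uid, emailVerified });
    }
}
```

The verification call needs no shared secret with the client: the SDK fetches Google's public signing keys and caches them, so the only server-side secret is the service-account credential used to initialise the app.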

SAML 2.0 with C# [closed]

Closed 5 years ago.
I have done a lot of googling on SAML 2.0 usage with C# but have not found any understandable link, so I hope someone can help with this:
1) How SSO works: a diagram of the calls.
2) I'm using PingFederate. So what will be the working flow for that? I got 0% idea from their documentation.
3) Do I need to write any code to embed SSO with PingFederate? If so, is that regarding the IdP or the SP?
4) How to handle SAML 2.0 requests through C#.NET. What are the technologies (e.g. send request: plain HTTP redirect; receive response: HTTP handler or a WCF service)?
Use a SAML client side stack like Kentor. That has good documentation.
Your client will be the SP. Ping will be the IDP.
No, no code, just Ping configuration.

Security concerns regarding unique JWT token in asp.net web api c# [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
I have created an ASP.NET MVC Web API application which uses a JWT token to authorise users after a normal login.
I am able to implement it correctly, but I have the following concerns regarding security:
If someone copies the token of a valid user and tries to access the API
(my current implementation is not able to identify it).
How to detect if someone logins from two different machines?
What are the other things needed to be included in JWT token generation? (I have now used userid in my current implementation)
I need some guidance.
Thanks In advance!!
Copying the token is not easy as you will store it in the local storage of the browser. It will be more secure than stealing a cookie.
You can add one more claim: MAC address. Then on each request compare the MAC address of the request with the MAC in the claim.
Use a long random string, it should be enough. I would recommend 25 characters as standard. Don't store the key in web.config. Your token is as secure as the secrecy of your key.
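The key-handling advice in the answer above, as an added example that is not the asker's code: the signing key is generated once from a CSPRNG, read from an environment variable instead of web.config, rejected if it is too short, and the demo ends by showing that a token validates only under the key that signed it. Each token also carries the standard sub, jti, iat and exp claims so individual tokens can be told apart in logs. It assumes the System.IdentityModel.Tokens.Jwt NuGet package on .NET 6+; the variable name JWT_SIGNING_KEY and the issuer/audience values are assumptions.

```csharp
// Added example, not the asker's code: strong key generation, loading the key
// from the environment rather than web.config, and issue/validate with the
// System.IdentityModel.Tokens.Jwt library. Assumes .NET 6+ and that package.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class JwtKeyStore
{
    // One-time provisioning: 32 random bytes (256 bits), base64-encoded so an
    // operator can place it in the host's environment, never in source or web.config.
    public static string GenerateKeyBase64() => Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));

    // Variable name is an assumption for this example.
    public static SymmetricSecurityKey Load(string envVar = "JWT_SIGNING_KEY")
    {
        string b64 = Environment.GetEnvironmentVariable(envVar)
            ?? throw new InvalidOperationException($"{envVar} is not set; refusing to start with a default key");
        byte[] raw = Convert.FromBase64String(b64);
        if (raw.Length < 32) throw new InvalidOperationException("signing key must be at least 32 bytes");
        return new SymmetricSecurityKey(raw);
    }
}

public static class JwtIssuer
{
    private const string Issuer = "https://api.example.test";   // assumption
    private const string Audience = "example-spa";               // assumption

    public static string Issue(SymmetricSecurityKey key, string userId, TimeSpan lifetime)
    {
        DateTime now = DateTime.UtcNow;
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, userId),
                // Unique token id: lets the server log, count or revoke one specific token.
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
            }),
            Issuer = Issuer,
            Audience = Audience,
            IssuedAt = now,
            NotBefore = now,
            Expires = now.Add(lifetime),
            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256),
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    public static bool TryValidate(SymmetricSecurityKey key, string token, out string userId)
    {
        userId = null;
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = key,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };
        try
        {
            ClaimsPrincipal principal = new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
            // The handler maps "sub" to NameIdentifier by default; fall back to the raw claim name.
            userId = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? principal.FindFirst("sub")?.Value;
            return userId != null;
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            return false;   // bad signature, expired, wrong issuer/audience, or malformed
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // For the demo only: in production the host sets this variable, the app never does.
        Environment.SetEnvironmentVariable("JWT_SIGNING_KEY", JwtKeyStore.GenerateKeyBase64());
        SymmetricSecurityKey key = JwtKeyStore.Load();

        string token = JwtIssuer.Issue(key, "user42", TimeSpan.FromMinutes(15));
        Console.WriteLine(JwtIssuer.TryValidate(key, token, out string who) + " " + who);

        // A token is only as secure as the key: a different key rejects the same token.
        var otherKey = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32));
        Console.WriteLine(JwtIssuer.TryValidate(otherKey, token, out _));
    }
}
```

Keeping the key in the environment (or a secrets store the host injects) means a copy of the deployed web.config or the source repository does not yield the ability to mint tokens, which is the property the answer's last sentence is about.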

Using Dropbox API with access token only [closed]

Closed 8 years ago.
I want to do silent uploads, without the need for authorization. I've already authorized my app and I've got my access token (which Dropbox can now show you in its account app settings). I just want to use some form of API to communicate with Dropbox without the app secret and app key, as those already gave me the access token. I've tried REST, Dropnet, SharpBox. Using C#. Any help appreciated. :)
The Dropbox API documentation on file uploading is here: https://www.dropbox.com/developers/core/docs#files_put
To use the access token you have to put it in the HTTP headers when you make the upload request; your header should include a line like this:
Authorization: Bearer <myToken>
Then Dropbox will auth using the token found in the header and upload the file.
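How that header is set from C# with HttpClient, as an added example that is not part of the answer above: the stored access token is read from the environment (so it never sits in source control) and attached as "Authorization: Bearer <token>" to a PUT of the file's bytes. The upload URL is a placeholder; the exact endpoint and path format come from the Dropbox documentation linked above, and the environment variable name is an assumption.

```csharp
// Added example, not from the answer: send the stored Dropbox access token as
// a Bearer header with HttpClient. The upload URL is a placeholder to be taken
// from the Dropbox docs; DROPBOX_ACCESS_TOKEN is an assumed variable name.
using System;
using System.IO;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

public static class DropboxUploader
{
    private static readonly HttpClient Http = new HttpClient();

    public static async Task<HttpResponseMessage> UploadAsync(string accessToken, Uri uploadUrl, string localPath)
    {
        using var request = new HttpRequestMessage(HttpMethod.Put, uploadUrl);
        // Produces exactly the header line "Authorization: Bearer <myToken>".
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        request.Content = new StreamContent(File.OpenRead(localPath));
        request.Content.Headers.ContentType = new MediaTypeHeaderValue("application/octet-stream");
        return await Http.SendAsync(request);
    }

    public static async Task Main()
    {
        // Keep the token out of the source tree: read it from the environment.
        string token = Environment.GetEnvironmentVariable("DROPBOX_ACCESS_TOKEN")
            ?? throw new InvalidOperationException("DROPBOX_ACCESS_TOKEN is not set");

        // Placeholder: substitute the upload endpoint and remote path from the Dropbox documentation.
        var url = new Uri("https://UPLOAD-ENDPOINT-FROM-DOCS/path/to/remote/file.txt");

        using HttpResponseMessage response = await UploadAsync(token, url, "local.txt");
        Console.WriteLine($"{(int)response.StatusCode} {response.ReasonPhrase}");
        if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
            Console.WriteLine("token rejected: it may have been revoked or regenerated in the app settings");
    }
}
```

Because the access token alone grants the upload, treat it like a password: a 401 from Dropbox is the signal that the token is no longer valid, and the fix is to regenerate it in the app settings, not to fall back to embedding the app key and secret in the uploader.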
