Ok, I have this scenario.
I have one WEB API which will provide functionality to an intranet application, the idea is this application WILL not be visible to the outside world, so it wont have a login page.
However, the web api will also be consumed by mobile apps outside the organization, so the webapi WILL be exposed via a public url.
How can I make the authentication/authorization here to support both scenarios?
1. Internal users will be able to consume the web api via the angular backend app without an explicit login page.
2. External users via the mobile app will consume the web api with their active directory account.
I found this:
https://stormpath.com/blog/token-authentication-asp-net-core
where I could easily replace the GetIdentity Method to go to Active Directory and check if user exists with that user and password, but on the intranet, I wont have that info.
ideas please?
The best way to handle such a scenario is to use HMAC Authentication as discussed here. This will allow easier access to the piblic endpoint without requirering some kind of a login from the mobile clients, while at the same time enabling you to know which mobile is acceessing your endpoint. This is the same workflow as implemented in External Auth services like login with google and facebook where you are given an apikey and a apisecret
YOU CAN FIND THE SOURCE CODE OF THE EXAMPLE USING ASP.NET HERE
Related
I have a RESTful API which is running in a Linux docker image on AWS ECS. This API needs to be called by a desktop application (C# fat client deployed via ClickOnce) which is using Windows authentication to identify the users.
Currently although it's behind our firewall I can't identify users who call the API. I looked into OIDC but it's not an option because it requires a redirect URI to callback with the access_token which can't really happen on a desktop application.
How can I identify the users who are calling the API from their desktop app and validate they have the correct group claim which would grant them access when calling the API?
In terms of considering OIDC as an option; depending upon your set-up, I would have thought that you should be able to embed a browser (/WebView) like User-Agent within your desktop app, that can then/finally pass-back the resulting OIDC info/tokens, back to the/your hosting/underlying app (?).
I develop a native android application that done it's authentication, authorization, getting resources using WebApi backend.
After many discussions about what is the best and secure way to implement authentication and authorization using .NET technologies we decided to use Thinktecture's IdentityServer3.
Before i was follow this series to implement a token based authentication using Asp.NET Identity system, every thing was OK but after investigations i decide to decouple the authentication server and using Thinktecture's Identity Server.
So now i have a separated web apps hosted on azure one for resources and other for authentication using IdentityServer3 and one native Android client .
My Android client application having an authentication using Facebook/Google, and i already implemented this before on android using Parse or separatly based on Facebook Android SDK & Google services
Also Users having roles.
Now i want to know if there is a correct approach for doing that from the authentication server perspective and also client android application perspective as there are many discussions about the configurations of identityserver3 with native apps also should i use a webview activity in android to handle connection with authentication server or using native java code with HTTP library like retrofit to send request and get response.
Also with Facebook, i already implemented authentication directly from android app using Facebook Android SDK and i can get the AuthToken and the approach that i think about is like shown in this question:
Authenticate user to Facebook from Android application.
Get the FB auth token to the android app.
Forward the authentication token & facebook UID from Android to web
server.
On web server, make Facebook API call with the submitted token.
If the Facebook API call from web server returns valid authentication, and the user id is equal to the one submitted by Android application, your server can trust the id (& you can be sure that the Android authentication real)
Or should i depend only on backend identityserver to handle Facebook authentication?
you can use the hybrid flow (if you need access tokens and refresh tokens)
, also You could use the implicit flow
just have alook at this topic
and about how can you do it,
Either, you can do it by doing a combination of web views and hybrid/implicit flow, or do the redirect style to the IdSvr login page. Using resource owner password flow
We have several Intranet websites that use MVC + .NET windows authentication. And then we have some Java based apps developed by 3rd party - which can be configured to use LDAP authentication. Both sets of apps use the same company URL, for instance, dotnet-app.company.org and java-app.company.org, and both sets use the same username.
Once a user has been authenticated against a .NET app, is there any way I can "post" that user information to Tomcat which can then generate a cookie for the user so they don't have to authenticate twice?
I have authorization to modify code on the .NET app only not on the Java app.
You are probably looking for a one sign-in option like on gmail and other google services. And yes, cookies are what you must be looking at.
I don't know how java authentication works(I assume it is Session based), and there is where you must read in user cookie information to get authentication details. On .NET, you will have to write custom logic in FormsAuthentication_OnAuthenticate in Global.asax file.
I have an MVC application using Windows Auth which consumes a Web Api service. Both are hosted within the same domain but sat on different servers (MVC is publicly accessible). Now lets suppose the Web Api service has a method "CreateFooBar" which requires that the user is in a particular AD group. At the MVC layer I can easily check that the user is indeed in the group, package up a JSON message and call "CreateFooBar". But how does the service perform such a check? How can I tell it which user has made the request?
Initial thought is just to add the userID to the JSON message and let the service method retrieve the details but this would allow someone to just pass in any userID they like so clearly this won't work. Can someone point me in the right direction please?
You should use something like Kerberos delegation.
The user will be authenticated in the MVC application using Kerberos then the Kerberos token will be passed to the Web API call.
We do that currently at work to pass credentials from an ASP.NET app to an Exchange Webserver. It works fine.
If you want more info check this KB: http://support.microsoft.com/kb/810572
You should look into what windows identity foundation can do for you. By setting up adfs in your environment and using claims you will address most the problems you are talking about.
you'll need the identity and access plugin for visual studio and you can test the idea out using a self hosted sts.
I am new to Silverlight, and I building a simple app which provides an interface for an expense report portal. The portal has a REST API which I can access; I know I can do it using WebClient or WebHttpRequest. However, to be able to access the API, I need to login first. The login is simple forms authentication on login.aspx of the site. How do I login (post to the login page) from Silverlight?
NOTE: The site has the clientaccesspolicy.xml setup, and I am able to access the REST URL that do not require you to be logged on.
Have you looked at the Silverlight Business Application project template and WCF Ria Services. The template has built in functionality to login to a forms authenticated website.
You can use this as a starting point for your silverlight application or simply use it to see how to perform authentication from silverlight.