Integrating IdentityServer4 to ASP.NET Core MVC and API - c#

I have an ASP.NET Core MVC application that registers/logs in users using ASP.NET Identity by providing a registration/login form or using Google OAuth. Now we want to build a mobile application to use our API server (built with ASP.NET Core Web API, hosted in a sub-domain of the website), but we want to have the same register/login flow in that too.
I dug around and found out that IdentityServer4 has the necessary features to support our needs, and I read its documentation, but unfortunately I couldn't make it work as I wanted.
The scenario is that we have a Web Application, a Web API and a Mobile application, all of which should use the same register/login flow, which is to register and log in in the application or use Google OAuth.
I would appreciate it if anyone could point me to good documentation or sample code for both the MVC client application and Identity Server (for authentication) with the same requirements.

If you take a look at the quickstart samples, it will give you a good place to start. That sample has an MVC client using implicit flow for authentication against the identity provider. You can easily extend the controllers (like this one, for example) with routes and code to do registration logic. This sample does external login using Google for your convenience. For mobile you would probably want to use the Hybrid grant/flow, and depending on your platform/device, Google can help you find libraries to do this.
HTH

Related

Authentication Between Web API, Web App and Mobile App

I have three applications: Web API, MVC Application (Web App), Java Native App (Mobile App). I need to authenticate my web app and mobile app from the Web API. So which authentication is best for this scenario?
Please help me. I have experience developing MVC applications, but Web API is new to me, and the same goes for Android, which is also new to me.
I would suggest the following read: https://learn.microsoft.com/en-us/dotnet/architecture/microservices/secure-net-microservices-web-applications/
It will provide you with different authentication and authorization options. You might opt to use social identity server like Google or Facebook, or go with your own identity provider. In both cases the protocols you need to know about are:
Check out what OpenID Connect is: https://openid.net/connect/
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
Check out what OAuth 2.0 is: https://oauth.net/2/
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
For web app SPA use the implicit grant
For native apps, great read here: https://www.oauth.com/oauth2-servers/oauth-native-apps/
The current industry best practice is to use the Authorization Flow while omitting the client secret, and to use an external user agent to complete the flow.
Last but not least, if you want to create your own identity provider you can use the open source identity server for both openid connect and oauth2: https://learn.microsoft.com/en-us/dotnet/architecture/cloud-native/identity-server
I suggest you use web tokens and implement them in your Web API project. I encourage you to watch this series of videos, which describes how to implement JWT in an ASP.NET Core Web API project:
ASP.NET Core Authentication with JWT (JSON Web Token)
ASP.NET Core Authentication with Custom Handler
Role-based Authorization in ASP.Net Core (With Custom Authentication Handler)
Policy-based Authorization in ASP.Net Core (with Custom Authorization Handler)
JWT Refresh Token in ASP.Net Core (a deep dive)
That series will help you build JWT into your Web API. If you want to implement OAuth 2.0 and OpenID, you can read the guidelines for the protocol and implement it on your own. It's not default to implement.
[EDIT]
You can use Microsoft.AspNetCore.Authentication.OpenIdConnect for OpenID after seeing that series, and this article will be helpful: .NET Core 2.x native OpenID Connect example

Multi tenant OpenID integration to ASP.Net MVC web application without native .Net authentication support

We have an ASP.NET MVC web application with custom authentication functionality (not using the .NET authentication framework). Now we want to integrate it with Azure Active Directory with multi-tenant support. I have followed the following application example, and the sample app directs me to the AD login page.
However, when I do same thing in my app, it just redirects me to http://localhost:14223/app/login.aspx?
We are not using FormsAuthentication or anything, so I am not sure how this is happening and what is the process to avoid it.
Any help would be appreciated.
Thanks.
Please read this part of ADAL.NET's conceptual documentation for the ways for confidential client applications (Web applications, Web APIs, daemon applications) to acquire tokens.
More generally you might want to read the full page: Acquiring a token: this depends on the kind of application

Security between .NET MVC and WEB API

We are starting a project which will consist in:
Web project (ASP.NET MVC)
IOS app
and both will consume data from a .NET WEB API service.
The WEB API service will expose a POST method with the URL "user/create". But I don't know how I can prevent other apps from making a POST to this URL. I know I need a security protocol, but I wanted to know which one you would recommend, and whether you have an article where it is explained.
Thanks
Web API 2 provides OAuth authentication. You will need to get a token from the token endpoint of the Web API and pass that token in subsequent requests.
You should find a lot of online resources if you search for Web API 2 OAuth.
We did something similar recently using OWIN OAuth 2.0 Authorization Server
Reference this ASP.NET page for details. Sample code is included as well for several different implementations.
For our purposes, we used the Client Credentials Grant section about half-way down the page. Our implementation involved server-server OAuth (Web API to MVC), but I bet it's pretty similar to have iOS connect. The only thing I would caution is to somehow encrypt the login credentials on the iOS side, and I'm sure there is a way to do that.
So you want the WebAPI to only be used by the MVC page? The best architectural method is to separate the two rather than leave both in one project. Why? Because the MVC app is an experience layer for humans. The WebAPI is an experience layer for the MVC app. Move it back where it can't be accessed.
You can add on tokens, etc, but the MVC app sits on the server, but is accessed on the client computer. The wider the scope of the application (ie, intranet or internet or something in between?), the more difficult the problem and the harder it is for your users to access the application. Moving the WebAPI internal and leaving the MVC app exposed guarantees external users cannot use the API.
The main reason WebAPI and MVC exist together in a single project (still a mistake in most instances, IMO) is you are exposing both to the same audience. If that is not your intent, don't do it.

Integrate SAML with SSO into the .net web application which has been using Forms authentication

I want to integrate Single Sign-On through SAML into my web application, which is using Forms Authentication and membership. I really don't have an idea of how to achieve this. Any links or tutorials will be helpful. I would like to know where exactly to start and the various things I need to do to achieve this.
Thanks
To work with SAML in .NET, you should use standard components. There are several commercial and open source options available.
I'm working on the Kentor AuthServices open source library. Using that library, you could migrate by:
Upgrade your application to use OWIN-based cookie-authentication and ASP.NET Identity instead of membership. This will increase security in general.
Configure the Kentor AuthServices SAML2 Owin middleware to be used as an external authentication provider with ASP.NET Identity.
To get started, it's probably easiest to create a new empty ASP.NET application where all code is generated for you. Then you can copy that code.
You can use Component Pro SAML.
Component Pro SAML can be used from ASP.NET web pages, Windows Forms and Web Services and runs under .NET Framework 2.x and above.
Component Pro SAML supports the Single Sign-On (SSO) scenario.

User Login Authentication with Restful asp.net Web api and securing API

I am learning to develop an ASP.NET Web API with the AngularJS frontend framework. I have been doing a lot of research on this for about a week now. I have read about OAuth 2, OWIN and others. But now I am confused about which is better.
I have a couple of questions and hope you guys can help me with them.
1) In my application, only registered users will be able to access the application, by logging in with email and password. Can someone please point me to a good resource or article on how to create a good registration and log-in authentication with an API, one which is secure enough, as I will be gathering user data and storing it?
2) What type of security do I need to protect my API? At first the API will be behind the firewall, and then once the project is finished it will be open to the world. Please also point me in the right direction if possible.
Please note this is not a duplicate question. I have been through most of the posts on Stack Overflow and am asking this after I could not find an answer.
Any suggestion or help on this is appreciated.
Thanks for all your effort on this topic
You can use token based authentication using Asp.Net Web API 2, OWIN, Asp.Net Identity and AngularJS.
Asp.Net Web API now fully supports OWIN. Katana is Microsoft's OWIN implementation.
Asp.Net Web API now supports authorization using OAuth 2.0. OAuth is made possible with Microsoft OWIN components.
Are you confused by the terms Identity, OWIN, OAuth? Here is a brief overview of them.
Asp.Net Identity was developed to overcome the problems of the asp.net membership system. Asp.Net Identity allows us to use different storages (Table storage, NoSQL) and allows us to use external identity providers, as it uses OWIN.
OWIN is meant to break the tight coupling between Asp.Net and IIS. OWIN is just a specification. Katana is Microsoft's OWIN implementation. OWIN sits in the HTTP request pipeline. The OWIN pipeline has middleware components, where we can mention external login mechanisms.
OAuth was created to remove the need for users to share their passwords with third-party applications.
Note:
Here Asp.Net Identity has nothing to do with OWIN or OAuth, and vice versa. They are three separate concepts. Asp.Net Identity is Microsoft's implementation. OWIN and OAuth are open standard concepts. Because Microsoft has implemented OWIN, OAuth is made possible.
So, Web API 2 uses an OAuth bearer token instead of a forms authentication cookie, which is more correct in the Web API world, because it allows the use of a variety of end-user devices like mobile devices.
In your case, you can use the default templates provided in visual studio 2013.
1. Create New Project and select Asp.Net web application.
2. Select Web API or SPA template.
3. Change authentication and Select individual user accounts.
4. Click Ok.
Now, everything is configured by default in order to use OWIN, Asp.Net Identity and OAuth. Because we use token-based authentication, you will find there is no login method available in the Account Controller.
To register users, use Register method available in AccountController
To login, you need to post data in following format to
http://example.com/token (Which can be configured in StartUp.Auth.cs)
grant_type=password&username=Alice&password=password123
After login, we receive a bearer token, which we need to send in the authorization header with every request to access a protected resource.
As you are using the awesome frontend framework AngularJS, you can save the bearer token in local storage, and you can write an http interceptor service, which takes care of sending the bearer token with each request.
Here, registering the user is taken care of by Asp.Net Identity, whereas authenticating the user is taken care of by OAuthAuthorizationServer, which is present in the Providers folder by default.
Bearer tokens that we receive are not towards a specific client, so anyone can intercept them. So use them only over SSL.
Please go through these links
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
http://bitoftech.net/2014/06/09/angularjs-token-authentication-using-asp-net-web-api-2-owin-asp-net-identity/
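The token request and the interceptor described in the answer above, as an added example that is not part of the original answer or of the Visual Studio template. The host api.example.com and the names API_ORIGIN, buildTokenRequest, mayCarryToken and attachBearer are assumptions made for illustration; the interceptor only adds the bearer token to HTTPS requests that go to the API's own origin, so the token is never sent in clear text or to a third-party host.

```javascript
// Added example; API_ORIGIN and all function names are hypothetical.
const API_ORIGIN = "https://api.example.com"; // assumed host of the Web API

// Build the form-encoded POST for the /token endpoint (password grant).
// URLSearchParams percent-encodes each value, so a password containing
// '&' or '=' cannot split the body into extra form fields.
function buildTokenRequest(username, password) {
  const body = new URLSearchParams({ grant_type: "password", username, password });
  return {
    method: "POST",
    url: API_ORIGIN + "/token",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    data: body.toString(),
  };
}

// A request may carry the token only over HTTPS and only to the API origin.
// Relative URLs are resolved against the page origin before the check.
function mayCarryToken(requestUrl, pageOrigin) {
  let target;
  try {
    target = new URL(requestUrl, pageOrigin);
  } catch (e) {
    return false; // unparsable URL: never attach the token
  }
  return target.protocol === "https:" && target.origin === API_ORIGIN;
}

// Same shape as the `request` function of an AngularJS $http interceptor:
// it receives the request config and returns the config to be sent.
function attachBearer(config, token, pageOrigin) {
  if (!token || !mayCarryToken(config.url, pageOrigin)) return config;
  const headers = Object.assign({}, config.headers, {
    Authorization: "Bearer " + token,
  });
  return Object.assign({}, config, { headers });
}

// Wiring inside an AngularJS app (shown as a comment; needs AngularJS loaded):
// $httpProvider.interceptors.push(function () {
//   return { request: function (config) {
//     return attachBearer(config, localStorage.getItem("token"), location.origin);
//   } };
// });
```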
The VS2013 web application project template comes with a good OWIN setup. I suggest looking into that.
