I am trying to figure out how to authenticate incoming requests from another site.
Site A is a PHP based ecommerce solution belonging to a company other than us.
Site B is our own ASP.Net based web forms ordering system.
What I want to do is be able to have site A hit a web address that will include some sort of authentication along with order info (such as order id or similar)
I can't figure out if the right direction would be to do a query string setup with some sort public/private key?
All the examples of site to site authentication I have found do not cover a situation such as this.
Thanks!
Related
I am developing a web application using MVC 5, C#. This is a SaaS application where each company has its unique URL at signup and that URL will become the link to its own portal where its members or customers can go to sign up, login and much more. I would like to be able to give those companies the ability to do Custom Domain Mapping where they can use their own existing domain in lieu of their automatically generated portal URL. All my research has been unsuccessful so far, even though I know applications that have those capabilities.
Please, help with any idea on how I can approach this.
I'm having an issue with a website plus API I'm writing. These are in the same project, if that matters.
Reduced to its simplest form, it's a catalogue website and API. You have products in a database and pages which display product information. You also have other pages which allow editing this information and adding new products, etc.
There are three ways you can do this:
Anonymous users can list products and view public information about them on the website.
Signed-in users can list, view (including private info), edit, create and delete products on the website.
Users with a valid API key can list, view (including private info), edit, create and delete products using the API.
The problem I'm having is that the website uses AJAX calls to the API, and these only work if the user of the website is authenticated. Calling the API without an authentication cookie or an API key fails by design.
What would be the recommended way of identifying the unauthenticated website to the back-end API in a secure way that allows it to work?
The ideas I've had include:
A special API key for the website, but it would by necessity be visible to the world at large somewhere in the Javascript code and therefore something someone could use to access the API themselves and bypass any rate limiting I wanted to implement.
I considered setting something in the session on the web controllers which could then be verified in the API controllers, but I encountered issues where unauthenticated calls to the API redirect to the login page on the Account controller, which then sets the relevant session variable, which means subsequent API calls succeed whether legitimately authenticated or not. This seems like the most promising option, but I'm not familiar enough with ASP.NET Core's workings to make it robust.
You should use Jason Web Token Authentication, to implement one in your API please check the following the link:
https://medium.com/#adegokesimi/implementing-jwt-and-refresh-token-in-net-core-2-2-web-api-b21ef6de2a19
By using JWT authentication in the pipe line of your WebApi your problem will be solved.
Also, you can use a ASP.NET Core identity system for things like roles that can be implemented on specific controller methods, for example, "EDIT" can be allowed only to role admin, etc.
Kind regards,
.js
I have an Asp.Net Web form based Application, which relies on an Identity Server for authentication. I'm planning to create a Chat to be used as an independent Asp.Net Core Web Application (using SignalR), which would be authenticated in the same way as the Asp.Net Web form based Application (Both using the "Single Sign-On" approach). So, based on the given context, the key point is that I'd like to be able to render the Chat from inside the Web forms application through an IFRAME and I'm wondering if anyone could help me to identify potential problems that I could come across if I use this approach, specially when it comes to the Security stuff.
Thanks in advance.
Iframes act like a normal pages, or tabs in most aspects.
SSO protocols, including OIDC, are designed exactly to securely simplify the authentication procedure for different web (but not only) apps.
Follow the recommendations regarding the choice of grant type, always use https, do not store refresh tokens nor secrets in browser, and you are secure.
Enable two factor auth, signing keys rotation, and you are secure a bit more. There is nothing absolute in the world, but for general purposees... you are on the right way.
I'm developing a system with my classmate, he created a self-hosted API using WPF, while I'm on the mobile part. I already get the data using GetAsync and Post data using Post Async, What I want now is Login Authentication to our system.
Here is the Web API I'm talking about.
What I want is to use this as my API for authentication, But whenever I search for this topic, all of the results are Azure, WCF, ASP.Net.
I know that my friend uses ASP nugget to create API while searching so far on this topic. Theirs always using those 3 and the codes for validation is in the ASP, WCF or Azure.
I also don't get the concept of a token and I guess I don't need it on the self-hosted API.
This is the best example of what I'm talking about:
http://www.c-sharpcorner.com/article/xamarin-android-create-login-with-web-api-using-azure-sql-server-part-one/
http://www.c-sharpcorner.com/article/xamarin-android-create-login-with-web-api-using-azure-sql-server-part-two/
These two set of tutorials are very helpful, but I'm not aiming for this thing. I just want a simple authentication using the API on the picture.
It's just a simple school work, I'm the beginner in mobile development and c#.
Thanks in advance for viewing my POST :)
While your question is waaaaaay to broad for a single answer on Stack Overflow, here are some pointers for you. Don't overthink things and keep it simple.
I think the easiest way to tackle your problem is to issue a token for your mobile app. This can be any type of token if you don't really care about security.
So in your app, you present the user with a username/password dialog. Pressing a login button:
you hit your API sending that username and password
API checks whether username and password is in database or a valid combination
generates a token if OK and sends as response and saves that token in database
then when hitting other urls in your API from mobile app, you need to provide the token as header or query string parameter
This is probably the simplest form of authentication you can do.
I am stuck in a situation where i have a bunch of urls and i have to distinguish them based on whether they belongs to website or webapp.
I tried to look at Response Header from the request and discovered that i can use server field & powered By field to check it.
But for most of the requests they are disabled so is there any other way to distinguish webapps from websites.
There is no way to identify that website id webapp or website on basis of user agent or some other property. its just term, here other question which might suite you - What's the difference between a web site and a web application?