I am working on learning the basics of Asp.Net Web API and started to tackle the area of authentication. After doing some research it seemed that the right direction to go was OAuth2 and JWT so that is what I started to learn.
I have now ran through several tutorials, the final one being here which I found to be incredibly informative.
At this point I have a functional authentication server that issues JWT and a Web API endpoints that consume the tokens and even authenticate based on roles defined in the tokens. I feel that I have a solid understanding of the basics but it has left me with a questions that I haven't been able to find good answer to.
How do you handle a Web API that manages permission sets for multiple objects? A good example would be GitHub and repos; I could have different roles for each of the repos I have access to.
Originally I thought the solution was to just place a claim in the token for each repo with the permissions for that repo but it is possible for me to be a part of 100s or repos, that would have to result in a fairly large token.
I also considered a hybrid approach where put the claims in the token until a user belongs to some number of repos, say 10 for example, then I just put an indication in the token saying I need to query the db for the list of permissions.
I suppose both would work but neither of them feel right. I was just wondering if there was a best practice for this kind of use case and I'm sure someone has answered this before but I was having a hard time coming up with the correct search terms to get the answer. Thanks for any help you can provide.
Related
Basically, I have a homework assignment which involves me creating a MVC app in Asp.Net (the standard version, not Core). I need to provide authentication using jwt, but i have to use a separate authentication server, so the token creation and validation are delegated to that server, and if a server like that already exists (perhaps a facebook or twitter authentication server using jwt), i should use it rather than create my own. I am not sure if there is a jwt authentication server which I could use, and I don't know what is the best way to handle jwt tokens, for example if i have a form that submits stuff to a controller action, how to place a jwt token in the request. Any help on this would be much appreciated!
As this is a homework assignment I'm going to try and provide a jumping off point rather than provide code samples or anything.
A JWT can be issued from another authority and used within your own application provided your application is set up to use that authority. For example, in house we use AWS Cognito to store our users, and in each of our web applications we specify that our JWT tokens are being issued by that Cognito user pool.
I've had a quick look around online for any issuers that may provide this service for free, and found the following blog post for Auth0 which boasts being able to support up to 7000 users for free (there may be hidden costs, I haven't looked into it fully)
The tutorial in the blog post seems to follow a .Net standard rather than a core implementation. Hopefully you find this useful and good luck with your assignment!
I've been wrestling with how to simplify our WebAPI/Identity authentication for our current/future WebAPIs. I'm new at this, but I'll explain it the best I can. We started with a single WebAPI and setup ASP.Net Identity to handle the authentication and such. Then we setup another, and soon it will be 30.
The problem here is obvious - for every new WebAPI we have to plug in yet another MS Identity Authorization layer. In some cases just having a single, massive WebAPI would work, but in this case these are totally separate products (plus its bad design).
So we wanted to shoot for something like this:
But I'm having a hard time figuring out how each WebAPI would get User information so I could check roles and such.
I've read many posts on WebAPI authentication such as: this this and this but it seems everything I find has to do with securing that SINGLE WebAPI and we know how to do that already. It feels like what we need is an SSO approach for our WebAPIs. It almost seems that we need something like the External Authentication approach (like Facebook, Twitter, etc) but using our own backend DB - I just don't know the proper terminology.
So I'm turning to the experts for help in getting me headed the right direction:
Is it common practice to have each WebAPI have it's own authentication/authorization layer that each point to the same DB?
Is the single auth layer concept built in to the WebAPI/Identity already or do I have to do it from scratch?
Is an Authentication Filter what we should be using?
I could hack it all together behind the scenes, but it feels like there is an obvious answer out there that I am missing.
Is there a built-in way to setup a "Trust" between each WebAPI and an Authentication API to do something like this:
This is the direction we are currently heading:
If I could just get a general push in the right direction, I'd be pleased as punch. I just don't want to reinvent the wheel.
Oh, and before I forget, we are using asp.net 4.5, WebAPI 2, Identity 2, on IIS
Thank you for any pointers.
What you are looking for is Federated Identity for your own web apis and is something that Thinktecture's Identity Server aims to solve. The documentation is probably the best place to start
Not to give too simplistic an answer but couldn't you just build an API as a fasad around the others. The top level API handles all of the authorization and then forwards calls to your other API's. I'm not an architect but that's what I would do.
does dotnetopenauth allows or has the ability to run own identity server?
We are interested in building a id provider such as stack exchange, google, or fb.
As well as authentication, we are interested in allowing users to register and then using same creds, accessing corps any resource without login again and again.
what s the best place to start? any source code to research for such impl?
Yes, indeed it does!
Best place to start would be the samples included on GitHub.
OpenID Provider
This example will show you the basics for setting up an OpenID provider.
OAUTH
An example of protecting an API with OAUTH - including an example implementation of an Authorisation Server
Have a look, it's a deep dive but worth it if you are serious about being an ID provider - a decision which should not be taken lightly. If you need help then search/post back here on StackOverflow, post on the Google Groups or talk in the JabbR room
I want to guard OData service with custom authentication associated to a user table in database. I have been obssessed with this problem and searched solutions for a long time in vain. I mean, yes, there are quite a lot articles on the web but they are just quite trivial, for example implementing IPrincipal or IHttpContext with basic authentication on. Notably, many of them can data back to 2010 where OData is not as mature as today. So I'm wondering if there is any rapid solution to database-based custom authentication.
Any guidance would be greatly appreciated!
OData and authentication (and even authorization for that matter) are unrelated for the most part by design. That doesn't mean that OData stacks can't provide good support for authentication and authorization, just that the OData protocol itself doesn't comment on it. Protocol aside, both Web API and WCF Data Services are working on getting better support here. Speaking as a member of the .NET community (and not as a Microsoft employee), I think it's reasonable to expect that as those stacks implement authorization APIs they will probably be looking to claims-based authorization. Again, I want to state explicitly that I'm not trying to hide or divulge any plans here - I'm merely speculating about where authentication and authorization are going.
In a nutshell, if I were in your shoes I'd find the easiest intersection I could between OAuth2 and claims-based authentication and make that work for now. Working out your claims and authentication now means that you only would need to consider integrating the actual authorization code later.
I would like to use oAuth as a system to allow developers access to my API but not require them to pass through the login information.
There does not seem to be any good how-to's or blogs on this topic. Everything I have found is based on consuming an oAuth system such as Facebook or twitter. Wondering if anyone has any links to good instructions or libraries that could get me started. If there are no examples out there perhaps someone could consider writing one, the community really needs it.
Using OAuth to login is actually a side-effect, not the main goal of the protocol. The best place to start with providing an OAuth-protected API is the protocol specification and since this is a new service, you should take a look at OAuth 2.0 1. It is pretty much done and ready for deployment.
To implement OAuth 2.0 you will need to make a few important decisions about which features you are going to support and your scaling needs. There are also a lot of security considerations to go through. I would suggest you start with supporting the authorization code and implicit grant types.
I would look into DotNetOpenAuth. It should work for your needs, but I've only used it for the OpenID stuff.