Restful service with WebAPI and MVC as client architecture [closed] - c#

Closed 7 years ago.
I am building a RESTful web service API using ASP.NET WebAPI. I'll be consuming it with MVC as a web application and eventually in a mobile app. I want to make the API standalone and not couple it with the MVC application.
I am having trouble figuring out how the authentication should be structured. I need the API to be consumable only from specific sources (the web app and the mobile app). However, I don't know how to link the authentication in the WebAPI with the MVC one. New users should register in the MVC and their auth info should be supplied to the WebAPI. I'm using the Individual accounts Identity system for the project.
In short, how to use the same authentication for both the Api and the Client? Should they be deployed to the same domain?

I recently did something similar.
I think you have 2 issues here:
1. You want to only accept Web API requests from known sources.
2. You want to authenticate the user.
For number 1:
You want to add authentication to the Web API request. This could be basic authentication, but it shows the call is coming from a known application. By using this, you know where the call is coming from. Despite what you read, Basic Authentication is ok, but only if the call is over a TLS (HTTPS) connection. Otherwise the call could be seen and the authentication could be used in a replay attack.
For number 2:
You could have a method that the user can call, such as a login request, where the user can be authenticated and, if successful, issue them with a token. JWTs (Javascript Web Tokens) are one token that you can use. Then the token can be sent with each subsequent call. However, please bear in mind that they can be a pain to use!
It depends on how tight your security needs to be. It might be that basic authentication, along with TLS, might be enough for you.
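An added example (not part of the original answer): one way to implement point 1 as a Web API message handler that accepts Basic credentials only over HTTPS and only from a known client application. The class name, the single client id and the stored SHA-256 of the client secret are assumptions for illustration; behind a TLS-terminating proxy the scheme check would have to look at the forwarded scheme instead.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
// Hypothetical handler: in Web API, register it with config.MessageHandlers.Add(...).
public class KnownClientBasicAuthHandler : DelegatingHandler
{
    private readonly string _clientId;   // assumed: one id per calling app (web, mobile)
    private readonly byte[] _secretHash; // assumed: SHA-256 of that app's secret, from config
    public KnownClientBasicAuthHandler(string clientId, byte[] secretHash)
    { _clientId = clientId; _secretHash = secretHash; }
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Basic credentials are only base64-encoded, so refuse them outside TLS.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return Reject(HttpStatusCode.Forbidden);
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth == null || auth.Parameter == null ||
            !string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase))
            return Reject(HttpStatusCode.Unauthorized);
        string pair;
        try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter)); }
        catch (FormatException) { return Reject(HttpStatusCode.Unauthorized); }
        int sep = pair.IndexOf(':'); // split on the first ':'; the secret may contain more
        if (sep < 0) return Reject(HttpStatusCode.Unauthorized);
        byte[] presented;
        using (var sha = SHA256.Create())
            presented = sha.ComputeHash(Encoding.UTF8.GetBytes(pair.Substring(sep + 1)));
        // Compare hashes without an early exit so timing does not leak matching bytes.
        int diff = presented.Length ^ _secretHash.Length;
        for (int i = 0; i < presented.Length && i < _secretHash.Length; i++)
            diff |= presented[i] ^ _secretHash[i];
        bool ok = diff == 0 && pair.Substring(0, sep) == _clientId;
        return ok ? base.SendAsync(request, cancellationToken)
                  : Reject(HttpStatusCode.Unauthorized);
    }

    private static Task<HttpResponseMessage> Reject(HttpStatusCode status)
    {
        var response = new HttpResponseMessage(status);
        if (status == HttpStatusCode.Unauthorized)
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic"));
        return Task.FromResult(response);
    }
}
```

This only identifies the calling application; the per-user login and token from point 2 are handled separately, after this handler has let the request through.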

Related

What is the Difference Between Blazor.Server and Asp.Net Web API? [closed]

Closed 2 years ago.
Blazor is one of those technologies that has me really excited to get started with. I am an experienced Asp.Net MVC and Web API (.Net Framework, not Core) developer. My first app that I am creating in Blazor is a PWA Web Assembly App with Individual User Accounts Hosted on Asp.Net Core using .Net 5.0. I've chosen to go the hosted route mainly because I want the Asp.Net Identity User Store functionality.
In my newly constructed Blazor Core Hosted Wasm PWA I have three projects.
App.Client
App.Server
App.Library
App.Server in many ways functions like an Api but it is different. One of those differences as far as I can tell is how it authenticates with App.Client. My question is two-fold in the fact that I want to know if other technologies/clients like Xamarin.Forms can integrate with Blazor's App.Server... or can only Blazor Clients?
Second Question is that App.Server "seems" like an Api... but it is not. What are the differences specifically?
Blazor is designed to be used with HTML and create web content delivery applications. A Web API project has the similarities you've noted because they both exist as a content delivery service via web server. The difference is in the content you're delivering. Blazor is made for web pages, while an API project enables you to deliver data via REST endpoints.

What are the advantages of hosting your API(s) and IdentityServer4 host separately (C#, .NET CORE)? [closed]

Closed 4 years ago.
Perhaps the question I am about to ask is very obvious and simple, but as a beginner in IdentityServer4 and more or less in OAuth2, OpenID and APIs in general, I find it quite hard to understand.
Our company's goal is to move to a more secure application building way (Visual Studio 2017, C#, .NET Core 2) using Authentication and Authorization. After some days of research I ended up with using IdentityServer4 (also because the documentation is really great).
After following the IdentityServer Documentation (https://media.readthedocs.org/pdf/identityserver4/release/identityserver4.pdf) up till chapter 7, I have one remaining.
I am trying to build an MVC application (web) with an API backend for retrieving / inserting the data so that I can later use the API for other applications, like a SPA / Xamarin application. For the IdentityServer host I went for IdentityServer with ASP.NET Identity. I got it running and it all works great, however the following question remains:
What are the disadvantages of hosting my API, in which I want to handle Database operations, together with the IdentityServer host?
It doesn't seem logical to me to have so many different projects while (so far as I can tell) these 2 (the API and IdentityServer host) can be joined together perfectly fine.
In (almost) all the examples found of IdentityServer4 the IdentityServer host and APIs are separate projects. What are the advantages of hosting the two as separate projects?
I would say Single Responsibility.
Treat it like this - Identity Server is a framework that provides you the authentication against your clients/APIs. That's it! (of course this is all done based on your rules, policies etc).
It is not Identity Server's purpose to add/edit/delete users from your database. It is not Identity Server's purpose to give roles to these users.
And most important - it is not Identity Server's purpose to authorize these users.
All these must be done in your clients/APIs.
In your case - you need a separate API that will take care of the users (and other data that you need), but I guess that you want this API to be protected by Identity Server.
This is where the separation comes and should be kept - Identity Server should not authenticate its own API against itself.
There is a reason that all the examples, articles, etc. are with separated projects.
PS: Of course there are some examples of achieving this (damienbod's one is good).

client/server authentication: React client with C# web api [closed]

Closed 5 years ago.
I had an app that used an MVC template, prescaffolded with authentication (the one with bootstrap). I am migrating the project over to Web API and a React Client, but I still need this same functionality. The MVC authentication used SQL Server. I really want to do all I can the same, unless something better is possible. How can I implement authentication/authorization with Web API? I guess I can store the password in React's state/props, and then maybe pass that into the HTTP calls?
You can generate a token using Web API and then store it on the React front-end in local storage. And whenever you do an HTTP call, put that token in the Authorization header and match it from the Web API backend.

Xamarin + ASP WebAPI + ASP MVC - which architecture is best? [closed]

Closed 7 years ago.
I have not found an answer to my question, so I opened this topic.
I want to develop a project.
Database:
Either Couchbase or SQL Server (right now it is not important, but I think it will be Couchbase)
Website:
Asp .NET MVC + Angular etc. - Simple Website
Web Api:
ASP .NET WebAPI
**Mobile Application (This is the hard side for me)**
I'm a good C# developer - that's the reason why I want to write the application with Xamarin.
If it's a bad idea - tell me (and tell me WHY IT IS A BAD IDEA)
If it is a good framework, I have a few questions:
1) How to work with the API
2) Or do I need to write a service (like WCF) for each platform (iOS, Android, WP) = (3 services?)
3) Which way is better for authentication (I want to give the user the option of registration via FB, Google, What's Up, etc...)
I don't know, maybe you can give me links to good topics, or the same question here (I have not found one)
Or maybe you can give me the name of a good course on Lynda or Pluralsight?
Thank you.
With ASP.NET Web API you can make a REST web service working through the HTTP protocol. Any platform which supports the HTTP protocol can consume your web service.
You need only one web service for all platforms.
In the current ASP.NET Web API version, you can use ASP.NET Identity, which supports local accounts and external accounts through OAuth.
For example, this post shows how to consume an ASP.NET Web API in Android. And this one is about how to use an external account for authentication. There are some more posts in that blog discussing ASP.NET Web API; just spend some minutes flying over it, you'll find some useful info.
I have no experience with Xamarin so I can't say anything about it. I write mobile apps in their native platforms (Android with Java, iOS with Objective C++).

Onedrive wcf web service [closed]

Closed 8 years ago.
Hi, I'm developing a WCF web service that integrates with OneDrive and I need to access the files (list, delete, download and upload) of the users that use my web service.
Is there a way to use OneDrive in an easy way? Maybe some C# API...
I found the Live SDK but I can't understand how to use it, then there is SkyNet but I don't know how to use it and if it works with OneDrive.
In case I would have to use REST calls, can you explain how to authenticate and list files with REST?
Thank you all
The main challenge you'll have with writing a WCF service is doing authentication. I'm not aware of a straightforward way to proxy authentication with your WCF service into the OneDrive service. The easiest approach would be to have the caller of the WCF service handle generating the auth token (see the examples for how to generate an auth token in the OAuth reference) and pass it to your service as one of the call parameters.
After that, you can use the Live SDK to make server-side calls using the token provided to your service from the caller as a parameter to your WCF method. You can either use the Live SDK to generate those calls, or you can make them yourself following the REST reference. Neither gives you an object model that you can interact with; you'll need to understand how the REST service works and the structure of the returned JSON data to use the Live SDK.
