I can't seem to find the relevant resource for learning this. I am trying to achieve a simple login for my C# application where users will be required to authenticate to use the application, and as such the user's account level would determine what can be accessed inside the app.
Let's say I have a forum and I want my users to authenticate via the application using the forum credentials. Is this possible? What should I know about security and how is this accomplished?
My thoughts would be I should be able to authenticate using some kind of SQL library? Though I am new to C#, so I might not be on the right track here.
Thanks for your suggestions.
To authenticate with a web site (forum) you need something like OAuth, see this guide for example. The website needs to provide OAuth.
Authenticating with a web site that was not explicitly designed to support an app client is not really possible, at least not correctly.
Related
I'm developing a system with my classmate; he created a self-hosted API using WPF, while I'm on the mobile part. I already get the data using GetAsync and post data using PostAsync. What I want now is login authentication to our system.
Here is the Web API I'm talking about.
What I want is to use this as my API for authentication, but whenever I search for this topic, all of the results are Azure, WCF, ASP.NET.
I know that my friend uses ASP NuGet to create the API. While searching so far on this topic, they're always using those 3, and the code for validation is in ASP, WCF or Azure.
I also don't get the concept of a token and I guess I don't need it on the self-hosted API.
This is the best example of what I'm talking about:
http://www.c-sharpcorner.com/article/xamarin-android-create-login-with-web-api-using-azure-sql-server-part-one/
http://www.c-sharpcorner.com/article/xamarin-android-create-login-with-web-api-using-azure-sql-server-part-two/
These two sets of tutorials are very helpful, but I'm not aiming for this thing. I just want a simple authentication using the API in the picture.
It's just simple school work; I'm a beginner in mobile development and C#.
Thanks in advance for viewing my POST :)
While your question is waaaaaay too broad for a single answer on Stack Overflow, here are some pointers for you. Don't overthink things and keep it simple.
I think the easiest way to tackle your problem is to issue a token for your mobile app. This can be any type of token if you don't really care about security.
So in your app, you present the user with a username/password dialog. Pressing a login button:
1. you hit your API sending that username and password
2. API checks whether username and password is in database or a valid combination
3. generates a token if OK and sends as response and saves that token in database
4. then when hitting other urls in your API from mobile app, you need to provide the token as header or query string parameter
This is probably the simplest form of authentication you can do.
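The login flow this answer describes, as an added example that is not part of the original answer: the server checks the password against a salted PBKDF2 hash, issues a random token, and stores only the token's SHA-256 hash with an expiry. The `TokenAuth` class, its method names, the in-memory dictionaries standing in for database tables, the PBKDF2 parameters and the one-hour lifetime are all assumptions, and the code targets .NET 6 or later.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
// Added example (assumes .NET 6+); the dictionaries stand in for database tables.
public sealed class TokenAuth
{
    private readonly Dictionary<string, (byte[] Salt, byte[] Hash)> _users = new();
    private readonly Dictionary<string, (string User, DateTime Expires)> _tokens = new();

    public void Register(string user, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        _users[user] = (salt, Derive(password, salt));
    }

    // Login request: check the credentials, issue a random token, store only its hash.
    public string? Login(string user, string password, DateTime now)
    {
        bool known = _users.TryGetValue(user, out var rec);
        // Derive even for unknown users so both failure paths do the same work.
        byte[] candidate = Derive(password, known ? rec.Salt : new byte[16]);
        if (!known || !CryptographicOperations.FixedTimeEquals(candidate, rec.Hash)) return null;
        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _tokens[HashToken(token)] = (user, now.AddHours(1)); // one-hour lifetime is an assumption
        return token;
    }

    // Later requests: resolve the token the client sends back to a user, or null.
    public string? Authenticate(string? token, DateTime now)
    {
        if (string.IsNullOrEmpty(token)) return null;
        if (!_tokens.TryGetValue(HashToken(token), out var entry) || entry.Expires <= now) return null;
        return entry.User;
    }

    private static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32);
    private static string HashToken(string token) =>
        Convert.ToHexString(SHA256.HashData(System.Text.Encoding.UTF8.GetBytes(token)));

    public static void Main()
    {
        var auth = new TokenAuth();
        auth.Register("alice", "constructed-sample-password"); // constructed sample account
        string? token = auth.Login("alice", "constructed-sample-password", DateTime.UtcNow);
        Console.WriteLine(auth.Authenticate(token, DateTime.UtcNow));
        Console.WriteLine(auth.Authenticate(token, DateTime.UtcNow.AddHours(2)) is null);
    }
}
```

Of the two transports the answer mentions, a request header keeps the token out of URLs, which commonly end up in server and proxy logs. The whole exchange needs to run over HTTPS, since both the password and the token are bearer secrets on the wire.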
I have already created a web application using Microsoft Visual Studio 2010. The database was created using SQL 2008.
I use a normal login where the username and password are entered. NO encryption or security is being used.
To increase the security I found out that OAuth can be used for the purpose of authentication.
What I need to know is whether I could use OAuth for my existing web application. Basically the users who are registered in my database should only have login access.
Please guide me to implement this.
Your valuable help is much appreciated.
Thanks & Regards
OAuth is used for enabling delegated access to protected resources. In other words, that means that you use OAuth when you want to give a third party access to your data (for example: I want to allow an application to access my Facebook data on behalf of me) without giving the third party your username and password.
OAuth isn't really used for the type of security that it sounds like you are trying to apply to your web application.
You may want to consider Forms Authentication or another native .NET form of authentication -- OAuth is not what you're looking for.
I hope someone can at least point me in the right direction here.
I have a need for Open Authentication in my business.
However, it is not to use other services like Facebook or Google etc.
We have a membership database - a standard ASP.NET membership database (slightly modified with an additional table for profile information).
We also have multiple applications that our customers can use but require a login, so we would like to use the membership database as an authentication source for these applications using open auth.
But I'm not sure where to start with it... everything I look at seems to point to using Facebook or Google etc. as the source of authentication.
Where do I start with being the provider for open auth?
Any recommendations? Any advice for a newbie to open auth?
Our website is WebForms, not MVC, and runs on .NET 4.0.
Thank you in advance!
Try to look at Thinktecture IdentityServer v2. It is an IAM that handles authentication. It is customizable. With little coding you can wire your membership database with it. See this page and IdentityServer wiki for more info.
You should start looking at the code from DotNetOpenAuth, particularly the Samples. This should give you enough to get started with OAuth and/or OpenID.
Particularly, look at this sample, as this uses OAuth2 to protect a web API, which can be used as a starting point for something that can be used by clients in a very similar way to Facebook or Google logins.
I am currently building an authentication server for a game. Basically how I have it planned out is a client will connect to our servers and they will authenticate the client and then issue the client a ticket. As long as the ticket is valid the client is able to join servers. Besides authentication I would like to display user stats and other stuff on their profile. I have not done anything with ASP.NET before but I think that is the right way to go on this. I was wondering if anyone knows where I might get started with communication with an ASP.NET web app. Is that too big of a step since I haven't used ASP.NET before? Should I start with something smaller?
EDIT:
OK, so I have a simple WCF service now but I am having trouble understanding exactly how to use it. How do I actually use the service I created to exchange data between a console app and an ASP web site? Anyone know of a tutorial that creates a WCF service then actually shows how to implement it into a project?
Another option is to use someone else's authentication server, i.e. Facebook, Messenger (Live.com), Google all provide OAuth authentication if you can agree to use their list of users.
Side benefit is that you need to worry a bit less about personal information (i.e. child accounts require much more care than you want :) ).
What kind of game? Is it a game played on your website or a client application? If it's a website then all you really need is a Login page. Otherwise, yeah WCF.
I'm looking for some guidance on the best way to authenticate to my WebService. Right now, I have a standard WebService on .NET 3.5, and a MVC website that sits on top of this WebService.
The MVC website uses OpenID to authenticate users, and during the development phase, we have simply been passing the user's OpenID Claimed Identifier to the WebService to authenticate. Obviously this is not what we will be releasing to the customer when we go live.
So my question is this: What's the best way to authenticate to the WebService?
Some of the APIs I've played around with use authentication tokens. Another idea we had was to, upon connection to the WebService, pass the client an encryption key which they could use for all transfers.
I'm thinking out loud here, and again, any help is greatly appreciated! Thanks!
...
UPDATE: Right now I have created a custom SoapAuthenticationHeader which has an OpenIdURL property. This is used on all service calls to authenticate the user. The problem is two-fold:
If a hacker knows a user's OpenIdURL, they can easily gain access to the WebService.
The OpenIdURL is currently passed in plain text.
So I could pass an encryption key to the client upon connection to the WebService, and have the client encrypt the OpenIdURL in the SoapAuthentication header. But I'm not sure about how to best go about that...
You might want to take a look at OAuth:
http://oauth.net/
(Use http://oauth.net/code/ for coding.)
As it is geared specifically for this scenario (Open ID isn't, really).
There is another question on SA which asks about the best way to secure a web service, and Open ID and OAuth are both discussed:
Web Service Authentication using OpenID
ASMX web services (which Microsoft now considers to be "legacy") have no ability to use OpenID for authentication. They can only use what IIS provides to them. You could possibly add a SoapExtension that would do OpenID authentication for them, but I wouldn't spend time there.
I don't know enough about OpenID to be certain, but I suspect it can integrate with WCF through federated security. I'm sure someone else will answer with details on that.
This isn't really an answer, but I can't leave comments...
You say "I have a standard WebService on .NET 3.5, and a MVC website that sits on top of this WebService".
I might be way off base here, but the language implies that these two sit on the same server. If so, why can't you just share the users database and the cookie token?
James