Asp.net mvc5 WPF authentication - c#

I'm currently playing around with ASP.NET / MVC5, and I had an idea: I want to create a WPF login so I can log in to the WPF app with my ASP.NET info. I assume I have to create a login form in WPF and send it to the MVC website; the server verifies the credentials and, if they are correct, it emits an authentication cookie which is sent back to the client. The client stores this cookie for further authentication.
So this means you will need to send a POST request to the MVC website that verifies the username and password, then the server returns a cookie which is stored by the client in a CookieContainer.
However, I am rather stuck on how I would go ahead and do this.

As @Goobering pointed out in the comment above, this is too big of a question to be answered in a Stack Overflow post. You're looking for tutorials. More importantly, is this WPF app only going to reach out to the MVC website for authentication and/or authorization, or are you going to get other data as well?
My suggestion is that you make a WCF authorization web service that is hosted on the same website as your MVC. Integrating identity into WCF would be easy, and then integrating WCF into WPF apps is even simpler. This would also support getting any other data you need from the MVC website. Here are some links:
http://www.codemag.com/article/0611051
https://msdn.microsoft.com/en-us/library/ee748498.aspx
http://www.codeproject.com/Articles/802435/Authentication-and-Authorization-with-ASP-NET-Iden
Validating a user in WCF using ASP.net Identity 2.0 Framework
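
The cookie flow described in the question, as an added example that is not part of the original posts: a desktop-side session class that posts the login form and keeps the authentication cookie in a CookieContainer. The `Account/Login` route, the `Email`/`Password` field names, the anti-forgery field and the `.AspNet.ApplicationCookie` cookie name are assumptions based on the default MVC 5 Identity template.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

// Added example. Route, field names and cookie name are assumed template defaults.
public sealed class MvcSession : IDisposable
{
    private readonly CookieContainer _cookies = new CookieContainer();
    private readonly HttpClient _http;

    public MvcSession(Uri baseAddress) // must end with "/" so relative paths resolve
    {
        if (baseAddress.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Credentials must only be sent over HTTPS.");
        _http = new HttpClient(new HttpClientHandler
        {
            CookieContainer = _cookies,   // every response cookie is stored here
            AllowAutoRedirect = false     // a 302 after the POST signals a successful login
        }) { BaseAddress = baseAddress };
    }

    public async Task<bool> LoginAsync(string email, string password)
    {
        // The template's login action validates an anti-forgery token, so fetch the
        // form first to receive the token cookie and the matching hidden field.
        string page = await _http.GetStringAsync("Account/Login");
        Match m = Regex.Match(page,
            "name=\"__RequestVerificationToken\"[^>]*value=\"([^\"]+)\"");
        if (!m.Success) return false;

        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["__RequestVerificationToken"] = m.Groups[1].Value,
            ["Email"] = email,
            ["Password"] = password
        });
        HttpResponseMessage response = await _http.PostAsync("Account/Login", form);
        // Success means a redirect plus an auth cookie now held in the container.
        return response.StatusCode == HttpStatusCode.Redirect
            && _cookies.GetCookies(_http.BaseAddress)[".AspNet.ApplicationCookie"] != null;
    }

    // Later requests reuse the same handler, so the cookie is sent automatically.
    public Task<string> GetAsync(string path) => _http.GetStringAsync(path);
    public void Dispose() => _http.Dispose();
}
```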

Related

Asp.net MVC (not core) application needs to receive a JWT from a mobile app

I have a requirement that has me a little baffled. A client has an app that allows its customers to view its account and billing statements. In the past the app invoked a web page on my web server built on an ASP.NET application that allowed the user to enter his credit card information and the web app processed the payment with the payment gateway.
Now the client requires that the payment page require authentication. Since the app uses JWT authentication when connecting to its own services, the idea is to provide the JWT to the ASP.NET application so that we can verify that the call is authenticated and read some information from it. But I can't find any way for a regular ASP.NET MVC 5 web app to read a JWT that comes from somewhere else.
Has anyone seen anything like this? Does anyone have any pointers for me to look at?
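
One way an MVC 5 application can verify a JWT issued elsewhere, as an added example that is not part of the original question: an authentication filter built on the System.IdentityModel.Tokens.Jwt NuGet package. It assumes the token arrives as an `Authorization: Bearer` header and is RS256-signed; the issuer, audience and certificate path are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography.X509Certificates;
using System.Web.Hosting;
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using Microsoft.IdentityModel.Tokens;

// Added example. Header transport and RS256 are assumptions; issuer, audience and
// certificate path are placeholders to replace with the token issuer's real values.
public class JwtAuthenticationAttribute : FilterAttribute, IAuthenticationFilter
{
    private static readonly TokenValidationParameters Rules = new TokenValidationParameters
    {
        ValidateIssuer = true, ValidIssuer = "https://issuer.example",     // placeholder
        ValidateAudience = true, ValidAudience = "payment-page",           // placeholder
        ValidateLifetime = true, RequireExpirationTime = true,
        ClockSkew = TimeSpan.FromMinutes(1),
        ValidateIssuerSigningKey = true, RequireSignedTokens = true,
        ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // refuse unsigned or HMAC tokens
        IssuerSigningKey = new X509SecurityKey(                   // issuer's public certificate
            new X509Certificate2(HostingEnvironment.MapPath("~/App_Data/issuer.cer")))
    };

    public void OnAuthentication(AuthenticationContext context)
    {
        string header = context.HttpContext.Request.Headers["Authorization"];
        const string prefix = "Bearer ";
        if (header == null || !header.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
        {
            context.Result = new HttpUnauthorizedResult();
            return;
        }
        try
        {
            // Checks signature, issuer, audience and expiry; claims become the request's User.
            context.Principal = new JwtSecurityTokenHandler().ValidateToken(
                header.Substring(prefix.Length).Trim(), Rules, out SecurityToken _);
        }
        catch (Exception e) when (e is SecurityTokenException || e is ArgumentException)
        {
            context.Result = new HttpUnauthorizedResult(); // malformed, expired or wrongly signed
        }
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext context) { }
}
```

Decorating the payment controller with `[JwtAuthentication]` makes the validated claims available through `User` inside its actions.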

Share Authentication tokens between ASP.NET Core MVC and Angular4 app

We currently have an ASP.NET Core MVC app in combination with IdentityServer4 for authentication. The user authenticates via IdentityServer (with the HybridAndClientCredentials flow) to ADFS before it has access to the MVC application.
The SignInScheme on the MVC client is set to the value "Cookies".
We would like to extend our MVC app to host multiple Angular apps. Sometimes even more than 1 Angular app per MVC view.
The Angular apps will call separate ASP.NET Core Web APIs on behalf of the user.
My question is: how do the Angular apps know that the user is already authenticated in the MVC application, retrieve the access token and call the APIs on the user's behalf?
I have been playing around with the solution Scott Brady came up with, but there seems to be no integration between the MVC app and the Angular app. The Angular app will try to authenticate to IdentityServer and expect a callback on a particular page.
I am looking for a solution for how to share the access tokens between the MVC app and the Angular apps, but I am stuck. Any help is much appreciated.
If they have to sign in via the server-side hybrid flow already then the simplest way would be an endpoint in your MVC app that is cookie-secured that the client side app can call to get the access token.
Another approach is to use oidc-client-js and have the client side Angular app obtain its own token.
You could abstract this away from the client side app itself so it's easy to change the mechanism later if you need to. As it happens we use a combination of server side and client side flows and it works fine.

Security between .NET MVC and WEB API

We are starting a project which will consist of:
Web project (ASP.NET MVC)
iOS app
and both will consume data from a .NET Web API service.
The Web API service will expose a POST method with the URL "user/create". But I don't know how I can prevent other apps from making a POST to this URL. I know I need a security protocol, but I wanted to know which one you recommend, and if you have one, an article where it is explained.
Thanks
Web API 2 provides OAuth authentication. You will need to get a token from the token endpoint of Web API and pass that token in subsequent requests.
You should find a lot of online resources if you search for Web API 2 OAuth.
We did something similar recently using OWIN OAuth 2.0 Authorization Server
Reference this ASP.NET page for details. Sample code is included as well for several different implementations.
For our purposes, we used the Client Credentials Grant section about half-way down the page. Our implementation involved server-server OAuth (Web API to MVC), but I bet it's pretty similar to have iOS connect. The only thing I would caution is to somehow encrypt the login credentials on the iOS side, and I'm sure there is a way to do that.
So you want the WebAPI to only be used by the MVC page? The best architectural method is to separate the two rather than leave both in one project. Why? Because the MVC app is an experience layer for humans. The WebAPI is an experience layer for the MVC app. Move it back where it can't be accessed.
You can add on tokens, etc., but the MVC app sits on the server, but is accessed on the client computer. The wider the scope of the application (i.e., intranet or internet or something in between?), the more difficult the problem and the harder it is for your users to access the application. Moving the WebAPI internal and leaving the MVC app exposed guarantees external users cannot use the API.
The main reason WebAPI and MVC exist together in a single project (still a mistake in most instances, IMO) is you are exposing both to the same audience. If that is not your intent, don't do it.

Authenticate MVC client against self-hosted Web API (OWIN/Katana)

I have a Windows Service running a Web API hosted as an OWIN middleware - the server. The API uses application cookie authentication and validates users against a database, using OWIN's identity model. Now I would like to authenticate a user who accesses the API through a standard MVC web application (the client), but I'm unsure how to achieve this, e.g. after I received a response along with the cookie from the API, where do I have to store it inside the MVC application so that the cookie will be automatically sent along with further API calls?
You won't need to. Cookies are stored by the client's browser, and are sent to the web server with every request on the same domain name. Each subdomain will have its own sandbox for cookies. The main domain's cookies can be accessed by all subdomains.
The MVC application will store the cookie in the user's browser. If you need to find an alternate way to achieve it, why not try localstorage. You can then send the authorization token with every request header using your Ajax calls. If you are interested in an Angular application, here is an excellent tutorial that should help clarify a lot of questions.

Forms Like Authentication in WCF or Web API?

I currently have an MVC application that is using Forms Authentication. I realize that you cannot self-host an MVC application. Business requirements dictate that my application has to be self-hosted. I was thinking of creating either a WCF or Web API application that is self-hosted, where I can expose various endpoints. However, the problem I am facing has to do with authentication. In my MVC, I used Forms Auth, and allowed the user to use a form to enter credentials. How can I do something similar in WCF or Web API? I know how to render the HTML for the login page, etc., but the part that I am not familiar with is how to code up the smarts so that anyone who tries to access one of my endpoints is redirected to another service, so that I can do my thing to authenticate them.
I guess I'm trying to do something similar to the Forms Authentication redirect, but within the context of WCF or Web API. I started looking into message interceptors and route filters, but still need to do some research.
Any ideas to point me in the right direction?
Forms Authentication Control Flow is explained here. This is what you need to implement using a DelegatingHandler for ASP.NET Web API.
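
A sketch of the DelegatingHandler approach named in the answer, as an added example that is not code from the original posts: unauthenticated requests are redirected to a login page with a ReturnUrl, and the login endpoint checks that ReturnUrl is local before redirecting back. The `/login` route is hypothetical, and the example assumes an earlier handler or middleware has already set the request principal from the authentication cookie.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Added example. Register with: config.MessageHandlers.Add(new LoginRedirectHandler());
public class LoginRedirectHandler : DelegatingHandler
{
    private const string LoginPath = "/login"; // hypothetical login route

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Assumed: the principal was populated earlier in the pipeline from the auth cookie.
        var principal = request.GetRequestContext().Principal;
        bool authenticated = principal?.Identity?.IsAuthenticated == true;
        bool isLoginPage = string.Equals(request.RequestUri.AbsolutePath, LoginPath,
            StringComparison.OrdinalIgnoreCase);

        if (authenticated || isLoginPage)
            return await base.SendAsync(request, cancellationToken);

        // Only the local path and query go into ReturnUrl, never a full URL.
        string returnUrl = Uri.EscapeDataString(request.RequestUri.PathAndQuery);
        HttpResponseMessage response = request.CreateResponse(HttpStatusCode.Redirect);
        response.Headers.Location =
            new Uri(LoginPath + "?ReturnUrl=" + returnUrl, UriKind.Relative);
        return response;
    }

    // The login endpoint calls this before redirecting back, so a crafted link
    // cannot turn the login page into an open redirect ("//host" and "/\host" are rejected).
    public static bool IsLocalReturnUrl(string url) =>
        !string.IsNullOrEmpty(url) && url[0] == '/' &&
        (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
}
```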
