As a warning, I am very new to ASP.NET Identity. I have a project I am working on, and am trying to create different projects to better organize it. I have my UI layer, which is an MVC5 project, and my WebAPI, which is the API that will get called to perform various actions.
I want to use ASP.NET Identity 2.0 to authenticate and authorize actions in both projects. What is the proper way to do this?
I have two projects in the same solution. Let's say that I run debugging for both of the projects, I want to test being able to authenticate in the UI, then try and access a protected API call and see if it works.
However, if the Identity information is configured in the UI (using the default template), how do I make sure the API properly authenticates users?
One approach is to perform all user actions via the Web API, including authentication and authorization, as well as other Identity-related tasks such as registering and confirming new user accounts. This way, your presentation layer (whether it is a web, desktop or mobile application) will be responsible only for interacting with your API and presenting the data (as it supposed to be).
Check out this series of blog posts that demonstrate how to implement this approach using ASP.NET Web API and AngularJS.
Related
I would like to write a SPA application in React that will communicate with the .net core API.
I think it would be easier to have two separate projects (API + UI) on different domains.
API should be protected, that only authenticated users could make requests.
In react i'd like to have login and registration forms that will allow me to register and login users, and also I would like to have social providers. I would like to create whole UI for managing users in react SPA, and saving this data using API.
I did a lot of research, and I'm a little confused.
I would really like to use Core Identity because it simply looks like made for it
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-5.0
it has a ready to go model of Users, Claims, Roles etc.
it has built in services for managing passwords, users, roles etc
it has features to customize authentication schemes, policies, roles etc,
there are lot of reasons why i think this is a good solution.
Unfortunatelly, on the documentation site there is an information that for SPA integration it works combined with Identity Server.
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-api-authorization?view=aspnetcore-5.0
Last year I went throug every episode of this tutorial https://www.youtube.com/watch?v=Fhfvbl_KbWo&ab_channel=RawCodingRawCoding (btw. great tutorial), and I'm pretty sure, that I don't want to use Identity Server 4 for this scenario. As far as I know - this is the best solution when you want to have SSO for multiple applications, and you would like to provide one common way to authenticate user for all of it. And it has it's own UI for managing user registration, login and managing. This is not what I need - I just want to have it all written in React, cause I want all application to have the same mui theme without redirects to Identity Server.
But maybe I'm wrong, and Identity Server will work for me. But I found it to be quite lot of work to provide my own UI rather than MVC
(https://medium.com/#piotrkarpaa/using-spa-react-angular-ui-with-identity-server-4-dc1f57e90b2c)
For now I think, that I should use Identity Core on the backend, and communicate with it from React SPA with custom controllers like in here:
https://www.c-sharpcorner.com/article/authentication-and-authorization-in-asp-net-core-web-api-with-json-web-tokens/
Authenticating React SPA with API with JWT token - I think that this will work according to this example:
https://www.youtube.com/watch?v=FSUa8Vd-td0&ab_channel=Geek%27sLesson - but in here this is without Identity Core.
But I'm not sure that this is the best approach, and I don't know if I will be able to add Social Providers this way.
Also, I found serveral tutorials how to comine React App with .net core backend (and authentication) like this one:
https://www.red-gate.com/simple-talk/development/dotnet-development/integrate-create-react-app-with-net-core-5/
but I would like to have two separate applications, API and UI.
What is the best approach to achieve this goal?
EDIT:
Few months later, I already have SPA application, API and IS4. There is lot of problems to make Identity Server views (registration, login etc) look similar to SPA Application. (React app in MUI, MVC with bootstrap... ).
Now I think it was a bad decision, causing lot of problems:
2 way integration of users from API and Identity Server 4
changes in SPA layout, styles, colors - it all needs to be maintened on Identity Server 4 too
Bad user expirience - editing user profile on another application, on another domain with slightly different styles
Now I'm about to rewrite application, not to use Identity Server 4. Components for registration, login and editing user profile will be in SPA application, maintaining users will be done using API.
The only think I do not know is how can I use social providers with this aproach?
My question is still remaining without answer, can someone help me with providing proper solution?
Finally I found proper solution for me:
https://mahdikarimipour.com/blog/google-auth-for-react-with-aspnet-identity
thank you for your post: Mahdi Karimipour
I am developing a solution using .NET ASP Core. It's current version is monolithic, and I want to switch it to a service architecture consisting of an HTTP API which is used by the iOS/Android apps and web site. Here is a visual:
I am using .NET ASP Core on the website and service layers. I have almost finished implementing the changes, but I'm hung up on how to handle authentication on the area of the website that allows administrators to edit the content of the system. The monolithic version uses Identity Core (custom implementation, not using Entity) which works great. I could move the identity authentication code into the service, but I'm not sure how to then handle the authentication on the web site (the apps are public content only, no auth needed). How do I pass the username/password from the website to the service? How do I then track the session between the end user and service layer? Or is another option like OAUTH make more sense? I'd prefer a solution that doesn't require me to implement duplicate roles/policies on the website and service.
Any suggestions welcome, I have no experience with a setup like this so I'm not really even sure where to begin. Thanks!
OpenID Connect or OAuth makes sense because all of the claims/roles you already have will be encapsulated into the token. I presently use IdentityServer4 and it works just fine for your exact situation.
Since you are already using Identity database implementation doesn't matter as long as you have a back end. In the end the calls to the site are till http in nature, all very well documented.
http://www.identityserver.io
We are starting a project which will consist in:
Web project (ASP.NET MVC)
IOS app
and both will consume data from a .NET WEB API service.
The WEB API service will expose a POST Method with the url "user/create". But i don't know how can i avoid another apps for making post to this url? I know i need a security protocol, but i wanted to know which one you recommend me, and if you have, an article where is it explained.
Thanks
web api 2 provides oauth authentication. You will need to get a token from the token end point of web api and pass that token in subsequent requests.
You should find lot of online resources if you search for web api 2 oauth.
We did something similar recently using OWIN OAuth 2.0 Authorization Server
Reference this ASP.NET page for details. Sample code is included as well for several different implementations.
For our purposes, we used the Client Credentials Grant section about half-way down the page. Our implementation involved server-server OAuth (Web API to MVC), but I bet it's pretty similar to have iOS connect. The only thing I would caution is to somehow encrypt the login credentials on the iOS side, and I'm sure there is a way to do that.
So you want the WebAPI to only be used by the MVC page? The best architectural method is to separate the two rather than leave both in one project. Why? Because the MVC app is a experience layer for humans. The WebAPI is an experience layer for the MVC app. Move it back where it can't be accessed.
You can add on tokens, etc, but the MVC app sits on the server, but is accessed on the client computer. The wider the scope of the application (ie, intranet or internet or something in between?), the more difficult the problem and the harder it is for your users to access the application. Moving the WebAPI internal and leaving the MVC app exposed guarantees external users cannot use the API.
The main reason WebAPI and MVC exist together in a single project (still a mistake in most instances, IMO) is you are exposing both to the same audience. If that is not your intent, don't do it.
I currently have a web api 2 project acting as my applications middle tier. I need to secure this project as well as provide an authentication service for my MVC project and potentially iOS and Android applications.
The web api business logic requires the checking of the user permissions/roles to ensure security, the mvc project requires the same functionally to ensure the request to the controllers are valid. How do I do this using Asp.net Identity or some other means? Are there any reference projects for this sort of thing?
Some good info here:
http://www.asp.net/web-api/overview/security/authentication-filters
Another way I've seen it done is have a separate API to generate access tokens for a 'transaction' using whatever credentials you want to use...but usually done via https! This token is then passed by the client to the business layer API as a parameter. Various checks can be carried out on the token e.g. Same client that requested token? Token expired? Token already used? Etc
Let me know how you got on.
Thanks.
UPDATE
Web API Security with local accounts:
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
I have an MVC4 internet solution which uses the following setup
N Tier Application with Repository Design
Authentication etc all decoupled from UI and on DAL Layer (Accessed via SecurityRepository)
Uses SimpleAuthentication in background
I have been asked to add a WebAPI project to the solution so I can share the datasource, purely for reading some data out to a Winform application internally.
Is it possible to still decorate the Controllers in the API with [Authorize] and call the SecurityRepository.Login method to authenticate a winform? Winforms don't use cookies so not sure how I would supply a token and manage access via roles. I want it to authenticate in the background and not have a login page, ideally seamless to the end user we have switched the current Winform app datasource to point to this WebAPI.
[Edit]
For future searchers, look here too: ASP.NET MVC 4 Web API Authentication with Membership Provider
You will have to change your Authentication for WebApi. The easiest way is to implement token autentication. There is a simple article on Steves Coding Blog about Basic Authentication with Asp.Net WebAPI