I have already created a web application using Microsoft Visual Studio 2010. The database was created using SQL 2008.
I use a normal log in where the username and password is entered. NO encryption or security is being used.
To increase the security i found out that OAuth can be used for the purpose of authentication.
What I need to know is whether i could use OAuth for my existing web application. Basically the users who are registerd in my database should only have login access.
Please guide me to implement this.
Your valuable help is much appreciated.
Thanks & Regards
OAuth is used for enabling delegated access to protected resources. In other words, that means that you use OAuth when you want to give a third-party access to your data (for example: I want to allow an application to access my facebook data on behalf of me) without giving the third-party your username and password.
OAuth isn't really used for the type of security that it sounds like you are trying to apply to your web application.
You may want to consider Forms Authentication or another native .NET form of authentication -- OAuth is not what you're looking for.
Related
I'm using the Novell.Directory.Ldap library to get communication between my intranet application and an Active Directory server.
However I need to implement an authentication where I verify if the user is authenticated in my local network and is part of a certain group.
All the user verification logic with the AD and if it is part of this particular group is already ready using the library mentioned above. However, I need this to work alongside ASP.NET authentication.
Has anyone implemented anything like this and can you help me with this?
I am working on creating a website for my web systems class in which I will be implementing a login platform. The website after becoming authenticated the user will be able to send messages to other users, I will be implementing SignalR to perform the real-time messaging.
I want to create a system that within AngularJS I can call a C# backend provide a username and password and authenticate. I would also at the same time like to use SignalR's role based authentication to ensure my methods are secure.
Example:
[Authorize(Roles = "Admin")]
public class AdminAuthHub : Hub
{
}
Currently I've written my own code to accept a username and password and hash it and store the hash value. However, I don't want to reinvent the wheel here. I want to use a Microsoft based authentication system because I am working within a C# backend and SignalR technology.
I am currently hosting using Microsoft Azure and that works and all but I am eventually going to be switching to a locally hosted Windows Server I maintain. I have heard about using Active Directory but have never worked with it and would have to do extensive setup to get a fresh server ready for that.
My overall question is what path do I go? Also if I go the strictly Microsoft everything way, is setting up active directory simple on Windows Server 2016? During my research I found that there is a ASP.NET method of authenticating a user against a SQL Server database. Would this method be preferable because the system can be used outside of ASP.NET and the data is in a form that I've worked with before?
Do I write my own custom authenticate logic, accepting username and password and hashing and using my own tables and databases. Then within the SignalR side of things find a way of setting the user variable and setting their role from my database. Then simply performing a check at the beginning of each method call.
There is a lot of information on the internet about how to potentially approach some of those questions.
A quick google for "Angualr / Asp.net identity / signalr" returns a few resources that you may suite your needs, maybe not solely, but you should be able to combine some of the approaches.
Here a few links for you :
SignalR Authorization using Web API Token
https://logcorner.com/angular-js-token-based-authentication-using-asp-net-identity-and-asp-net-web-api/
https://www.codeproject.com/Articles/884647/Web-app-using-Web-API-SignalR-and-AngularJS
I cant seem to find the relevant resource for learning this. I am trying to achieve a simple login for my C# application where users will be required to authenticate to use the application, and such the users account level would determine what can be accessed inside the app.
Lets say i have a forum and i want my users to authenticate via the application using the forum credentials, is this possible? what should i know about Security and how is this accomplished?
My thoughts would be i should be able to authenticate using some kind of SQL library? though i am new to C# so i might not be on the right track here.
Thanks for your suggestions.
To authenticate with a web site (forum) you need something like OAuth, see this guide for example. The website needs to provide OAuth.
Authenticating with a web site that was not explicitly designed to support an app client is not really possible, at least not correctly.
I've written a website that requires log in using openauth/openID on top of MVC5, using the instruction http://www.asp.net/mvc/tutorials/mvc-5/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on
I've found this technique to be very simple and actually enjoyed the process
Now I'd like to add a REST API that is accessed from a C# application running on a remote PC, such that the applications user interacts with an application and not a browser
What is the technique for doing this? Does C# provide an easy way to pop up a browser such that the authentication happens, cookies collected, but then control is given back to the program?
Actually, there are more oauth2 flows and some of them are better suited for different types of applications.
Specifically, there is authorization code grant flow which is for passive clients (browsers) and it involves showing the logon ui from the identity provider.
However, there is the resource owner password flow which basically consist in passing the username and password in the request and getting the auth token right back. This flow is great for desktop/mobile/native apps where you can even have a custom logon ui at the client side.
There are no native libraries, however implementing oauth2 is possible with the DotnetOpenAuth library.
I am in the processing of developing a web application which will integrate directly with a Google Calendar associated with a specific Google account. The account being accessed by the Google Data API is not likely to change, so I'm unsure what the most appropriate account authentication method is going to be.
I've reviewed the options avilable and it would seem that AuthSub and OAuth are inappropriate as I will not be logging users into their own account- only displaying and updating a fixed account. The other options available are ClientLogin and Gadgets authentication. Of all of them, ClientLogin seems the best fit, but the documentation states that it is intended for installed applications. While the web application I am developing is not specifically an installed application, it closely mirrors one in this scenario- which is why I think ClientLogin makes the most sense.
Which Google authentication option would be the best fit in this scenario?
After reading http://code.google.com/apis/gdata/docs/auth/overview.html it seems to me that OAuth is the most secure way to achieve your goals. Google recommends OAuth or AuthSub over ClientLogin for Web Applications. In addition using OAuth and AuthSub prevents your application from ever having control of the users email and password meaning you dont need to take the extra steps to protect and update the information. Between OAuth and AuthSub, OAuth is more universally adopted, and more secure due to the fact that requests are signed. Hope that helps.
EDIT: So I misunderstood exactly what your application was doing, if you are only using your google account any method of authentication is probably fine, that said google recommends OAuth or AuthSub for web apps. However the important thing to find out about OAuth and AuthSub is what the life of the token is. If there is no way to make the token last for a long time (months, years) then I would try to use ClientLogin, because then your application will always be able to login to the account. As a side note however for security I would recommend you NOT use your primary google account for the application instead create a second account and simply share the calendar with your primary account, that way if you application was compromised you would not lose your primary google account.