We have a WCF service that uses REST. This will contain all the business logic when we implement several other clients besides the web clients.
I have used Thinktecture as an STS because we already have an infrastructure for identifying roles in old clients that we would like to reuse.
To test everything I have an MVC application that uses jQuery to call the WCF service. The MVC application displays the claims and authentication correctly, but I cannot make the WCF service reuse this information.
I have succeeded to make MVC consume the WCF over https and on another domain: the MVC uses https://localhost:40321 and WCF uses https://localhost:40033
I have read this How do you pass a (Claims) security Token to a WIF enable WCF service but the accepted answer uses the 3.5 .NET framework and we would like to use 4.5.
So my questions are:
Is there a possibility of using jQuery with WIF together with Thinktecture and CORS? If yes, would you point me in the right direction? All the information that I have read about securing WCF seems to assume that you will use SOAP and not REST.
If point 1 is impossible in jQuery (or JavaScript), what authentication should I use? OAuth 1.0, 2.0 or something else?
As I see in Thinktecture, you can specify the token to be returned as JWT. Is this a better way to use authentication? How do you configure the WCF to accept this token? How do you extract this token with JavaScript/jQuery? I saw that if you specify that jQuery should use "jsonp" it includes a cookie in the request headers.
I have read this http://msdn.microsoft.com/en-us/library/hh446531.aspx but as far as I see the example is using a WEB service and not a WCF.
Thank you in advance.
I have read more and I think that I have the answer for my own questions.
Is there a possibility of using jQuery with WIF together with Thinktecture and CORS? If yes, would you point me in the right direction? All the information that I have read about securing WCF seems to assume that you will use SOAP and not REST.
No, you cannot use jQuery to access a WIF-enabled WCF directly. It is better to create a WEB.NET API that implements REST and use the WCF as a reference in that project. Consume the WCF in C# code and just add a thin layer for REST calls.
If point 1 is impossible in jQuery (or JavaScript), what authentication should I use? OAuth 1.0, 2.0 or something else?
If you want to use WIF I think it is better to use Microsoft's stuff for better compatibility. I am NOT saying that one is better than the other.
As I see in Thinktecture, you can specify the token to be returned as JWT. Is this a better way to use authentication? How do you configure the WCF to accept this token? How do you extract this token with JavaScript/jQuery? I saw that if you specify that jQuery should use "jsonp" it includes a cookie in the request headers.
See answers 1 and 2.
I have been exploring IdentityServer4 for a couple of days. It performs hosting internally, generating a connect/token endpoint which internally validates and generates an access token.
Even to call it, a discovery URL is needed, ultimately requiring a web app template for hosting.
Is it possible to use IdentityServer4 as a library that just allows access tokens to be generated?
Updated based on input from Bryan
What I am trying to achieve here is GSMA compliance, which requires both OpenID Connect and OAuth. I need to generate an Access Token as well as an Identity_Token. But the caveat here is that IdentityServer4 hosts its internal endpoint where I do have custom endpoints. Also, it requires HTTP-based calling, and I do require a sort of library that I can integrate and internally call to generate an Access Token as well as an Identity Token.
Some more updates
We have hosted a custom GSMA-compliant Web API project and have hosted several endpoints as required by GSMA, ultimately validating and sanitizing the requests landing on our endpoints. Internally we do require an Access Token and Identity Token to be generated and shared back on the callback of the calling party. Currently, I have used an Identity Server template which is an MVC-based project, ultimately requiring us to use at least two ports/projects: one for our custom GSMA-compliant APIs and one for Identity Server. Calling Identity Server via URL adds a new hop, and an HTTP request needs to be sent out to Identity Server, whereas I was thinking of using IdentityServer as a class library, somewhat allowing me to pass in input parameters and get an access token/identity token.
Upon dissecting Identity Server projects like
Identity Server 4
Identity Mode
Identity Storage
I got the impression that it's very difficult to extract a library out of these projects that can help me generate an access token/identity token easily.
IdentityServer4 is an OpenID Connect (and OAuth) identity service -- it's not just about tokens. Those technologies are primarily HTTP-based. Thus IS4 is built on top of ASP.Net Core's web tech. If you just need tokens (JWT, I assume), it's pretty simple to roll your own and use them however you see fit. A few Google searches (or an SO search) will provide you with the code needed to create your own JWTs (for example: https://houseofcat.io/tutorials/csharp/identity/createjwt). Without more information about how you want to use them, I can't elaborate on this answer.
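The "roll your own JWT" route the answer above points at, as an added example that is not part of the answer or of IdentityServer4. It assumes the System.IdentityModel.Tokens.Jwt NuGet package (which brings Microsoft.IdentityModel.Tokens) is referenced; the issuer, audience and key values are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class TokenService
{
    // Placeholder values: a real key is at least 32 random bytes, generated once
    // and kept in protected configuration, never in source.
    private const string Issuer = "https://sts.example.test";
    private const string Audience = "https://api.example.test";
    private static readonly SymmetricSecurityKey Key = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("replace-with-a-32-byte-or-longer-random-secret!!"));

    // Issue an HS256-signed JWT carrying the subject, a unique id (jti) and roles.
    public static string Issue(string userId, IEnumerable<string> roles, TimeSpan lifetime)
    {
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, userId),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N"))
        };
        foreach (var role in roles) claims.Add(new Claim(ClaimTypes.Role, role));

        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: Issuer, audience: Audience, claims: claims,
            notBefore: now, expires: now.Add(lifetime),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Validate signature, issuer, audience and lifetime; throws SecurityTokenException on failure.
    public static ClaimsPrincipal Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero,                                  // no grace period for expired tokens
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }  // pin the algorithm, reject "none"/RS256 swaps
        };
        SecurityToken validated;
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out validated);
    }
}
```

The jti claim gives a replay-detection hook if the consumer keeps a short-lived list of seen ids until each token expires.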
I’m working on an existing single-page application consuming data from WebAPI.
Authentication is largely handled with WebSecurity and SimpleMembership via forms authentication as the application was originally built on MVC.
I know that this is bad (CSRF), and I want to fix it either by
implementing some kind of CSRF protection (preferred)
or by reimplementing Authentication and Authorization to use tokens instead of cookies.
Would implementing header validation be an adequate solution? The API is being consumed by both web and mobile clients, in case it matters.
I’m not too skilled around security and want to make sure we’re not setting ourselves up for vulnerability by using cookies here.
Well, you would have to leave cookies anyway because otherwise you wouldn't be able to authenticate returning users (they would have to authenticate every time they open the app page). (Of course there are other exotic options like using client local storage or "Flash cookies" but this is pretty much the same approach.)
To answer your question, yes, you will need to implement CSRF protection. It doesn't matter which implementation you choose: it can be the implementation that uses custom HTTP headers or additional WebAPI request params, it can be implemented using built-in anti-forgery API (described in the article you mentioned) or you can make your own implementation.
I would probably implement custom CSRF protection mechanism because this way you can make it more suitable for your SPA (for example you can send it through WebAPI response as a result of authentication operation instead of rendering it to the HTML or JS as it was suggested in the article).
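One way to build the custom mechanism the answer describes, as an added example that is not part of the answer: a double-submit pattern where the login action sets a readable XSRF-TOKEN cookie, the SPA echoes it in an X-XSRF-TOKEN header, and a hypothetical Web API message handler rejects state-changing requests where the two do not match. It assumes ASP.NET Web API 2 (System.Net.Http.Formatting for the cookie helpers).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical handler; register with config.MessageHandlers.Add(new CsrfHandler()).
public class CsrfHandler : DelegatingHandler
{
    public const string CookieName = "XSRF-TOKEN";   // deliberately not HttpOnly: the SPA must read it
    public const string HeaderName = "X-XSRF-TOKEN";
    private static readonly string[] SafeMethods = { "GET", "HEAD", "OPTIONS" };

    // Called by the login action, which returns the value as a cookie on the auth response.
    public static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        if (SafeMethods.Contains(request.Method.Method)) return base.SendAsync(request, ct);

        var cookie = request.Headers.GetCookies(CookieName).Select(c => c[CookieName]).FirstOrDefault();
        IEnumerable<string> headerValues;
        var header = request.Headers.TryGetValues(HeaderName, out headerValues)
            ? headerValues.FirstOrDefault() : null;

        // A cross-site form post carries the cookie but cannot set the custom header,
        // and script on another origin cannot read the cookie to copy it.
        if (cookie == null || header == null || !FixedTimeEquals(cookie.Value, header))
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Forbidden, "CSRF token missing or invalid"));
        return base.SendAsync(request, ct);
    }

    // Compare without leaking the position of the first mismatching character.
    public static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Native mobile clients that authenticate with a bearer token rather than a cookie are not exposed to CSRF, so the check only needs to run on cookie-authenticated requests.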
We are starting a project which will consist in:
Web project (ASP.NET MVC)
IOS app
and both will consume data from a .NET WEB API service.
The Web API service will expose a POST method with the URL "user/create". But I don't know how I can prevent other apps from making POSTs to this URL. I know I need a security protocol, but I wanted to know which one you recommend and, if you have one, an article where it is explained.
Thanks
Web API 2 provides OAuth authentication. You will need to get a token from the token endpoint of Web API and pass that token in subsequent requests.
You should find lots of online resources if you search for Web API 2 OAuth.
We did something similar recently using OWIN OAuth 2.0 Authorization Server
Reference this ASP.NET page for details. Sample code is included as well for several different implementations.
For our purposes, we used the Client Credentials Grant section about half-way down the page. Our implementation involved server-server OAuth (Web API to MVC), but I bet it's pretty similar to have iOS connect. The only thing I would caution is to somehow encrypt the login credentials on the iOS side, and I'm sure there is a way to do that.
So you want the WebAPI to only be used by the MVC page? The best architectural method is to separate the two rather than leave both in one project. Why? Because the MVC app is an experience layer for humans. The WebAPI is an experience layer for the MVC app. Move it back where it can't be accessed.
You can add on tokens, etc, but the MVC app sits on the server, but is accessed on the client computer. The wider the scope of the application (ie, intranet or internet or something in between?), the more difficult the problem and the harder it is for your users to access the application. Moving the WebAPI internal and leaving the MVC app exposed guarantees external users cannot use the API.
The main reason WebAPI and MVC exist together in a single project (still a mistake in most instances, IMO) is you are exposing both to the same audience. If that is not your intent, don't do it.
I currently have a Web API 2 project acting as my application's middle tier. I need to secure this project as well as provide an authentication service for my MVC project and potentially iOS and Android applications.
The Web API business logic requires checking the user permissions/roles to ensure security; the MVC project requires the same functionality to ensure the requests to the controllers are valid. How do I do this using ASP.NET Identity or some other means? Are there any reference projects for this sort of thing?
Some good info here:
http://www.asp.net/web-api/overview/security/authentication-filters
Another way I've seen it done is to have a separate API to generate access tokens for a 'transaction' using whatever credentials you want to use... but usually done via HTTPS! This token is then passed by the client to the business layer API as a parameter. Various checks can be carried out on the token, e.g. same client that requested the token? Token expired? Token already used? Etc.
Let me know how you got on.
Thanks.
UPDATE
Web API Security with local accounts:
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
I have a custom STS made in WIF that works as an IDP and now I need to configure SSO to a Service Provider made in SimpleSamlPHP. (The SP only supports Post Binding and Web Browser SSO Profile.)
Any idea on how I should approach this requirement? Does WIF support POST binding and SAML 2.0?
Any idea will be greatly appreciated,
Thanks!
As per #Wiktor, there is no SAML support in WIF.
But you need the server side of the SAML stack not the client side.
Your best bet may be to put ADFS v2.0 in the middle and use it as a broker to provide the SAML support.
If you want SAML support, vote here.
WIF has no restrictions on bindings; it is just a set of APIs that makes it easier to develop IdPs and SPs. What people usually do is implement redirect binding on the service provider and POST binding on the identity provider - all books and tutorials I've read are like this. This means that the service provider should redirect to the identity provider with wa=wsignin1.0 and the identity provider responds with a form containing the token, posted to the service provider.
However, I don't see any obvious reasons you would not be able to implement POST bindings for both sides.
As far as I know, there is still no SAML2 protocol support for WIF apart from a CTP that hasn't been updated for ages. If your service needs SAML2, you'd have to take a look at some commercial implementations, like the one from ComponentSpace.