I hope someone can at least point me in the right direction here.
I have a need for Open Authentication in my business.
However it is not to use other services like facebook or google etc.
We have a membership database - a standard asp.net membership database (slightly modified with an additional table for profile information).
We also have multiple applications that our customers can use but require a log in, so we would like to use the membership database as an authentication source for these applications using open auth.
But i'm not sure where to start with it... everything i look at seems to point to using facebook or google etc as the source of authentication.
Where do I start with being the provider for open auth?
Any recommendations? Any advice for a newbie to open auth?
Our website is webforms, not mvc and runs on .net 4.0.
Thank you in advance!
Try to look at Thinktecture IdentityServer v2. It is an IAM that handles authentication. It is customizable. With little coding you can wire your membership database with it. See this page and IdentityServer wiki for more info.
You should start looking at the code from DotNetopenAuth, particularly the Samples. This is should give you enough to get started with OAuth and/or Open ID.
Particurlarly, look at this sample, as this uses OAuth2 to protect a web api, which can be used a starting point to something that can be used by clients in a very similar way to facebook or google logins.
Related
I cant seem to find the relevant resource for learning this. I am trying to achieve a simple login for my C# application where users will be required to authenticate to use the application, and such the users account level would determine what can be accessed inside the app.
Lets say i have a forum and i want my users to authenticate via the application using the forum credentials, is this possible? what should i know about Security and how is this accomplished?
My thoughts would be i should be able to authenticate using some kind of SQL library? though i am new to C# so i might not be on the right track here.
Thanks for your suggestions.
To authenticate with a web site (forum) you need something like OAuth, see this guide for example. The website needs to provide OAuth.
Authenticating with a web site that was not explicitly designed to support an app client is not really possible, at least not correctly.
I am looking to write an auth service using Web Api, and SQL Server for authenticating and authorizing users on my .net site, but ios and Android apps as well. I'm speculating that basic authentication over SSL is the easiest way to go, but I'm pretty new to this whole section of .net. I'm having trouble finding some clear tutorials that explain how to write such a service. Can anyone point me to some resources on how to do this? I'd appreciate it.
I think you need to look OAuth implementation in .NET.
Here is a video to give you some background on Web API security.
I also suggest getting a trial subscription to Pluralsight training and check out the courses on Web API security.
You may want to target the latest release of Web API 2.0 from Microsoft, it has the most features you'll need.
I think this might be useful for you:
http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api
does dotnetopenauth allows or has the ability to run own identity server?
We are interested in building a id provider such as stack exchange, google, or fb.
As well as authentication, we are interested in allowing users to register and then using same creds, accessing corps any resource without login again and again.
what s the best place to start? any source code to research for such impl?
Yes, indeed it does!
Best place to start would be the samples included on GitHub.
OpenID Provider
This example will show you the basics for setting up an OpenID provider.
OAUTH
An example of protecting an API with OAUTH - including an example implementation of an Authorisation Server
Have a look, it's a deep dive but worth it if you are serious about being an ID provider - a decision which should not be taken lightly. If you need help then search/post back here on StackOverflow, post on the Google Groups or talk in the JabbR room
I'm starting a new project, using ASP.NET MVC 3, and one requirement is to support multiple authentication providers, i.e. Live ID, Google, Facebook, etc. I've looked at companies that provide such a service, but ideally I need a free solution.
Does anyone know of a free service?
If not, the only other solution is to develop something similar to support the providers I'm interest in. Has anyone implemented such a thing? If so, can someone provide any suggestions, articles, guidence, etc, to help with this?
I don't think there is an open source library that supports all the sites out there. You may take a look at OpenId for those that support this protocol. For FaceBook you could use the Graph API.
Jainrain Engage is free for their basic accounts.
Whilst not free the Windows Azure Access Control Service provides just that
You use Windows Identity Foundation in your website to point at the ACS, and configure the ACS with Live ID, Google, Yahoo ID and/or Facebook (as well as potentially any other STS)
I am in the processing of developing a web application which will integrate directly with a Google Calendar associated with a specific Google account. The account being accessed by the Google Data API is not likely to change, so I'm unsure what the most appropriate account authentication method is going to be.
I've reviewed the options avilable and it would seem that AuthSub and OAuth are inappropriate as I will not be logging users into their own account- only displaying and updating a fixed account. The other options available are ClientLogin and Gadgets authentication. Of all of them, ClientLogin seems the best fit, but the documentation states that it is intended for installed applications. While the web application I am developing is not specifically an installed application, it closely mirrors one in this scenario- which is why I think ClientLogin makes the most sense.
Which Google authentication option would be the best fit in this scenario?
After reading http://code.google.com/apis/gdata/docs/auth/overview.html it seems to me that OAuth is the most secure way to achieve your goals. Google recommends OAuth or AuthSub over ClientLogin for Web Applications. In addition using OAuth and AuthSub prevents your application from ever having control of the users email and password meaning you dont need to take the extra steps to protect and update the information. Between OAuth and AuthSub, OAuth is more universally adopted, and more secure due to the fact that requests are signed. Hope that helps.
EDIT: So I misunderstood exactly what your application was doing, if you are only using your google account any method of authentication is probably fine, that said google recommends OAuth or AuthSub for web apps. However the important thing to find out about OAuth and AuthSub is what the life of the token is. If there is no way to make the token last for a long time (months, years) then I would try to use ClientLogin, because then your application will always be able to login to the account. As a side note however for security I would recommend you NOT use your primary google account for the application instead create a second account and simply share the calendar with your primary account, that way if you application was compromised you would not lose your primary google account.