I am looking to write an auth service using Web Api, and SQL Server for authenticating and authorizing users on my .net site, but ios and Android apps as well. I'm speculating that basic authentication over SSL is the easiest way to go, but I'm pretty new to this whole section of .net. I'm having trouble finding some clear tutorials that explain how to write such a service. Can anyone point me to some resources on how to do this? I'd appreciate it.
I think you need to look OAuth implementation in .NET.
Here is a video to give you some background on Web API security.
I also suggest getting a trial subscription to Pluralsight training and check out the courses on Web API security.
You may want to target the latest release of Web API 2.0 from Microsoft, it has the most features you'll need.
I think this might be useful for you:
http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api
Related
There is a project I am working on using asp.netcore 3.1. d app is a web API and will b consumed by multiple clients(web browser, android and Windows forms). How can I build the OAuth2 server in c# to protect my API.
Most companies don't build their own Authorization Server, since it is a job for security experts. Instead they use a cloud provider, and these are often very low cost or free.
In the early days this is a good learning guide and will save you a lot of time. You can then focus on OAuth integration into your UIs and APIs.
As long as you keep security in your UI and API standards based you will then be able to easily swap between providers later - or use an open source one perhaps.
Here are a couple of resources of mine that you might find useful. My early code is in NodeJS, but based on OAuth messages, so easily translatable to .Net Core:
Setting up an Authorization Server
Initial Tutorial
OAuth Messages - see Step 16 for API Integration
I hope someone can at least point me in the right direction here.
I have a need for Open Authentication in my business.
However it is not to use other services like facebook or google etc.
We have a membership database - a standard asp.net membership database (slightly modified with an additional table for profile information).
We also have multiple applications that our customers can use but require a log in, so we would like to use the membership database as an authentication source for these applications using open auth.
But i'm not sure where to start with it... everything i look at seems to point to using facebook or google etc as the source of authentication.
Where do I start with being the provider for open auth?
Any recommendations? Any advice for a newbie to open auth?
Our website is webforms, not mvc and runs on .net 4.0.
Thank you in advance!
Try to look at Thinktecture IdentityServer v2. It is an IAM that handles authentication. It is customizable. With little coding you can wire your membership database with it. See this page and IdentityServer wiki for more info.
You should start looking at the code from DotNetopenAuth, particularly the Samples. This is should give you enough to get started with OAuth and/or Open ID.
Particurlarly, look at this sample, as this uses OAuth2 to protect a web api, which can be used a starting point to something that can be used by clients in a very similar way to facebook or google logins.
Does anyone know of an analytics package, either open source or commercial, that can be integrated into a corporate MVC3 site running in a restricted environment?
The (rather rigid) requirements for my project are: -
The solution must be installed locally, which sadly rules out Google Analytics.
The solution must track analytics for individual users / customers.
The solution must work on a Microsoft technology stack and work under IIS 7.5.
Unfortunately due to client sensitivities (I.E., security and brand reputation) they cannot use publically analytics packages and thus rule out Google, Open Web Analytics, etc.)
Thanks, and let me know if I need to make the requirements clearer.
Piwik is one of the best open source Web Analytics solution. I understand you need a solution in Microsoft stack but this is based on PHP.
I am using this to tracking SharePoint web applications and I am running Piwik using IIS 7.5.
Configure IIS to use a detailed log. Then use a IIS log analayzer tool (there is plenty, google).
http://awstats.sourceforge.net/ is pretty popular. (PHP, but easy to configure in a separate website in IIS)
A .NET based analyzer: http://www.iis.net/community/default.aspx?tabid=34&i=1864&g=6
I have an application running on a server that periodically extracts data from Google Analytics. It doesn't issue many queries so I don't think any limit would be a problem.
I have a prototype running, however I had to provide a login a password for the authentication (in code).
I see that I can generate API keys and other kind of authentication bits and pieces in the Google APIs Console, however I am not sure how to use them and whether they can be used in place of the login/password.
It just doesn't seem right to use a user login/password to authenticate a server application.
Is there another way?
(I am using the C# client library)
You should be using OAuth 2.0. See:
http://code.google.com/p/google-gdata/source/browse/trunk/clients/cs/samples/oauth2_sample/oauth2demo.cs
for a sample OAuth workflow.
The best way to do this is with Google Service Accounts
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
However, I don't know off the top of my head the best library for c#, but there does appear to be support for it in the Google library. http://code.google.com/p/google-api-dotnet-client/wiki/OAuth2#Service_Accounts
Here's a answer specifically about the PHP client.
Service Applications and Google Analytics API V3: Server-to-server OAuth2 authentication?
I'm starting a new project, using ASP.NET MVC 3, and one requirement is to support multiple authentication providers, i.e. Live ID, Google, Facebook, etc. I've looked at companies that provide such a service, but ideally I need a free solution.
Does anyone know of a free service?
If not, the only other solution is to develop something similar to support the providers I'm interest in. Has anyone implemented such a thing? If so, can someone provide any suggestions, articles, guidence, etc, to help with this?
I don't think there is an open source library that supports all the sites out there. You may take a look at OpenId for those that support this protocol. For FaceBook you could use the Graph API.
Jainrain Engage is free for their basic accounts.
Whilst not free the Windows Azure Access Control Service provides just that
You use Windows Identity Foundation in your website to point at the ACS, and configure the ACS with Live ID, Google, Yahoo ID and/or Facebook (as well as potentially any other STS)