I have an MVC application using Windows Auth which consumes a Web Api service. Both are hosted within the same domain but sat on different servers (MVC is publicly accessible). Now lets suppose the Web Api service has a method "CreateFooBar" which requires that the user is in a particular AD group. At the MVC layer I can easily check that the user is indeed in the group, package up a JSON message and call "CreateFooBar". But how does the service perform such a check? How can I tell it which user has made the request?
Initial thought is just to add the userID to the JSON message and let the service method retrieve the details but this would allow someone to just pass in any userID they like so clearly this won't work. Can someone point me in the right direction please?
You should use something like Kerberos delegation.
The user will be authenticated in the MVC application using Kerberos then the Kerberos token will be passed to the Web API call.
We do that currently at work to pass credentials from an ASP.NET app to an Exchange Webserver. It works fine.
If you want more info check this KB: http://support.microsoft.com/kb/810572
You should look into what windows identity foundation can do for you. By setting up adfs in your environment and using claims you will address most the problems you are talking about.
you'll need the identity and access plugin for visual studio and you can test the idea out using a self hosted sts.
Related
Ok, I have this scenario.
I have one WEB API which will provide functionality to an intranet application, the idea is this application WILL not be visible to the outside world, so it wont have a login page.
However, the web api will also be consumed by mobile apps outside the organization, so the webapi WILL be exposed via a public url.
How can I make the authentication/authorization here to support both scenarios?
1. Internal users will be able to consume the web api via the angular backend app without an explicit login page.
2. External users via the mobile app will consume the web api with their active directory account.
I found this:
https://stormpath.com/blog/token-authentication-asp-net-core
where I could easily replace the GetIdentity Method to go to Active Directory and check if user exists with that user and password, but on the intranet, I wont have that info.
ideas please?
The best way to handle such a scenario is to use HMAC Authentication as discussed here. This will allow easier access to the piblic endpoint without requirering some kind of a login from the mobile clients, while at the same time enabling you to know which mobile is acceessing your endpoint. This is the same workflow as implemented in External Auth services like login with google and facebook where you are given an apikey and a apisecret
YOU CAN FIND THE SOURCE CODE OF THE EXAMPLE USING ASP.NET HERE
I am investigating how IdentityServer 3 works and I still have problem to fully understand.
In general concept is clear to me but still I am not sure how to implement this on real project.
This is basic example that I am trying to implement in my case: link
I have web api project and I want to call my api methods from any client (mvc, wpf, phone…)
So I need implementation that is suitable for all clients.
If I understand well (and probably I am not understand completely), I should have 3 projects:
Client
Api
Project that host IdentityServer
And all projects should have required stuff like on picture:
Steps on picture:
Get token
Return token
Call api
Check if Token is OK
If Token is fine than return data else show error
My questions are:
Is my thinking about how this works ok?
Where I making mistakes?
Is this example good enough for my case? Am I missing something
important?
Do I have to create project that host IdentityServer, or this is
needed just for example code ?
Does IdentityServer host project must be console application that
communicate with api and client(like in example), or in real world
this is done differently ?
Should project that host identity server be aware of Clients and
Users ?
Should some other project except host identity server project be aware of Clients and Users ?
What is diference between implicit and hybrid flow, what I need in my case and why?
How do I create my own login view? I want have html page for login if I use web client, but to have wpf login view if I use wpf, also different view for mobile client.
EDIT:
I think that I need Resource Owner flow . I supose that resource i view where user type user name and password.
Your basic flow is correct, with Identity Server acting as your authorization server and your client and web API separate.
You should host Identity Server in its own project to ensure it is separate from any other logic which has the potential to introduce security concerns. How you host it is up to you and your use case. Typically you would see it hosted within an ASP.NET project on an IIS Server.
Identity Server must be aware of clients and users in order to authenticate them. The only other projects that should be aware of your identity store (users) is any applications that concern things like admin, user registration, etc. The client store would only ever be used by Identity Server.
Views can be modified using the Identity Server templates or by introducing your own ViewService. See the docs for more info: https://identityserver.github.io/Documentation/docsv2/advanced/customizingViews.html
Regarding flows, the Resource Owner flow is OAuth only, so there will be no authentication (log in page), only authorization (server to server).
I have two projects:
An ASP.NET MVC 5.2 Application using ASP.NET Identity 2.2
A WCF Application SOAP XML service.
Note: The WCF service is not hosted by ASP.NET, nor is it running in ASP.NET compatibility mode. A requirement of this project is that it is interface based and ASP.NET compatibility mode does not appear to allow an interface based implementation.
The ASP.NET MVC Application calls the WCF SOAP XML service server side when a user makes a specific action request. However, the WCF service is accessed via the public Internet so in theory anyone could call it if they knew the address. I need to ensure that only ASP.NET Identity registered users who are Administrator role are able to call it. The WCF Application could directly access the database but it doesn't seem like it would be the best solution?
How can I check from the WCF service whether a user is authenticated and authorized in ASP.NET MVC 5.2 using ASP.NET Identity 2.2 using object passing? Which objects or properties should be passed and checked? Is there any other solution? Is it possible to check authentication/authorization with attributes in wcf?
Do you own both, are they in the same domain?
You could interact with a database behind the scenes to generate an auth token, then have the wcf service pass a url with the token back to the user. When the user goes to the site via the tokenized url it checks against the database from the perspective of the ASP app and authenticates. It's a bit asymmetric, but it would handle your use case without getting into domain restrictions.
I currently have a web api 2 project acting as my applications middle tier. I need to secure this project as well as provide an authentication service for my MVC project and potentially iOS and Android applications.
The web api business logic requires the checking of the user permissions/roles to ensure security, the mvc project requires the same functionally to ensure the request to the controllers are valid. How do I do this using Asp.net Identity or some other means? Are there any reference projects for this sort of thing?
Some good info here:
http://www.asp.net/web-api/overview/security/authentication-filters
Another way I've seen it done is have a separate API to generate access tokens for a 'transaction' using whatever credentials you want to use...but usually done via https! This token is then passed by the client to the business layer API as a parameter. Various checks can be carried out on the token e.g. Same client that requested token? Token expired? Token already used? Etc
Let me know how you got on.
Thanks.
UPDATE
Web API Security with local accounts:
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
I have an ASP.NET web application I built for a client that uses default the ASP.NET forms authentication. They are now requesting a desktop (WinForms) app that works "with" the web application. I have created the webservices to access the data they want from the web app and put it into the desktop app. That works great.. but there needs to be the same level of security and data access based on roles that is already stored in the asp.net application.
So now it's time to make authentication work across both applications.
I would like to take advantage of the asp.net authentication by prompting a login when a user first opens the WinForms application and the calls possibly a web service to authenticate the user, get the users role, and profile.
I'm sure this has done and or asked about.. I'm just not finding the question/answer in SO.
First: Use WCF for your web services. It's a better framework than the old ASMX services.
Second: WCF can utilize the same RoleProvider and MembershipProvider classes that your ASP.NET application utilizes. It's a simple configuration switch. Use them both and your web service requires the same credentials as the web application.
And... that's pretty much it.
For more info, see:
Implementing a Role Provider
Implementing a Membership Provider
How to: Use the ASP.NET Membership Provider
To add to Randolpho's answer: another feature users might like is the ability to save their credentials rather than entering them every time they start your application. You can use the Credential Management API for this as described in this answer.