I currently have an MVC application that is using Forms Authentication. I realize that you cannot self host an MVC application. Business requirements dictate that my application has to be self hosted. I was thinking of creating either a WCF or Web API application that is self hosted, where I can expose various endpoints. However, the problem I am facing has to do with authentication. In my MVC, I used Forms Auth, and allowed the user to use a form to enter credentials. How can I do something similar in WCF or Web API? I know how to render the HTML for the login page, etc., but the part that I am not familiar with is how to code up the smarts so that anyone who tries to access one of my endpoints is redirected to another service, so that I can do my thing to authenticate them.
I guess I'm trying to do something similar to the Forms Authentication redirect, but, within the context of WCF or Web API. I started looking into message interceptors and route filters, but, still need to do some research.
Any ideas to point me in the right direction?
Forms Authentication Control Flow is explained here. This is what you need to implement using a DelegatingHandler for ASP.NET Web API.
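The redirect step of that flow, written as a Web API 2 message handler. This is an added example, not code from the original answer; LoginPath, CookieName and the readTicket delegate (which must verify the ticket's integrity and expiry) are hypothetical names chosen for illustration.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;

// Added example. LoginPath, CookieName and the readTicket delegate are
// assumptions for illustration, not names defined by Web API.
public class LoginRedirectHandler : DelegatingHandler
{
    private const string LoginPath = "/login";     // hypothetical login route
    private const string CookieName = ".APPAUTH";  // hypothetical cookie name
    // Returns the user for a valid, unexpired, integrity-checked ticket, else null.
    private readonly Func<string, IPrincipal> _readTicket;

    public LoginRedirectHandler(Func<string, IPrincipal> readTicket)
    {
        if (readTicket == null) throw new ArgumentNullException("readTicket");
        _readTicket = readTicket;
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // The login endpoint itself must stay reachable, or the redirect loops.
        if (request.RequestUri.AbsolutePath.Equals(LoginPath, StringComparison.OrdinalIgnoreCase))
            return base.SendAsync(request, cancellationToken);

        CookieHeaderValue cookie = request.Headers.GetCookies(CookieName).FirstOrDefault();
        IPrincipal user = cookie == null ? null : _readTicket(cookie[CookieName].Value);
        if (user != null)
        {
            // Web API 2: controllers and [Authorize] read the principal from here.
            request.GetRequestContext().Principal = user;
            return base.SendAsync(request, cancellationToken);
        }

        // No valid ticket: 302 to the login page. ReturnUrl carries only the local
        // path and query, so the login page has no absolute URL to bounce users to.
        var response = new HttpResponseMessage(HttpStatusCode.Redirect) { RequestMessage = request };
        response.Headers.Location = new Uri(
            LoginPath + "?ReturnUrl=" + Uri.EscapeDataString(request.RequestUri.PathAndQuery),
            UriKind.Relative);
        return Task.FromResult(response);
    }
}
```

Register the handler with config.MessageHandlers.Add(...) on the self-host HttpConfiguration so it runs before routing.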
I am developing a solution using .NET ASP Core. Its current version is monolithic, and I want to switch it to a service architecture consisting of an HTTP API which is used by the iOS/Android apps and web site. Here is a visual:
I am using .NET ASP Core on the website and service layers. I have almost finished implementing the changes, but I'm hung up on how to handle authentication on the area of the website that allows administrators to edit the content of the system. The monolithic version uses Identity Core (custom implementation, not using Entity) which works great. I could move the identity authentication code into the service, but I'm not sure how to then handle the authentication on the web site (the apps are public content only, no auth needed). How do I pass the username/password from the website to the service? How do I then track the session between the end user and service layer? Or does another option like OAuth make more sense? I'd prefer a solution that doesn't require me to implement duplicate roles/policies on the website and service.
Any suggestions welcome, I have no experience with a setup like this so I'm not really even sure where to begin. Thanks!
OpenID Connect or OAuth makes sense because all of the claims/roles you already have will be encapsulated into the token. I presently use IdentityServer4 and it works just fine for your exact situation.
Since you are already using Identity, the database implementation doesn't matter as long as you have a back end. In the end the calls to the site are still HTTP in nature, all very well documented.
http://www.identityserver.io
We are starting a project which will consist of:
Web project (ASP.NET MVC)
iOS app
and both will consume data from a .NET Web API service.
The Web API service will expose a POST method with the URL "user/create". But I don't know how I can prevent other apps from making POSTs to this URL. I know I need a security protocol, but I wanted to know which one you recommend, and, if you have one, an article where it is explained.
Thanks
Web API 2 provides OAuth authentication. You will need to get a token from the token endpoint of Web API and pass that token in subsequent requests.
You should find a lot of online resources if you search for Web API 2 OAuth.
We did something similar recently using OWIN OAuth 2.0 Authorization Server.
Reference this ASP.NET page for details. Sample code is included as well for several different implementations.
For our purposes, we used the Client Credentials Grant section about half-way down the page. Our implementation involved server-server OAuth (Web API to MVC), but I bet it's pretty similar to have iOS connect. The only thing I would caution is to somehow encrypt the login credentials on the iOS side, and I'm sure there is a way to do that.
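The token endpoint and Client Credentials Grant mentioned in the two answers above, shown with the OWIN OAuth middleware. This is an added example, not the answerers' code; the client id "mvc-frontend" and the appSettings key "ApiClientSecret" are assumptions for illustration.

```csharp
using System.Configuration;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Added example. Client id "mvc-frontend" and key "ApiClientSecret" are assumptions.
public class ClientCredentialsProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string id, secret;
        // The client may send its id/secret in a Basic header or in the form body.
        bool sent = context.TryGetBasicCredentials(out id, out secret) || context.TryGetFormCredentials(out id, out secret);
        string expected = ConfigurationManager.AppSettings["ApiClientSecret"];
        bool ok = sent && id == "mvc-frontend" && !string.IsNullOrEmpty(expected) && FixedTimeEquals(secret, expected);
        if (ok) context.Validated(id);
        else context.SetError("invalid_client");
        return Task.FromResult(0);
    }
    public override Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
    {
        // The issued token identifies the calling application, not an end user.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.ClientId));
        context.Validated(identity);
        return Task.FromResult(0);
    }
    // Compares without an early exit so timing does not reveal matching prefixes.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a ?? ""), y = Encoding.UTF8.GetBytes(b ?? "");
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions {
            TokenEndpointPath = new PathString("/token"), AllowInsecureHttp = false,
            Provider = new ClientCredentialsProvider() });
        // Validates the "Authorization: Bearer <token>" header on later requests.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}
```

A client secret is only as private as the place it is stored: on a server it can be kept out of reach, while one shipped inside a mobile app can be extracted from the package.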
So you want the WebAPI to only be used by the MVC page? The best architectural method is to separate the two rather than leave both in one project. Why? Because the MVC app is an experience layer for humans. The WebAPI is an experience layer for the MVC app. Move it back where it can't be accessed.
You can add on tokens, etc., but the MVC app sits on the server, but is accessed on the client computer. The wider the scope of the application (i.e., intranet or internet or something in between?), the more difficult the problem and the harder it is for your users to access the application. Moving the WebAPI internal and leaving the MVC app exposed guarantees external users cannot use the API.
The main reason WebAPI and MVC exist together in a single project (still a mistake in most instances, IMO) is you are exposing both to the same audience. If that is not your intent, don't do it.
I'm currently playing around with ASP.NET / MVC5, and I had an idea: I want to create a WPF login so I can log in to the WPF app with my ASP.NET info. I assume I have to create a login form in WPF and send it to the MVC website; the server verifies the credentials and, if they are correct, emits an authentication cookie which is sent back to the client. The client stores this cookie for further authentication.
So this means you will need to send a POST request to the MVC website that verifies the username and password, then the server returns a cookie which is stored by the client in a CookieContainer.
However, I am rather stuck on how I would go ahead and do this.
As #Goobering pointed out in the comment above, this is too big of a question to be answered in a Stack Overflow post. You're looking for tutorials. More importantly, is this WPF app only going to reach out to the MVC website for authentication and/or authorization, or are you going to get other data as well?
My suggestion is that you make a WCF authorization web service that is hosted on the same website as your MVC. Integrating identity into WCF would be easy, and then integrating WCF into WPF apps is even simpler. This would also support getting any other data you need from the MVC website. Here are some links:
http://www.codemag.com/article/0611051
https://msdn.microsoft.com/en-us/library/ee748498.aspx
http://www.codeproject.com/Articles/802435/Authentication-and-Authorization-with-ASP-NET-Iden
Validating a user in WCF using ASP.net Identity 2.0 Framework
Good old Microsoft documentation at its finest. Does anyone know of any resources that explain how to deploy Web API with an ASP.NET Web Forms application? I have the Web API in a separate class library and I call it using jQuery. I don't want anonymous users to be able to access this service, only the application. Do I want to use self hosted? How do I lock the service down? Awesome examples showing how to use, tons of videos but nothing on deployment.
You don't have the right architecture for what you are describing, but what you have is right.
If you are calling web services from the client side (using jquery) then your web service must be public facing.
What you are describing is a web or WCF service in a service oriented architecture. That service would most likely live on a different server and be on an internal network, etc. Even if it's on the same server your requirement is that it is not publicly accessible - thus none of your jquery would work since that request is being initiated by the user and users can only make requests to public facing services.
The comments about using forms authentication to protect your service calls are right. jQuery will include the forms authentication cookie for you when it makes AJAX calls so you shouldn't have to change much on the client side.
I have an ASP.NET web application I built for a client that uses the default ASP.NET forms authentication. They are now requesting a desktop (WinForms) app that works "with" the web application. I have created the web services to access the data they want from the web app and put it into the desktop app. That works great, but there needs to be the same level of security and data access based on roles that is already stored in the ASP.NET application.
So now it's time to make authentication work across both applications.
I would like to take advantage of the ASP.NET authentication by prompting for a login when a user first opens the WinForms application and then possibly calling a web service to authenticate the user and get the user's role and profile.
I'm sure this has been done and/or asked about; I'm just not finding the question/answer on SO.
First: Use WCF for your web services. It's a better framework than the old ASMX services.
Second: WCF can utilize the same RoleProvider and MembershipProvider classes that your ASP.NET application utilizes. It's a simple configuration switch. Use them both and your web service requires the same credentials as the web application.
And... that's pretty much it.
For more info, see:
Implementing a Role Provider
Implementing a Membership Provider
How to: Use the ASP.NET Membership Provider
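The provider switch described in this answer, made in code on a self-hosted ServiceHost rather than in the config file. This is an added example, not the answerer's code; IReportService, ReportService and the "Administrators" role are hypothetical, and the membership and roleManager sections (with the role manager enabled) are assumed to be present in the host's configuration.

```csharp
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Web.Security;

// Added example. The contract, service and role name are assumptions.
[ServiceContract]
public interface IReportService
{
    [OperationContract]
    string GetAdminReport();
}

public class ReportService : IReportService
{
    // The role demand is answered by the ASP.NET RoleProvider wired up below.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public string GetAdminReport() { return "admin-only data"; }
}

public static class HostSetup
{
    // httpsAddress must be an https:// URI: the username and password travel
    // in the message and rely on the transport for confidentiality.
    public static ServiceHost Build(Uri httpsAddress)
    {
        var host = new ServiceHost(typeof(ReportService), httpsAddress);
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        host.AddServiceEndpoint(typeof(IReportService), binding, "");

        // Authenticate callers against the same MembershipProvider as the web app.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.MembershipProvider;
        host.Credentials.UserNameAuthentication.MembershipProvider = Membership.Provider;

        // Authorize against the same RoleProvider (requires roleManager enabled).
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
        host.Authorization.RoleProvider = Roles.Provider;
        return host;
    }
}
```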
To add to Randolpho's answer: another feature users might like is the ability to save their credentials rather than entering them every time they start your application. You can use the Credential Management API for this as described in this answer.