Can Web Authentication Broker be used with a non oAuth authentication ?
I have created an Asp.Net MVC2 website with a login page that I want to use through Web Authentication Broker to retrieve and persist the authentication cookie.
Here is the code :
WebAuthenticationResult WebAuthenticationResult = await WebAuthenticationBroker.AuthenticateAsync(
WebAuthenticationOptions.None,
new Uri("https://localhost:44301/Account/LogOn"),
new Uri("https://localhost:44301/"));
When loaded the WAB returns the following message "Can't connect to the service" and when looking to the event viewer there is a navigation error event.
Is something wrong with my code or there is no way to connect to a cookie based login page ?
Web Authentication Broker is meant for WinRT applications.
In your case you have several options.
Use DotNetOpenAuth directly
Upgrade to MVC4 and use the support provided via ASP.NET 4.5's addition of the oAuth functionality included in the default templates. See Using oAuth Providers with MVC
It's super easy to integrate into your MVC app.
Related
I have three application Web API, MVC Application(Web App), Java Native App(Mobile App). I need to authenticate my web app and mobile app from web api. So which authentication is best for this scenario?
Please help me, I have experience of developing on MVC Application but with Web API it is new for me and for same android which is also new to me?
I would suggest the following read: https://learn.microsoft.com/en-us/dotnet/architecture/microservices/secure-net-microservices-web-applications/
It will provide you with different authentication and authorization options. You might opt to use social identity server like Google or Facebook, or go with your own identity provider. In both cases the protocols you need to know about are:
Check out what openid connect is: https://openid.net/connect/
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
Check out what oauth 2.0 is: https://oauth.net/2/
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
For web app SPA use the implicit grant
For native apps, great read here: https://www.oauth.com/oauth2-servers/oauth-native-apps/
The current industry best practice is to use the Authorization Flow while omitting the client secret, and to use an external user agent to complete the flow.
Last but not least, if you want to create your own identity provider you can use the open source identity server for both openid connect and oauth2: https://learn.microsoft.com/en-us/dotnet/architecture/cloud-native/identity-server
I suggest for you to use web tokens and to implement it in your Web API project, i encourage you to see these series of videos to do that, It's describe how to implement JWT in Asp.net Core Web API project:
ASP.NET Core Authentication with JWT (JSON Web Token)
ASP.NET Core Authentication with Custom Handler
Role-based Authorization in ASP.Net Core (With Custom Authentication Handler)
Policy-based Authorization in ASP.Net Core (with Custom Authorization Handler)
JWT Refresh Token in ASP.Net Core (a deep dive)
That series will help you to build JWT in your Web API, And if you want to implement OAuth 2.0 and OpenID you can read the guideline for the protocol and you'll implement by your own, It's not default to implement.
[EDIT]
you can use Microsoft.AspNetCore.Authentication.OpenIdConnect for OpenID after seeing that series, and this Article will be helpful .NET Core 2.x native OpenID Connect example
I'm trying to develop many projects under one solution on asp.net and I want to be authenticated just on the first project (Demarrage) then having authenticated immedialtly in the others projects. I'm using Windows authentication.Project Overview Link
As far as I know, if you enable the IIS windows auth and use IE or Chrome to access the web application. The browser will auto store the windows credenticial and use it to login in. That means you just need to login in once and it could access other web application.
If you want to enable a SSO for both windows auth and other auth mode. I suggest you could consider using identity server. The Identity server is an OpenID Connect and OAuth 2.0 framework. It could Single sign-on (and out) over multiple application types and it support windows auth.
Details about how to use it with windows auth, you could refer to below article:
http://docs.identityserver.io/en/latest/topics/windows.html
We currently have an ASP.NET Core MVC app in combination with IdentityServer4 for authentication. The user authenticates via IdentityServer (with the HybridAndClientCredentials flow) to ADFS before it has access to the MVC application.
The SignInScheme on the MVC client is set to the values "Cookies".
We would like to extend our MVC app to host multiple Angular apps. Sometimes even more than 1 Angular app per MVC view.
The angular apps will call seperate ASP.NET Core Web API's on behalf of the user.
My question is how does the angular apps know that the user is already authenticated in the MVC application, retrieve the access token and call the API's on the user behalf?
I have been playing around with solution Scott Brady came up with but there seems no integration between the MVC app & Angular app. The Angular app will try to authenticate to identityserver and expect a callback on a particular page.
I am looking for a solution how to share the accesstokens between the MVC app and the angular apps but I am stuck. Any help is much appreciated.
If they have to sign in via the server-side hybrid flow already then the simplest way would be an endpoint in your MVC app that is cookie-secured that the client side app can call to get the access token.
Another approach is to use oidc-client-js and have the client side Angular app obtain its own token.
You could abstract this away from the client side app itself so it's easy to change the mechanism later if you need to. As it happens we use a combination of server side and client side flows and it works fine.
I have the following setup.
2 mobile apps communicating with an asp.net web api 2 project and they use Token Authentication. Each mobile client stores the token client side, never username and password.
I then have my web portal hosted on an asp.net mvc 5project which uses standard cookie authentication.
Now in some cases my mobile apps needs to load webpages from the mvc 5web portal. For example our payment gateway page. But the client needs to be authenticated in order to load this page.
At the moment when we show the user a web wrap of out web portal. It asks them to login again. This is very bad UX.
How can I authenticate the client on the MVC site, using my web api Token
I'm imagining a function like this in the MVC site:
pubic Action LogInWithToken(String token)
{
var user = GetUserFromToken(token);
var isAllowed = AuthenticateUserFromToken(user,token);
if(!isAllowed) return 401;
return CreateCookieForUser(user);
}
Is the Web Api 2 application hosted in the same machine as the MVC 5 application?
If they are, you can manually deserialize the token to get the id of the user. See Extract User details from web api auth token in MVC.
From there, you can sign in the user in CookieAuthentication automatically.
If they are hosted in different machines, however, you would have to specify the same machine key in the projects' Web.Config files.
I develop a native android application that done it's authentication, authorization, getting resources using WebApi backend.
After many discussions about what is the best and secure way to implement authentication and authorization using .NET technologies we decided to use Thinktecture's IdentityServer3.
Before i was follow this series to implement a token based authentication using Asp.NET Identity system, every thing was OK but after investigations i decide to decouple the authentication server and using Thinktecture's Identity Server.
So now i have a separated web apps hosted on azure one for resources and other for authentication using IdentityServer3 and one native Android client .
My Android client application having an authentication using Facebook/Google, and i already implemented this before on android using Parse or separatly based on Facebook Android SDK & Google services
Also Users having roles.
Now i want to know if there is a correct approach for doing that from the authentication server perspective and also client android application perspective as there are many discussions about the configurations of identityserver3 with native apps also should i use a webview activity in android to handle connection with authentication server or using native java code with HTTP library like retrofit to send request and get response.
Also with Facebook, i already implemented authentication directly from android app using Facebook Android SDK and i can get the AuthToken and the approach that i think about is like shown in this question:
Authenticate user to Facebook from Android application.
Get the FB auth token to the android app.
Forward the authentication token & facebook UID from Android to web
server.
On web server, make Facebook API call with the submitted token.
If the Facebook API call from web server returns valid authentication, and the user id is equal to the one submitted by Android application, your server can trust the id (& you can be sure that the Android authentication real)
Or should i depend only on backend identityserver to handle Facebook authentication?
you can use the hybrid flow (if you need access tokens and refresh tokens)
, also You could use the implicit flow
just have alook at this topic
and about how can you do it,
Either, you can do it by doing a combination of web views and hybrid/implicit flow, or do the redirect style to the IdSvr login page. Using resource owner password flow