OpenID, how to develop a provider - c#

Currently I'm developing some infrastructure and I've implemented my own RESTful authentication mechanism.
Now I have in mind that maybe I shouldn't go this way and should use an industry standard instead, so that interoperability with my project would be trivial and easier to understand in terms of authentication and authorization.
After checking some articles, googling everywhere and reading some Q&A here on Stack Overflow, I can't find how to be an OpenID provider. I'm not talking about authenticating users using Google, Windows Live, Facebook Connect and so on; I want to develop an OpenID-enabled system so that if someone wants to register with my services, they do so in my own domain.
Actually my question is: can anyone become an OpenID provider and is DotNetOpenAuth a library to develop this protocol in your own infrastructure?
Thank you.

Developing an OpenID Provider as a means of Single Sign-On (SSO) within an organization's ring of web sites is a very valid scenario. DotNetOpenAuth comes with a pair of sample web sites (a Provider and a Relying Party) that demonstrate a single-sign-on relationship. They're called OpenIdWebRingSsoProvider and OpenIdWebRingSsoRelyingParty.
Please do not attempt to implement OpenID by yourself any more than you'd implement SSL by yourself. Getting OpenID security and interoperability just right takes a very long time and a deep level of domain knowledge. DotNetOpenAuth in particular gives you programmatic access to do just about anything you'd want to with OpenID, and since it's free, it's hard to go wrong.
Disclosure: I am a developer behind DotNetOpenAuth.

Actually my question is: can anyone become an OpenID provider and is DotNetOpenAuth a library to develop this protocol in your own infrastructure?
How to become an OpenID Provider
DotNetOpenAuth has some hiccups, but all in all it is a good tool to use under .NET.
If you think you can do it, you can follow this:
Lastly, and most challenging, is implementing custom support for OpenID in your software and account management tools. While this approach of course affords the greatest degree of control over the user experience, it is also the most risky and only for developers experienced with web security. Start by reviewing the specs and documentation.
But my question would always be:
Why one more provider? Facebook, Google, MyOpenID, ... already have it, and with them, plenty of users have (even without them knowing) an OpenID login...
Stack Exchange has been an OpenID provider for a while now, but... there are so many users across the Stack Exchange platform. Are you developing such a big community that it will be reasonable to create and implement your own provider?

I see the answers are a couple of years old. If you are looking for the latest solution to build an OpenID provider using the Microsoft technology stack, IdentityServer is the open source option. One can use this to build an OpenID Connect identity provider.
Documentation on how to use and build it: https://identityserver4.readthedocs.io/en/latest/
IdentityServer4 is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core 2.
It enables the following features in your applications:
Authentication as a Service
Centralized login logic and workflow for all of your applications (web, native, mobile, services). IdentityServer is an officially certified implementation of OpenID Connect.
Single Sign-on / Sign-out
Single sign-on (and out) over multiple application types.
Access Control for APIs
Issue access tokens for APIs for various types of clients, e.g. server to server, web applications, SPAs and native/mobile apps.
Federation Gateway
Support for external identity providers like Azure Active Directory, Google, Facebook etc. This shields your applications from the details of how to connect to these external providers.
Focus on Customization
The most important part - many aspects of IdentityServer can be customized to fit your needs. Since IdentityServer is a framework and not a boxed product or a SaaS, you can write code to adapt the system the way it makes sense for your scenarios.
Mature Open Source
IdentityServer uses the permissive Apache 2 license that allows building commercial products on top of it. It is also part of the .NET Foundation which provides governance and legal backing.
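As an added illustration of the "Authentication as a Service" and "Focus on Customization" points above (example code written for this page, not taken from the answer or from the IdentityServer project), here is a minimal ASP.NET Core 2 Startup that hosts IdentityServer4 as an OpenID Connect provider for one first-party web client. The client id, secret, redirect URI and test user are placeholders; the login UI (e.g. the quickstart UI) is assumed to be added separately.

```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Test;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            // Development only: throw-away signing key. In production use
            // AddSigningCredential with a certificate from a protected key store.
            .AddDeveloperSigningCredential()
            .AddInMemoryIdentityResources(new List<IdentityResource>
            {
                new IdentityResources.OpenId(),    // mandatory for OIDC (sub claim)
                new IdentityResources.Profile()
            })
            .AddInMemoryClients(new List<Client>
            {
                new Client
                {
                    ClientId = "example-web",                        // placeholder
                    ClientSecrets = { new Secret("replace-me".Sha256()) },
                    // Authorization code flow with PKCE; no implicit flow, so no tokens in the URL fragment.
                    AllowedGrantTypes = GrantTypes.Code,
                    RequirePkce = true,
                    // Exact-match redirect URIs; wildcards are not accepted.
                    RedirectUris = { "https://app.example.com/signin-oidc" },
                    AllowedScopes =
                    {
                        IdentityServerConstants.StandardScopes.OpenId,
                        IdentityServerConstants.StandardScopes.Profile
                    }
                }
            })
            // Quickstart-only test user; back this with your real user store.
            .AddTestUsers(new List<TestUser>
            {
                new TestUser { SubjectId = "1", Username = "alice", Password = "alice" }
            });
    }
    public void Configure(IApplicationBuilder app)
    {
        // Serves /.well-known/openid-configuration, /connect/authorize, /connect/token, etc.
        app.UseIdentityServer();
    }
}
```

Relying parties discover the endpoints and signing keys from the discovery document, so the provider can rotate keys without reconfiguring each client.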

Related

.NET desktop application: Using OAuth 2.0 to access SMTP and IMAP services

My .NET application is a WPF desktop application responsible for sending e-mail with the classic SASL mechanism and/or the older one (POP-before-SMTP).
An end user can select any SASL authentication mechanism in the GUI configuration of this application.
As a developer, I was wondering what the gain(s) and cost of making the OAuth 2.0 authentication mechanism available would be.
What does the end user benefit from having this authentication mechanism option available?
The end user can provide themselves with a Gmail account.
The biggest advantage is that they don't need to create yet another account and another password they now have to remember / protect. OAuth2 is also a pretty well defined standard used by all major providers : Google, Microsoft etc.
From a developer point of view, there are libraries which can take away the pain of coding the mechanism yourself; however, I do advise at least reading and understanding how it works down to the finest detail.
I have my own article on OAuth2; you're welcome to check it out, and it should describe in detail how to create your own implementation using standard libraries: https://eidand.com/2015/03/28/authorization-system-with-owin-web-api-json-web-tokens/

Create Custom Identity Provider to be Used in Windows Azure Control Services

I have begun to work with Microsoft Azure Access Control Services. I would like to create a custom identity provider which would authenticate against our back end CRM system. In the past, I had created a prototype Secure Token Service website which allowed me to do this. However, that was a few years ago. I found
https://blogs.msdn.microsoft.com/mcsuksoldev/2012/11/02/azure-access-control-services-creating-a-custom-identity-provider/
which describes how to create a custom identity provider using WIF to be used within Azure, but the site dates from 2012. I had also looked at IdentityServer3, which I thought may be a replacement for WIF.
Do I use the WIF Secure Token Service approach? Is this obsolete? Is Identity Server the new way to accomplish the same thing?
Thanks.
First of all: Windows Azure ACS will probably be discontinued (https://blogs.technet.microsoft.com/ad/2015/02/12/the-future-of-azure-acs-is-azure-active-directory/). We had a contact with Microsoft on this and they said it would be deprecated "two years from now" (not official). This being said, integrating your custom STS in Windows Azure ACS is "easy". ACS just needs a pointer to your metadata document. Normally, if you have an STS that follows the WS-Federation standards, it lives at https://yourSTS/FederationMetadata/2007-06/FederationMetadata.xml. If your metadata is correct, ACS will expose your STS as another identity provider (just like Google, Yahoo etc.). It will do so by offering a "choice screen" that allows an end user to choose the identity provider of her choice. Your identity provider will then show up among them. If the end user clicks the link for your identity provider, the browser will be redirected to your STS (passive login). If she logs in, a token will be issued to ACS. ACS will then "transform" your security token and issue a new one to the final relying party.
Well, the answer is that you have to expose a metadata document and import it in ACS at https://yournamespace.accesscontrol.windows.net/v2/mgmt/web/IdentityProvider.
ACS is being discontinued but who knows when.
ACS was originally introduced to provide social logins but has been used for many things e.g. changing token types from SAML 1.1 to SAML 2.0 and vice versa.
The "new" way to integrate social logins in Azure is Azure B2C but that is a completely different type of Azure tenant and has no SaaS integration.
Refer to: Azure B2C: Differences with Azure Active Directory (AAD) and Azure B2C: Differences with Access Control Services (ACS).
Identity Server 3 is open source, can do pretty much everything ACS can do plus you can add your own social logins and SAML 2.0 protocol and OpenID Connect / OAuth.
Another good option is Auth0 but that is commercial (and no I don't work for them :-) ).
Regarding WIF, it is still supported but no new features are being added. Rather migrate to OWIN.
Thank you all for your comments and suggestions. Well, a few years ago I had purchased the book Programming Windows Identity Foundation by Vittorio Bertocci, which I used to begin prototyping an SSO solution using the WS-Federation approach, which uses a Security Token Service. That project was put on hold and I had not begun to look at this until recently. I purchased Vittorio's new book a few months ago, Modern Authentication with Azure Active Directory for Web Applications. I had only browsed the book but decided to take it home with me this past weekend and read it thoroughly. The book describes the history of pre-claims authentication techniques to SAML to WS-Federation to OAuth to OpenID Connect. It has a great deal of code examples as well as detailed architectural information. This has cleared up the confusion of the different protocols and I now know in which direction to go.

Azure Mobile Services and ASP.NET Identity Architecture

I am hoping someone can clear up how these things can work together.
I want to be my own identity provider, so in my web api I have an OAuth token provider. I want users to register with me and then be authenticated using my token provider. The idea in the future is that more of my mobile apps and web apps will be accessible using the OAuth login sharing the user's identity.
So, if I use Azure Mobile Services, how do I implement the normal ASP.NET Identity stuff?
And how would a normal web app be able to use the data stored in Azure Mobile Services? Would I have two DbContexts, one for mobile and one for web?
I've been reading and watching a lot of stuff on Azure, but nothing seems to show how I can do this. Most of it has to do with using external providers like Facebook, MS, Twitter, etc. I want to be one of those external providers, just not sure how to do it and allow my websites to still use the .NET Identity data.
If you could point me to or post some example / tutorial / blogs that would be great.
This is a supported scenario, although it isn't documented very well at the moment.
The Mobile Services .NET runtime is built on the ASP.NET Katana authentication middleware. The mobile service abstracts this middleware using the LoginProvider base class. The authentication model was recently made extensible for situations such as yours. In order to have Mobile Services recognize and use your identity provider, you would have to create your own LoginProvider.
There are currently two examples of this:
Adding a Katana middleware as an identity provider - part of this post.
Creating a custom username/password setup - tutorial here.
You could certainly use these techniques to wrap the standard ASP.NET identity functionality.
As to your question about accessing the data, there are a variety of approaches. Your web app could treat Mobile Services as a backend and pass through requests. This is basically treating the web app as an additional client platform, a peer to your mobile apps. Another option is to, as you said, create multiple DbContexts. While you might get slightly better performance, this comes with a code maintainability tradeoff. It also wouldn't scale well if you build multiple web apps on the same data backend.

Running own identity service

Does DotNetOpenAuth allow or have the ability to run your own identity server?
We are interested in building an ID provider such as Stack Exchange, Google, or Facebook.
As well as authentication, we are interested in allowing users to register and then, using the same credentials, access any of the corp's resources without logging in again and again.
What's the best place to start? Any source code to research for such an implementation?
Yes, indeed it does!
Best place to start would be the samples included on GitHub.
OpenID Provider
This example will show you the basics for setting up an OpenID provider.
OAUTH
An example of protecting an API with OAUTH - including an example implementation of an Authorisation Server
Have a look; it's a deep dive, but worth it if you are serious about being an ID provider, a decision which should not be taken lightly. If you need help, then search/post back here on Stack Overflow, post on the Google Groups or talk in the JabbR room.

SAML Authentication for a .NET Application

It should be possible to use SAML to authenticate users for any type of application (according to the spec), but the examples I have seen are cookie-based ASP.NET websites.
Does anyone know of an example authenticating users for, say, a Win Forms app (not using cookies)?
Not quite sure what it is you are looking for. If you are looking for SAML based authentication, you can use some combination of Windows Identity Framework and WCF and AD FS. SAML is just the "language" of authentication, but unless you already have an identity provider, you need to start there first.
You can use this article to give you an idea of what the basic infrastructure looks like, and I frequently use the site leastprivilege.com for a deeper reference.
But, if the scope of your application is purely within the desktop (i.e., it never communicates with any services), you really don't need anything like SAML to achieve your goal. Usage of tokens like SAML is for communicating with web services where the endpoints trust the identity provider.
SAML is a wee complicated beastie. I'm not sure I'd try to roll my own SAML SSO solution.
When we implemented SAML SSO, we used PingFederate from. It's expensive, but good. There's also some open source SAML SSO stuff about, but I can't really speak to it.
PingFederate is pretty dead simple to configure and use, although if you don't speak SAML, the learning curve will be steep until you understand the concepts, the flow and the lingo used.
