I have been doing a bit of searching around on oauth2 and think it may be a good fit for some WCF rest services I am building out that will be consumed by some WPF apps and MVC web apps. The idea would be that the user is initially asked to login with their username / password and receives an access token which gives them access to the aforementioned resource(s).
Searching around here on SO I have not found much information on oauth2 except for a few consumer related questions to facebook etc.
I'm wondering if anybody can provide some tips on implementing oauth2 (or knows of any good resources). I am interested in both the provider (authenticating and issuing access tokens) as well as the client/consumer end.
.NET OAuth2 Libraries
The only OAuth2 library I found is from dotnetopenauth which also seems to be heavily into openid. At this stage I'd rather a library that is a little lighter and just emcompasses oauth2
Are there any other oauth2 libraries available yet?
There's OAuth .NET
Related
I'm rather new to Web development so bear with me.
I've developed a backend server in C# (non-web app) that exposes some features via a REST API implemented in Web API (OWIN and Katana).
I've developed a Xamarin android app the consumes that API.
Now I want to enable the consumption of the API only for users who have authentication using Google.
I know OAuth is the way to do it and I've been reading a lot about it but I'm still kind of confused about the roles here and who should do what.
What should my server do or implement? what should my client do or implement?
An important feature of OAuth2 to be aware of is the two different authentication flow types:
implicit auth flow
explicit auth flow
I've personally found the Instagram API documentation to explain this pretty well:
https://instagram.com/developer/authentication/
Explicit auth flow is a little more tricky because it involves extra coordination on the part of your custom API. Implicit auth flow is a little easier, because your app will simply look for a URL fragment that comes back from the OAuth provider. That URL fragment contains a token that you can use for subsequent calls to the API that you want to talk to, Google in your case.
But in your case, it sounds like you want to use Google as the identity provider for your custom API, correct? In that case, I think you'll need to use explicit auth flow. Again, check out the Instagram docs. I find them to be particularly good at explaining OAuth2.
EDIT:
And be aware of the Xamarin.Auth component, which is designed for easing OAuth scenarios. You can find it in the Xamarin Component Store or on Github.
I'm looking for the easiest way to authenticate against google oAuth 2.0 implementation for the purpose of accessing the google Drive API. These are the constraints:
It has to be .NET 2.0 compatible
Can not use the google libraries
I'll be using a service account to do work on behalf of specific users
I've looked at DotNetOpenAuth, but the version for the .NET 2.0 runtime doesn't seem to support oAuth 2.0 (google has deprecated oAuth v1, which DNOA supports, of course).
Google's documentation is confusing, at best (witholding explitives here).
Not sure if this will help but the since you mentioned direct JSON, XML, etc. Google has a UI that simulates and generates requests as well as provides some limited documentation that might get you started on creating such code:
https://developers.google.com/apis-explorer/#p/
https://developers.google.com/oauthplayground/
The following provides some additional info on the login:
https://developers.google.com/accounts/docs/OAuth2Login
Far from exhaustive but it's a start if that's your angle.
I have a REST service implemented by ASP.Net WebApi, a WPF client application that consume this service.
Every user have a UserName/Password in stored in Azure Table storage. Now I want to implement an OAuth authorization server "Resource Owner Password Flow".
Now my question is: How can I implement an OAuth 2.0 "authorization server" in .net?
I found that DotNetOpenAuth and thinktecture can help, but I'm not sure about any of them.
The DotNetOpenAuth has a WPF example among many other helpful examples. The only disadvantage of the library is the lack of comprehensive documentation, however samples are great and easy to follow.
I'm looking for an OAuth2 client API I can use in C#, and I came across Googles: http://code.google.com/p/google-api-dotnet-client/wiki/OAuth2
It talks about how to use it to integrate with OAuth for various Google services, but can this library also be used for non-Google OAuth services?
You probably can use for example OAuth2Authenticator.ApplyAuthenticationToRequest() but it will be tricky and not worth the effort. I would rather suggest taking a look at DotNetOpenAuth which supports OAuth2 (and is used by StackOverflow).
Currently I'm developing some infrastructure and I've implemented my own RESTful authentication mechanism.
Now I've in mind that maybe I shouldn't go this way and use an industry standard so interoperability with my project could be trivial and easier to understand in terms of authentication and authorization.
After checking some articles googling everywhere and reading some Q&A here in Stackoverflow, I don't find how to be an OpenID provider - I'm not talking about authenticate users using Google, Windows Live, Facebook Connect and so, I want to develop an OpenID-enabled system so if some want to register into my services, they'll do in my own domain -.
Actually my question is: can anyone become an OpenID provider and is DotNetOpenAuth a library to develop this protocol in your own infrastructure?
Thank you.
Developing an OpenID Provider as a means of Single-Sign-On (SSO) within an organizations ring of web sites is a very valid scenario. DotNetOpenAuth comes with a pair of sample web sites (a Provider and a Relying Party) that demonstrate a single-sign-on relationship. They're called OpenIdWebRingSsoProvider and OpenIdWebRingSsoRelyingParty.
Please do not attempt to implement OpenID by yourself any more than you'd implement SSL by yourself. Getting OpenID security and interoperability just right takes a very long time and a deep level of domain knowledge. DotNetOpenAuth in particular gives you programmatic access to do just about anything you'd want to with OpenID, and since it's free, it's hard to go wrong.
Disclosure: I am a developer behind DotNetOpenAuth.
Actually my question is: can anyone become an OpenID provider and is DotNetOpenAuth a library to develop this protocol in your own infrastructure?
How to become an OpenID Provider
DotNetOpenAuth has some hiccups but all-in-all is a good tool to use it under .NET
if you're think you can do it, you can follow this:
Lastly, and most challenging, is implementing custom support for OpenID in your software and account management tools. While this approach of course affords the greatest degree of control over the user experience, it is also the most risky and only for developers experienced with web security. Start by reviewing the specs and documentation.
But my question would always be:
Why one more provider? Facebook, Google, MyOpenID, ... already have it, and with them, plenty of users have (even without them knowing) an OpenID login...
StackExchange is an OpenID provider since a while ago, but... there's so much users cross StackExchange platform. Are you developing such a big community so it will be reasonable to create and implement your own provider?
I see the answers are couple of years old. If you are looking for the latest solution to build an OpenID provider using Microsoft technology stack, IdentityServer is the open source option. One can use this and build an Open ID connect Identity provider.
Documentation on how to use and build : https://identityserver4.readthedocs.io/en/latest/
IdentityServer4 is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core 2.
It enables the following features in your applications:
Authentication as a Service
Centralized login logic and workflow for all of your applications (web, native, mobile, services). IdentityServer is an officially certified implementation of OpenID Connect.
Single Sign-on / Sign-out
Single sign-on (and out) over multiple application types.
Access Control for APIs
Issue access tokens for APIs for various types of clients, e.g. server to server, web applications, SPAs and native/mobile apps.
Federation Gateway
Support for external identity providers like Azure Active Directory, Google, Facebook etc. This shields your applications from the details of how to connect to these external providers.
Focus on Customization
The most important part - many aspects of IdentityServer can be customized to fit your needs. Since IdentityServer is a framework and not a boxed product or a SaaS, you can write code to adapt the system the way it makes sense for your scenarios.
Mature Open Source
IdentityServer uses the permissive Apache 2 license that allows building commercial products on top of it. It is also part of the .NET Foundation which provides governance and legal backing.