This webservice is written in C#, and I want to use an OpenID to authenticate.
This authentication request will be called by a WPF, and an asp.net applicantion.
the webservice will then try to authenticate in OpenID server, and in this case I use OpenID-LDAP software.
The big problem is how to use OpenID without showing the web page to login (the webservice is who is going to inform user and password)?
Open ID will, by design, not work here ... because it works by delegating the authentication to another party (when it shows the open ID provider's website to let the user log in). What you probably want to do is authenticate the user once in your WPF app, and then set up some sort of authentication token between your app and the webservice.
Related
I have a react-native app, a web api written in asp.net C# and a web app where i used forms authentication from asp.net. It checks the username and password stored in my db and sets cookie.
What is the type of authentication i should follow?
Can i use same forms authentication even in react-native. If yes then whats the approach.
I want all the api calls to be made by authenticated users only. if not authenticated, then send back to login screen.
You should follow a token based authentication, you can read more here
The form authentication in react native as well as in standard native mobile or web application works the following way:
User types in his credentials in the application form
Your application takes his input data and sends it to a server to check the validity
If the credentials are valid, the server sends a unique TOKEN which you have to save in memory for additional ussage. This also means the user has successfully authenticated.
In every next http request, you have to pass the TOKEN a server sent before. In every request, server will check TOKEN validity, if it's valid, server will send data. Otherwise not.
You have to setup your application state where you store user information. For example, once your server returns a TOKEN informing, you change your user's state to { loggedIn: true } Based on that value, you can navigate user to the corresponding screens such as Login or in app dashboard.
You can also check https://auth0.com/
I don't have much experience with CA sitemider so please bear with me, if I am asking silly question.
I am creating a excel add-in which uses win-forms for the interface. I have added a Web reference of a web-service which I need to call to perform operation. The web-service supports the SAML authentication. So my requirement is, I need to validation the user from the Active Directory using CA sitemider and get the token (like access token or auth token) and then pass it to the webservice.
I'm not sure how can I implement this? What should I do to get that token and also do I need to use the web browser control in winform to implement the siteminder authentication flow?
Check the System.IdentityModel namespace for this , you can implement via Windows Identity foundation. The namespace has validators for SAML1/2 tokens. To request a valid SAML token and pass it to your webservice you might need to configure an interface which can get you the token first.
How Siteminder sends the token is same as other Identity providers, the user has to be a valid user of IDP (Siteminder in this case), once the request goes to Siteminder, it shows its login page and once user logs in the server returns a SAML token (try using 'SAML parser' extension of firefox to see how the token looks when its returned). You can extract the token in your interface after request is sent back to your end from Siteminder, then validate it (if needed) and send it to your webservice.
I'm implementing some WebApi to upload/convert/return videos.
Another developer will implement a PhoneGap application that will call my WebApi to upload/convert/show videos to users.
The PhoneGap application uses OpenId to allow users to login using google and facebook.
My problem is that I want to make sure the client that is calling my WebApi has been logged in on the PhoneGap app using google or facebook.
I know that all I need is the client to send me a token in the request header that I can "extract" on the web api to validate the user. My question is how can my WebApi know what is the token that has been generated by openId (google/fb) on the PhoneGap app?
Well I am also searching into this and what I have got so far i will share with you in following steps:-
1) Whenever user call my login page I will create the token in response header to make sure that request is coming from legitimate user. just like antiforgery token in mvc.
2) Then upon successful login i will create the authentication cookie and set the current user context value this will Authorize the user and generate another token as mentioned above.
3)Then after this i will use normal Authorise, Roles attribute provided by WEBApi.
Let me know what you think? I am more than happy to contribute.
Another approach is when user login create a hashed token and add it to response header and create custom attribute which grab that token and check it against the database. The problem with this approach is that you will be hammering ur database all the time.
I am looking for single sign on for my application which is built on javascript (no server side language).
Requirement:
Agent log in to Windows (user integrated to Active directory)
Open my web page
Based on who logged in to windows, my application goes to AD and pull some user
specify data (eg email, phone)
How shall I go about it?
As per my understanding I will require ADFS for this.
So:
User goes to my web page
My web page calls some Web services or web application (which is build on c#)
That will authenticate against AD FS and get claim
Either get phone number and email in claim or get username and query AD for phone and email
Return the data to my web page (build on javascript)
It seems there something wrong in my understanding!!
Please suggest more appropriate solution based on my requirement
Frankly, I can't think of a way to make it work without a server side processing. This is because the ws-federation protocol ADFS uses is not just about returning claims.
It is about returing a SAML token. The token contains claims but what is most important about it is that it is signed using the XMLDsig. How are you going to validate the token is a first big question. But there are surely external libraries that allow that.
But then, such authentication can easily be bypassed by modifying scripts in the browser. This is because the ws-federation stops where you get the token and then it is up to you to exchange the token for the actual identity. And this won't work when processed only at the client side.
ADFS 3 does not support the OAuth2 implicit profile, which would be an option, but still you would need to verify the token on the server to avoid session fixation.
You can setup something like AuthorizationServer that supports Oauth2/OpenID Connect implicit profile
http://leastprivilege.com/2013/09/19/adding-oauth2-to-adfs-and-thus-bridging-the-gap-between-modern-applications-and-enterprise-back-ends/
Another option is to use something like Auth0 (Disclaimer: I work for Auth0) which also supports OAuth2/OpenID Connect implciit profile. In that case you wouldn't need ADFS, there is a connector/agent that you install on your network that does not require opening firewalls or anything and it supports implicit profile that is suited to JavaScript apps. This is an example of a single page app tutorial (if you create an account it will tailor the doc with your credentials):
https://docs.auth0.com/singlepageapp-tutorial
We have a client application running on each users computer that has a link to the associated web application.
A recent requirement is that if the user is logged in on the client application that they should be able to click the link and be automatically logged in on the web application.
Our web application is encrypted using SSL. Our client application is in Silverlight.
Is there a way to achieve this securely?
Our first naive thought was simply to embed the username and password in the url for the site, but obviously this is not secure because it is visible in the history and via the back button.
Attempt two involved simply converting the password segment into Base64 as to obscure it from view and trust in the SSL to encrypt it.
I'm still not happy. Ideally we would want to use some sort of time based token that expires within minutes of being used.
Where do we start?
If this becomes overly complicated (special hardware) or requires the user to do anything other than click the link-button then the feature will be dropped.
Perhaps you could make an authenticated web service call from the client application to the web application to obtain a token when the user clicks on the link, and then append the token to the querystring? Then the user is logged into the web application using the token, which is then immediately invalidated (valid for one-time use only).