We Keep Coding

RESTful API Design - same path diffrent roles

I´m currently working on a RESTful API, which has to give access to two diffrent Roles: Admin and User. (I'm wokring with Azure AD App Roles)
My Problem is that I don't understand how I can design the controller logic.
For example I want both (admin and user) to access the endpoint /books, but the admin is allowed to see all books and the user is only allowed to see his books.
What is the best practice to give both the allowed access? I thought of splitting it into two enpoints like this:
/books -> with annotation [Authorize(Roles="Admin")]
/user/{id}/books -> with annotation [Authorize(Roles="User")]
Thanks for helping!
Best regards

I think this sample may be of some help. And if you need sample written by other languages, you can refer to this document to find a suitable one.
And on your case, I think the most important thing is to find out the way to execute the right query and make the query result return to correct user.
So if you set a specific url for each user(I don't think this a good idea to expose user id in the request link), or you hide the user role/id into the token which contained in request header, you all need to write logic code to check which query method need to run. For example, hit domain:port/books with an access token, then your filter catch this request and decode the token to know the user id and user role, and maybe can save them in the session, then your controller may check the value stored in session and choose a right query to get the books information.

Simple OAuth2 authentication - Request an access token

I have been struggling with this now for a while. So if someone could help me it would be great.
I am trying to get a simple access token from the TwitchTV API. I am referring to this link: https://dev.twitch.tv/docs/authentication/#getting-tokens
GET https://id.twitch.tv/oauth2/authorize
?client_id=<your client ID>
&redirect_uri=<your registered redirect URI>
&response_type=<type>
&scope =<space-separated list of scopes>
So thats where I begin to struggle already. How exactly do I make such requests in an ASP.NET MVC application? I see that I have an Startup.Auth.cs class where I can configure OAuth Authentications. But how does such authentication have to look like?
It then says in the documentation:
If the user authorizes your application, the user is sent to your
redirect URI, with an ID token and optionally an access token (if that
was requested):
https://<your registered redirect URI>#id_token=<an id
token>&access_token=<an access token>
Now how do I access this token? Can someone please give me a small Code example of how I should start with this API? I really dont have any experience with such technology. How do I have to configure my Startup.Auth.cs and how does my Action have to look like, that starts the authentication?
Please refer to the link above in your answer. Thank you!

You can create a redirect URI as callback URL.
when a user logged in in your app the callback will be triggered containing the Access Token and other information.
here is the sample snippet in PHP (https://yourhost.com/outhcallback.php)
<?php
$acccesstoken=$_REQUEST["access_token"];
$id_token=$_REQUEST["id_token"];
store_to_session(accesstoken);
?>
now you have the token. if this token you require in server-side store to the session and if require in client-side store to local storage.

C# Web API 2 & Angular - Microsoft Account Authentication

I've asked the question below a couple weeks ago and I didn't get a working answer. Or maybe just not suitable for my case.
C# Microsoft Authentication Get logged user from controller
So I thought maybe I wasn't asking the right question. What i'm trying to do is create an app which has a C# Web API 2 backend and an Angular 2 frontend. Now, I want that my authentication be using people's Microsoft Account which means this will be an external authentication.
What's the best way of doing this? It would be very much appreciated if you can give a link on a blog or article that explain what I'm looking for. On my link above I've used msal.js and so far it was working fine for me until I had to get the logged user's details. It was possible from Angular's side but I want to do it in Web API so it is more secured.
Thanks in advance!

If you are using OpenId, you have claims that are returned when user is authorized. I am assuming you are using Azure B2C for authorization in which case you can select clams that will be returned as part of token.
For example, if you want to fetch user id:
var userId = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
Email:
string userName = ClaimsPrincipal.Current.Claims.Where(x => x.Type == "emails").FirstOrDefault()?.Value;
It depends what claims your authorization has returned, easiest way would be to put breakpoint on
ClaimsPrincipal.Current
and inspect it, it should return list of claims.

From your code in the previous post, it looks like you need to read from the ClaimsPrincipal instead. ClaimsPrincipal is the implementation of IPrincipal when you use OAuthBearerTokens, so of course you can get the username from CurrentPrincipal.Current.Identity
From this documentation
https://msdn.microsoft.com/en-us/library/system.security.claims.claimsprincipal(v=vs.110).aspx
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-api-dotnet
public IEnumerable<Models.Task> Get()
{
var user = ClaimsPrincipal.Current;
...
}

i do with this example
https://github.com/Azure-Samples/active-directory-b2c-javascript-angular2.4-spa
and it work well

Check domain name of email Id for google oauth

I am trying to authenticate my app using google oauth. I want to allow only a particular set of people having a specific "#eg.com" to be able to obtain access.
I tried including the
hd="eg.com"
in my url.
But it is accepting even "#gmail.com" or "#company.com" domains.
Is there a way to do this, so that users like "users#eg.com" only gain access tokens and stuff?
Edit:
I am using a webview in my app to perform the authorization

You can (and should!) validate your id_token with a call to the google api. Call https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123 and check the various fields of the response. If you request the "profile" permission you will also get the email field. You can then check this email against your domain, and deny the access if it does not fit.
For detailed documentation see:
https://developers.google.com/identity/sign-in/web/backend-auth#calling-the-tokeninfo-endpoint

i think you will have to implement that in your application
just don't store the tokens and show some error message if the domain part is not the one allowed.
you can get the domain part in c# using
string s = "users#eg.com";
string[] words = s.Split('#');
words[0] would be users and words[1] would be eg.com
Alternatively you can use MailAddress

User name in Url asp.net

Im about to start my new project, and got architecture problem. I want each user to have their own link to their personal profile.
Like this: Localhost/user/MyRandomUserName
so when i am accutally gonna click on link, i gonna have to find MyRandomUser in db, and replace string with actual Guid of user.
Website wil have possibility to log on with facebook and gmail accounts (to make it easier to access webpage), so there will be possibility of duplicates of same names.
Problem is, how smart is it to put user name as an "id" in url?
I can see youtube something similar, but how does it work?

Website will have possibility to log on with facebook and gmail accounts
You will have id for gmail, facebook for login which should be unique and you will ask user to give a unique name for your site which be served as url and if he does not then or you can show GUID instead of name.

You can use asp.net routing. Read this article for more details:
http://msdn.microsoft.com/en-us/library/cc668201(v=vs.100).aspx
You can extend user profile with unique id that is not userId and then use it.