Pass parameter from application to custom B2C policy claim - blazor-webassembly

I have a Timer, that manages Blazor application session time. After it expires, application redirects me to login page.
The login page is implemented via B2C custom policies and as far as I know it is configurable with claims.
Is it possible to somehow pass a parameter from application to claim in order to then customize UI of the login page?
I am using MsalAuthentication for authentication in my app.

Related

Integrating SSO with an Application with Native Authentication

I have been tasked with integrating single-sign-on for an existing application, so I've been working on a couple of demos. The first one was the standard demo for Spring Security and I got that working. Now I'm trying to do a proof-of-concept demo where I created a toy version of the application in question with only two screens: one for login, and one to display some information about the user that logged in. I want to integrate SSO with this application so that the user has two ways to be authenticated: either by entering credentials directly in the login screen or by a SSO SAML request...
So I copied over SAML libraries and configurations from the standard SSO demo into my proof-of-concept application, and I seem to have SSO working, albeit a bit too well, in that I'm no longer able to get to my login screen, i.e., I still want that to be the default behaviour for someone entering the base URL for the application. How do I have to configure my application to achieve this?
The way I solved the problem was by changing the Spring Security configuration so that instead of using the generic /** to require SSO authentication for most pages of the application, it nows only requires such authentication for a single HTML page, sso.htm. This "page" is really translated by the application as a request to a controller that handles the application-specific processing for an SSO request. The initial page for the application, redirect.jsp, now contains some logic to pick which page a user should be redirected to, based on whether he or she got to that page directly (i.e., by typing in the default URL for the application) or via a SAML message from a trusted identity provider.
Note: For this to work, the initial page cannot be designated in the Spring Security configuration as either a secured or unsecured page. If it were secured, then this page could only be accessed after an SSO authentication, so a user would be thwarted from doing a non-SSO login. If unsecured, then the security context would not be accessible from that page, so the page logic would be unable to determine if the user in question has SAML credentials and an SSO authentication request for the application could never be fulfilled.
Once the user has been authenticated, either by credentials entered in the login screen or by an SSO request, from that point on, the application's continuing authentication of that user to view its pages is the same, i.e., no further SSO authentication is done. But when the user logs off from the application (or is logged off due to a session timeout), a check is made then to see if SSO authentication was done for this user. If so, then in addition to being logged out from the application, a local SSO logout is also done for the user, i.e., the SSO authentication session for the application is terminated, but the user remains logged in with his or her identity provider. So such a user could log back into the application in question, either directly via the application's login screen or by having the identity provider issue a new SAML message.
Hope this helps someone else...

API method to register new user in identityserver3

I have an API proxy that do the rest of my business login, identityserver for authorization and Android Client.
I using implicit flow with the android client.
I request an access token from idsrv then make a request including this token to contact with the api and every things works correctly.
Now i want an API or any way to register new user instead of the default web page so i can use this APIs to create new users from my proxy or from my android app.
What is the better way to do that?
This is, by design, out of the scope of IdentityServer. You can build your own API that can update the user database for user provisioning.

SPA Get Data per User

I have built a SPA application with Hot Towel (durandal) and I have problems to understand the authentication.
When I am loading data from my database how can I filter this data to the current logged in userid ?
thanks for help,
Best Reguards
If your SPA is calling asp.net of any kind on the back end you can still use Forms Auth cookies to secure your ajax endpoints and identify the user making the request. Depending on how SPA like you need it you can just use a standard aspx or mvc login page, then from there redirect the user to your SPA start page that calls your main.js and starts your SPA. All ajax calls you make to that site will have the Forms Auth cookie set and you can use it to verify the user making the request. Here is a link to standard forms auth. If you want handle the login process in durandal as well that can still be done, you just need to make your ajax endpoints for logging in and out to allow anonymous and then handle setting the forms auth cookie in them.
On the server-side, referencing User.Identity in the controller will get you the properties of the currently authenticated user. The question is, what form of authentication does your application use (Windows, Forms, Basic, Anonymous, etc.)?

ASP.NET MVC 4 Web API Authorization

I am working on locking down various sections of an internal application's web api controller actions. Currently, we are using Windows Authentication and a custom role provider. When making ajax calls to the API, I would like to prevent the credentials prompt from showing up when the current user is not authorized to access the given api method. We have a custom authorization filter for our MVC controller actions (NOT WEBAPI), but am not having much luck in preventing that prompt from showing up when making AJAX calls to a webapi action.
Is it possible to just deny/grant access via an authorize attribute and prevent that annoying login prompt from showing up?

How do I create an Authentication Cookie in a custom MembershipProvider?

I'm trying to create a custom MembershipProvider and I was wondering how I would add my user information to the Authentication Cookie that ASP.NET uses. My goal is to get my authentication to work for both the website and the WCF service with ASP.NET Compabatibility mode enabled.
You are using MembershipProvider in your application, so all you have to do is just use the inbuilt login control and set it's provider property to the type of your MembershipProvider. FormsAuthentication will take care of creating authentication cookies for your users.
You need to specify URL of your default page [where your users will go after successful login] and the URL of the login page which hosts the Login control. FormsAuthentication will check if user is authenticated, if it founds user not logged and your asp.net page demands authentication, then FormsAuthentication will redirect the user to the Login page specified in web.config's FormsAuthentication section.
That is how you leverage Providers in ASP.NET 2.0+, you need not do things explicitly, everything is configurable.
Here are some links for your reference, which will guide you through what you need.
http://msdn.microsoft.com/en-us/library/879kf95c.aspx
http://quickstarts.asp.net/QuickStartv20/aspnet/doc/ctrlref/login/login.aspx
http://www.asp.net/learn/videos/video-7420.aspx
http://www.asp.net/learn/videos/video-148.aspx
http://www.asp.net/learn/videos/video-47.aspx

Resources