I have a legacy web application in which was secured by username and password, from a database. I have another SPA application which is secured by Auth0. I want to add a link to the legacy web application for users to access the SPA application without asking additional authentication from Auth0. Is it possible to load the SPA application with a pre-authorized JWT token?
Related
We have a blazor webassembly hosted application (SPA) and we need to implement authentication using Azure Active Directory.
The Documentation explains how to do that using JWT bearer tokens.
The problem is that we need cookie authentication, not JWT.
Ideally we would have the following authentication process :
When the user hits the application url, (s)he is redirected to the login/consent page.
Once credentials entered, an authentication cookie is generated.
The cookie would then be accessible to the SPA and subsequent queries to the host/server would all be authenticated.
Is there a way to achieve that and how ?
Notes:
I'm no OAuth/OpenId guru
The real problem we're trying to solve behind is that we need to share the authentication context between two applications (this blazor application and another .NET Framework legacy application). The Legacy application already uses cookie authentication. We need the authentication process to be "transparent", so that when a user is authenticated in one of them, (s)he doesn't need to authenticate again in the second.
I have two main projects in my solution, one is a .NET 5 Core MVC web application that is used as our front-end application with Identity for authentication and authorization, and it is currently directly connected to a Database layer(different project) that is responsible for CRUD operations using Entity Framework.
The other project is a .NET 5 Web API application. And we would like to move our controllers' logic from the MVC app to the Web API app, so that only the API project will have access to the database layer.
I'm not really experienced with authorization techniques apart from some basic stuff, so I'm stuck with an issue right now. How can I move the Identity authorization to the Web API project? I understand that on the MVC app, a Cookie is used to handle the authorizations but as I've seen the recommended approach for most Web API apps, is to use a JWT to authorize requests. However, in my scenario, since I would like to authorize the user(from the browser) on each request, would a Cookie authorization be possible ? Or should I store a JWT token on the browser and pass it along on each request?
Thank you
Why do you need to move the MVC controller to the Web API Project? If the controllers are separate than that is even better!
Here in short how JWT based authentication works:
The JWT token has tow components - an Auth token and a Refresh token.
The Auth token is used to authorize the requests and the Refresh token is used to renew the Auth token when it expires.
The Auth token also contains some user claims like Name, Id, Email etc.
You make the user re-login when both the Auth and Refresh token expires.
For Web API JWT authentication is best.
Use your MVC controllers to render and handle the page flows and the Web API controllers to return data from the Database. For your current structure you can do the followings:
Have the MVC Auth controller consume an API from the Web API project and then maintain the Identity cookie as is now. The API will return a token if username and password works.
The Web API project will parse and validate the token. All you have to do is to check if Web API is returning a 401 or not. 401 would be when the token is invalid or expired
In your MVC project, switch from Asp.net Identity cookie to store the JWT token on the client side (From MVC project). And pass it along all requests to the Web API controllers.
I have an ASP.NET MVC5 Web application that uses the Identity framework for authentication and authorization. Here is the screenshot of identity-related tables:
Now we are to develop a mobile app. The mobile app will be using the same database as the ASP.NET MVC5 Web App but not directly. It will be using an ASP.NET Core Web API written on top of the same database.
The issue is persisting user logins in mobile application so that a user does not have to login everytime. They just login once and use this app. I am looking for something where the user will get authenticated through API and a user token will be returned in the mobile app to prevent their session to expire as long as the token is there. But I am confused and not sure where to store this token and related info such as expiration time etc.
Which library/framework should be used in such a scenario?
You can use IdentityServer that is recommended Oauth2 library by Microsoft
it can also integrate with AspNetCore Authentication System
I have a web SPA that currently connects to a Rails backend, authentication handled via auth0. We have a new server that has some endpoints that the SPA needs to connect to. What is an elegant way of authenticating against both servers considering I have auth0 implemented in the SPA and the legacy server already? Is there some way to pass the authenticated token back to the new server from the legacy server? Or do I just authenticate against both servers when logging in as a user on the SPA? The user db sits in a separate db, shared by both servers.
If the credentials are stored in your database, then use an Auth0 Custom DB Connection to authenticate against Auth0 from your SPA. Auth0 has quickstart samples for all the popular SPA frameworks / libraries (angular 1.x, 2+, React.js etc). You authenticate against Auth0 (not the legacy or new server). As a result, you receive a (JWT) ID Token and a (JWT) Access Token. It is the Access Token you send from your SPA to each of of your Servers for the purpose of making Authorized requests. Your Server (legacy and new) should be secured to verify the JWT Access Token as valid and optionally check the scope attributes match the request endpoint. That's all that is required. The Auth0 documentation covers all this, and there are samples too that demonstrate how to set this up.
I'm planning on making a restful web service using ASP.NET Web Api. A number of ASP.NET MVC web applications and possibly native apps will consume the service. The service will use ASP.NET Identity to authorise requests/users. I can see how I would use the service with native apps by passing a token with each request.
My issue is with any ASP.NET MVC apps that consume the service, how will I mark a user as logged in after making a request to the service?
Here's what I'd like, is it possible?
User isn't logged in, redirected to log in page
User submits form which calls MVC controller in the app
The controller makes a call to the web service
The web service returns the id, name and roles of the user (JSON maybe?)
This is where I'm stuck: The ASP.NET MVC web application then marks the user as logged in for the whole MVC web app. The role will be used in any authorize attributes on any controllers/actions. The ASP.NET MVC web app will also be able to remember the user via a cookie and log them in automatically in the future.
To set the cookie you just need:
FormsAuthentication.SetAuthCookie(USERNAME, true /*rememberMe*/);
This solve your authentication issue. Authorization - determining what a user can and cannot do - is another story. You need to cache the roles a user is in somewhere and check them as needed.