I've been looking at implementing a Identity Microservice (as per the eShopOnContainers sample ... https://github.com/dotnet-architecture/eShopOnContainers) and I was wondering if it was possible to implement the Identity Microservice in such a way that you could use any Identity Provider you wanted, including Active Directory B2C?
Perhaps I'm over-thinking this but what I'm asking is, is it possible to have the Identity Microservice loosely coupled to AD B2C? Are there any examples (in GitHub for example) that demonstrate this?
Thanks in advance.
(Moving from comments to Answer)
Using Azure AD B2C you can have N number of Identity Providers Where the microservices is an architectural style that structures an application as a collection of loosely coupled services. In this use case once a user is authenticates to an idenitity provider the dozens of microservices needs to be authenticated. Please check out this blog for microservices authentication with Azure AD B2C
After much reading and research, I ended up using AD B2C directly to authenticate my client apps as well as my API endpoints exposed through Azure API Manager. My microservices use other forms of authentication as they are only accessible from API Manager (not publicly visible). I was able to use Custom Policies to implement my own logic when a user signs up/signs in.
Identity Server 4 looks like a great option if you want to have a finer level of control and configuration ... and I may end up using this solution in the future.
But for now, AD B2C meets all my needs so I'm happy to use it as if it was a microservice on its own.
Related
We configured Azure web app infrastructure such way that consist
customer web portal and WebApp API site
Scenario: when a user accessing a customer web portal where all requests communicate from Web API like (GET, POST, DELETE, PUT).
Here actually the problem is Web API portal is publicly available for now (but I don't know about for what extent Web API visible to users publicly still requires or not?).
In our case Customer ----API call should be in internal communication only there no third-party vendors supply.
Is there any methods secure the cus--API.
We tried to secure cus---API azure network restrictions in Web API network settings but that not helps us (we got stuck the complete cus--API communication is blocked)
As I mentioned Web API hide from the internet then we applied Azure AD authentication for Web API.
In this case, we got results were negative
we have no prior knowledge from code level securing and communication token generation
Finally, we looking for suggestions, and suggest me what are security checks to WEB APP-API COMMUNICATING WITH CUSTOMER PORTAL. WHAT ARE SECURITY CHECKS THAT NEED FIGURE OUT?
Another big problem is really WEBAPP-API put publicly if yes then what are the ways to tighten security.
Please share ideas and suggestion it would be greatly helpful to us.
Thank you
I'm trying to authenticate users of bot framework V4 with Azure AD B2C sef ices with different social media providers. I'm stuck with it.
I have looked and try many of the DOTNETCore samples provided to use Azure ADB2C authentication. Some of them work ok (the ones with fabrikam are quite ok).
Would any one have some experience on that or any suggestions on how to proceed ?
One thing that is not clear to me is : can I just create some controllers from with my Bot Framework project with the proper Azure AD B2C settings (tenant, poloicies, appid, key, etc ... ) ? or do I necessarily have to create a Web App or a WebApi to which post the authentication requests ?
Here are the samples I have already tried with no much success from github :
- active-directory-aspnetcore-webapp-openidconnect-v2-master
- active-directory-b2c-dotnetcore-webapi-master
- active-directory-b2c-dotnetcore-webapp-master
and I'm a bit lost on what should be the right approach.
Any advice would be much appreciated.
Thanks.
you can take this one and adapt:
https://github.com/Microsoft/BotBuilder/tree/master/CSharp/Samples/SimpleFacebookAuthBot
The difference is that this sample is specific for Facebook, so it will generate an oauth string that will send the user straight to facebook's page. In your scenario you will need to generate an oauth URL that will take the user to AAD B2C's auth page (basically following these guidelines:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-reference-oidc/.
Also you can refer this latest thread for further reference.
Hope it helps.
I want to create an Oauth 2.0 server tied to a sql database using OWIN where we can create applications and get client ids and client secrets for those applications. And access a simple resource using those ids and secrets. (just like we get client id and client secret from google developer site by creating new application). If someone has a sample code or project It will be very help full. I've tried number of examples but still I couldn't find a way to create it. Thanks!
Rolling your own from scratch is not a simple undertaking. I would recommend that you take a look at IdentityServer3. The principal contributors are Dominick Baier and Brock Allen. They are the go-to guys for implementing OAuth 2 in .Net. IdentityServer3 is very comprehensive and very flexible.
It runs as OWIN middleware and they have a number of samples that should help you get started.
I have a web role project in ASP.NET made for Azure deployment and need to have authentication.
I have to choose between Office 365 and On-Premise Active Directory.
Looks like both needs to be integrated to Azure Active Directory using Access Control Service.
What are the pros and cons of both?
Also if there are any other possibilities.
As astaykov mentions in his comment on your question you are not restricted to involving Access Control Services in this scenario. Not sure why he didn't submit that comment as an answer.
If you truly must go against your Office 365 or On Premise AD then what you are really saying asking is what is the difference between the two. I'll list some thoughts, but first if you want to implement these then here are some links:
Offerings from MS on Identity: http://msdn.microsoft.com/en-us/security/aa570351.aspx
Using ADFS V2 in your Azure Deployment:
http://channel9.msdn.com/shows/Identity/WIF-Workshop-9-WIF-and-Windows-Azure/ This is a little older material and I couldn't find much on using WIF to connect directo ADFS V2 that was more current. You do NOT have to invovle ACS in this at all. Sadly, this was misunderstood a lot when ACS was released.
Using Office 365/Windows Azure AD: http://msdn.microsoft.com/library/windowsazure/dn151790.aspx
Note: I have connected Web sites running in Azure to ADFSV2 directly, but I've not had a chance to work with the WAAD/Office 365 stuff yet.
If you choose to go with exposing your AD on premise then you would likely do this by exposing it using ADFS V2. This is what opens up the endpoint for the code running WIndows Identify Foundation (WIF) objects to reach out and deal with authentication. The upshot of this is that you don't have to worry about Office 365 logins or a WAAD separately and might be an interesting choice if you don't have those services for ANY OTHER reason but this one scenario. The down side is that you are exposing a proxy to your AD on an endpoint at your own location. If you lose connectivity to the internet then no one attempting to use the apps in the cloud would be able to authenticate. This is also the option I might look at if the users of the app in the cloud will ONLY EVER access it while behind your firewall (such as being at an office or even over VPN). This is because you can set it up so that your app uses a ADFS endpoint that is NOT exposed to the internet, but if they are behind your firewall it would still work. This pretty much ensures that only people already behind your firewall can use your app.
If you choose to use Office 365/WAAD integration then the upside is that you can sync with your onpremise AD to give single sign on to resources on your network as well as to the apps in the cloud. You also make access to your cloud apps more resilient because they have no need to depend on your exposed ADFS V2 endpoint. If you use Office 365/WAAD for any other reason (such as your employess use Office 365 for email, collaboration, etc.) then this is the option I would look at first.
You should look at ACS if you want to integrate with other identify providers such as Google, Facebook or even other companies. Technically you wouldn't have to use ACS at that time either, but it will certainly save you a ton of work to use ACS and not write the integration code on your own for each provider.
I'm a newbie with ASP.NET Web API and I heard so much about it that, it's the new industry standard and all, I've decided to build a regular hotel management system with it. I created some models and generated controls and created database using code-first migration. It all was tough at the beginning but now I've got hold of the essence. It's Awesome.
Now I'm stuck at the user management level. According to Web API spec there are options to manage access to resources like basic, Forms, integrated Win and OAuth. And also something about 2-legged and 3-legged which I understand are all authentication options which involves another data source or app (may be not the right terms) that will handle the authentication on behalf of the Web API I build.
Since my application is simple (for now), I was thinking is it possible to allow the Web API to include the necessary authentication, for example authenticating (user) and authorizing (role) before giving access to the data, thus seliminating the "LEGGED" dependance but at the same time it is open to allow 2-LEGGED and 3-LEGGED implementation in the future if I wish to.
From what I've seen and read the Web API is not ideal for a system like what I'm developing. Hope I'm wrong coz I find it awesome in terms of a service that can be consumed by other systems.
In my mind the big picture for the system is to allow customersI and third parties to access
hotel information via web and smart phones to check room availability and book rooms
restaurant information ...
hotel events, spa..etc
Please advice, to achieve this, how do I go about implementing authentication and authorization?