Is it real to implement IdentityServer with pkce flow using WebApi interface - asp.net-core-webapi

I have project with Angular-WebApi architecture, I need to add IS to authorize users, but I don't need mvc with redirect, I would like to send user creds from Angular App to IS API, get JWT, and use this JWT, to get data from Resource API. I can't find any examples of it.

You can use angular-auth-oidc-client for your angular app
you can refer here for sample how to do it - https://github.com/damienbod/angular-auth-oidc-client
for Idp sample, Identityserver4 did provide sample for configuration under JavaScriptClient project. You can refer here, https://github.com/IdentityServer/IdentityServer4/tree/master/samples/Quickstarts/4_JavaScriptClient
You can also refer to my project which use angular, IS4 and resource server
https://github.com/firdausng/testnt

but I don't need mvc with redirect, I would like to send user creds from Angular App to IS API, get JWT, and use this JWT, to get data from Resource API.
Normally user will be redirect to Identity Server and enter credential in login page , in Angular application , you can use Authorization Code Flow with PKCE .
But if you want to collect user's credential in Angular and send credential to IDS , you can use the Resource Owner Password Flow with Identity Server . But that is not recommended because The ROPC flow requires a high degree of trust and user exposure and you should only use this flow when other, more secure, flows can't be used.

Related

Authorize request going from Resource App to Identity App

I have 2 ASP .Net projects each with its own database:
Identity App: acts as an authorization server with its own database that contains user info. Uses identity 4: Oauth 2.0 and OpenId (code flow)
Resource App: Api that returns access to multiple resources. (database doesn't include anything about users)
Our front end communicates with the resource app mainly and uses the identity app for authorization. Now we are developing the functionality to add a user from the front end and to get all the users.
My questions:
Should the frontend communicate directly with the Identity App to get the users?
If not, how can I get the user info through the resource app?
I tried the following flow for adding a user but it didn't work:
Frontend posts user to resource API (Note: the user is already
authenticated using the authorization server)
I use the authorization header in that request to build a rest sharp request
to the authorization server
The authorization server isn't recognizing the bearer token
I'd recommend storing the majority of user data in the resource app's database.
Over time this will contain lots of fields that are nothing to do with OAuth, such as app specific preferences.
Meanwhile you also need to store a few fields related to login in the identity app: name, password etc.
My write up may help you to understand the separation and achieve your goals: https://authguidance.com/2017/10/02/user-data/

OAuth2 with SPA and API

I want to implement Single Sign On in Angular 5 SPA which uses ASP.NET Core API. I have OAuth2 server provided by the company.
What I want to achieve is to allow access to the application only to authorized users, who have to pass through SSO process. I want to display content of the SPA only to authorized users and allow to access API resources only by them (users with correct access_tokens), too.
I do not know what should be the correct approach for this requirement. I was considering:
Implicit grant flow - from my SPA myspa.com:4200 I am invoking mycompanyauthserver.com/Authorize to obtain authorization code.
With that and client_id in Angular app I am invoking mycompanyauthserver.com/Token to obtain access token. I save it in localstorage. Now, I can send this access token with request to my API (myapi.com:5000), but how to check in API if this token is correct? I do not have endpoint on OAuth server to do it. Also, how to check on SPA if access code is correct and not manipulated by user?
Another approach I see is to invoke from SPA some endpoint in my API which will invoke mycompanyauthserver.com/Authorize and then mycompanyauthserver.com/Token and then API will have access_token and return it to SPA. Then, I can easily check while sending request from SPA to API if the access_code is the same. Is the right approach or am I missing something?
Does your SPA really run on localhost:4200? This would make it a native application, where you could possibly make use of other grant types like Auth code with PKCE. Or is localhost:4200 just a local/dev version of your SPA?
If your app is a SPA, and will be served html and javascript from an external web resource, then yes the implicit grant is optimised for this scenario.
But even so, if your external web resource (which serves up the SPA) can also provide and register a redirect endpoint which can interact with mycompanyauthserver.com/Token endpoint, then you can use the authorisation code grant and return the access_token from your server-side redirection endpoint back to your browser - similar to what you suggest in your option 2.
I'm not sure there's a correct approach.
I've seen SPAs use both approaches. Option 2 involves more server-side code to manage tokens. Option 1 simplifies getting a token but won't give you a long-lived/refresh token. Take your pick :)

API method to register new user in identityserver3

I have an API proxy that do the rest of my business login, identityserver for authorization and Android Client.
I using implicit flow with the android client.
I request an access token from idsrv then make a request including this token to contact with the api and every things works correctly.
Now i want an API or any way to register new user instead of the default web page so i can use this APIs to create new users from my proxy or from my android app.
What is the better way to do that?
This is, by design, out of the scope of IdentityServer. You can build your own API that can update the user database for user provisioning.

Headless authentication with Azure AD (user/pass combination)

I'm following the guide and example provided by Microsoft here and I'm able to get the demo working, with the authentication happening in a console app, then making a request to a Web API with the correct token.
I'm looking to use this but the code in the console app would need to move to a Web App. Essentially: external server tries to access secure Web API, providing Azure AD username/password in the Authentication header of a HTTPS request. I pick up these credentials in the first insecure Web API, and attempt to authenticate the credentials against AD, obtaining the token. From here, I would then call the [Authorize]-protected Web API by making a request with the AD token.
At this point I'm using the same code from the example linked above, simply moving the code in the Console app up into the first insecure Web API controller, but I'm having no luck. I read on CloudIdentity that "You can only use those flows from a native client. A confidential client, such as a web site, cannot use direct user credentials.". Is this true? If so, is there another way to achieve my aim? I need to use the credentials as it may be likely that more services would use the API in the future, so each of these would need their own credentials to use that could be managed within Azure.
EDIT: In reading more around this, should I actually be aiming to use Client authentication, creating an "Application" within the Azure AD, and providing the client ID to each external service looking to call the API, to then authenticate with that, rather than credentials?
Yes, your edit is correct. The Resource Owner Password Credentials grant is meant to authenticate users, not applications. Typical use would be from an application that prompts you for username and password and then retrieves a token from Azure AD.
You can use the Client Credentials grant to get a token from Azure AD from a confidential client to call an API without user context. This flow requires that you register the application in Azure AD and generate a key (which will be used as the client secret). You can then use the ADAL library to ge a token from AAD as shown here.

How do I give only my client access to my API?

I'm developing a REST web API that will be used by mobile app clients. I don't want any other client to be able to access the API. Should I just require a password/token that will be used by the mobile apps? Isn't there a way for people to find that password by decompiling my app?
Yes, you cannot create an app with a secret embedded and expect the secret to stay secret.
If you ship the app with the secret (token, user/pass, private key, etc), that information is available in the binary, and someone motivated could extract it.
The normal practice is to install the app, then let the user of the application log in, and store a unique credential for future requests.
You could use OWIN OAUTH where a user of the client is required to authenticate and a Bearer authorization token is returned to the client that must be passed in to all secure requests on the WebAPI (a secure request on the WebAPI uses the Authorize attribute)
Take a look at this link http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/#comments

Resources