I've been developing a Cordova app using Azure's Mobile App Service product. It offers external sign-in through Facebook, but it doesn't offer a ready-made solution for storing the user into a SQL database where I can also add custom profile columns.
If I was making this app 5+ years ago, I would have used ASP.NET Identity to authenticate the web api, allow account creation with username/passwords as well as offering Facebook sign-in, and I'd be able to create custom profile items, all in a searchable database.
It's 2020 and I'm confused about what is the recommended modern method to achieve the same result. I've read a lot about Azure AD B2C and it seems to tick all the boxes, but I'm worried it might not be as searchable as a SQL user store, and possibly appear to the user as a tacked-on product which isn't as native as the existing app.
I'd appreciate any advice or recommendations about which method I should use for creating my authenticated user store.
If you want to use a custom database, then set up an OAuth provider (e.g. https://aspnetboilerplate.com/Pages/Documents/Zero/Identity-Server#:~:text=Identity%20Server%201%20Introduction.%20Identity%20Server%20is%20an,now%20ready%20to%20get%20requests%20from%20clients.%20) and use that as the authentication scheme. You can then use any OAuth client library to do the authentication, and set that up as a custom auth scheme in your Azure Mobile Apps service.
Related
I'm building a multi tenant Service Fabric Application, that allows a tenant to specify a login type - Identity(asp.net)/Azure AD.
I have an Authentication service that checks to which tenant the user is linked to and then proceeds to check if the username:password for the user is valid, if valid it returns a JWT token to the gateway API/web API that then allows access to the rest of the services on the cluster.
This is further secured by roles to limit actions and data access etc.
Question 1
What would be a secure way to save the app id and secret given by that tenant if they use azure AD?
In my DB and encrypt the info, it would have to be decrypted to connect to the AD(Trying to keep in dynamic).
Question 2
I'm implementing my own sliding refresh tokens to obtain a new JWT after it expires, is there a better/standard approach?
Question 3
Is there a better/standard way to handle this multi-tenant sign in process.
Question 4
Is there a way to have optional claims set on the JWT Subject that would allow access to shared services but prevent access to tenant specific services if the claim value is incorrect?
Edit
Ideally the Roles should not be part of the tenants AD/B2C because they role are dynamic and managed from within the application.
Instead of building your own STS logic, have a look at IdentityServer, a popular and great OSS tool.
For example, have a look here for a multi-tenant example using asp.net core.
It supports adding custom claims to the token, by implementing a Profile Service. Services can be configured to use claims for authorization.
This blog post may also be useful.
I will very strongly advise you ride upon the Azure tenant model and let Azure AD manage all credentials and authentication. In today's world its a very bad idea to store and manage user credentials when there are plenty of Identity Providers available.
Recommended reading:
How to build a multi-tenant app with Azure AD
How to secure a Web API with Azure AD.
Libraries like MSAL.NET will automatically manage token caches and refreshes.
Use roles and groups in Azure AD
Claims in tokens issued can be customized to some extent.
disclaimer: I work for Microsoft
I'm trying to authenticate my app users with their credentials used at the website
I managed to authenticate users via Xamarin.Auth to login via Google, Twitter... etc but could not figure out how to authenticate them via ASP.Net Identity provider.
any ideas or examples ?
Your problem is not a new one, and is one that will be easily fixed in the near future (see note below).
When you're authenticating with a provider like Google or Facebook, you're receiving a token that you can then use to send to the API. Unfortunately Asp.Net Identity does not do this out of the box. You can either configure your API to use JwtBearer tokens, or check out the Identity4 project along with their samples. Note that if you're using Asp.Net Identity you'll probably want a cross between Quickstart 6 and Quickstart 8 so that all of the necessary persistent stores are in your database.
NOTE: You might also want to follow the Templating Team's PR #700 which is adding token based auth in the new templates which will soon allow you to rapidly create new Api's with Token Based Authentication for your mobile apps.
What is the best method of securing a REST Web API with the following requirements. The system has an Angular JS frontend with the REST APIs implemented in ASP.net.
There are two "roles" in the system, users will have one of the
roles. One role should allows access to some APIs (call it "VIEW"),
the other role allows access to other APIs
All users are in Active Directory, so if I have a username, I can check what role they are in- Some clients are on Windows boxes, the others are on Linux
I would like to persist the session so I don't have to look up AD for every API call
I would like single sign on. On the Windows machines, I don't require them to enter user and pass as I already can retrieve their username using Windows Authentication.
I believe that Oauth would be my best option.
There are two "roles" in the system, users will have one of the roles.
One role should allows access to some APIs (call it "VIEW"), the other
role allows access to other APIs
For role based authentication, you can use [Authorize("Role" = "Manager")]. The token will be provided by the identity server and will contain the claim as Role.
All users are in Active Directory, so if I have a username, I can
check what role they are in- Some clients are on Windows boxes, the
others are on Linux
If you have ADFS then you can have an Identity server that trusts the ADFS. The ADFS will provide a token which will have the claim for role and your Identity Server will do the claims transformation and will return the same Role claim back to angular app.
I would like to persist the session so I don't have to look up AD for
every API call
For this while requesting the token, you can ask for offline scope so the Identity server will provide the Refresh Token with Access Token so you don't need to ask for AD again and again.
I would like single sign on. On the Windows machines, I don't require
them to enter user and pass as I already can retrieve their username
using Windows Authentication.
For this one, you can have your Identity sever trust the WSFederation for windows Authentication.
So basically you need to setup Identity server that will provide you with the token and the REST API will use that token to verify claims to return the correct information back to the user.
I am not sure what you expect exactly. Anyway, first I'm gonna reformulate your question with requirements:
you accounts and role are in active directory
you want to manage roles based on an active directory group
you want anybody whatever the system (windows, linux, mac, mobile...) to connect on your application using the same authentication
you want to avoid your AD to be hit constantly (not at any call for example)
if the user is connected on an application that uses the authentication system, he doesn't have to do it so again on another application that uses the same authentication system
If these requirements are yours. I believe the only standard (and clean) solution is to use OAuth. I'm not gonna go in detailed description of OAuth, but this authentication protocol is the most standard one on the net (facebook, google, twitter...). Of course as you don't want to use facebook, google or twitter accounts in your business applications but your active directory accounts you'll have to install/setup/develop your OAuth identity provider using accounts of your active active directory server. Your choice will depend on how well you know ADFS protocol and its different flows (code, implicit, assersion) You have two solutions for it:
Use ADFS: install ADFS; it provides a OAuth portal that will work out of the box with asp.net mvc. This uses the code flow of OAuth that is the only OAuth flow supported by ADFS. For roles and its related AD groups, you'll have to map role claims with AD groups. (it's in the setup of adfs, you'll find many tutos on the net). You'll find lot of tutos as well about how to use ADFS with asp.net mvc/asp.net webapi. I mention .net here, but every technology has an implementation for OAuth authentication (nodeJs/express, php, java...).
Use thinktecture identity server (.net technology). This will provide all the foundation to implement a custom identity server with the least effort: http://www.thinktecture.com/identityserver / https://github.com/IdentityServer/IdentityServer3. It contains an addin to plug its accounts to active directory. With this, you can use implicit and assertion flows.
Use oauth2orize (for nodeJs): https://www.npmjs.com/package/oauth2orize. This will permit you to make the same than thinktecture identity server but in nodeJs. Apparently you'll have to make all the wirering with ad manually. With this, you can use implicit flows (not sure about assertion flows).
At application side, most of frameworks can authenticate easily using OAuth with a lot of existing frameworks. For example, even if you make a single page application, you can use adal.js or oidc.js for angular if you use angular. As I mentioned above, all this is taken in charge by asp.net mvc/webapi out of the box but I know it's the case for other server technologies. If you have more questions, don't hesitate as I'm not sure of what you expect exactly.
I've been reading a lot about OpenID and OAuth but having trouble making just a few connections about how they would work in a service-based architecture.
Here's my scenario:
I'm writing new ASP.NET Web API services (RESTful/JSON)
These services will be used by client applications (current desktop website, new mobile website, and possibly a PHP website or JavaScript-only client in the future)
Our desktop website currently uses ASP.NET Membership Provider (webforms)
The new set of API services we are creating should handle everything, including Authentication and Authorization.
My questions are:
Since we have explicit control over the client applications accessing our API (i.e. this isn't a public API but rather one for integrating approved partners) do we necessarily need OAuth?
Would OpenID replace our .NET Membership functionality, or complement it?
Given that we would need to authenticate users with the legacy system using Membership Provider, do we need to use some sort of .NET Membership OpenID Provider, or do we just authenticate as usual and grant the user a Membership Token like we currently do?
I guess, in summary:
I'm writing some new services
They should be usable by ANY approved client application, for users of that client application
We need to continue to support our .NET Membership data
Sorry these are basic questions but I'm sure they're easily answered. Thank you!
Look at ThinkTecture's Identity Server
https://github.com/thinktecture/Thinktecture.IdentityServer.v2
It uses repository patterns for user stores, and uses the default membership provider as the user store - you would be able to easily plug-in your legacy membership provider.
OpenID connect would work on top of your membership provider, and you'd enable the option to only allow registered relying parties - meaning that only your approved clients (applications) would have access.
This seems like a perfect fit - hope this helps.
Matt
I have a windows azure application already running.(testing phase). Currently I use ACS authentication. users can log on with their windows live-ID. and this is all. no authorisation for now. I need to authorise users with different roles. plus I need also users to log on with different Identity providers like gmail and facebook. I have the idea to store profile information in a table (eg. Idp as partition key and User ID(which I get from the provider)as RowKey.)
Now I have have no idea how to give different roles and how to start? can any body give me a clear tutorial or just an idea how to begin with?
tnx
I suggest you take a look at the BlobShare application. This isn't a tutorial, but it's a complete application showing a few interesting concepts you could use:
The BlobShare Sample is a simple file sharing application that
demonstrates the storage services of the Windows Azure Platform,
together with the authentication and authorization capabilities of
Access Control Service (ACS).
http://blobshare.codeplex.com/