Identity server 4.o with JWT using .pfx certificate example code - .net-core

Could you share the sample code of identityserver4.0 in getting JWT token using pfx certificate. How to set apisources in in IdentityServer? How to call from api

Your question is not very clear by saying "Getting JWT token using pfx certificate". What are you trying to solve? If you mean how to sign requests with pfx certificate take a look at this link. Might be an overkill, otherwise I am not sure what are you really trying to achieve here. Look at Identity API project from this solution, it will give you an idea how to utilize IdentityServer4 not just for signing using pfx but in general how it is utilized.

Related

Does changing certificate invalidate all secret generated with IdentityServer4.Models.Secret Sha256() method?

I'm currently building my web application with identity server 4. I dynamically create clients with a secret generated with Sha256() method of identityserver 4.
However, i'm worrying that when i will renew or change my certificate all those secret will be invalidate which will pose a serious problem.
Are SHA256 linked with the certificat ? Or only Token will be invalidate?
Thanks!
No, the signing credential used for token signing and validation has nothing to do with the hashing of secrets.

REST API Basic Authentication security

I'm writing an application that use woocommerce REST API with Basic authentication. In each request I should add a username and password in base64 encoding. However, each authentication header can i preview in the browser, decode and execute requests from another place which I would not like, of course.
Did I configure apps incorrectly?
I do not understand how it would be safe, since everyone can get the keys from the header.
How to configure this connection correctly?
Maybe should I use JWT auth?
woocommerce-rest-api IS NOT frondend rest api. To be able to use this on the front should be properly adapted ACL. This help me understand

What is a simple way to secure api requests between uwp and asp core

I have a uwp application and an ASP Core server application. I want to perform Get and Post requests to the ASP server and I want to perform authorization on the server side.
According to the team, they don't want you to use Basic authentication nor seems there be a way to perform digest Authentication. I don't want my client app to show the user any ui: it should be able to perform a secure request by itself.
So: what is the most easy and secure protocol to use to perform api requests from UWP to an ASP Core server?
what is the most easy and secure protocol to use to perform api requests from UWP to an ASP Core server?
I'd like to say this is a open question and I will give some suggestions and hope it can help you. Basic authentication and digest authentication you mentioned are defined in rfc2617. Since you don't want to use them, besides HTTP Basic/Digest you may have other choices like OAuth, HMAC and Azure API Management.
Since you don't want the user to input username and password, to request an access token for authentication may meet your requirements. So I recommend you to use OAuth authentication which is popular. More details about OAuth2.0 please reference this. But it requires OAuth server, it may not be a easiest way.
Another way you can apply HMAC authentication to secure Web Api. HMAC authentication uses a secret key for each consumer. For more details about HMAC authentication please reference this thread. For more details about HMAC in uwp please reference MACs, hashes, and signatures.
You can also use third party tools from Azure. Azure API management can help secure and optimize your APIs. Details please reference the Publishing and securing access to REST APIs in uwp.

Integrating RSA SecurID with Active Directory Federation Services

I'm attempting to create a custom AD FS 2.0 Sign In Page that will allow me to authenticate a user with an RSA SecurID token. I have read through the AD FS 2.0 Step-by-Step Guide: Integration with RSA SecurID in the Extranet, but that doesn't really solve the same problem. It details a scenario that secures the adfs/ls virtual directory with RSA, but once the user provides a valid username and passcode they are simply directed to the AD FS sign in page where they would need to enter their AD credentials to be authenticated.
I also looked at the RSA SecurID Web SDK, but it seems to primarily deal with provisioning and retrieval of tokencodes.
Finally, I've look at the RSA Authentication Agent for Web for IIS but it appears to only provide mechanisms to add, modify, or delete data within the authentication browser cookie.
Given the existing AD FS extensibility points, I believe I need to create a custom Forms Sign In Page. Instead of using the existing username/password authentication against active directory, I want to prompt for username and passcode and validate again the RSA Authentication Server. Once validated I then need to have AD FS accept those credentials as a valid active directory user, generate the appropriate SAML ticket and redirect back to the application provider federation service to continue the federated authentication flow.
That's where I'm stuck. I can't seem to find any mechanism to validate an RSA Tokencode in code (C#). If I could do that, I believe my next step would be to implement a custom ASP.Net Forms Authentication module, but I'm not entirely sure that's the right way to go.
Mike
Seems nobody has an answer for this yet. I have the same issue and at this point it looks like it will be custom .net development using the SDK
http://www.emc.com/security/rsa-securid/rsa-securid-software-authenticators/web-sdk.htm
Have found nothing from Microsoft in sample code or the like. RSA just tell you to go and do custom development yourself.
There is apparently also a RSA Java SDK (authapi.jar) although this is not available on any of the public sites. I will be contacting RSA support to see if I can obtain the Java SDK.

ASP.Net secure Ajax authentication

I want to make my ASP.Net site authentication seamless using Ajax call.
So I consider using client side authentication service of microsoft that should be used via HTTPS because it sends username and password in plain-text format.
And the problem is that I can't use SSL in my site.
So I found a way to hash data before passing to web service that is described here
but the problem is there is a salt in DB that should passed to client for creating hashed password (that equals to DB saved password). and this is not safe.
Is there a better way for doing that?
I found a way.
We will use RSA for encrypting username ans password.
in summery I'll have a web service that creates RSA keypair and save it (this key will be regenerated every day to be more secure).
I will have a textbox or hidden field that calls this service and get the public key.
the for encrypt username and password with jCryption library client side and pass this to my authentication service using ajax call.
so the server will decrypt them with private key and the authenticate user.
I found a way.
Check this out: Secure AJAX Authentication without SSL
Just in case you were looking for an ASP.NET version of jCryption for bi-directional communication, which you mentioned you tried, you can find one on GitHub here: jCryptionNET

Resources