I'm trying to use Google Authentication in a VS2015 solution with 2 Asp.Net projects:
an MVC App and
an MVC WebApi.
Logging in with a local username and password works fine. I get back a token after logging in with api/Token from the API and can use this on subsequent httpclient calls to api/xxxxxx methods decorated with [Authorize].
Now I want to add the option to log in with a Google account. I have have managed to get the call to Google working on the front end and get back an Owin.ExternalLoginInfo object, but of course calls to the api/methods fail with
unauthorized.
Can someone tell if it's possible to push that ExternalLoginInfo back to the API and have it be used for authentication in the backend?
Related
I am developing an angular +.net core web app(not to be confused with .net core MVC web app).
My UI client uses angular, my backend web api's use .net core 6. I am using external IDP to authenticate my angular app for that I am using AddOpenIdConnect. All though I am not using MVC for my other APIs(using web api type controller) but I pulled in couple of MVC controller(Home and Account) from the sample app present in external IDP's sample project(as I could not find a way how to achieve it with my APIs).
On login button press in my angular app I call this method of Account controller which redirects me to external IDP. After successful authentication I am being redirected to my angular app's landing page (http://localhost:4200/admin) which solves my purpose as far as SSO is concerned. Also in OnTokenValidated event I am getting the access token as well.
Now the problem I have with this approach is:
How can I return this token to my angular app(which is an independent SPA) so that it can be used as authguard for the angular app and for safe guarding other api end points?
I am thinking of making another end point which angular app would call after successful redirection which would return the claims and access token to UI. I tried fetching it from HTTPContext in the end point that I made but it is coming out to be null and User.IsAuthenticated as false.
How can I secure my web api end points with this same access token? I am thinking of using the access token returned to UI after redirection for authentication and then it can be sent back to backend apis in header for authentication. How can I achieve that?
All the example and sample code(even on IDP's website) use .net core MVC. Did I make a mistake by making it a web api project?
I have created a new web api project with individual user account authentication.
I followed this post and everything worked as expected
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
Now, I have a token end point
localhost:54452/Token
Lets, say I create new asp.net mvc application. I want to use this token end point for authentication. How do I tell my controllers to use this token end point? How do I tell my controllers to pass the bearer access token on each request or how does these two work together.
asp.net mvc and asp.net web api are two different projects with different port numbers
Thanks,
Syed
I would create a wrapper class that uses HttpClient to issue HTTP requests to the Web API. Then use this wrapper class when you're communicating with the Web API. It will then handle adding the token to the HTTP request header.
I've created my first mvc 4 project using the web api template. I've configured CORS to restrict other sites from accessing my api directly into other websites. I use ajax to retrieve the data supplied by the api into a web page and that works well.
The address to my web api is http://www.xyz.com/webapi/ one of the actions is http://www.xyz.com/webapi/api/sales How can I prevent anyone from accessing /webapi and /webapi/api/sales and using the data (screen scraping) for their own use. I do not want any other service browser accessing the web api, just the ajax query that is present on another website that I've set up.
Thanks in advance!
Approach 1 - Get a Bearer Token
You could implement this - Individual Accounts in ASP.NET Web API
Here in this tutorial, the controllers are marked with [Authorize] and the following steps are followed.
Register a User
Authenticate and Get a Bearer Token
Send an Authorized Request
Approach 2 - Use a private API Key
You could use an api key with each of your web api calls and check on server side if the api key is valid if not return 401, Unauthorized. This api key could be saved in your web.config file.
I am working on locking down various sections of an internal application's web api controller actions. Currently, we are using Windows Authentication and a custom role provider. When making ajax calls to the API, I would like to prevent the credentials prompt from showing up when the current user is not authorized to access the given api method. We have a custom authorization filter for our MVC controller actions (NOT WEBAPI), but am not having much luck in preventing that prompt from showing up when making AJAX calls to a webapi action.
Is it possible to just deny/grant access via an authorize attribute and prevent that annoying login prompt from showing up?
I am trying to do something like this:
I have a MVC4 Web App and a Web-API service (hosted on two separate roles in azure)
Another role runs CustomSTS1.
The MVC Web App trusts the CustomSTS1
Now the customer logs into the site he is redirected to the STS login page.
Once logged in, he is redirected back to the MVC Web Site.
From this web site, the customer performs actions, which in turn invoke the web-API Service.
I have the SAML token in the web app, which I pass to the WebAPI service.
Now when I try to validate the SAML token at the Web API side, I get a
Message=ID1032: At least one 'audienceUri' must be specified in the SamlSecurityTokenRequirement when the AudienceUriMode is set to 'Always' or 'BearerKeyOnly'. Either add the valid URI values to the AudienceUris property of SamlSecurityTokenRequirement, or turn off checking by specifying an AudienceUriMode of 'Never' on the SamlSecurityTokenRequirement.
This is without the Web API service trusting the CustomSTS1
Once I setup the trust,
I am always given a HTTP 401: UNAUTHORIZED, whenever I try to make a HTTP Get request to the WEB API Service.
Now, My Question is, (I know that my current approach is definitely wrong)
How do I setup the Trust relationship with the CustomSTS1, such that the WebAPI service is able to do an ActAS on behalf of the user logged into the MVC site?
OR
Is this architecture wrong?
And is there another way to achieve this?
That approach is wrong conceptually. The MVC application should negotiate a new token for the Web API in the STS using ActAs. That's how it traditionally works for SOAP Services. However, Web APIs are moving away from SAML as it is a complex format that relies on different WS-* specs. OAuth 2.0 is becoming the standard in that area if you want to support SSO at that level.
Another approach is to establish an implicit trust between the MVC app and the Web API, so all the calls to the Web API from the MVC app are done through a more standard Http auth mechanism like Basic Auth using an specific set of credentials that only the MVC app knows. The info about the logged user in the MVC app is passed as additional information.
Regards,
Pablo.