Our project is using SignalR over ASP.NET OWIN (full framework), and clients are mobile apps based on Xamarin. Authentication is done based on JWT. It is needed that we protect SignalR hubs against anonymous access, then find out user name of the connection.
Is it possible to SignalR to work with JWT? If yes, how?
SignalR's own protection is based on cookies not JWT. Also we can't afford to use query strings to pass the token due to deployment that is not HTTPS.
Related
Seems like SignalR only accepts Bearer/JWT tokens. Is there support for SAML?
If you implement SAML in your webapp, the webapp will issue a cookie based on successful authentication. SignalR will piggyback on that:
In a browser-based app, cookie authentication allows your existing
user credentials to automatically flow to SignalR connections. When
using the browser client, no additional configuration is needed. If
the user is logged in to your app, the SignalR connection
automatically inherits this authentication.
I have a uwp application and an ASP Core server application. I want to perform Get and Post requests to the ASP server and I want to perform authorization on the server side.
According to the team, they don't want you to use Basic authentication nor seems there be a way to perform digest Authentication. I don't want my client app to show the user any ui: it should be able to perform a secure request by itself.
So: what is the most easy and secure protocol to use to perform api requests from UWP to an ASP Core server?
what is the most easy and secure protocol to use to perform api requests from UWP to an ASP Core server?
I'd like to say this is a open question and I will give some suggestions and hope it can help you. Basic authentication and digest authentication you mentioned are defined in rfc2617. Since you don't want to use them, besides HTTP Basic/Digest you may have other choices like OAuth, HMAC and Azure API Management.
Since you don't want the user to input username and password, to request an access token for authentication may meet your requirements. So I recommend you to use OAuth authentication which is popular. More details about OAuth2.0 please reference this. But it requires OAuth server, it may not be a easiest way.
Another way you can apply HMAC authentication to secure Web Api. HMAC authentication uses a secret key for each consumer. For more details about HMAC authentication please reference this thread. For more details about HMAC in uwp please reference MACs, hashes, and signatures.
You can also use third party tools from Azure. Azure API management can help secure and optimize your APIs. Details please reference the Publishing and securing access to REST APIs in uwp.
There is an existing mvc 3 application that is using asp.net Membership authentication (subclass of System.Web.Security.MembershipProvider). This application was only accessed using web browser.
Now, there is a need for the application to support a Mobile App, and I have already introduced WebApi 2 Controllers into the project for handling the Mobile App requests.
The problem is that I don't have a clear thought of how to Authenticate the Mobile App users.
It seems that I have to provide Token type authenticating mechanism where the Mobile App has to submit the Token (issued after authenticating) with each request. But I am not sure how to implement it (like what frameworks/packages to use), and get it working side by side with the existing MembershipProvider
So, how do I provide a way to authenticate Web Api requests, and also retain existing asp.net MembershipProvider for MVC Controller requests.
Also, if this could be done better in some other way ?
It doesn't have to be "token" that authenticate mobile users.
The notion of tokens used to authenticate webapi requests got a lot of attention because of the OAuth2 protocol that has been adopted to the .NET world by the DotnetOpenAuth and then the OWIN. OAuth2 supports multiple "flows" and what is interesting is that beside "passive" flows (where browser redirects to an external login page) there are also "active" flows (designed for active clients like mobile apps).
Thus, switching to OAuth2 means that you are using a coherent authentication protocol supporting all major scenarios.
One of the possible approaches for you (and you seem to be interested) is to adopt the token approach to authenticate webapi requests. This is possible but this means that you have two different authentication approaches side-by-side, the cookie-based forms authentication for passive clients and token-based authentication for active clients.
I would say this kind of smells.
I would rather think of a uniform approach.
Either move towards OAuth2 completely, which means you adopt DotnetOpenAuth/OWIN for both passive and active clients.
Or you stick with Forms Authentication and just enable it for your active clients.
The latter is rather simple. Instead of carrying tokens, your active clients carry forms authentication cookie. To issue such cookies, you just expose an anonymous webapi method that expects a login and password and appends a forms cookie to the response.
Assuming you clients support cookies, forms cookie issued by the server are used in consecutive requests and all you have to do is to have the Authorize attribute over your web api methods. The forms module will pick up the cookie and populate the IPrincipal for the lifetime of requests just like it does for regular requests.
To summarize:
Moving towards token-based authentication:
Pros:
in future you could easily handle more complicated authentication scenarios (like for example using external authentication providers)
token-based OAuth2 is commonly used nowadays so you can more easily integrate with other applications
Cons:
migration could cost: you first have to gain the knowledge, do some R&D and then migrate
Sticking with forms authentication:
Pros:
you already have it and you just enable it for active clients
Cons:
forms authentication is not really "an authentication protocol". This means there is no obvious way to easily integrate with external authentication providers/consumers
I'm struggling to decide how best to add authentication and authorisation to my SignalR service.
At the moment it is hosted in Owin alongside a WebApi2 web service. I use OAuth2 bearer tokens to authenticate with those, and it works perfectly. However, I wonder if they're suitable for SignalR?
My client is JavaScript based, and SignalR uses WebSockets if available. This means I can't use the Authorization header. I figured out that I can supply the token using the qs property before I connect. But of course an OAuth2 access token will expire (and relatively shortly in my implementation). I assume that updating the qs property won't make a difference once connected (particularly with web sockets).
I suppose my question is what is the best way to supply a security token, ticket, or any kind of authorization information to SignalR? Preferably a way that can be consistent on both my WebApi and SignalR, but I am looking to know how I should be doing it.
Thanks
It's been sometime now - but we used to look for the auth cookie in the signalR request to ensure that only a signed in user can subscribe to signalr notifications.
It didn't handle the case where the token expired - since the cookie was checked only on connect. This wasn't a problem for us.
I'm using Asp.net c# language programming.
What is the best way for authenticating web methods in a web service?
Is it right having authentication for every web method and verify user name and password for each web method?
Is there a way to authenticate just once not for every web method? something like using sessions and etc?
You might want to look into this one:
http://weblogs.asp.net/cibrax/archive/2006/03/14/implementing-a-secure-token-service-with-wcf.aspx
Edit
If you are bound to only use asmx for some reason, then I would also suggest looking into WSE from MSFT.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=018A09FD-3A74-43C5-8EC1-8D789091255D
You can pass around a token from your client into the web method. The token is encrypted with public/private keys.
For more info here:
http://msdn.microsoft.com/en-us/library/ms996931.aspx
First of all, you should be using WCF for web service development unless you're stuck at .NET 2.0.
Secondly, you can use Windows authentication or Basic authentication over https, but those restrict you to users who are Windows users. If you have a separate set of users, then you will need to do your own authentication.
You can use SOAP Headers so that you don't need a username and password in every web method.