I am currently working with a client and have been tasked to create a second app for the same client. The app will be web based (asp.net core) and since I have already completed one app for them using asp.net MVC with Identity framework (Boiler plate with some extensions) I would like for this new app in core to also use that identity instance, as some of the users will be accessing both apps. I know this is out there, but I have not found any answers or tutorials on how to accomplish this? Any help is greatly appreciated. Thank you!
You can use the same Identity database for handling authentication and authorization.
Add an ApplicationId field to AspNetUsers table, derive from UserStore and re-implement the Find based methods so the queries take into account the ApplicationId
Every new application will have new applicationId in this case.
Also, you can separate the Identity database, so you decouple the authorization process which allows you segregate your application dependencies, add new applications easily in the future and scale as needed.
You can then use bearer token and web APIs. Once the user logins, you will pass the username & ApplicationId for the application that the user is requesting access, then your security service would return a bearer token if authorized and 401 error if not.
Related
So, we have a frontend application in Angular in which a user can login to Azure Ad using MSAL. The login retrieves an accessToken for the backend api with the groups in which the user is employed in it. Because their are only three groups available, the token size is not exceeded. We want to call the api which is written in ASP.NET Core and we configured that the access token is provided in the header of the request. Now we first want to create an AuthenticationScheme and three different policies based on the groups. How can we achieve that? We are not that experienced in ASP.NET Core and don't know how to retrieve the group information from the header.
Our first approach was like this: options.AddPolicy("Administrator", builder => builder.RequireAuthenticatedUser().RequireClaim("groups", "AzureAdGroups:AdminId")); but it didn't succeed.
Follow these steps:
Configure groups optional claims so they appear in your tokens.
Configure your WebAPI for JwtBearer authentication and authorization.
Apply your policies to your controllers.
I'm trying to authenticate my app users with their credentials used at the website
I managed to authenticate users via Xamarin.Auth to login via Google, Twitter... etc but could not figure out how to authenticate them via ASP.Net Identity provider.
any ideas or examples ?
Your problem is not a new one, and is one that will be easily fixed in the near future (see note below).
When you're authenticating with a provider like Google or Facebook, you're receiving a token that you can then use to send to the API. Unfortunately Asp.Net Identity does not do this out of the box. You can either configure your API to use JwtBearer tokens, or check out the Identity4 project along with their samples. Note that if you're using Asp.Net Identity you'll probably want a cross between Quickstart 6 and Quickstart 8 so that all of the necessary persistent stores are in your database.
NOTE: You might also want to follow the Templating Team's PR #700 which is adding token based auth in the new templates which will soon allow you to rapidly create new Api's with Token Based Authentication for your mobile apps.
I have a ASP.NET Web Forms site where users will login using Azure Active Directory. As a client it calls Asp.Net Core Web Api site, that will return some information depending on customer roles.
The approach is similar to https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore sample.
Each application in the sample has it's own Azure Active Directory application. My application has quite a few application roles and maintain them in both applications can be annoying and error-prone. I want client and service to use the same AAD application to avoid maintain the same roles in 2 AAD applications.
I haven't seen such architecture in examples, is any problem with such approach?
I tried to implement it and received a "promising" error, that "scenario is supported".
AADSTS90009: Application is requesting a token for itself. This
scenario is supported only if resource is specified using the GUID
based App Identifier.
Unfortunately I don't understand how to specify resource "using the GUID based App Identifier". In the request I already using GUID
resource=https%3A%2F%2FMyDomain.onmicrosoft.com%2Fe0a25761-XXXX-XXXX-XXXX-2aefc7e3134d
Advice to change some GUID on MS Forums thread https://social.msdn.microsoft.com/Forums/azure/en-US/3de0c14d-808f-47c3-bdd6-c29758045de9/azure-ad-authentication-issue-aadsts90009?forum=WindowsAzureAD#cf3986f5-3422-44d1-bcb7-3a4201f68fa2(I asked for clarifications there) also is not clear.
So my question is: Can I share the same AAD application between client and Service, and, if yes, how to do it?
Based on my test, the normal Azure AD tenant doesn't support to mix the client and server apps well.
Here is my trying for your reference:
1 .Grant the permission to the app itself by modifying the manifest like below:
"requiredResourceAccess": [
{
"resourceAppId": "{AppID}",
"resourceAccess": [
{
"id": "{customOauth2PermissionsId}",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
}
]
}
],
2 .Then we can acquire the token using OAuth2 code grant flow
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id={appId}&redirect_uri={redirectURL}&resource={appId}
POST:https://login.microsoftonline.com/common/oauth2/token
However, I was not able to find the custom specific permission when pasred the access_token. If you want the Azure AD normal tenant to support this scenario, you can submit the feedback from here.
I tried to add a new App ID URI for AAD application (identifierURIs[]) that is supported according to https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-manifest .
Manifest allowed to specify multiple identifierURIs, but portals(both new and classic) show only the first of URIs. New portal highlights App ID URI entry box as changed and prompts to save it(effectively removing the second URI).
However I realized that I don't need both AAD applications to have roles. I can have 2 separate AAD applications and keep roles only in one of them. Web Site client will authenticate user, but do not check for roles itself. Instead it will call Web API site that should have AAD application with all application roles declared and assigned to users/user groups. Web API can provide roles/permissions to the client according to client's requests.
I write a webapp with mvc5 and Identity for authentication. It's work fine.
Now I need to authenticate same client (ios app, windows phone app, and android app) with users that are registered. Think to use a specific webapi where user can register, modify, autheticate ours user. So when they are autenticated the use can access other webapi for get data. Is this correct procedure? How I can use Identity into webapi?
Thanks
You want to look into oAuth and JWT tokens. There is already a library built for this which works really well called Thinktecure. When you are authenticating from a mobile app you really want to go the route of stateless authentication and just pass a token with the necessary claims to identify the user. There is plenty of documentation on the site as well as a sample repo (below).
https://github.com/IdentityServer/IdentityServer3.Samples/
I am relatively new to uisng ADFS (in ASP.NET) which is what my company wants to use and just have a few basic questions about that:
Am I correct there is no explicit "Authorize" call you can do like with ASP.NET Membership Providers? Unless you on a domain it presents you with a login screen and once you enter credentials it does validation and returns back a token with claims information.
Can you configure some forms to allow anonymous access like you can do with Forms Authentication?
Thanks.
Yes, you can setup pages in your app that don't require authentication. It works exactly like you'd do with Forms Auth.
On #1: in a claims based model, your app relies on an external system to authenticate users and receives evidence that the user is valid in the form of a token. You can completely automate this (using WIF and config files), or you can explicitly trigger the authentication process. In any case, your app won't be responsible for validating legitimate users anymore. It is a responsibility that it delegates to the STS (e.g. ADFS). That's why apps are called "relying parties".
I'd suggest you read the first couple chapters of the A Guide to Claims based Identity for a better understanding of the underlying principles.