OAuth2 Authorization Server for .NET - asp.net

I am currently prototyping OAuth2 authorization server options, and want to use IdentityServer4.
But it would require a lot of work to put an ASP.NET Core App on top of the current .NET Framework stack (v4.5) that I am working on. This stack also relies heavily on the IoC container "Spring", so that's another issue.
I have tried looking at ASOS, but I run into similar problems.
Isn't there a proper OAuth2 authorization server framework made for good old ASP.NET that is still being maintained?
Maybe some of you have some input to how you solved a similar situation?

Related

Can I change the Aspnet-version of my logic app?

I was recently handed over the support of an already built logic app that accepts some JSON, performs some validations and sends it to some endpoint. There's nothing wrong with the Logic app functionality, it works completely fine.
The problem is, penetration testing was done on the app and it presented us with a security concern of X-aspnet-Version:4.0.30319.
I found this post here and it says:
That is not the actual .NET framework version. It is the version of the CLR
My questions are, can the above quote be considered as the valid reference to address the issue? If not, can the logic app be somehow upgraded to use aspnet version 4.5 or higher?
And if I can change the version, can this have impacts on my current logic app's behavior?
Note: The app was made entirely through logic app designer and not a single chunk of coding was implemented
No, the problem is with the test tool, not Logic Apps.
Just because it infers a problem doesn't mean there is a problem.
Explain to your 'security' testers that this is an Azure Logic App, not Windows/IIS. If you tell us the exact 'security concern' we can explain why it's irrelevant.
X-AspNet-Version: specifies the version of ASP.NET being used. Note that this value returns the core framework version. Typical examples include 1.1.4322, 2.0.50727 and 4.0.30319.
ASP.NET web sites send the ASP.NET version information in the web server HTTP Response Header as X-AspNet-Version value automatically to the client. So, you could not change it in logic app.

Pure ASP.NET Core Identity Server

It's a really strange question, but...
So, do any pure internal IdentityServer4 analogues in ASP.NET Core exist?
I have some Web Services via WebAPI. These services are strongly independent, but I want to restrict access to part of them (I want to use JWTs).
I want to have one certification authority for all my APIs, which could use ASP.NET Core Identity, of course, and grants or denies access to a specific API.
I don't want to use IdentityServer4 right now - maybe it's possible to solve this problem through the internal resources of ASP.NET Core.
Thanks.
Yes, ASP.NET Core provides out-of-the-box tools for authentication and JWTs.
You will need to configure your Startup class and add the appropriate services/middleware.
Here's an article to get you started:
https://developer.okta.com/blog/2018/03/23/token-authentication-aspnetcore-complete-guide
If I'm not mistaken, IdentityServer actually wraps around these tools under the hood.

Using ASP.NET Forms Authentication and PostgreSQL

I have an ASP.NET C# WebForms application built using the following:
Mono
Apache
PostgreSql
NPGSQL
OS Linux
Because those platforms are used, a custom user/role management system was written for the application login.
One of the features we need is to redirect a visitor if they try to access a page if they have not logged in to the application.
I have been researching Forms Authentication.
As expected almost everything I find is using the ASP.NET built-in tools that are prominently used in Windows environments. (Which is not necessarily the case I have in my application)
My question is can Forms Authentication be used in my scenario? Or is there another approach I could take to accomplish the same result.
PLEASE NOTE: Before marking this as a possible duplicate question notice my environment is not the normal ASP.NET stack.
Using [Sessions] is my solution.
This Stack Overflow question gives a really good explanation.

ASP.NET Identity and mobile clients

The latest version of ASP.NET includes the new authentication framework ASP.NET Identity, which should be the core building block for user management in all new and near future ASP.NET projects and websites.
I have seen that it can integrate with the WebAPI quite nicely, but haven't seen any example of integration as authentication for mobile client devices. For example - suppose I have an ASP.NET website with Identity implemented in use. Now I want to build client applications for Windows 8.1 and Windows Phone 8. I see two main issues that are limiting this.
Firstly - ASP.NET Identity apparently issues only short-lived auth. tokens, which is quite a bad user experience for mobile applications. I have seen some attempts to create a refresh token mechanism - http://leastprivilege.com/2013/11/15/adding-refresh-tokens-to-a-web-api-v2-authorization-server/ . This is quite a nice approach, but it would still be more interesting to see a really built in solution.
Second - and maybe more important - external authentication provider support. On the ASP.NET Identity website it is quite clear and easy to see a way to authenticate via WebAPI, but I haven't seen this in use with external authentication. How is it possible to get the authentication URLs for Facebook, Microsoft and Twitter and how can the authentication flow be completed from within the app?
Has anyone some experience with this? It would be great to find a complete walkthrough, I will gladly reward the correct solution with some bounty points :-) .
The problem is that security is complicated and that Microsoft's solutions only address the simple scenarios.
Also, you're confusing terminology (which increases everyone's confusion, including your own). ASP.NET Identity manages users' credentials stored in a database. It's unrelated to the type of application that needs to validate credentials (mobile, api, browser, desktop, etc).
Katana middleware is what allows an application to authenticate the caller. There's cookie middleware for browser applications, external middleware for Google, Facebook, WS-Fed, etc, and then there's OAuth2 for API applications. Each works differently based upon the nature of the application. Some of them interact as well, depending on the requirements of the application.
I don't mean to pick on you -- this is more of a complaint about Microsoft's lack of education/documentation in the frameworks they provide. And I suppose this is an answer to your question -- Microsoft doesn't have what you're asking for. They have bits and pieces, but you're left to connect the dots.
Some links that might help:
http://www.asp.net/identity
http://www.asp.net/web-api/overview/security
http://www.asp.net/vnext/overview/authentication
http://brockallen.com/category/owin-katana/
http://leastprivilege.com/category/katana/
http://leastprivilege.com/category/webapi/
HTH

Does it make sense to implement Facebook auth as an ASP.NET Forms auth custom membership provider?

I'm currently developing a web application that will use Facebook as an authentication service. Does it make sense to implement it as an ASP.NET Forms Authentication custom membership provider? While doing my research, I didn't come across any concrete significant advantage of using Forms Authentication. However, it instinctively seems to me a good thing to do, because aside from creating a completely custom implementation of authentication using Facebook, I didn't find any extensibility point inside ASP.NET where I could plug in the Facebook auth behavior.
Can you then tell me whether Forms Authentication is a good idea or not? And if not, is there any other way than completely custom code (I'd like to avoid managing the session cookies, loading the current user, etc. manually)?
I'm using ASP.NET MVC 3, Entity Framework and I'd like to avoid the Facebook C# SDK (the extensive use of dynamic types is a bit of a turnoff for me :-) ).
Thanks for any advice.
A simple answer is to use the .NET 4.5 OAuth templates; they make it incredibly easy to link Facebook up to forms authentication.
http://www.asp.net/vnext/overview/videos/oauth-in-the-default-aspnet-45-templates
However you may struggle to find a decent server if you are planning on releasing immediately. In a couple of months plenty of servers will support .NET 4.5.
The OAuth templates work for both v4.0 and v4.5 so you can publish them onto a server today itself :)
