Identity management framework in ASP.NET - asp.net

A new application is being built with an Angular Client and a ASP.Net Web API back end. The back end will be consumed by the Angular Client only in the short term (1 year), but will be consumed externally (mobile and 3rd parties) in the long run.
What are the pros and cons of using ASP.NET Identity vs IdentityServer4 initially in securing the API? How difficult will it be to switch over to IdentityServer from ASP.NET Identity down the road and is it worth the effort of using IdentityServer from the beginning.

ASP.NET Identity is a user store, with some helper libraries that enable cookie authentication on top of it. Using ASP.NET Identity to protect HTTP APIs is not what it was designed for.
IdentityServer 4 is an OAuth & OpenID Connect authorization server. Using IdentityServer to protect HTTP APIs is exactly what it was designed for.

Related

Combining cookie and token authentication in ASP.NET Core

I've REST services (Web API) and admin panel (MVC) in one project on ASP.NET Core 2.1. I want to secure my API with JWT token, and my MVC pages with cookies. Can I combinate these two authentication ways. How to configure my Startup.cs, Authorize attribute and sign in functionality.
I suppose you should use an OAuth 2.0 framework. please check IdentityServer4 it enables many features in your applications.
IdentityServer is middleware that adds the spec compliant OpenID
Connect and OAuth 2.0 endpoints to an arbitrary ASP.NET Core
application.
Typically, you build (or re-use) an application that contains a login
and logout page (and maybe consent - depending on your needs), and the
IdentityServer middleware adds the necessary protocol heads to it, so
that client applications can talk to it using those standard
protocols.

What is the recomended method for adding Authorization/Authentication to an MVC application that uses Web API

In most cases, I have used AD to lock down applications through IIS. In this case, I need to create an MVC Application that will have some Web API controllers and authentication/and authorization (roles). I was looking to try to use a stack overflow suggestion that I have found to several other posts.
https://identityserver.github.io/Documentation/docs/overview/mvcGettingStarted.html
Most of the answers that I have seen in Stack Overflow reference the above link
ex). Implementing Authentication and role based authorization in ASP.NET MVC web API service and MVC client architecture
The question that I have for the community that has experience with adding Authentication/Authorization to a combined Web Api/MVC project is if the identity server approach listed above is the best solution for this scenario and if there are other resources that I should look at also?
From your requirements (authenticate to use an MVC site and then be authorized to use a Web API) you'll need an OpenID Connect Provider such as Identity Server 3 (aka a Security Token Service (STS), an Authorization Server, etc). Basically something trusted by both the MVC site and the Web API.
The basic flow of things here is that your users will authenticate using OpenID Connect on your MVC site, after which they can get an access token to authorize access to the Web API using OAuth.
The mentioned tutorial is the best way to start. Near the end it takes you through how to access the API on behalf of the user.
ASP.NET Identity is a user/identity store. It is not add authentication or authorization to your application.

Membership handling for separate Web API backend and AngularJS front-end

I've a MS ASP.NET Web API 2 backend serving JSON for consuming by a very separate AngularJS-based front-end. I need membership handling (authentication/authorisation) preferably with JWT (Jason Web Token). I'm familiar with MS simple membership and Identity 2.1 to some extent but I'm struggling to interface with that from the AngularJS-based UI.
Identity 2 gives me all the functionality I need and I'd rather avoid using ASP.NET MVC - the Web API I use fronts a SQL database and the rest is AngularJS driven.

Single Sign On WinForms apps and asp.net wep app

I've been assigned to find a way of implementing SSO in our products. We have several Winform applications and one asp.net 4.0 web app (not MVC).
All the products are built using .Net 4.0, the web app is ASP.NET 4.0.
Some of the Winforms are commmunicating with our API via web services (asmx) and some uses our API directly. The web app is using the same API as well. We offer a set of web services (asmx) that uses the same API to external clients.
Currently we have our own authentication implementation (user, password, roles) in our systems and we would like to replace that with SSO. Or can these two authentication regimes co-exist somehow? The Winforms are used in intranets and the web app is used both in intranets and we also hosts the web apps for clients (accesible from the Internet).
The users are created in our system, but at the same time we import users from Active Directory using our own tool. Active Directory is really the primary user source.
I have read about Windows Identity Foundation and I wonder if I can use that to implement SSO. But what I don't understand is how to use WIF in the winform applications when they use the API directly.
What I would like to achieve is to remove all user administration from our system and use Active Directory as the user source. I guess that means using ADFS 2.0 to create claims, etc.
I can use .Net Framework 4.5 in this implementation (I know that WIF is now a first class citizen in .Net Framework 4.5).
Do you have any advices how to do this? Is WIF the best alternative to achieve SSO across winforms applications and web apps?
There is a way to get the WIF authentication cookie from within the WinForms application.
To do it, you just host the WebBrowser control and point it to the login page of your web application. Assuming the web application is federated with the ADFS2, the web browser control will automatically follow the flow - it will redirect to ADFS and stop there to show the prompt for user credentials (ADFS2 in Forms Authentication mode) or just authenticate using NTLM/Kerberos (ADFS2 in Windows authentication mode). Then the web browser will redirect back to your application.
This is where you hook your code. You just add a handler to the web browser's navigation event and you check when it comes back to your application AFTER ADFS2.0 authenticates the user. You can then call the InternetGetCookie method in the WinForms app to get all the authentication cookies issued by your application and you can close the window which hosts the web browser.
At this point, you have all authentication cookies issued by WIF (the SessionAuthenticationModule) for your application. You can now call your application web services and inject cookies into http calls. The web server will correctly recognize users as authenticated which means that all you have to do is to add proper authorization to your web services (the PrincipalPermission on your web methods should do).
An alternative approach would be to expose WCF services from your web application and guard them with WS-Federation active authentication. The downside of this approach is (in my opinion) that if your identity provider (ADFS) is further federated with yet another identity provider which DOES NOT necessarily implement WS-Trust/WS-Federation then the active authentication will probably fail (because the other identity provider does not implement it) while the passive scenario will still work (a bunch of redirects will sooner ot later end with a page which requires user to provide the credentials but the flow of authentication protocols between consecutive identity providers does not matter).

Common custom authentication for RIA, MVC and Web Service

I've got 3 different clients accessing my ASP.Net service layer. I'm in the process of moving the Silverlight client to RIA services and I'd like to consolidate my authentication code if possible. I use a custom table in my database to store user credentials and profile information.
Can an ASP.Net Membership Provider be used for RIA, MVC and Web Service applications? Or is there an easier way?
WCF: http://msdn.microsoft.com/en-us/library/ms731049.aspx
RIA: http://msdn.microsoft.com/en-us/library/ee707353(v=vs.91).aspx
ASP.Net MVC: http://www.asp.net/mvc/tutorials/authenticating-users-with-forms-authentication-cs
I got myself tied up in knots a bit trying to use the same auth mechanism for RIA and a WCF REST & SOAP endpoints; RIA is a WCF endpoint at the end of the day. However consuming a RIA service is more comparable to using an MVC app; call a login service after which the browser or Silverlight app automatically attach a cookie to all subsequent requests which will be authorised by the ASP.Net membership provider.
Conversely clients of the WCF SOAP and REST services there are better ways to authorise requests rather than force them to call a login service, extract the cookie and attach it to all future requests. The above link for WCF actually describes a mechanism where the username and password are set for every request. In practice a lot of public web API's require a single header with a secret key to be set.
My conclusion is that I'll use the same membership provider for ASP.Net MVC and RIA but a different mechanism for SOAP and REST WCF services.

Resources