I was trying to implement the Facebook Authentication Login in a web-app but there's something I couldn't figure out. I know for some experienced developers out there this is a pretty dumb question but, can anyone explain me this code snippet?:
public class FacebookAuthProvider : FacebookAuthenticationProvider
{
public override Task Authenticated(FacebookAuthenticatedContext context)
{
context.Identity.AddClaim(new Claim("ExternalAccessToken", context.AccessToken));
return Task.FromResult<object>(null);
}
}
As far as I know context refers to the data in an HTTP Request, right? If that so, when we're doing context.AccessToken the guide says that that's set by Facebook. How's that even possible? What's the flow there?
It says and I quote:
As I’mentioned earlier this token is for the external provider and
issued by Google or Facebook, after we’ve received it we need to
assign it to custom claim named “ExternalAccessToken” so it will be
available in the request context for later use.
I didn't get that.
Can anybody explain, please?
Thanks in advance.
As I said, I know it's a dumb question but I'm the type of person who wanna know how everything works behind the scenes.
-- EDIT --
So, Facebook makes the request and sends along an AccessToken.
Then we store it on that same request context as a claim.
Is that what's happening? If so, then, when is that request context destroyed? (When the request is done, duh) Yea but, when does that request finish? Isn't it after sending the token?
When you authenticate agains an external provider e.g. facebook you redirect your client to the "facebook login page" (not really the login page). There the user enters his credentials and facebook validates them. Then facebook redirects back to your page with an authorization code which you can exchange for an access token.
All of this is done by the Authentication middleware of asp.net when you configure an external authorization provider. I do not know the middleware to well but I assume the Context is transient (per request) but that shouldn't matter to much.
This image is taken from here where you can read up more on the OAuth 2.0 auth code grant.
Related
So at work I was given the task of designing a database API, now security assessment has stated that the system must use Authentication and Authorization.
On top of that Authentication Happens through their NetScalar that forces the user to login with company credentials and in turn gives the user a token. This token will then be sent to my API in the header of each request.
Now here comes the issue. The token only contains a username, I however want to do a
[Authorize(Roles = "Admin")]
Check on my controllers. Now as the user has already been authenticated with his password and username I know that he has is a valid user however I would like to assign a role to him.
Now I'm open for suggestions on how to do this but the simplest way of fixing this that I could think of was to at each request query my DB for the users role and add it to the token claims.
However I don't know how to do this and also I have no idea if this is a good solution.
I would appreciate any help with adding the claims (in code) or other solution (also code would be much appreciated).
Thank you!
Given a backend wrote in nodejs that returns a page that should either link to login (if the user is not logged in) or a link to logout (if the users is already logged in).
Considering I'm using firebase as authentication tool, how can I know in the first request, when the user is accessing the website, if is he authenticated to then
set the ejs template to respond with the correct link ?
Is there some header, or token that can I use ?
The only solution I found was use ajax after the server response, but I don't like this solution because apparently there is a delay in the link renderization.
As far as I know there is no way to know if the user is authentication on the initial request. From a quick inspection no data is sent along with that request. That kinda makes sense, given that upon this request it is not even known if you're using authentication to being with.
Update
I actually just ran into this blog post from one of the Firebase engineers, which seems promising: Introducing session cookies for server-side web apps. I haven't fully read it yet, but the title sounds like it may be exactly what you want.
I am working with the functionality to integrate ADFS login page with my application.
Flow
User will try to visit page. Here system will try to authenticate user.
System will redirect user to ADFS login page.
User will enter login information. If user is authenticated then user will be redirected back to the application with authorized token information.
I am facing difficulties to read the token information when the page is redirected back.
I tried
I am able to redirect page to ADFS login page and also can redirect back to my system if the user is authenticated using below url format:
https://adfs-domain-name/adfs/ls
Please find the below code snippet which I am using after getting back the page to read token information.
ClaimsPrincipal claimsPrincipal = Thread.CurrentPrincipal as ClaimsPrincipal;
bool IsAuthenticated = claimsPrincipal.Identity.IsAuthenticated;
int ClaimCount = claimsPrincipal.Claims.Count();
Here I am getting IsAuthenticated as false and ClaimCount as 0 result.
Is there anything incorrect in my code or way to connect ADFS login page ?
Can anyone help me to fix this ?
Please let me know if you have any concern or query or if I am missing something.
In short, I would recommend following this tutorial:
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/development/enabling-openid-connect-with-ad-fs-2016
I followed the steps in there and got it to work (using OAuth2 / OpenID connect). There are some other interesting resources on that site, too.
Some more pointers:
1) For using OAuth2 the login URL on the ADFS server should be something like:
https://adfs.contoso.com/adfs/oauth2/authorize?[parameters]
The URL parameters are nicely documented here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code
2) You can then use the ADAL libraries for the frontend and backend code. In essence, the frontend code will put together the aforementioned login URL and keep the token in the browser's session storage to be sent with each request. The backend library will verify and decode the tokens (into ClaimsPrincipal) for you. You can find the appropriate library components here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries
Ah, yeah, I know these components and docs describe Azure AD (ADFS in the cloud), but what they run there is essentially the same as ADFS 4.0 on Windows Server 2016.
I will not post any of my code, because this is more just a question to know if it's possible.
I've been googling a lot, but didn't find any concrete solutions. I hope someone can help me here.
The facts:
I have a login form
I need to authenticate the credentials over a web-service
I need to send both username and password, to get back a token if logged in successfully.
The problems:
With a custom provider I'm always stuck with the fact that they only have direct access to the userename, like: loadUserByUsername. I need to access the password there as well, to be able to send this to my web-service.
I have only 1 web-service which sends only back a token if provided username and password are correct.
Question:
How can I access and send both username and password to my web-service?
Thanks!
Generally speaking one would authenticate using an API token to a web service.
That API token is usually issued via an auto-generation script when the user account is created (either by an admin or by a registration form). This token is then passed by the API call to the web-service in a header which then uses it to authenticate the user.
As far as Symfony goes, by far the easiest way of doing this is with Guard. A new component built by Ryan Weaver from KNP.
KNPUniversity has a great tutorial on it (for free).
Note that this is only one option of many, and the 'best' way is probably mainly opinion based and directly related to the use case in question. But it might help you get on the right track.
If the token you want to create should be a JSON Web Token (JWT), a very conventient bundle is LexikJWTAuthenticationBundle, which does almost all of the work automatically. If you just follow the documentation, you will have it quickly up and running. You can combine it with FOSUserBundle, with a custom User entity or whatever.
I want to implement oauth2 in my website.
I have the server configured.
In current scenario there is a login page, where user puts her credentials which in turn is submitted to my login controller. Now I want to authenticate user using oauth2. Since the server and client are part of same application I am wondering how to go ahead.
I want to authenticate the user via oauth and return the dashboard along with the bearer token so that next call can me made from here.
Please suggest how to go ahead. If there is a better way to do i am more than happy to adapt it.
Thanks
Configure authorization server with spring-security-oauth. All the necessary endpoints will be mapped automatically (including /oauth/token)
Make a simple webpage with login form
Make POST request to /oauth/token with the username and password. In addition you have to send field called grant_type which will be filled with 'password' value.
As a response you will receive the access token. This means that you are authenticated.
P.S. Please pay attention that Oauth is the authorization standard, not the authentication one!