I am confused with AspNetCore Identity,OpenId Connect and IdentityServer4. What is the relationship between them,and what is the suitable occasion for each of them?
OpenID Connect is a specification (an authentication protocol).
IdentityServer4 is an implementation of an OpenID Connect provider (server-side)
ASP.NET Core Identity is a user-management library (over a database). It can be used by an ASP.NET Core application to create users, verify password etc.
OpenID Connect providers using IdentityServer4 are ASP.NET Core applications, so they can use ASP.NET Core Identity to authenticate users on the login page.
Related
I've REST services (Web API) and admin panel (MVC) in one project on ASP.NET Core 2.1. I want to secure my API with JWT token, and my MVC pages with cookies. Can I combinate these two authentication ways. How to configure my Startup.cs, Authorize attribute and sign in functionality.
I suppose you should use an OAuth 2.0 framework. please check IdentityServer4 it enables many features in your applications.
IdentityServer is middleware that adds the spec compliant OpenID
Connect and OAuth 2.0 endpoints to an arbitrary ASP.NET Core
application.
Typically, you build (or re-use) an application that contains a login
and logout page (and maybe consent - depending on your needs), and the
IdentityServer middleware adds the necessary protocol heads to it, so
that client applications can talk to it using those standard
protocols.
What I know about IdentityServer and OpenID connect is:
The IdentityServer is a free, open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core. That incorporates all the protocol implementations and extensibility points needed to integrate token-based authentication, single-sign-on and API access control in your applications.
Further more OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol. OAuth 2.0 defines mechanisms to obtain and use access tokens to access protected resources, but they do not define standard methods to provide identity information. OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process. It provides information about the end user in the form of an id_token that verifies the identity of the user and provides basic profile information about the user.
What I want to know is what is Azure Active Directory and How it is works? Did we use Azure AD with openid connect? or it is optional with openid connect? and If I've an webapi which is based on ASP.Net core 2.0 with identityserver 4. Did we deploy on azure without implement Azure AD? I m confused because I've an webapi project and a client project based on angular. when I deploy my client project as a new web app on azure its running fine. But when I deploy my web api on azure its not working. Means after deploying my web api when I do post request to get a token or when I want to register a user through my azure web api link it shows me 500 error in postman.
After facing this problem I post it on Here Stackoverflow but didn't find any helpful answers. So I again start searching and found that if we want to use openid connect with azure we must implement Azure AD. Here is the Reference. So in this question I want to know the difference between openid connect and Azure AD? and second question is. Is this possible to use openid connect without using Azure AD? Please explain your answer briefly. Thanks
A bit of introduction from my end about the Application:
We are having ASP.NET web application with SQL server membership provider for user authentcation. In addition to this our application supports SSO from client's application(for ex: siteminder).
One of our client is changing their SSO infrastructure from siteminder to Azure(Active Directory Federation service) as I am pretty new to Azure ADFS so I am not aware of what all things are required and the procedure to connect to our ASP.NET web Application. Though I have certain queries too:
will there be any infrastructure change from our end? means do we need ADFS server at our end to communicate to the client's ADFS server OR is it possible that we connect directly to client's ADFS server from our ASP.NET web application?
will there be any software upgradation required? currently we are using Visual Studio 2013(update 2), .NET Framework 4.5
Note: Application needs form authentication for internal users
There is no such thing as Azure ADFS.
There is Azure AD and ADFS. They are completely different products.
ADFS only authenticates against AD. It cannot authenticate against a SQL server membership provider. If you need this, use identityserver to authenticate against the DB and federate this with ADFS.
You can either federate your ADFS with theirs or connect your application to their ADFS. Both are valid.
To do this, your application needs to support WS-Federation (WIF), SAML 2.0 or OpenID Connect (ADFS 4.0).
I've been assigned to find a way of implementing SSO in our products. We have several Winform applications and one asp.net 4.0 web app (not MVC).
All the products are built using .Net 4.0, the web app is ASP.NET 4.0.
Some of the Winforms are commmunicating with our API via web services (asmx) and some uses our API directly. The web app is using the same API as well. We offer a set of web services (asmx) that uses the same API to external clients.
Currently we have our own authentication implementation (user, password, roles) in our systems and we would like to replace that with SSO. Or can these two authentication regimes co-exist somehow? The Winforms are used in intranets and the web app is used both in intranets and we also hosts the web apps for clients (accesible from the Internet).
The users are created in our system, but at the same time we import users from Active Directory using our own tool. Active Directory is really the primary user source.
I have read about Windows Identity Foundation and I wonder if I can use that to implement SSO. But what I don't understand is how to use WIF in the winform applications when they use the API directly.
What I would like to achieve is to remove all user administration from our system and use Active Directory as the user source. I guess that means using ADFS 2.0 to create claims, etc.
I can use .Net Framework 4.5 in this implementation (I know that WIF is now a first class citizen in .Net Framework 4.5).
Do you have any advices how to do this? Is WIF the best alternative to achieve SSO across winforms applications and web apps?
There is a way to get the WIF authentication cookie from within the WinForms application.
To do it, you just host the WebBrowser control and point it to the login page of your web application. Assuming the web application is federated with the ADFS2, the web browser control will automatically follow the flow - it will redirect to ADFS and stop there to show the prompt for user credentials (ADFS2 in Forms Authentication mode) or just authenticate using NTLM/Kerberos (ADFS2 in Windows authentication mode). Then the web browser will redirect back to your application.
This is where you hook your code. You just add a handler to the web browser's navigation event and you check when it comes back to your application AFTER ADFS2.0 authenticates the user. You can then call the InternetGetCookie method in the WinForms app to get all the authentication cookies issued by your application and you can close the window which hosts the web browser.
At this point, you have all authentication cookies issued by WIF (the SessionAuthenticationModule) for your application. You can now call your application web services and inject cookies into http calls. The web server will correctly recognize users as authenticated which means that all you have to do is to add proper authorization to your web services (the PrincipalPermission on your web methods should do).
An alternative approach would be to expose WCF services from your web application and guard them with WS-Federation active authentication. The downside of this approach is (in my opinion) that if your identity provider (ADFS) is further federated with yet another identity provider which DOES NOT necessarily implement WS-Trust/WS-Federation then the active authentication will probably fail (because the other identity provider does not implement it) while the passive scenario will still work (a bunch of redirects will sooner ot later end with a page which requires user to provide the credentials but the flow of authentication protocols between consecutive identity providers does not matter).
What are the authentication options for having a ASP.NET web application communicating with a WCF service?
The scenario:
User enters their username and password in an ASP.NET form.
ASP.NET needs to pass this to WCF to authenticate the user.
If authenticated, the user can perform actions on the website. Each action would require sending data to different WCF operations. WCF needs to know who the user is on each call.
The easiest solution would be to store the username/password in the ASP.NET session state. However, this is insecure because the password is stored in memory on the server.
I would rather not use a certificate to authenticate the ASP.NET "client" to the service because there's a possibility that this WCF could be consumed by another client in addition to ASP.NET.
The best suggestion I've seen so far is to use Windows Identity Foundation (WIF). It appears that this requires an STS. According to MSDN, Microsoft does not seem to recommend setting up an STS through Visual Studio. There's no guarantee that an STS would be available in the deployment environment as some environments may use Active Directory and other environments may have a custom user store. Is it possible to setup a custom STS to authenticate against a custom user store? I'm having trouble finding documentation on doing this.
Are there any other options besides using WIF? What about a custom WCF authentication service that returns a token that can be used for authenticating against a primary WCF service?
The standard way of doing this is by using WIF with Microsoft's STS viz. Active Directory Federation Services v2.0 (ADFS).
There are a number of custom STS available e.g. Identity Server. This use a SQL DB as an attribute store. It's open source so could be adapted to whatever you require.
You can create your own custom attribute store: AD FS 2.0 Attribute Store Overview.
TechNet WIF / WCF: WIF and WCF.