Given user credentials (i.e. username, password), I'd like to authenticate the user from within our web-api applictation.
I'm considering using a class derived from Attribute and IAuthenticationFilter. The class will use HttpClient to connect to an AD FS server, submit user credentials and retrieve resulting tokens. Selected methods within ApiController(s) will be decorated with the above attribute.
Will the above work?
What is a uri format that needs to be sent to the ADFS server?
Does the http request sent to the server need a body/payload?
What is a response format from the server in case of success (with token)/failure?
I'd appreciate any examples and pointers to on-line docs.
Thanks.
OK - with 3.0 refer to this. You use OWIN and ADAL.
4.0 has full OpenID Connect / OAuth support. You use OWIN and ADAL. Refer here.
Related
I've been going through this tutorial which shows how to secure a single page application using several scenarios going from simple to our own Authorization Server that delegates authentication to a provider. The first scenario uses the Authorization Code Grant to log the user in.
Suppose we replace Facebook's OAuth Server with our own in this case and configure it to return a JWT token.
Which OAuth flow should the SPA use if it wants to use the JWT token to secure requests through an edge server that load balances between resources servers?
Also how should spring boot / spring security be configured if we want to use the JWT token to replace the replace the default JSESSION and CSRF support in spring? IIUC the JWT token can be used as a replacement to both of these features.
Update
Based on Manish's answer assuming we are using OAuth 2 implicit flow we:
Put the #EnableResourceServer annotation on the Resource Server
Use an OpenID Connect client to implement the implicity flow
So once this is done are POST request secure assuming each request includes the JWT token as a Bearer Header, or do we need to also configure CSRF?
It will depend on how much your application is sensitive to security but Implicit flow is recommended for pubic client (SPA).
Tutorial is based Authorization Code flow and if you will replace Facebook with your STS, it will still use Authorization Code flow because #EnableOAuth2Sso store the JWT token on server and send the cookie to browser and it also uses refresh token to get the new JWT token. It is a customize flow to implement the Authorization Code flow with public client (SPA) based on API gateway pattern.
To implement the implicit flow - Do not use the #EnableOAuth2Sso at server side, just expose the REST API and secure it with #EnableResourceServer. And you need to use the oidc-client to implement the implicit flow link is here https://github.com/IdentityModel/oidc-client-js
CSRF protection is only required if you will store JWT token or session identifier in the browser's cookie.
We have planned to implement authentication in our API using OAUTH. For this purpose I read so many articles on web to explore it. After read these articles what I am understanding is
Send credentials to authorization server and after successful
authentication it will send you the access token.
Use this access token for further calling of your api methods.
To authenticate our api user needs to pass the following parameters.
Authorization Token
Employee ID
What I am thinking is to pass these values via request headers. Problem is that these request headers can easily be viewed in browser console and someone can misused it easily. Please suggest Is this the right way to authenticate api or we used something else for this purpose?
I have an ASP.NET application which uses login cookies already. I need to provide a link in my application upon clicking which the user should be able to access their info in SalesForce.com using SSO. I'm planning to implement this link as an ASP page that constructs a SAML assertion with the corresponding username in SalesForce.com, posts the SAML assertion to SalesForce.com SAML Endpoint URL, receives the SAML response from SalesForce.com and redirects the user to the session URL contained in the response.
Has anyone tried this approach instead of using a dedicated SSO server (such as OpenAM) ? Are there any issues in this approach ?
You won't be able to do that, because it would require you to implement most of SAML IdP (identity provider) piece on your own.
SAML is a complex standard involving multiple interactions between IdP and SP (service provider), it is so much more than just sending an assertion.
To enable SAML you'll need to install IdP (like OpenAM), connect it to your user database and to convert your application to SP.
Wikipedia has more detail on SAML iteractions.
I am using ADFS 2.0 and WIF to authenticate and authorize my users to an ASP.Net MVC 4 application, WebAppA. WebAppA uses WebClient.DownloadString(url) to call another WebAppB and I would like to pass the delegated user's credentials to WebAppB to retrieve customized content for the user.
I see several examples of a web application calling a WCF service using CreateChannelActingAs, but this is not quite my situation.
Is there a way for WebAppA to retrieve the ActAs (or OnBehalfOf?) token for WebAppB and pass it with WebClient to WebAppB? I have seen a few possibilities, including the "bearer" Authorization header and inserting a cookie into the headers, but I don't quite understand these examples and it seems like something's missing, like how to use the BootstrapContext from WebAppA to retrieve and serialize the token for WebAppB.
Thanks for any help!
--Mark
Yes, you could have WebAppA call the STS and request an ActAs token for WebAppB, using the original token (the one intended for WebAppA) as the input, but this is normally used for web services (and it might be overkill). Looks like you are just GET'ing a page from WebAppB. Why not just use basic auth, SSL and pass a parameter of the user making the request? (in essence using a trusted subsystem approach).
I have one VS application named Dotnetpanel, which provides a lot of webservices.
I created another another VS application say TestModule in which I need to create the webservice client. But when I try to create a client and call the webservice in TestModule, an error occured"The request failed with HTTP status 401: Unauthorized." From one of articles I have read that
DotNetPanel API implemented as a set of SOAP Web Services.
Requirements:
WSE 3.0 or Basic Authentication
****Each API call should have user’s credentials provided****
Basic Authentication:
For interacting with DotNetPanel API you should use Basic Authentication. DotNetPanel recognizes “Authorization” header with the user credentials provided in the following format: username:password.
So my question is I have a user credentials which can pass to the TestModule and after that how can I call the DotnetPanel webservices from the TestModule with Basic Authentication.
Regards
Fenix
Sounds to me that you have to send those credentials as a parameter to the web service.
Try to call the web service url to see its methods. When calling to the web service directly from the browser, you have to be able to see a list of methods, then search for the method you're trying to use and click on it. You'll see the SOAP request and response definitions. You can take a look at what parameters is the web service expecting. I think if it asks you for credentials, there has to be a couple of param for that there.
Hope it helps.