I'm trying to authenticate my app users with their credentials used at the website
I managed to authenticate users via Xamarin.Auth to login via Google, Twitter... etc but could not figure out how to authenticate them via ASP.Net Identity provider.
any ideas or examples ?
Your problem is not a new one, and is one that will be easily fixed in the near future (see note below).
When you're authenticating with a provider like Google or Facebook, you're receiving a token that you can then use to send to the API. Unfortunately Asp.Net Identity does not do this out of the box. You can either configure your API to use JwtBearer tokens, or check out the Identity4 project along with their samples. Note that if you're using Asp.Net Identity you'll probably want a cross between Quickstart 6 and Quickstart 8 so that all of the necessary persistent stores are in your database.
NOTE: You might also want to follow the Templating Team's PR #700 which is adding token based auth in the new templates which will soon allow you to rapidly create new Api's with Token Based Authentication for your mobile apps.
Related
I've been developing a Cordova app using Azure's Mobile App Service product. It offers external sign-in through Facebook, but it doesn't offer a ready-made solution for storing the user into a SQL database where I can also add custom profile columns.
If I was making this app 5+ years ago, I would have used ASP.NET Identity to authenticate the web api, allow account creation with username/passwords as well as offering Facebook sign-in, and I'd be able to create custom profile items, all in a searchable database.
It's 2020 and I'm confused about what is the recommended modern method to achieve the same result. I've read a lot about Azure AD B2C and it seems to tick all the boxes, but I'm worried it might not be as searchable as a SQL user store, and possibly appear to the user as a tacked-on product which isn't as native as the existing app.
I'd appreciate any advice or recommendations about which method I should use for creating my authenticated user store.
If you want to use a custom database, then set up an OAuth provider (e.g. https://aspnetboilerplate.com/Pages/Documents/Zero/Identity-Server#:~:text=Identity%20Server%201%20Introduction.%20Identity%20Server%20is%20an,now%20ready%20to%20get%20requests%20from%20clients.%20) and use that as the authentication scheme. You can then use any OAuth client library to do the authentication, and set that up as a custom auth scheme in your Azure Mobile Apps service.
We are building several websites/products, if a user has an account on one site they will also be allowed access to all other sites.
Let's say we have the following setup:
Clients
site1.com
site2.com
Single Sign On Portal
sso.company.com
APIs
api1.company.com
api2.company.com
The Single Sign On Portal supports multiple OAuth providers, such as Google, Microsoft, Facebook, etc and this is all working great built on top of the default ASP.NET Web Forms template in VS 2015 using OWIN and Idenity.
The SSO site is logging the user in an using a cookie for authentication, which works fine while still on the SSO site. Now we need to return a token that the client site can use to know that the user is authenticated
Now the challange here is how do we exchange the cookie to a token that we can return to the client(s) to use in the Authorization header in request sent to our APIs?
Should we generate a token our selves or is there some built in functionality we can use for this purpose?
I've seen most people generate a token themselves and then multiple accounts can be linked to that same user in your account (i.e. a user could log into both FB and Google). Most of the SSO providers have a way to get an identity token or one time use code for your server to use and get user info like FacebookId. The key is ensuring that identity token came from FB and not a third party.
Auth0 is a pretty good service if you want a managed route. Even if you don't use them, they have a lot of good resources on oauth. (I have no affiliation with them other than that we used them before.) we also have a little more info on auth: https://www.moesif.com/blog/technical/restful-apis/Authorization-on-RESTful-APIs/
I'm building a mobile application (that might also later become a web application). The server side is a ASP.NET MVC + Web API application and I'm thinking about ways how I could implement the service's user management and authentication.
How should I implement the registration/login screen in the app? Offer native app forms, that will send just API requests to the service or is it preferable to show a web browser component and display the website's login page and then extract a token after the user logs in? I see the first option is more user friendly, but the second one will let me change the login / registration page (like for example adding external authentication providers) without breaking older versions of the app.
My second question is regarding the external authentication providers. ASP.NET Identity has good support for them and it is quite possible to let users register using Facebook or some other OAuth2 provider. Does it make sense to add support for external authentication providers when I plan to expose the app's API publicly? Are there any reasons why that is not a good idea?
Your first option is best if you believe your users will trust you to manage their passwords. You make a secure call to your service, have the service produce a bearer token as the result. That would be an anonymous call. I used the answer from this question to get me going down that path:
Get IPrincipal from OAuth Bearer Token in OWIN
If your users are less likely to trust you with their credentials, then the web view and external provider is a good alternative. You would need to work with providers that support the "Implicit Grant Flow" since don't want to share the apps clientid and client secret on the mobile device. This approach involves using a web view to login in, and then capturing the token on the client uri fragment on the response. I think it is on a location header, but don't have a working example in front of me. Something like:
https://your.domain.com/#access_token = 8473987927394723943294
you would pass that token with each api call afterwards .
Good luck!
I am relatively new to uisng ADFS (in ASP.NET) which is what my company wants to use and just have a few basic questions about that:
Am I correct there is no explicit "Authorize" call you can do like with ASP.NET Membership Providers? Unless you on a domain it presents you with a login screen and once you enter credentials it does validation and returns back a token with claims information.
Can you configure some forms to allow anonymous access like you can do with Forms Authentication?
Thanks.
Yes, you can setup pages in your app that don't require authentication. It works exactly like you'd do with Forms Auth.
On #1: in a claims based model, your app relies on an external system to authenticate users and receives evidence that the user is valid in the form of a token. You can completely automate this (using WIF and config files), or you can explicitly trigger the authentication process. In any case, your app won't be responsible for validating legitimate users anymore. It is a responsibility that it delegates to the STS (e.g. ADFS). That's why apps are called "relying parties".
I'd suggest you read the first couple chapters of the A Guide to Claims based Identity for a better understanding of the underlying principles.
I am going to be using Web API for an upcoming project and was asked to integrate an existing STS provider into the equation as my authentication mechanism. Therefore my Web API would be the RP (relying party). I don't need any support to provide the actual token (like creation of STS Provider), just need to incorporate claims based authentication to the configured STS provider and use it in my Web API REST based service.
Does anyone know if this is possible, and some examples on how to implement this? I see full examples with creating a STS provider, but like I said it already exists. I just need to trust it and use for authentication purposes.
Depends which protocols your existing STS supports. You need to find that out.
Basically you need to do this:
request a token from your STS (from within your client app)
send the token to the Web API
validate the token inside Web API
The thing you need to find out is if 1. works with your custom STS - then we can talk about 2 and 3 ;)