Asp.net Web Api stop using ARRAffinity cookie - asp.net

My API uses bearer token for authentication and the controller use Authorize attribute.
Whenever I query the API using postman. It for some reason sends a ARRAffinity cookie with every request along with the bearer token.
However, when I call the same API endpoint with fiddler without he cookie. It fails with a 401 Randomly. YES Randomly some requests would get 200 success and some would fail with 401.
However, when I pass the ARRAffinity cookie via fidler. It works without any failure.
Is there a way to stop Web Api or azure from generating the ARRAffinity cookie. I just want to use bearer and not the cookie.

Is there a way to stop Web Api or azure from generating the ARRAffinity cookie.
We can easily turn ARR Affinity off in the azure portal. detail steps are as blow:
Step 1: Navigate to your Web Api in the Azure portal.
Step 2: Select Application settings in the Settings blade.
Step 3: Off ARR Affinity.
Step 4: Select Save.
For more information please refer to document

Related

What is the purpose served by the context_uri query param in the OIDC/oAuth2 authorization request sent by Firebase to federated identity providers

I have been trying to use Asgardeo as a federated identity provider in Firebase. I followed Firebase's documentation and managed to develop a sample application to perform authentication. However, during authentication, I noticed that the authorization request contains a query param called context_uri that is set to the origin of the application. Asgardeo blocks this request since this query param contains a URL. I tried the same flow with other federated identity providers such as Facebook and could still see the context_uri in the request. I searched OIDC and oAuth2 resources and realized that context_uri is not a standard query param. So, what purpose does it serve? Can this be removed from the authorization request?
Here is the authorization request that was blocked:
https://dev.api.asgardeo.io/t/<tenant>/oauth2/authorize?response_type=code&client_id=<client-id>&redirect_uri=<redirect-uri>&state=<state>&scope=openid%20email%20profile&nonce=8<nonce>&context_uri=<app-origin>
I tried to use Asgardeo as a federated IdP in Firebase but the authorization request was blocked because of the context_uri query param.

ASP.Net Web API Authentication using OAuth

We have planned to implement authentication in our API using OAUTH. For this purpose I read so many articles on web to explore it. After read these articles what I am understanding is
Send credentials to authorization server and after successful
authentication it will send you the access token.
Use this access token for further calling of your api methods.
To authenticate our api user needs to pass the following parameters.
Authorization Token
Employee ID
What I am thinking is to pass these values via request headers. Problem is that these request headers can easily be viewed in browser console and someone can misused it easily. Please suggest Is this the right way to authenticate api or we used something else for this purpose?

Apigee: Add login with an existing OAuth 2.0 id-provider

I have an admin-console for an existing service that I want to provide access to by adding login, using our company's OAuth 2.0 service. I want to use Apigee here, so that the web-app with the admin-console does not have to implement the login-logic.
My idea was to use AuthorizationCode flow and let Apigee manage the tokens and I looked into https://github.com/apigee/api-platform-samples/tree/master/sample-proxies/oauth-login-app, but I really can't see how our existing OAuth service fits in.
Is there a sample like that? Perhaps using Google's or Facebook's OAuth service to authenticate the user?
First, Apigee needs to be a proxy into the admin-console. This means that all traffic to the admin-console has to go through Apigee. Otherwise, you won't be able to enforce authentication.
Second, there are a couple different options for integrating with the external oauth 2.0 service. Apigee has the ability to store an external access token and use it as its own, or Apigee can generate a token and store the external access token as a custom attribute.
High level thoughts on how the Apigee proxy could look like:
ProxyEndpoint - endpoint exposed to clients connecting to admin console
TargetEndpoint (not shown in that oauth login-app example) - endpoint for the actual admin console
The flows that execute in the Apigee proxy before sending the request to admin-console will need to implement logic that checks an authentication token. If it's valid, let the request pass onto the TargetEndpoint (admin-console). If the request isn't valid, step through logic that goes calls the external oauth 2.0 server's auth code flow. This will require the following:
Apigee needs to be registered with external oauth 2.0 server.
Logic needs to be built in this proxy to support the redirection based flow of authorization code grant_type (obtaining auth code, receiving the auth code, obtaining token --> all while being redirection based and transparent to user).
In addition to #2, Apigee will need to store the external token as custom attribute and expose the apigee token, or store the external token for verification purposes later on. http://apigee.com/docs/api-services/content/authorize-requests-using-oauth-20 (see Delegating token management). After the token is stored, you'd need to respond with another 302 redirect to the initial uri + token so the request can pass through to admin-console as an authenticated request.
#2 isn't exactly straight-forward and there won't be an example proxy that shows this implementation. If the oauth 2.0 service supported a password grant, it may simplify the implementation, but allows the credentials to pass through apigee and not directly with the authorization server.

security with asp.net mvc 4 web api

I've created my first mvc 4 project using the web api template. I've configured CORS to restrict other sites from accessing my api directly into other websites. I use ajax to retrieve the data supplied by the api into a web page and that works well.
The address to my web api is http://www.xyz.com/webapi/ one of the actions is http://www.xyz.com/webapi/api/sales How can I prevent anyone from accessing /webapi and /webapi/api/sales and using the data (screen scraping) for their own use. I do not want any other service browser accessing the web api, just the ajax query that is present on another website that I've set up.
Thanks in advance!
Approach 1 - Get a Bearer Token
You could implement this - Individual Accounts in ASP.NET Web API
Here in this tutorial, the controllers are marked with [Authorize] and the following steps are followed.
Register a User
Authenticate and Get a Bearer Token
Send an Authorized Request
Approach 2 - Use a private API Key
You could use an api key with each of your web api calls and check on server side if the api key is valid if not return 401, Unauthorized. This api key could be saved in your web.config file.

ASP.NET Web API 2: How do I log in with external authentication services?

According to this post http://www.asp.net/web-api/overview/security/external-authentication-services...
I'm able to log in with a local authentication service (with the new ASP.NET identity framework)
but I can't find a walkthrough to properly call (from a mobile app or Postman) the default web API generated in the Visual Studio 2013 SPA template.
Can anyone help me?
I had the same problem today and found the following solution:
At first get all available providers
GET /api/Account/ExternalLogins?returnUrl=%2F&generateState=true
The response message is a list in json format
[{"name":"Facebook",
"url":"/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A15359%2F&state=QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1",
"state":"QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1"}]
Now send a GET request to the url of the provider you want to use. You will be redirected to the login page of the external provider. Fill in your credentials and the you will be redirected back to your site. Now parse the access_token from the url.
http://localhost:15359/#access_token=[..]&token_type=bearer&expires_in=[..]&state=QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1
If the user already has a local account, the .AspNet.Cookies cookie is set and you are done. If not, only the .AspNet.ExternalCookie cookie is set and you have to register a local account.
There is an api to find out if the user is registered:
GET /api/Account/UserInfo
The response is
{"userName":"xxx","hasRegistered":false,"loginProvider":"Facebook"}
To create a local account for the user, call
POST /api/Account/RegisterExternal
Authorization: Bearer VPcd1RQ4X... (access_token from url)
Content-Type: application/json
{"UserName":"myusername"}
Now send the same request with the provider url as before
GET /api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A15359%2F&state=QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1
But this time the user already has an account and gets authenticated. You can verify this by calling /api/Account/UserInfo again.
Now extract the access_token from the url. You have to add the Authorization: Bearer [access_token] header to every request you make.
I found another post showing pretty details how this external authentication works. The client is WPF and server uses ASP.NET Identity.
For those trying to use Web Api 2 External Login with Facebook in Android App this post is explaining only the first part of what we have to do. Here is a very explanatory link of the whole picture:
[Authenticated access to WebAPI via Facebook token from Android App

Resources