I'm digging into building an identity server using IdentityServer4, and I have some business logic that i want to implement on password change, and on password persist.
On the asp.net core page built into the IdentityServer that I've made using the startups, I can achieve it on the controllers provided, ok.
But, I wanted to be able to change the password check for a token grant to a windows client or mobile client for example,these clients won't do the login from the asp.net page.
How can I acheive this?
Related
We have a TYPO3 CMS to manage user base and as a portal for various user-specific information. We also have a separate ASP.net C# application used for charting visualization with many of the same users with a separate admin backend . Looking to get rid of login portion ASP.net application and use TYPO3 session authentication. Idea is for the user to be able to click a link within their Typo3 frontend and get directed to the ASP.net application which can then authenticate with the Typo3 session and act in accordance. Just wondering if my best bet is to write something in the ASP.net app to get the TYPO3 session cookie (is that possible?) or if I have to do something clunky like oauth2/other service
I would write a TYPO3 authentication service that contacts your ASP.NET app via one of known protocols (REST?) or even custom protocol and checks authentication. If it is successful, the normal TYPO3 authentication process goes on.
It is not enough to simply set a cookie during the authentication. There are other things that has to be done for the user to be "set up" as logged in.
As part of a project we have integrated keycloak with our .net core application, but we have a legacy system which is a asp.net web application, It have its own login screen whenever a user logs in it should fetch the username and password and validate against Keycloak.
The approach we are trying to do is.
1.Fetch all users from Keycloak on a specific realm
2.Parse the json and find whether the specifc username and password exist in that json array.
Is this way of giving authentication is correct?
Need some suggestion!!!
Take a look at their basic authentication example...
https://github.com/keycloak/keycloak/tree/master/examples/basic-auth
As stated in the comments. Returning JSON with all of the username and passwords is NOT secure, hashed/salted/or not, it doesn't matter.
I'm building a mobile application (that might also later become a web application). The server side is a ASP.NET MVC + Web API application and I'm thinking about ways how I could implement the service's user management and authentication.
How should I implement the registration/login screen in the app? Offer native app forms, that will send just API requests to the service or is it preferable to show a web browser component and display the website's login page and then extract a token after the user logs in? I see the first option is more user friendly, but the second one will let me change the login / registration page (like for example adding external authentication providers) without breaking older versions of the app.
My second question is regarding the external authentication providers. ASP.NET Identity has good support for them and it is quite possible to let users register using Facebook or some other OAuth2 provider. Does it make sense to add support for external authentication providers when I plan to expose the app's API publicly? Are there any reasons why that is not a good idea?
Your first option is best if you believe your users will trust you to manage their passwords. You make a secure call to your service, have the service produce a bearer token as the result. That would be an anonymous call. I used the answer from this question to get me going down that path:
Get IPrincipal from OAuth Bearer Token in OWIN
If your users are less likely to trust you with their credentials, then the web view and external provider is a good alternative. You would need to work with providers that support the "Implicit Grant Flow" since don't want to share the apps clientid and client secret on the mobile device. This approach involves using a web view to login in, and then capturing the token on the client uri fragment on the response. I think it is on a location header, but don't have a working example in front of me. Something like:
https://your.domain.com/#access_token = 8473987927394723943294
you would pass that token with each api call afterwards .
Good luck!
We are planning to start developing our new site with ASP.Net, MVC and AngularJS. I will also have a WebApi that i would like to use oAuth authentication with, because it is easy to to pass in token, plus may want to allow users to login with Google, Facebook etc in the future.
Questions
If i want to use oAuth on my WebApi (which is a separate application), what authentication method should i be using for my asp.net MVC website? oAuth? Forms? Both? And how do you implement this? On my API i wrote a simple oAuth provider that asks for a username and password and returns a token string.
Should my WebApi have a single sign on login page to interact with the website? Or should the login page be on the website? Should the login page use client side calls or server side calls?
What is actually within the oAuth token and how does it link to my website? Do I have to do something on the server once they login via Facebook/Google? Can I use this token on my server to determine which user is logged in?
Our website has many databases, all the same, but depending which user is logging in, depends on which database they can view data from. Is this easy to cope with using standard method/objects in ASP.Net MVC? Or is this going to force me in writing my own code?
Any advice would be appreciated as well!
If are you planning to use MVC 5 You could use Asp.Net Identity.
Take a look here: http://www.asp.net/mvc/overview/security/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on
I hope this could help you.
Diego
Your best bet :
This topic shows how to secure a web API using OAuth2 to authenticate
against a membership database for both local and social login
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
I want to create a webservice that allows user to connect to Facebook. In my webservice, there is a method named "connect" which requires 2 parameters: the username and password (of the Facebook account).
I have to use this username and password to connect to Facebook from the webservice. After that, I want to allow the user to post on their walls...Is is it possible to connect to Facebook using a webservice?
I tried a lot, and I can login to Facebook account, but I can't get the sessionkey and userid.
How can I integrate Facebook in an ASP.NET webservice?
Please help me to resolve this issue.
Facebook Connect Authentication for ASP.NET is a component that allows ASP.NET web developers to identify and validate users accessing their website or web services using Facebook Connect.
It is written in C#, targeted at .NET 2.0.
http://fbconnectauth.codeplex.com/
You can also use this Tutorial to authenticate the users in ASP.NET application
http://devtacular.com/articles/bkonrad/how-to-retrieve-user-data-from-facebook-connect-in-aspnet/