I'm making a web service by using Asp.net Framework.
I'm struggling with jwt authentication.
I wonder if there is any AuthenticationHandler in ASP.NET Framework as ASP.Net core or not - where I can get token from request header, validate and set to HttpContext.
I want to authenticate every single request as header is available.
In AuthorizeAttribute, I only get the information from HttpContext.User and validate the availability of account in my system without parsing token there.
Finally, my question is : How can I write AuthenticationHandler to validate every API Request ?
Thank you,
Related
I have two main projects in my solution, one is a .NET 5 Core MVC web application that is used as our front-end application with Identity for authentication and authorization, and it is currently directly connected to a Database layer(different project) that is responsible for CRUD operations using Entity Framework.
The other project is a .NET 5 Web API application. And we would like to move our controllers' logic from the MVC app to the Web API app, so that only the API project will have access to the database layer.
I'm not really experienced with authorization techniques apart from some basic stuff, so I'm stuck with an issue right now. How can I move the Identity authorization to the Web API project? I understand that on the MVC app, a Cookie is used to handle the authorizations but as I've seen the recommended approach for most Web API apps, is to use a JWT to authorize requests. However, in my scenario, since I would like to authorize the user(from the browser) on each request, would a Cookie authorization be possible ? Or should I store a JWT token on the browser and pass it along on each request?
Thank you
Why do you need to move the MVC controller to the Web API Project? If the controllers are separate than that is even better!
Here in short how JWT based authentication works:
The JWT token has tow components - an Auth token and a Refresh token.
The Auth token is used to authorize the requests and the Refresh token is used to renew the Auth token when it expires.
The Auth token also contains some user claims like Name, Id, Email etc.
You make the user re-login when both the Auth and Refresh token expires.
For Web API JWT authentication is best.
Use your MVC controllers to render and handle the page flows and the Web API controllers to return data from the Database. For your current structure you can do the followings:
Have the MVC Auth controller consume an API from the Web API project and then maintain the Identity cookie as is now. The API will return a token if username and password works.
The Web API project will parse and validate the token. All you have to do is to check if Web API is returning a 401 or not. 401 would be when the token is invalid or expired
In your MVC project, switch from Asp.net Identity cookie to store the JWT token on the client side (From MVC project). And pass it along all requests to the Web API controllers.
I've been looking for ways of how to consume a web api with an oauth2 authorization using ASP.Net MVC. Any suggestions?
I have already tried sending a request to the web api and recieve a response. But I'm having a hard time when it involves Oauth2 authorization because i don't know how to send headers like the clientsecret and clientid and also on how to send a raw json data to the web api. I've already tried testing my api on postman and it's working properly.I wanted to know now how can i make an ASP.Net MVC application that can POST and GET to that web api with Oauth2 authorization.
There is answer for client_credential oauth2 gran type
How to write OAuth2 Web API Client in Asp.net MVC
and I think that's commonly used between services. However, if it's not your case then you need to take a look OAuth2 grant type and understand how those are working and different from each other.
If you want to know what to set in http header regardless of what language/framework you use, you need to set "Authorization" http header with "Bearer " value.
In order to get your access token from oauth2 provider, you need to send a request to oauth2 provider with grant type you'd like to use along with your clientId and secrets.
It will be look like below if you use client credential grant type.
https://oauth.example.com/token?grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET
I have created a new web api project with individual user account authentication.
I followed this post and everything worked as expected
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
Now, I have a token end point
localhost:54452/Token
Lets, say I create new asp.net mvc application. I want to use this token end point for authentication. How do I tell my controllers to use this token end point? How do I tell my controllers to pass the bearer access token on each request or how does these two work together.
asp.net mvc and asp.net web api are two different projects with different port numbers
Thanks,
Syed
I would create a wrapper class that uses HttpClient to issue HTTP requests to the Web API. Then use this wrapper class when you're communicating with the Web API. It will then handle adding the token to the HTTP request header.
I am successfully using bearer token authentication for asp.net web API as is demonstrated in the default single page application template. But now I want to use the same web API from a different site (a different url).
When I make a request to web API AuthorizeEndpoint(by default /api/Account/ExternalLogin) from different site, I get error: invalid_request. I guess the problem is in the redirect_uri value, since changing that to value of site running on same domain as web api resolves the problem.
ValidateClientRedirectUri method in application OAuthAuthorizationServerProvider doesn't get fired. So based on my search in Katana source the error origin is in OAuthAuthorizationServerHandler.InvokeAuthorizeEndpointAsync.
Does anyone else have the same problems or am I doing something wrong?
The Katana OAuth middleware is not designed to be cross application - it is mainly for "embedding" an OAuth authorization server into the business resource.
If you want a proper (free) authorization server - have a look here:
https://github.com/thinktecture/Thinktecture.AuthorizationServer/wiki
The bearer token appears to be a hash into an claims hash, which is local to your application.
We are using a jwt token with a separate validate handler. Works cross application.
Still looking for a better way but for now it works.
We are starting with a new application build with Asp.net. It should connect to a webservice which is already available to retrieve data to present to the user. We've created a repository which communicates with the webservice.
The webservice needs authorization with the same user credentials which the user uses to logon to the web application. The user is authorized with Forms Authentication with cookie support.
The problem is that we cannot retrieve the password from the user on new requests when the user is once authorized and automatically logged on. This password is needed to logon to the webservice from the repository classes.
Any ideas on how to implement this the best and safest way ?
You can try using Client Application Services to get and set the cookie. Or you can manually get and set the cookie using the sample code on this post. The example shows both methods and is geared specifically to passing a forms authentication cookie from an MVC application to an OData WCF feed:
http://blogs.msdn.com/b/astoriateam/archive/2010/07/21/odata-and-authentication-part-7-forms-authentication.aspx
Also, here is a similar example that is trimmed down in scope:
http://www.codeproject.com/Articles/190806/Send-Cookies-When-Making-WCF-Service-Calls