I was reading here,
http://blog.scottlogic.com/2016/01/20/restful-api-with-aspnet50.html
but I am missing how to do security.
What security model is used for an API?
Do I give a consumer a generated "key"?
Windows Authentication?
Mobile?
I have found this blog post to be very helpful when implementing security for Web API. Look at Owin token based authentication first. The blog describes usage with AngularJS but the client could be anything including mobile.
Related
We use Oauth2 authentication with Okta for our Classic ASP.Net MVC website. After the user logs out of the application, he can "replay" an old request with all of the original cookies and still get access to the website. How can I prevent this security hole?
I have successfully developed a custom ITicketStore for my ASP.Net Core websites to solve this problem (similar to https://ml-software.ch/posts/implementing-a-custom-iticketstore-for-asp-net-core-identity), but I cannot find a similar concept to ITicketStore for Classic ASP.Net applications.
It turns out that there is an equivalent to ITicketStore in Owin, which is called IAuthenticationSessionStore. You can find an example at: https://rhastastudio.wordpress.com/2016/07/19/owin-authentication-and-session-store/
Note: Just learning Identity so please bear with me. We are developing a Web API for use by apps that we build and apps built by our clients. I have the local engine working the way I want so that any "client" app could use our API to login in.
What I cannot seem to get to work is external login providers without being presented with a login page. Is it possible to converse with them in API only mode or is this type of setup out of the question? What I don't want our client's apps to have to do is know how to manage the logins to use our API.
I know this may be similar to a few other questions out there but I do not see one with our particular need.
Thanks,
Paul Speranza
If your api needs to have authentication in place then you would need some kind of registering done by the consumers of your api. But you could provide seamless ways to integrate login by not providing any additional form requirements from the client application. Popular login methods today are using social networks. Web api does support out of the box support for integrating with the social networks.
You can find a sample for using facebook authentication here
I'm working on a project using ASP.Net MVC5 which also includes a Web API. The API will be for internal use only. I'm using the OWIN library to provider authentication.
I'm having a difficult time figuring out how to correctly implement authentication through the API. I was planning on using OAuth 2.0 but the problem with OAuth is that the user needs to login through a browser page instead of a native login screen. So I was wondering if it is possible to somehow skip the browser.
I've found this example which creates it's own OAuth Authorization Server. But it doesn't show how to make the login native.
If it's a highly trusted client, then you can use the OAuth2 resource owner password flow. You can look at the VS2013 SPA template and/or read on this post:
http://leastprivilege.com/2013/11/13/embedding-a-simple-usernamepassword-authorization-server-in-web-api-v2/
You could use Thinktecture.IdentityServer v2 as a light-weight security token service.
https://github.com/thinktecture/Thinktecture.IdentityServer.v2
You will need to create a WOPI host, which is basically a software solution that can take advantage of the browser-based Office(office web).
Create a custom WOPI host and configure it to use Office Web Apps Server to provide the browser-based file viewing and editing for Office files.
Nice sample on Microsoft MSDN
I'm currently developing a web application that will use Facebook as a authentication service. Does it make sense to implement it as an ASP.NET Forms Authentication custom membership provider? While I made my research, I didn't come across any concrete significant advantage of using the Forms Authentication. However, it instinctively seems to me as a good thing to do, because aside from creating a completely custom implementation of authentication using Facebook, I didn't find any extensibility point inside ASP.NET where I could plug in the Facebook auth behavior.
Can you then tell me whether the Forms Authentication is a good idea or not. And if not, is there any other way than completely custom code (I'd like to avoid managing the session cookies, loading the current user, etc. manually).
I'm using ASP.NET MVC 3, Entity Framework and I'd like to avoid the Facebook C# SDK (the extensive use of dynamic types is a bit of a turnoff for me :-) ).
Thanks for any advice.
A simple answer is to use .NET 4.5 oAuth templates, they are incredibly easy to link Facebook up to forms authentication.
http://www.asp.net/vnext/overview/videos/oauth-in-the-default-aspnet-45-templates
However you may struggle to find a decent server if you are planning on releasing immediately. In a couple of months plenty of servers will support .NET 4.5.
The OAuth templates work for both v4.0 and v4.5 so you can publish them onto a server today itself :)
We have clients who have RSA securid deployed within their premises and we want to sell our product to them. We need to integrate with their 2 factor authentication setup for authentication into our product.
We have an asp.net (C#) web based application that is exposed to the clients and which needs to support authentication using their own securid setup.
Can someone please help me in getting this support implemented? Pointers to existing documentation are also welcome.
I searched through the queries on this forum and found that most are talking about giving token generation mechanism on your web application itself but I don't think that is the approach that is required for our use case.
have you checked out the web sdk from RSA?
http://www.emc.com/security/rsa-securid/rsa-securid-software-authenticators/web-sdk.htm