I'm developing MVC 2 web application. I'm using FormsAuthentication for sign in users to my application. I want to generate an authentication token after users are successfully login to the application. I have to pass that authentication token to another application. Are there any best ways to accomplish this task using MVC2(.net framework 4.0). Please help me to solve this problem.
At best, FormsAuthentication has a GetAuthCookie method which gets the cookie details for a logged-in user. It's not really good for token-based authentication though. You can, however, share the forms auth cookies across web applications. There are restrictions involved, but here is some documentation (and this for ASP.NET Core) to help understand where to begin.
Related
I am building a SPA using React and Redux on top of dotnet core 2.0. Unfortunately, the vs2017 template for this does not include Authentication/Authorization.
In looking around, I saw many people talking about the use of JWT's and suggesting things like Identity Server or OpenIddict to handle this, but I have only ever used ASP.NET identity to handle security before.
My question is, is it possible to secure a react app by using ASP.NET identity alone, and if so, why do so many people jump straight to JWT's as the solution for securing SPA apps?
Is token based authentication the only method that works with a SPA app, or can I use Cookie based authentication?
I will try to answer by your questions.
Q.1. Is it possible to secure a react app by using aspnet identity alone, and if so, why do so many people jump straight to JWT's as the solution for securing SPA apps?
Q.2. Is token based authentication the only method that works with a SPA app, or can I use Cookie based authentication?
Answer To First Question(this question technically related to difference between cookie based and token based authentication approach.)
Cookie based authentication system
cookie based session is StateFull. as here server needs track of active session,while on front end/client end a cookie is created that holds a session identifier.
you can secure your web api using cookie based authentication system. but in a very limited scope, because ,cookie based system doesn't work well, on native clients or suppose if your web api is going to be consumed by some other web api,
Token based authentication system
it is StateLess as server doesn't keep here the track of which token are issued or which users are log in.
Here server needs to verify only the validity of the token. so token based approach is more decupled than cokie based.
Sources
https://auth0.com/blog/cookies-vs-tokens-definitive-guide/
Update Above(Auth0) link not working any more Updated Link
https://learn.microsoft.com/en-us/dotnet/standard/microservices-architecture/secure-net-microservices-web-applications/
Answer To Second Question
Yes you can implement cookie based authentication in spa by using OWIN Cookie Authentication middileware .
you can find more information regarding it on following link.
https://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/
Hope above will help.
If you are going to have React and API in one domain, and the SPA would be the only client of API it may be recommended to use cookie based authentication with SameSite Cookies.
https://www.scottbrady91.com/OAuth/Cheat-Sheet-OAuth-for-Browser-Based-Applications
https://brockallen.com/2019/01/03/the-state-of-the-implicit-flow-in-oauth2/
(section same-domain apps)
longer post: https://blog.cdivilly.com/2020/06/10/oauth-browser-apps
I'm very new to the identity management world, so please spare me. :)
What I would like to do, is to have multiple client (MVC) applications that talk to a single Web API application to authenticate their users against. In that Web API application, I would like to use ASP.NET Identity to talk to a database with users.
That way, I could use SSO for the client applications (I guess).
Does that make sense? Could someone help me on my way to implement this (links are also welcome of course)?
I don't know if IdentityServer could help me with what I want?
And as a side question: when I could implement this the way I would like to, how do I deal with the same-origin policy?
Thank you for all the help. :)
I did some research myself during the last few months and I learnt a lot about the identity management stuff. Many of that also thanks to the guys from IdentityServer (and their other projects).
What I finally did was the following (very briefly):
IdentityServer is used as a provider for all client applications. The cookie and OIDC middleware are used.
I used the ASP.NET Identity user service to store the users in an SQL Server database. (The IdentityServer configuration is by the way also stored in a database.)
I set up a Web API service that uses the ASP.NET Identity user manager for user configuration (change password, create new users, ...). It uses bearer authentication with the application with IdentityServer as provider.
As a side note, IdentityManager is used as an internal admin tool to manage all the users.
If anyone is looking for some help setting up his / her identity management system (and thinks I can help): please ask. ;)
Many articles on active profile e.g. Federated Security: How to setup and call a WCF service secured by ADFS 2.0. But that article assumes you want to use AD?
I'm guessing you want to use ASP.NET Identity for the provisioning?
IdentityServer OOTB supports a SQL DB and has basic user provisioning built in. It allows users to authenticate against the DB and supports WIF.
This scenario is also close to what you need, take a look at the answers:
How to implement an OWIN Authentication server with a MVC Web Api content server and an Android end-user apk
I also recommend reading this article:
Decouple OWIN Authorization Server from Resource Server
We are planning to start developing our new site with ASP.Net, MVC and AngularJS. I will also have a WebApi that i would like to use oAuth authentication with, because it is easy to to pass in token, plus may want to allow users to login with Google, Facebook etc in the future.
Questions
If i want to use oAuth on my WebApi (which is a separate application), what authentication method should i be using for my asp.net MVC website? oAuth? Forms? Both? And how do you implement this? On my API i wrote a simple oAuth provider that asks for a username and password and returns a token string.
Should my WebApi have a single sign on login page to interact with the website? Or should the login page be on the website? Should the login page use client side calls or server side calls?
What is actually within the oAuth token and how does it link to my website? Do I have to do something on the server once they login via Facebook/Google? Can I use this token on my server to determine which user is logged in?
Our website has many databases, all the same, but depending which user is logging in, depends on which database they can view data from. Is this easy to cope with using standard method/objects in ASP.Net MVC? Or is this going to force me in writing my own code?
Any advice would be appreciated as well!
If are you planning to use MVC 5 You could use Asp.Net Identity.
Take a look here: http://www.asp.net/mvc/overview/security/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on
I hope this could help you.
Diego
Your best bet :
This topic shows how to secure a web API using OAuth2 to authenticate
against a membership database for both local and social login
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
I'm developing a cloud application. I'm confuse about my login system implementation, which one is best for me?
What about Asp.net Membership class?
Secondly about the Form authentication and Session Implementation
Remember this application is on cloud, so please give suggestion according to scenario.
I would suggest ASP.NET Membership Class. Its an industry standard and it eases handling of many login related features including:
User lockout after certain number of login attempts.
Security Question and answer.
Password encryption and hashing.
Session management.
Especially considering it being on the cloud, if you were supposed to lets say up the security for the site by making accounts to lock after one failed login attempt, it would be just a Web.config change.
Being a completely tested solution, ASP.NET membership provider is best approach.
I'm using Asp.net c# language programming.
What is the best way for authenticating web methods in a web service?
Is it right having authentication for every web method and verify user name and password for each web method?
Is there a way to authenticate just once not for every web method? something like using sessions and etc?
You might want to look into this one:
http://weblogs.asp.net/cibrax/archive/2006/03/14/implementing-a-secure-token-service-with-wcf.aspx
Edit
If you are bound to only use asmx for some reason, then I would also suggest looking into WSE from MSFT.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=018A09FD-3A74-43C5-8EC1-8D789091255D
You can pass around a token from your client into the web method. The token is encrypted with public/private keys.
For more info here:
http://msdn.microsoft.com/en-us/library/ms996931.aspx
First of all, you should be using WCF for web service development unless you're stuck at .NET 2.0.
Secondly, you can use Windows authentication or Basic authentication over https, but those restrict you to users who are Windows users. If you have a separate set of users, then you will need to do your own authentication.
You can use SOAP Headers so that you don't need a username and password in every web method.