I am starting a new MVC project for one of my clients. They already have an iPhone app which has most of the functionality that I intend to do, and a web service exists. I do not have any database-side work. My question is: I want to use the web service calls for authentication, but ASP.NET MVC uses Identity as its default authentication. How do I use Identity, without much effort, to call the web service for authentication?
Related
If I were to create two separate projects:
ASP.NET Core Web API project
ASP.NET Core MVC project
The MVC project would use HttpClient to talk to the Web API.
If this is the case and I wanted to use the built in ASP.NET Identity should I be doing it through the Web API or just keep it as part of the MVC project?
From the description of your question, it seems like you will end up protecting only 1 layer of your app.
Ideally, you would protect both. On the MVC application side you would want to do user authentication with ASP.NET Identity (establish who wants to get information), and on the Web API side you would want to do resource authentication or client authentication to check whether the caller of the API (app x) actually has the rights to call the API. The latter cannot be done through ASP.NET Identity. You would want something like Identity Server 4 or Azure B2C-like products to achieve that.
Now, you could keep the API open and internal and just call it from HttpClient in the MVC app, but I wouldn't do that if I were you. The only reason I can think of why you would want an API is so that you can later use it from other apps, so keeping the API open like that is not advisable.
If I were in your shoes, I would want to have a security framework around my applications and then proceed with giving applications the required access on the API to carry out needed operations.
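The API-side caller check described in the answer above, as an added example (not code from the original post): an ASP.NET Core Web API that validates bearer tokens from an external issuer and denies every request by default. The issuer URL, audience, scope name and routes are placeholder assumptions; minimal hosting (.NET 6 or later) and the Microsoft.AspNetCore.Authentication.JwtBearer package are assumed.

```csharp
// Program.cs of the Web API project (added example; all names are assumptions).
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

// Validate tokens issued by the token service (e.g. an IdentityServer instance).
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://login.example.test"; // placeholder issuer
        options.Audience = "orders-api";                  // placeholder API name
    });

builder.Services.AddAuthorization(options =>
{
    // Deny by default: an endpoint with no explicit policy still needs a valid token.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    // Only callers (apps) that were granted this scope may read orders.
    options.AddPolicy("orders.read",
        policy => policy.RequireClaim("scope", "orders.read"));
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Explicit opt-out for a liveness probe; everything else is protected.
app.MapGet("/health", () => "ok").AllowAnonymous();

// Reachable only with a token that carries the orders.read scope.
app.MapGet("/orders", (ClaimsPrincipal caller) => new
{
    // Which client application called, if the issuer includes that claim.
    Client = caller.FindFirst("client_id")?.Value,
    Orders = new[] { "order-1", "order-2" } // constructed sample data
}).RequireAuthorization("orders.read");

app.Run();
```

The MVC project keeps ASP.NET Identity for signing users in and attaches the token it obtained from the issuer to each HttpClient request as an `Authorization: Bearer` header.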
What I am trying to achieve:
I currently have mobile apps on top of services and would like to add a web site on top of the same services.
Services details:
ASP.NET Web API project using OAuth (bearer token) and Identity for authentication and authorisation.
Microsoft.AspNet.WebApi 5.2.3
Microsoft.Owin.Security.OAuth 3.0.1
Microsoft.AspNet.Identity.Core 2.2.1
Mobile details:
Xamarin projects.
Xamarin.Forms 2.3.3.193
What architecture should I use for the web site?
Create a new ASP.NET MVC project and call my current services from the MVC controllers? This seems bad because:
I would have 2 layers of controllers (web site MVC controllers calling services API controllers)
I would need to store bearer tokens in cookies
I would need to manage the tokens and cookies expirations
Create a new ASP.NET MVC project and call current services database directly? This seems bad because:
I would have to duplicate the models in the services project and in the web site project
Create a new ASP.NET project and call my current services using ajax? This seems bad because:
I would need to create my own register/login pages
I would need to store bearer tokens in cookies
I would need to manage the tokens and cookies expirations
I would need to say bye to future social authentication (OAUTH2) implementation because I wouldn’t be using OWIN
Thanks,
fcorbeil
If you already have the API, a brand new MVC app shouldn't be such a bad choice. If you have your models stored in a different project, just reference them from the MVC one. As for the services, they would work perfectly with the new application. This can all be achieved while changing almost nothing in the current implementation.
I am working on a project and using a similar architecture.
I decided to create an Angular project for the website front end and all it does is talk to the Web API. Angular handles the JWT authentication really well. If you've never worked with Angular before, it is really nice to work with.
However, a vanilla ASP.NET MVC web app would work just as well.
It depends on how comfortable you are with Angular, or how willing you are to learn it! :)
I have a project in which I need to implement authorization using OAuth.
I am developing different apps with their different data.
Web app 1:
This is a SPA web app that will connect with a web API built for it that will expose related business data to this web app.
Web app 2:
This is an ASP.NET MVC web site that also uses another web API built for it to get access to its business data.
My Auth service - this is what I want to know how to build:
What I need is to use ASP.NET Identity and make a separate database and a separate web API that will handle authorization and authentication for the above web apps.
Web app 1 has its own database and is using its own web API to present data to users. So is web app 2. This means that web app 1 does not depend on, care about or communicate in any way with web app 2. When a user of web app 1 or web app 2 wants to register or log in, he should communicate with the web API of my auth service to do that. All my web apps should use the same auth service, be agnostic of its specific details and only use this service's API for auth.
An example of this is google or facebook.
I am using C#, ASP.NET 5.
Any ideas or resources on how to do this would be very helpful.
A basic implementation is included in Visual Studio 2015 templates. Choose new ASP.NET Web Application and then MVC or Web API with Individual User Accounts as Authentication option. MVC or Web API depending on the way you want to register and log in.
You have a more complete example with refresh tokens and managing different clientIds in the following post by Taiseer Joudeh, it's not ASP.NET 5 but I think it could be interesting for you.
I'm having all kinds of trouble understanding this. Every article I read seems to have some unmentioned prerequisite amount of knowledge.
I have written a WCF service that was initially designed to be an intranet service. Now we are moving this service to a cloud hosting solution and it needs to only let authorized users call its methods.
I've since created an ASP.NET MVC 5 website for support purposes. The idea for this is that support staff will log in to the MVC site with seeded credentials and add users as they sign up for the service. At the moment, users should not need to enter a username or password anywhere. The service client will have username and password knowledge via local settings or a configuration file or something, and the authorization will be invisible to users. The MVC project seems to be working fine after some changes to the out-of-the-box flow. The database (remote) is created and being populated with new registered user information.
Because the WCF service is in a different project, and to keep a level of portability, I have referenced that project in the MVC project. I then added a "wrapper" WCF service to the MVC project that I intend to be the forward-facing door to the existing WCF project. This wrapper WCF service is where the authentication should happen. I don't understand how to tie the ASP.NET Identity authorization used in the new MVC project into the wrapper WCF service. How can I make the wrapping service authorize user credentials against the Identity database created and populated using the MVC site?
Thanks,
PS
Transport security is not my issue at the moment so if possible leave those topics out.
NET web application and a WCF Application that share the same ASP.NET membership database.
They are both sharing the same ASP.NET membership database.
It is basically like:
WCF: is https://ServerName/Services.svc
ASP.NET: is https://ServerName/Default.aspx
(both are two virtual folders in the same web application and both are using the same ASP.NET membership database).
The user logs on to the ASP.NET application and can then decide to call the WCF service.
What are my options for setting the security for the call between the ASP.NET and the WCF service that make the call using the credentials supplied by the user when logging to the ASP.NET application?
If you run your application in ASP.NET Compatibility mode, you will get all the security features available with ASP.NET. Things such as HttpContext.Current.User will point to the logged-in user.
For the fastest implementation (by fastest I mean to get up and running) get Juval Lowy's ServiceModelEx library from http://www.idesign.net and use his declarative security library.
I have used this library a lot and it works well.
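The ASP.NET Compatibility mode approach mentioned in the answers above, as an added example (not code from the original posts): a WCF service that requires compatibility mode and rejects callers the ASP.NET pipeline has not authenticated. The contract and class names (`IAccountService`, `AccountService`, `WhoAmI`) are hypothetical, and the request is assumed to carry the ASP.NET authentication cookie.

```csharp
// Added example; service and operation names are hypothetical.
//
// web.config of the hosting web application must enable the mode:
//   <system.serviceModel>
//     <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
//   </system.serviceModel>
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Security;
using System.Web;

[ServiceContract]
public interface IAccountService
{
    [OperationContract]
    string WhoAmI();
}

// Required: the service fails to activate if the host has not enabled
// compatibility mode, so it can never run without the ASP.NET pipeline.
[AspNetCompatibilityRequirements(
    RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class AccountService : IAccountService
{
    public string WhoAmI()
    {
        // Populated by the ASP.NET pipeline (forms authentication/membership)
        // before the WCF operation is dispatched.
        var user = HttpContext.Current?.User;

        // Fail closed: no context or an anonymous principal means no access.
        if (user == null || !user.Identity.IsAuthenticated)
        {
            throw new SecurityAccessDeniedException("Caller is not authenticated.");
        }

        return user.Identity.Name;
    }
}
```

A call made server-side from the ASP.NET application does not carry the user's cookie automatically, so the check above sees an anonymous caller unless the cookie or another credential is forwarded with the request.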