In my solution I am using Thinktecture IdentityServer.
I wanted to introduce the remember me feature (persistant cookie) so I used AllowRememberMe option described here: https://identityserver.github.io/Documentation/docsv2/configuration/authenticationOptions.html
and that is working good but the persistant cookie is created only for IdentityServer instance - not for the client website which called for authentication.
My question is: Is there out of the box solution to achieve that? or do I have somehow pass deatils about cookie expiration through claims or so?
Of course identity server can only issue cookies for itself - not your applications. You would need to do that in your application code.
Related
I am building a SPA using React and Redux on top of dotnet core 2.0. Unfortunately, the vs2017 template for this does not include Authentication/Authorization.
In looking around, I saw many people talking about the use of JWT's and suggesting things like Identity Server or OpenIddict to handle this, but I have only ever used ASP.NET identity to handle security before.
My question is, is it possible to secure a react app by using ASP.NET identity alone, and if so, why do so many people jump straight to JWT's as the solution for securing SPA apps?
Is token based authentication the only method that works with a SPA app, or can I use Cookie based authentication?
I will try to answer by your questions.
Q.1. Is it possible to secure a react app by using aspnet identity alone, and if so, why do so many people jump straight to JWT's as the solution for securing SPA apps?
Q.2. Is token based authentication the only method that works with a SPA app, or can I use Cookie based authentication?
Answer To First Question(this question technically related to difference between cookie based and token based authentication approach.)
Cookie based authentication system
cookie based session is StateFull. as here server needs track of active session,while on front end/client end a cookie is created that holds a session identifier.
you can secure your web api using cookie based authentication system. but in a very limited scope, because ,cookie based system doesn't work well, on native clients or suppose if your web api is going to be consumed by some other web api,
Token based authentication system
it is StateLess as server doesn't keep here the track of which token are issued or which users are log in.
Here server needs to verify only the validity of the token. so token based approach is more decupled than cokie based.
Sources
https://auth0.com/blog/cookies-vs-tokens-definitive-guide/
Update Above(Auth0) link not working any more Updated Link
https://learn.microsoft.com/en-us/dotnet/standard/microservices-architecture/secure-net-microservices-web-applications/
Answer To Second Question
Yes you can implement cookie based authentication in spa by using OWIN Cookie Authentication middileware .
you can find more information regarding it on following link.
https://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/
Hope above will help.
If you are going to have React and API in one domain, and the SPA would be the only client of API it may be recommended to use cookie based authentication with SameSite Cookies.
https://www.scottbrady91.com/OAuth/Cheat-Sheet-OAuth-for-Browser-Based-Applications
https://brockallen.com/2019/01/03/the-state-of-the-implicit-flow-in-oauth2/
(section same-domain apps)
longer post: https://blog.cdivilly.com/2020/06/10/oauth-browser-apps
I am developing a website using asp .net and i give the users two possibilities to log in.
The first is using WIF-ADFS and the second is through manual input.
The thing is, i want the application to check whether it is possible for a certain user to use SSO.
If yes, do SSO, if no, make the application choose the second login possibility automatically.
The question is whether it is possible to implement my application to do that.
The short answers is: probably not if you do not have a "list" of all users with all of their authentication options/methods. There for you have to present them the options (aka WAYF or HRD)....
WIF + ADFS use WS-FED, and the implementations have no graceful fall back. The ADFS server just display an error page. The older ADFS version had some limited options to fix it. The newer ADFS on S2012R2 cannot be extended/customized (except when it is possible in JavaScript on the client side).
If a user want's to log in you have at first no automatic mechanism to determine if he can do SSO (besides you can control all browsers in question and add something to their UserAgent) or not.
So all what is left is to display a form for login with local data and some buttons for login with ADFS or Google or Facebook or whatever.
Microsoft does this in Azure Authentication Services, Thinktecture supports it with the IdentityServer (I think) and MVC has a template for actions like that (and you can use ASP.NET Identity V2 with that).
I am very new in web api security. I have used form authentication technique. when user logs in, a token is created and stored as a cookie in user's web browser. On each request the token is varified and if user is authenticated and authorized user is given access to the service.
but I think this approach does nothing in web api security. cookies can easily be copied and pasted in other browser and anyone can get the service.
I am thinking to use App key and secret along with form authentication. I am not suggested to use third party service like Oauth for authentication. I am not Sure about the Implementation of app key and secret that how it exactly works.
Please provide better way to secure my web api wihtout using third party services and to prevent cookie hijacking etc. What actions are performed to build a strengthly secure web api.
The forms authentication is good enough. You can also do the following:
Use anti-forgery (antifrogery) tokens. Check this or this
It will also be great if on sensitive actions you check if the call to the function was made from the same site or not.You can implement your own action filter for this. (check if the referral site is your site, or the expected site)
Edited:
Thanks guys for your comments. I guess you are right. Well authentication cookies in ASP are created as httpOnly cookies which means even if the site had some XSS vulnerabilities it will still be safe and cant be stolen. I would also suggest to use https everywhere if the site is used for sensitive operations (like a bank) to make sure the cookies are perfectly safe.
Two questions:
1) How/where do I set the lifetime of the session cookie in my web application when using an STS to get claims? From what I can tell, it seems I can only do this programmatically in the ServiceConfigurationCreated event.
2) How/where can I make sure that the expiration is sliding?
StsDude, I asked your question here: How can I make a security token automatically expire in a passive STS setup?
A code sample for the answer may be found here: http://social.msdn.microsoft.com/Forums/en/Geneva/thread/a048694c-3548-4b4d-9bb3-0589c888fd02
HI have the following scenario:
1) i'm authenticated against some aSP.NET web site and my session time out expires in 24 hours.
2) after several time I would like to run query against asp.net Web Service located on the site using existing authentication.
What should I add to cookie Container? I how do sent existing cookie to Web service?
Thank you in Advance.
Danny.
A web service call is just an http call so it will come under the existing authentication.
I am assuming here that you are issuing this from the browser?
If not - e.g. if you are doing it from a console application, then you will have to interact with the site as if you were a user. Some more details are her http://www.ksingla.net/2006/08/sample_forms_authentication_test_in_csharp/
Basically you need to issue a post to login to the login page - track all of the cookies etc - and then start issuing your WS calls with those cookies.
Another option is here http://en.gli.sh/Blog/post/NET-Interoperability-Between-Smart-Client-and-Internet-Explorer-Using-Cookie-based-Authentication.aspx which is reading the correct cookie info from the windows machine you are on - relies on you being logged into the website and also trusted to be able to get to that file.
Alternatively you can look into implementing WSE or WCF solution.