I am using structureMap for injecting dependencies, I'd like to know
Which implementation should I provide for IIdentity in SignalR?
Basically, SignalR uses the already existing authentication, so you just authenticate users as you would normally in an ASP.NET application, and you can have hubs or specific hub methods that have the Authorize attribute.
http://www.asp.net/signalr/overview/security/hub-authorization
SignalR does not provide any features for authenticating users. Instead, you integrate the SignalR features into the existing authentication structure for an application. You authenticate users as you would normally in your application, and work with the results of the authentication in your SignalR code. For example, you might authenticate your users with ASP.NET forms authentication, and then in your hub, enforce which users or roles are authorized to call a method. In your hub, you can also pass authentication information, such as user name or whether a user belongs to a role, to the client.
Hope this helps! Good luck!
Related
I have a web site that calls an API. To call the API from the web site I'm getting first a jwt token using GetAccessTokenForUserAsync(scope).
My problem is that this method doesn't retrieve user's roles inside the jwt token.
My user.identity.claims has a few roles but they are not include in the jwt token.
What I'm missing?
I'm to trying to including the roles in the jwt token because I need to secure my api methods. For example, a method can be called only by AdminMember, other method only can be called by SpecialMember.
Is there another way to secure my api without sending my user's roles?
Thanks
Since the roles are defined in your client app's registration, they will only be available in its tokens.
So, there are fundamentally two options:
Define the same roles in the API app registration as well. You will need to assign the roles on that app as well to the users. This could be made easier by using groups for the role assignments.
Change the API to use the same app registration. Now you will get the roles in the access token. Using one app registration can mean violating least privilege since then any permission you want to give to either the API or client app will be given to the other as well.
Depending on your case, you can choose either option :)
I write a webapp with mvc5 and Identity for authentication. It's work fine.
Now I need to authenticate same client (ios app, windows phone app, and android app) with users that are registered. Think to use a specific webapi where user can register, modify, autheticate ours user. So when they are autenticated the use can access other webapi for get data. Is this correct procedure? How I can use Identity into webapi?
Thanks
You want to look into oAuth and JWT tokens. There is already a library built for this which works really well called Thinktecure. When you are authenticating from a mobile app you really want to go the route of stateless authentication and just pass a token with the necessary claims to identify the user. There is plenty of documentation on the site as well as a sample repo (below).
https://github.com/IdentityServer/IdentityServer3.Samples/
I am relatively new to uisng ADFS (in ASP.NET) which is what my company wants to use and just have a few basic questions about that:
Am I correct there is no explicit "Authorize" call you can do like with ASP.NET Membership Providers? Unless you on a domain it presents you with a login screen and once you enter credentials it does validation and returns back a token with claims information.
Can you configure some forms to allow anonymous access like you can do with Forms Authentication?
Thanks.
Yes, you can setup pages in your app that don't require authentication. It works exactly like you'd do with Forms Auth.
On #1: in a claims based model, your app relies on an external system to authenticate users and receives evidence that the user is valid in the form of a token. You can completely automate this (using WIF and config files), or you can explicitly trigger the authentication process. In any case, your app won't be responsible for validating legitimate users anymore. It is a responsibility that it delegates to the STS (e.g. ADFS). That's why apps are called "relying parties".
I'd suggest you read the first couple chapters of the A Guide to Claims based Identity for a better understanding of the underlying principles.
I'm new in WCF and I want to know how can I protect a WCF Rest service.
I have an asp.net website, only registered users can access it, the application uses a service hosted on the same IIS server, my question is, how can I restrict the use of this service, for that only registered users may use it, knowing that the service can be used by many clients (Android, iPhone, ...). what type of authentication I can use? to test the service I created a winform and I use an HttpWebRequest.
PS: I cant use https.
Thanks
Simplest way is to use asp.net compatibility mode. The WCF service call will result in the same preprocessing used for ASP.NET pages, including checking the ASP.NET auth and session cookies. You will also be able to check HttpContext, including httpcontext.current.user.identity.isauthenticated. If the user is not authenticated, throw an exception or return an error code. Here is some more information: http://msdn.microsoft.com/en-us/library/aa702682.aspx.
So if you are already using forms auth for your application, and the service should be called after a user has logged in to your application, you are set.
You can also create an authentication service. The service will allow the client to send a username / password, and will use ASP.NET authentication to authenticate the user. It will send back an auth cookie, and then you can check future service calls as above. See http://msdn.microsoft.com/en-us/library/bb386582.aspx.
I believe the authentication service can called using json. See How to Call .NET AuthenticationService from json client without ASP.NET.
I've implemented a custom ASP.net membership provider to deal with forms authentication. The custom provider uses a custom User object for authentication and authorization. I was wondering If I can pass this object to each WCF call without adding it to the parameters list?
Since you are already using a MembershipProvider you can utalize that on wcf as well so both are secured by the same mechanism.
See this post on msdn.
Windows Communication Foundation (WCF)
developers can take advantage of these
features for security purposes. When
integrated into an WCF application,
users must supply a user name/password
combination to the WCF client
application. To transfer the data to
the WCF service, use a binding that
supports user name/password
credentials, such as the WSHttpBinding
(in configuration, the wsHttpBinding
Element) and set the client credential
type to UserName. On the service, WCF
security authenticates the user based
on the user name and password, and
also assigns the role specified by the
ASP.NET role.
Another option would be to create a custom IAuthorizationPolicy that pulls off your user via
OperationContext.Current.IncomingMessageHeaders.GetHeader<T>
And than setup your principal like the following:
evaluationContext.Properties[Constants.EvaluationContextPrincipal] = principal;
Here is some more information on creating a custom IAuthroizationPolicy. With this method you could achieve what you want without passing your user to the method.
Just be warned if you go this route a crafty person could end up impersonating the user by simply suppling a bogus user in your header.
Using the asp.net membership provider for wcf would most likely get you what you are really after plus adding some security.
You definitely should not add this to the parameters each method.
I do not know about your custom user object but as far as WS* and most security standards concerned, your user object will have username and password.
The answer depends on the binding you use. BasicHttpBinding or BasicHttpContextBinding can use HTTP authentication schemes while WsHttpBinding can use custom Message security which you can provide user name and password.
BasicHttpContextBinding is especially good since it can work with ASP NET session.