We have a WebAPI 2 project that is using OAuth2 provider in OWIN/Katana in production.
Is it possible to be able to provide the token that is generated to another platform which doesn't run this same API so that they are able to decrypt the token and extract the claims? Obviously the machine keys would need to be in sync; but has anyone got any experience of this?
I'm not 100% sold on doing this yet, as i'm a firm believer in having a single authorisation server, however feedback is appreciated and whether this is indeed a mistep or not.
Cheers!
It appears the tumbleweed has spoken :)
Related
So long story short, I need to pass in a username and password to a web API in order to receive a JWT giving me access to use the API. I'll need to call the API for both web and console apps, so it will be used a lot.
I obviously don't want to call it using plaintext in the app(s) (them)selves because I don't want the credentials stored in version control. I also don't want to use Secret Manager or Environment Variables, because these apps will be used in production.
The only thing I can think of is storing the username/password (as plaintext) somewhere on the server and letting Windows Authentication handle the security of the data.
Is that a good practice though? I mean I guess it's as secure as the server is and if someone got access into the server we'd have bigger problems, but it just seems like it isn't good practice.
Also, I know Azure Key Vault would be ideal in this scenario, but the company is going through a lot of transitions and finances are up in the air with covid - so we're trying to minimize costs as much as possible for the time being.
Any one have any input?
I want to create an Oauth 2.0 server tied to a sql database using OWIN where we can create applications and get client ids and client secrets for those applications. And access a simple resource using those ids and secrets. (just like we get client id and client secret from google developer site by creating new application). If someone has a sample code or project It will be very help full. I've tried number of examples but still I couldn't find a way to create it. Thanks!
Rolling your own from scratch is not a simple undertaking. I would recommend that you take a look at IdentityServer3. The principal contributors are Dominick Baier and Brock Allen. They are the go-to guys for implementing OAuth 2 in .Net. IdentityServer3 is very comprehensive and very flexible.
It runs as OWIN middleware and they have a number of samples that should help you get started.
I have built a Restful Web API for my (android) mobile application, and now i am trying to secure the access to the API. I was reading for about a week on this topic and i got the whole spectrum - from those who say that is is impossible to secure a Restful API to those who say that Https (SSL) is enough.
Here I don't want to start a discussion about that.I have settled with OAuth or OAuth2 it doesn't matter(as far as I have read OAuth seems to be the better choice, but in the Microsoft tutorials they use OAuth 2, so here i am quite confused), and yes i know that they are completely different, but I am so frustrated of searching that I would accept either (I must admit that I expceted this to be much easier). As I said, I was searching for about a week, and all I got are concepts(a lot of them). You send some data -magic start - usually username/password to the server, your data is being processed and you get a token back - magic stop-. On SO there are a lot of questions on this topic but most of the answers are unprecise (and unfortunately unusuable). For example I got this one How to secure WEB API, nice answers, but not really use of them, or this one Implement Web API with OAuth and a Single Page Application. I also got the examples from the Microsoft tutorials but there is a lot of overhead in the code and the part about OAuth isn't quite clear(which is unfortunate because the whole example should be about OAuth). I could post tons of links which claim to talk about this topic, but actually they are of no help.
What I am looking for is an simple, very very simple, example of an ASP.NET OAuth(2) implementation. It would be great if I just could use it with fiddler, provide an username/password in the header and with use of grant_type: xxx I get the token back(the permitted username/password can be hard coded inside the project, so no need for Entity framework implementation or any database on the backend). And it would also be great if someone could explain me how to use this token to authorize the user (I got it that I have to provide the Controller functions with the [Authorize] attribute, but how and where is this token-check being done ?). But please, don't post any theory about OAuth, I don't need that, here I am looking for the actual implementation of OAuth inside of Asp.Net Web Api
thanks
Here is detailed post about adding the resource owner password credentials flow for your Web API project.
The most simple implementation of OAuth2 in Web API project you can find here:
WebApiOAuth2 on GitHub
There are just two important files:
Startup.cs (with settings)
AuthorizationServerProvider.cs (authorization of users using oauth2)
I'm totally new to SAML. I want implement SSO for my ASP.NET Website. I got the SAML assertion from my client. I would like to know what are all other requirements I need to get it from my client and what setup I need to implement at my end.
Can anybody help me out in this.
Thanks in advance.
The first thing that I would do is avoid writing the SAML code yourself. There's plenty out there. #Woloski (above) has some. My company has some (I work for the company that makes PingFederate). There's some open source stuff, too. I've seen good connections from KentorIT authServices. If this is your first foray into SAML, then my bet is that ADFS is way overboard. I'll be honest, the groups we see most commonly at Ping is when they decide to go "all in" with SSO. The first one or two connections are easy. Tehn it becomes a management nightmare rapidly thereafter. The reason I say to avoid writing your own, is because there are a LOT of nuances to SAML, with massive pitfalls, and headaches you just don't need.
As the service provider (SP), you need to tell your client (Identity Provider, or IdP) what "attributes" you need from them to properly connect their users to their account in your application (maybe a username?). In addition, you can ask for additional attributes to ensure their profile is up to date - phone number, email, etc. It's up to the two of you to determine what you need (and what they'll give you). Obviously, they shouldn't send social security number, if you have no need for it.
You also need to decide if you will do SP initiated SSO (will the users get links to documents deep inside your app?), or if just IdP initiated (Or will always just come to the front door?) will suffice. What about Single Logout? Do you (or they) want to do that? [Personally, I suggest NO, but that's a different topic]
What about signing the assertion? Your cert or theirs? If you're doing SP-init, do you need to use their cert or yours for signing the AuthnRequest? Do you need encryption of the assertion, or maybe just a few of the attributes?
Generally, you do all of this with a "metadata exchange". You give them your metadata that says "this is what we need". They import that metadata to build a new connection, fulfilling the attributes your app needs with calls to their LDAP or other user repository, as well as doing authentication (if required). They finish building their connection, and export THEIR metadata, which you import to build your connection (thereby making sure you all agree on certificates). You hook it to your app, and away you go.
I make this sound easy. It is, and it isn't. Rolling your own can mean issues. Lots of them. With some being so minute that it takes pros hours (and days) to see it. When it works, it works, and well.
HTH -- Andy
you can use something like ADFS to accepto SAML Assertions. ADFS gets installed on Windows 2008 or 2012.
You would need to ask your customer
the signing certificate public key and
the sign in URL.
Then you would create a "Claims Provider Trust" in ADFS and enter those details. Then a "Relying Party Trust" that represents your application. Finally you would have to configure your application with ADFS using WIF. This blog post have more details:
http://thedotnethub.blogspot.com.ar/2012/12/adfs-20-by-example-part1-adfs-as-ip-sts.html
Also you can use Auth0 to accomplish the same without setting up any software on your side (disclaimer: I work there).
I have spent days trying to get up to speed on this but everything has changed since I last touched a web project and I'm utterly overwhelmed right now, and getting nowhere. I'm trying to put together the pieces for an implicit grant flow - just a simple web API that respects the tokens issued by my local instance of I.S.
I have been able to download and configure I.S. v2 locally. I've got it issuing authentication tokens in JWT format after sending the browser to the login page. I can see the token info come back as part of the redirect URL from IS, like 'access_token=...&token_type=urn:ietf:params:oauth:token-type:jwt&expires_in=599'.
So now I need to configure my asp.net API site to accept these tokens, and I can't figure out how. As I said, I haven't done web work in a while so Owin, WIF, and many more things involved here are brand new to me all at once.
What are the key steps I need to do have my API site accept these tokens? I guess I'm not sure what packages to include, what goes into the web.config related to the WIF aspect, do I need to write any code to make it work, or should there be some combination of config settings that just activate it? Do I need to create a custom ClaimsAuhtorizationManager?
Please, I'm bad shape here, I've been looking at this stuff for days and I still don't know enough to even figure out what else to try. Every sample I've found has had a significant different from my situation, rendering it unhelpful to me (most point to Azure or ADFS, or use the old classes which are now deprecated). It's not for a lack of effort, I've been reading everything I can get my hands on and scouring the web for days.
Thanks in advance for any help.
IdSrv issues standard JWT tokens - so there is nothing specific to it.
You can e.g. use the JWT handler from Microsoft. For Web API v2 the typical way would be to use the JWT middleware - here is a sample:
https://github.com/thinktecture/Thinktecture.AuthorizationServer/blob/master/samples/Flows/ResourceServer%20(Web%20API%20v2)/App_Start/AuthConfig.cs