I am developing an application using ASP.Net MVC6 and I would like to implement OAuth 2 auth using bearer tokens. I can't find any solid information on whether or not this is possible. Would anyone be able to point me in the right direction?
TL;DR: the official packages developed by Microsoft for ASP.NET Core only support OAuth2 bearer token validation.
This means that...
... you'll be able to authenticate your users using bearer tokens issued by an external identity provider (like Azure Active Directory) with the Microsoft.AspNetCore.Authentication.JwtBearer package:
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AutomaticAuthentication = true,
Audience = "http://localhost:50000/",
// Authority is only useful if your JWT tokens
// are issued by an OpenID Connect server.
Authority = "[OpenID Connect provider address]",
// If you don't use an OpenID Connect server, you have to manually update the
// token validation parameters with the issuer's signing key.
TokenValidationParameters = new TokenValidationParameters
{
IssuerSigningKey = new X509SecurityKey(certificate)
}
});
That said, only JWT tokens are now supported OTB: the OAuth2 bearer middleware shipped with Katana 3 used to natively support opaque tokens produced by the OAuth2 authorization server, but this support has been removed.
... you won't be able produce your own tokens anymore. The OAuth2 authorization server has been removed and won't be ported to ASP.NET Core: OAuth Authorization Service in ASP.NET Core.
Luckily, alternatives exist. I'm personally developing an OpenID Connect server middleware based on the OAuth2 server shipped with Katana, that offers the same low-level experience: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server
For more information, you can take a look at this SO answer: Configure the authorization server endpoint
Related
I have client application what is writen using Angularjs and .Net Core WebAPI backend. User's authenticate using Google sign-in where we get the token. This token is sent to backend with every API request where its has to be validated.
Is there a middleware or how could i create middleware what would validate the token?
Yes there is: Microsoft.AspNetCore.Authentication.Google
which you can install with:
dotnet add package Microsoft.AspNetCore.Authentication.Google
and then configure the middleware in your startup.cs:
app.UseGoogleAuthentication(new GoogleOptions()
{
ClientId = Configuration["Authentication:Google:ClientId"],
ClientSecret = Configuration["Authentication:Google:ClientSecret"]
});
I'd suggest you read the extremely helpful and easy to follow Microsoft guide for asp.net core social authentication here:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/
and the Google specific walkthrough here:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins
I am trying to configure a web application using ASP.NET Identity 2.0 for Single-SignOn with ADFS.
To configure their ADFS, my client asked me to provide a SAML Service Provider metadata file matching the following format:
In my application, I am setting up authentication in my OWIN pipeline as so:
app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions()
{
MetadataAddress = ConfigurationManager.AppSettings["SsoAdfsMetadataEndpoint"],
Wtrealm = ConfigurationManager.AppSettings["SsoWtrealm"]
});
I have 2 questions:
I can generate an X509 certificate to include in the metadata, but how can I add it to my configuration in the web app?
Where can I get the URLs for all the AssertionConsumerService bindings?
SAML2P (P is for protocol) and WS-FED are two completely different protocols. To confuse things, SAML2 tokens (or assertions in SAML2 lingo) can be carried in WS-FED protocol messages.
You won't get any SAML2P functionality out of a WS-FED middleware. You need a SAML2P middleware. The open source Kentor.AuthServices.Owin package contains such a middleware, that will automatically generate the needed metadata and that has been tested with ADFS.
Disclaimer: I'm the author of Kentor.AuthServices
I've begun an implementation using the OpenID Connect Implicit Flow - I've retrieved my access token and ID token in my browser based javascript app, and now I need to protect the resource on my ASP.NET Core Web API so it can only be accessed via a valid access token from a user with a specific claim.
What middleware do I use to validate the token(s) and determine the user and their claims so I can then allow or deny them access to the resource they are requesting?
I've looked at OpenIdConnectAuthentication middleware, however the only implementation examples I've seen use a SignInScheme of "Cookies", not the Bearer token that my js app is providing.
Thanks
What middleware do I use to validate the token(s) and determine the user and their claims so I can then allow or deny them access to the resource they are requesting?
If your authorization server issues JWT tokens, you can use the JWT bearer middleware developed by the ASP.NET team: https://github.com/aspnet/Security/tree/dev/src/Microsoft.AspNetCore.Authentication.JwtBearer.
app.UseJwtBearerAuthentication(new JwtBearerOptions {
Authority = Configuration["jwt:authority"],
Audience = Configuration["jwt:audience"]
});
You can find a sample here: https://github.com/aspnet/Security/tree/dev/samples/JwtBearerSample.
I am using Visual Studio 2015 Enterprise Update 1 and ASP.NET 5 rc1-final to build an endpoint that both issues and consumes JWT tokens as described in detail here. In this approach we have a single project that 'does it all' - the project uses OIDC to issue tokens, JWT bearer authentication to validate them and then guards access to various controllers using the Authorize attribute - all in the same project.
Now we would like to refactor this solution by creating an OIDC authorization & authentication endpoint that only issues and validates tokens. Then we want 'n' additional endpoints that rely on that OIDC endpoint as a central authority for authenticating tokens. This will allow us to stand up additional endpoints on our growing service backbone without having to code the authorization & authentication into every endpoint.
While I understand how to configure OIDC to issue tokens from one endpoint, it's not entirely clear how I would point my other endpoint to the OIDC endpoint for token authentication. Presently JWT authentication and OIDC are simultaneously configured in the middleware 'Configure' method so I'm guessing perhaps on all the subordinate sites I would have a small piece of code in calling app.UseJwtBearerAuthentication simply pointing the JWT middleware to the OIDC endpoint? If this is the case there's still a bit of magic taking place with the app.UseJwtBearerAuthentication that uses OIDC to allow IdentityModel to use HTTP, so I'm not clear if I would need this on the subordinate servers also.
Any advice on how to establish a single OIDC authorization & authentication endpoint and then have 'n' subordinate endpoints point to that endpoint for authentication of JWT tokens would be very much appreciated.
Separating the resource server role (i.e the API) from the authorization server role is definitely possible with ASOS.
When opting for JWT tokens (instead of the default encrypted tokens), you need to ensure the audience is correctly added to the authentication ticket by calling ticket.SetResources, so the JWT access token gets the appropriate aud claim, containing the identifier associated with your resource server (i.e API):
public override Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context) {
var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
identity.AddClaim(ClaimTypes.NameIdentifier, "[unique identifier]");
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Options.AuthenticationScheme);
// Call SetResources with the list of resource servers
// the access token should be issued for.
ticket.SetResources("resource_server_1");
// Call SetScopes with the list of scopes you want to grant.
ticket.SetScopes("profile", "offline_access");
context.Validate(ticket);
return Task.FromResult(0);
}
In your API app, you just have to set the options.Audience property with the identifier used in the authorization server, and it should work:
app.UseJwtBearerAuthentication(new JwtBearerOptions {
AutomaticAuthenticate = true,
AutomaticChallenge = true,
Audience = "resource_server_1",
Authority = "http://localhost:61854"
});
I would have a small piece of code in calling app.UseJwtBearerAuthentication simply pointing the JWT middleware to the OIDC endpoint? If this is the case there's still a bit of magic taking place with the app.UseJwtBearerAuthentication that uses OIDC to allow IdentityModel to use HTTP, so I'm not clear if I would need this on the subordinate servers also.
The JWT bearer middleware automatically retrieves the cryptographic key used to sign the access token from the authorization server mentioned in the options.Authority property, by making an HTTP call to the configuration metadata endpoint: you don't have to configure anything, even if the API project is separated from the authorization server app.
I've read articles and seen example projects. I know owin allows to decouple application from web-server specific code, oauth allows third party clients to get access to application resources, and bearer token - client can get security token by login and password and use it as key for access to application resources.
I know that for simple cookie authentication using owin it's enough UseCookieAuthentication. But owin has this extensions: UseOAuthAuthorizationServer, UseOAuthBearerAuthentication, UseExternalCookieAuthentication, UseOAuthBearerAuthentication and I don't understand the full picture.
Could I use oauth without oauth bearer token (does it make sence)?
What are use cases for external cookie?
What are use cases for oauth (is it required only in case of client and server work in different domains using some api)?
What are use cases for oauth bearer token authentication?
Is it required oauth and bearer token authentication for web api only and for classic asp.net mvc applications it's no need?