Forms Authentication cookie is not working after FormsAuthentication.SetAuthCookie is called - asp.net

I have forms authentication set up through a Web API project. The forms auth works fine to log the user in to the web site (note: the API server is not the same server as the web server). However, the API services I have restricted to logged-in users are returning a 401, because Request.IsAuthenticated = false when I send back the very same forms auth cookie the API server just set, back to itself.
I have no idea why this is happening. I verified the .ASPXAUTH cookie is being sent with the request. Forms Auth is set up consistently across API and website, and the website picks up the forms auth cookie just fine. Why is my API server not recognizing my user as logged in, even though the API server itself set the cookie?

Figured it out. The issue was a browser conflict with one of my Chrome add-ons. Once I opened the site up in an incognito window sans add-ons, it worked as expected.
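Before blaming the browser, the check a practitioner wants on the API side is whether the .ASPXAUTH cookie actually arrived and whether this server can decrypt the ticket it carries. The following is an added diagnostic, not code from the question or its answer; it assumes a classic ASP.NET Web API project where HttpContext.Current is available, and the helper name is hypothetical. It separates the three failure modes that all surface as Request.IsAuthenticated == false: no cookie, a cookie the server cannot decrypt (typically a machineKey mismatch between the issuing and validating server), and an expired ticket.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added diagnostic helper (hypothetical name): call
// FormsAuthDiagnostics.Explain(HttpContext.Current.Request) from an
// ApiController action or an HttpModule and log the result.
public static class FormsAuthDiagnostics
{
    public static string Explain(HttpRequest request)
    {
        // FormsCookieName reflects the <forms name="..."> setting on THIS server;
        // if the issuing server uses a different name, the cookie is simply ignored.
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie cookie = request.Cookies[cookieName];
        if (cookie == null)
        {
            return "No '" + cookieName + "' cookie in the request: check the cookie " +
                   "domain/path set by the issuer and that the client sends credentials " +
                   "to this host.";
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Throws (or returns null) when validationKey/decryptionKey differ
            // from the server that called SetAuthCookie.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            return "Cookie present but cannot be decrypted (" + ex.GetType().Name + "): " +
                   "verify <machineKey> validationKey/decryptionKey/validation match on " +
                   "both servers.";
        }

        if (ticket == null)
        {
            return "Decrypt returned null: the cookie value is not a forms ticket.";
        }
        if (ticket.Expired)
        {
            return "Ticket for '" + ticket.Name + "' expired at " +
                   ticket.Expiration.ToString("u") + " (server clocks and timeout).";
        }

        return "Ticket for '" + ticket.Name + "' is valid until " +
               ticket.Expiration.ToString("u") + ". If IsAuthenticated is still false, " +
               "confirm <authentication mode=\"Forms\"> is enabled on this server and that " +
               "no earlier module clears the principal.";
    }
}
```

Run it once with the request that returns 401; a "cannot be decrypted" result points at configuration drift between the two servers, while a "valid until" result (as in this question) means the server side is fine and the problem is in what the client sends.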

Related

Cookie authentication in blazor webassembly hosted application with azure active directory

We have a Blazor WebAssembly hosted application (SPA) and we need to implement authentication using Azure Active Directory.
The documentation explains how to do that using JWT bearer tokens.
The problem is that we need cookie authentication, not JWT.
Ideally we would have the following authentication process:
When the user hits the application URL, (s)he is redirected to the login/consent page.
Once credentials are entered, an authentication cookie is generated.
The cookie would then be accessible to the SPA and subsequent queries to the host/server would all be authenticated.
Is there a way to achieve that, and how?
Notes:
I'm no OAuth/OpenID guru.
The real problem we're trying to solve behind this is that we need to share the authentication context between two applications (this Blazor application and another .NET Framework legacy application). The legacy application already uses cookie authentication. We need the authentication process to be "transparent", so that when a user is authenticated in one of them, (s)he doesn't need to authenticate again in the second.
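The flow the question describes (redirect to the Azure AD login/consent page, then a server-issued cookie that authenticates every later call from the SPA) is the cookie + OpenID Connect pairing ASP.NET Core supports out of the box. The following is an added example, not code from the question or from Microsoft's Blazor documentation; it is the Program.cs of the hosted app's Server project and assumes implicit usings, the Microsoft.AspNetCore.Authentication.OpenIdConnect package, and placeholder values for the tenant id, client id, shared key-ring path and shared cookie/application names. The cookie scheme is the session; OIDC only handles the challenge, so no JWT ever reaches the browser. The data-protection lines are what the shared-cookie requirement in the notes needs: both applications must protect tickets with the same key ring and application name (the .NET Framework side reads such cookies through the Microsoft.Owin.Security.Interop package).

```csharp
// Added example (not the project's own code): Server/Program.cs of a hosted
// Blazor WebAssembly app using cookie sessions established by an Azure AD
// OpenID Connect sign-in. All braced values are placeholders.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
    {
        // The cookie is the session; OIDC only runs when a challenge is needed.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        options.Cookie.Name = ".AspNet.SharedCookie";           // assumed shared name
        options.Cookie.HttpOnly = true;                          // script cannot read it
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
        options.Cookie.SameSite = SameSiteMode.Lax;              // still sent on the OIDC redirect back
        options.ExpireTimeSpan = TimeSpan.FromHours(8);
        options.SlidingExpiration = true;
        // SPA fetch() calls to /api should get a 401, not an HTML login redirect.
        options.Events.OnRedirectToLogin = ctx =>
        {
            if (ctx.Request.Path.StartsWithSegments("/api"))
            {
                ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return Task.CompletedTask;
            }
            ctx.Response.Redirect(ctx.RedirectUri);
            return Task.CompletedTask;
        };
    })
    .AddOpenIdConnect(options =>
    {
        options.Authority = "https://login.microsoftonline.com/{TENANT-ID}/v2.0";
        options.ClientId = "{CLIENT-ID}";
        options.ResponseType = OpenIdConnectResponseType.Code; // code flow
        options.UsePkce = true;
        options.CallbackPath = "/signin-oidc";
        options.SaveTokens = false; // keep id/access tokens out of the cookie
        options.Scope.Add("openid");
        options.Scope.Add("profile");
    });

// Shared cookie with the legacy .NET Framework app: same key ring, same app name.
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(@"\\shared\keyring")) // assumed path
    .SetApplicationName("SharedCookieApp");                          // assumed name

builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseBlazorFrameworkFiles();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();            // [Authorize] on the API controllers
app.MapFallbackToFile("index.html");
app.Run();
```

Because the hosted client and the API share an origin, the browser attaches the cookie to the SPA's HttpClient calls by default; only a cross-origin API would additionally need the request to be sent with credentials included. Keeping the cookie HttpOnly means the SPA never reads it directly, which is the point: the server, not the client, holds the authenticated session.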

Check SSO using WIF-ADFS

I am developing a website using WIF-ADFS technology to achieve single sign on (SSO).
As such, the page will first be automatically redirected to the ADFS page; however, the users will then need to input their ADFS login credentials.
If the ADFS login is successful, the page will then redirect back to my site with the claims.
The questions are:
Can I omit the ADFS login step, regardless of my device and my working network?
If yes, what response should I expect if the user is not recognized by ADFS? Will there be no claims sent?
You cannot omit the ADFS login step.
If everything is configured correctly in ADFS, IE and Chrome will likely do automatic logon. Firefox won't, mobile devices won't, and Linux machines won't either.
If a user is not authenticated, ADFS will never send him back to your application. If a user accesses your application without being authenticated, he will be redirected (or the access will be denied).

External Authentication Services with a client page

I am using a Facebook/Twitter logged-in user to authenticate my Web API. I followed this
Okay, that was most likely what I want. But my view page will be hosted differently. That is, the user will be logging in with a different page, and they will send an AJAX request to get values from the API controller.
I would authorize the Web API only to users who are logged in.
If by "differently hosted" you mean on separate domains, then you won't be able to share a cookie between the two. If you mean that the client is an iOS app or Windows Phone app running on a device, the general pattern is to use a "Browser Control" and build a little UI as part of your API site. You can show your users this UI in the browser control and then scrape the token out. If you use Azure ACS, this is much easier with the "javascriptnotify" protocol that enables the token to be pushed out of the browser control.
The best article I've seen on this is http://www.cloudidentity.com/blog/2012/04/04/authenticating-users-from-passive-ips-in-rich-client-apps-via-acs-2

ASP.Net forms authentication cookie between UIWebView and ASIHttpRequest

I have an iOS app that uses a UIWebView to display pages from an ASP.Net site. The user logs into the site through the UIWebView, which creates the forms authentication cookie and authenticates any further page loads in the UIWebView.
I'm attempting to use this same cookie to authenticate some HTTP requests that are done with an ASIHttpRequest.
Supposedly this should happen automatically, but it wasn't working. I'm now explicitly setting the cookie for ASP.NET_SessionId on the ASIHttpRequest, but the request is still not authenticated; it ends up redirected to a login page.
Is there something in the forms authentication cookie that would make it specific to the UIWebView, where it wouldn't also work with an ASIHttpRequest?
Ah, apparently this was related to ASP.Net not recognizing that the UIWebView browser supported cookies (even though the authentication mostly worked in the UIWebView).
I added the generic.browser file as seen in this other question:
Asp.Net Forms Authentication when using iPhone UIWebView
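The failure here comes from ASP.NET browser capability detection: when the User-Agent is not recognized as cookie-capable, forms authentication under the default cookieless="UseDeviceProfile" setting falls back to putting the ticket in the URL, so a cookie-only client such as ASIHttpRequest is never authenticated. The file below is an added example of the generic.browser fix the answer refers to, not the exact file from the linked question; it is placed at App_Browsers/generic.browser in the web project and declares cookie support for every browser that inherits the Default definition.

```xml
<!-- App_Browsers/generic.browser (added example, not the original question's file).
     Overrides the capability detection so ASP.NET treats every client that
     falls back to the Default browser definition as cookie-capable. -->
<browsers>
  <browser refID="Default">
    <capabilities>
      <capability name="cookies" value="true" />
    </capabilities>
  </browser>
</browsers>
```

The narrower alternative is to stop relying on detection altogether by setting cookieless="UseCookies" on the <forms> element in web.config, which also removes the possibility of the ticket ever appearing in a URL (where it would land in logs and Referer headers). Either way, verify after the change that the authenticated request carries .ASPXAUTH (the forms ticket) and not only ASP.NET_SessionId, since the session cookie alone never authenticates a request.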

Forms authentication service not working

I have a desktop app.
I authenticate using the WCF authentication service's login method, by calling it from the desktop application.
Everything seems to work.
I then open Internet Explorer and try to browse to a protected page.
I get bounced to the login.
Why? How can I authenticate using the WCF service?
Internet Explorer and your desktop app are not the same application, so the forms authentication cookie can't be read/encrypted/decrypted by both at the same time. A method you might try is to embed a web-browser control in your desktop app (even make it invisible if you like) and perform a POST login through an HttpWebRequest object (formulating POST headers etc.). This would instantiate a web browser and generate an auth cookie at the same time your desktop app logs in. I can't vouch for the security of it, though.