I am build a small web app with all HTML controls and have used javascrip and webservices for all my work.
Now i need to add Login Authentication to my App. Normally i would have done this with ease with Server side code.
FormsAuthentication.SetAuthCookie(strUSername, createPersistentCookie)
But i need to achieve this using purely Javascript and Webservice calls.
function Autheticateuser(strUser,strPwd)
{
Webservice.AuthenticateUser(strUser,strPwd,SetAuthentication,FailAuthentication)
}
But since Javascript is not secure, any one can manipulate this on the browser. How can i make this secure and also keep it away from Server side code.
web service calls are lying open in javascript it can be called by any malicious script easily to try combinations of username and pwd to break into the system.
The forms authentication controller is not very different from a web service. It takes a form post from an anonymous user with id/password and returns a cookie. This can be called by a script just as easily. That's why you build safeguards (lockout after several unsuccessful attempts) for the authentication.
You don't want to use cookies with Web API services. The easiest thing to do for you is to look into MVC5 SPA application or Web API 2.0 authentication. These come with Visual Studio 2013 and .NET 4.5. The web services have built in OAuth token support, which is the proper way to do authentication/authorization for web services. You can do it with earlier versions of MVC, but need to get external libraries for OAuth support.
This is a good video to get into web api security.
Related
I'm trying to implement SAML as service provider in our ASP.NET 4x application using Sustainsys SAML2 but I'm starting to wonder if this is the right way to go.
The application is technically ASP.NET MVC, but we only use one mvc page to load the frontend SPA (angular). As the application is also multitenant I have mostly focused on the OWIN-version of Sustainsys (as the ASP.NET MVC version doesnt seem to support different configurations based on the request). But we also use custom authentication and the Sustainsys library seems tightly linked to the ASP.NET cookie authentication, which I dont know that much about. Is it possible to use this library without ASP.NET authentication?
Yes, it is possible. Hook the AcsCommandResultCreated notification and set the HandledResult flag on CommandResult to true to supress the default handling, including calls to the cookie authentication. Then do whatever you want to do.
Note that you would need to copy parts of the CommandResultExtensions.Apply method to clear the state cookie and apply the redirect.
I want to build a Blazor Server Side app that calls an ASP NET Core Web API that requires authentication/authorization using the Microsoft AspNetCore Identity. I have gonne so far to login, but couldn't find a way to send the cookie after login and delete it on logout.
I have searched extensively, but only found for OAuth, OpenID, Azure, AD, IdentityServer4, ClientSide etc...
As far as I know, the asp.net core identity contains the login view and login action method, there is no build-in that support web api. If you want to use web api with identity, you should inject the user manager and build the authentication controller by yourself.
More details, I suggest you could refer to this article.
Besides for client side part, I suggest you could try to refer to this blog to know how to authentication with client-side Blazor using WebAPI.
This article provide a complete example to authentication with client-side Blazor using WebAPI and ASP.NET Core Identity and configuring Role-based Authorization with client-side Blazor.
It also contains the github for this example.
If I were to create two separate projects:
ASP.NET Core Web API project
ASP.NET Core MVC project
The MVC project would use HttpClient to talk to the Web API.
If this is the case and I wanted to use the built in ASP.NET Identity should I be doing it through the Web API or just keep it as part of the MVC project?
From the description of your question, it seems like you will end up protecting only 1 layer of your app.
Ideally, you would protect both. On the MVC application side you would want to do user authentication with ASPNET Identity (establish who wants to get information) and on the WebAPI side you would want to do resource authentication or client authentication to check if the caller of the API (app x) actually has the rights to call the API. The latter cannot be done through ASPNET identity. You would want something like Identity Server 4 or Azure B2C like products to achieve that.
Now, you could keep the API open & internal and just call it from HTTPClient in the MVC APP, but, I wouldn't do that if I were you. The only reason I can think of why you would want an API is, so that you can later use it from other apps, so, keeping the API open like that is not advisable.
If I were in your shoes, I would want to have a security framework around my applications and then proceed with giving applications the required access on the API to carry out needed operations.
I'm working on a project using ASP.Net MVC5 which also includes a Web API. The API will be for internal use only. I'm using the OWIN library to provider authentication.
I'm having a difficult time figuring out how to correctly implement authentication through the API. I was planning on using OAuth 2.0 but the problem with OAuth is that the user needs to login through a browser page instead of a native login screen. So I was wondering if it is possible to somehow skip the browser.
I've found this example which creates it's own OAuth Authorization Server. But it doesn't show how to make the login native.
If it's a highly trusted client, then you can use the OAuth2 resource owner password flow. You can look at the VS2013 SPA template and/or read on this post:
http://leastprivilege.com/2013/11/13/embedding-a-simple-usernamepassword-authorization-server-in-web-api-v2/
You could use Thinktecture.IdentityServer v2 as a light-weight security token service.
https://github.com/thinktecture/Thinktecture.IdentityServer.v2
You will need to create a WOPI host, which is basically a software solution that can take advantage of the browser-based Office(office web).
Create a custom WOPI host and configure it to use Office Web Apps Server to provide the browser-based file viewing and editing for Office files.
Nice sample on Microsoft MSDN
We have an ASP.NET MVC application that is not part of SharePoint. However, it'd be preferable to leverage SharePoint's security framework. For instance, when the user enters username/password in the non-SharePoint app, could it call a SharePoint webservice to authenticate the user? Or is there any other way to achieve this?
It all depends, if SharePoint uses AD then I see no added value in authenticating with SharePoint. If SharePoint uses forms-based authentication, I would create a custom web service running on the SharePoint server that allows you to authenticate users. That way if you ever need it again for another application you can use that webservice / wcf service.
To use the SharePoint Security framework you will have to run your application inside the context of the SharePoint. One quick solution to achieve this is to create a Virtual Directory under the SharePoint web application and place your code there and you will have the full sharepoint context.