Authentication using OAuth in Web API - asp.net

I'm working on a project using ASP.NET MVC5 which also includes a Web API. The API will be for internal use only. I'm using the OWIN library to provide authentication.
I'm having a difficult time figuring out how to correctly implement authentication through the API. I was planning on using OAuth 2.0, but the problem with OAuth is that the user needs to log in through a browser page instead of a native login screen. So I was wondering if it is possible to somehow skip the browser.
I've found this example which creates its own OAuth Authorization Server. But it doesn't show how to make the login native.

If it's a highly trusted client, then you can use the OAuth2 resource owner password flow. You can look at the VS2013 SPA template and/or read on this post:
http://leastprivilege.com/2013/11/13/embedding-a-simple-usernamepassword-authorization-server-in-web-api-v2/
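
The resource owner password flow mentioned above, as an added example that is not code from the answer or the linked post: an OWIN token endpoint that accepts a user name and password from a trusted client and issues a bearer token. It assumes the Microsoft.Owin.Security.OAuth and Microsoft.AspNet.Identity.EntityFramework packages, the default ASP.NET Identity user store, and a `/token` path; `PasswordGrantProvider` is a hypothetical class name.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class PasswordGrantProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // A native app cannot keep a client secret, so no client credentials are required.
        context.Validated();
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // Assumption: users live in the default ASP.NET Identity EF store ("DefaultConnection").
        using (var users = new UserManager<IdentityUser>(new UserStore<IdentityUser>()))
        {
            IdentityUser user = await users.FindAsync(context.UserName, context.Password);
            if (user == null)
            {
                // One error for unknown user and wrong password, so accounts cannot be enumerated.
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }
            ClaimsIdentity identity = await users.CreateIdentityAsync(user, context.Options.AuthenticationType);
            context.Validated(identity); // the middleware serialises this identity into the access token
        }
    }
}
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),          // assumed path
            Provider = new PasswordGrantProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),  // short-lived tokens
            AllowInsecureHttp = false                               // the password is in the request body: HTTPS only
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); // checks "Authorization: Bearer ..."
    }
}
```

The native login screen posts `grant_type=password`, `username` and `password` form-encoded to the token endpoint, then sends the returned access token as a bearer token on each API call.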

You could use Thinktecture.IdentityServer v2 as a light-weight security token service.
https://github.com/thinktecture/Thinktecture.IdentityServer.v2

You will need to create a WOPI host, which is basically a software solution that can take advantage of the browser-based Office (Office Web).
Create a custom WOPI host and configure it to use Office Web Apps Server to provide the browser-based file viewing and editing for Office files.
Nice sample on Microsoft MSDN

Related

Blazor WebAssembly Authentication

I'm learning Blazor and am having some difficulty wrapping my head around authentication. I have a .NET Core web API hosted and want to connect a Blazor WebAssembly to it, but all the tutorials I find use it hosted in an ASP.NET Core host in one package. How secure is the authentication when hosted like this on the same machine?
Using Blazor WebAssembly with authentication (even if possible) is not a great idea:
Usually, when you write a normal client-server application, the client collects the data the user typed and sends it to the server. On the server you can check if the password is correct (for example, by establishing a connection to a database and checking for matches between username and password).
In Blazor WebAssembly, all the code is compiled, DLLs are generated, sent to the client (using the WebAssembly technology), and run inside a JavaScript sandbox. This means that ALL the objects are available on the client side and can be seen by the user, so all the connection strings can also be read.
Even if there are some ways to mask them, none of them are 100% secure, actually.
If you don't need an offline application, I suggest you use the Blazor Server technology, which uses SignalR.
However, if you really want to implement authentication in WebAssembly, you can take a look at the Microsoft documentation.
Hope this can be useful!
You can first go through the official docs. I also recommend watching this video. You'll likely need to use IdentityServer4; for that, see this playlist and the official GitHub repo for sample projects.

ASP.NET with Windows Azure Active Directory SSO

I already have more than 10 applications developed using ASP.NET. There are different versions for frameworks 2.0, 3.5 and 4. Currently I need to apply single sign-on to all of my applications using Windows Azure Active Directory SSO. But I do not know what code or library should be added to my applications to configure them with the Azure SSO. Do I need to re-develop my applications or recreate them with different versions? Does anyone know what I should do?
Different .NET frameworks should not be a problem. You should be able to implement SSO for all of these applications, but you will need to add it individually to each one. You will need to add it in the code of the application itself and then register each application to your tenant.
Here is a very good tutorial that shows you step by step how to add SSO to a published web application in Azure using OpenID Connect. You can follow the steps exactly and build their demo version to test it out, or follow their steps at the bottom that show how to implement SSO in your own application.
https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect
Here is the official Microsoft documentation, which also describes how to implement SSO: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps
Alternatively, if you want to use a library that is already integrated with Visual Studio, you can go to Project > Add Connected Service > Authentication with Azure Active Directory.
The "SSO" in this case refers to SAML. To do SAML in C#, look into Windows Identity Foundation (WIF), which includes some SAML support.
Note that doing SAML SSO involves more than just dropping in the right kind of username/password field. You need to have additional special pages to handle certain redirects, and have a way to store and exchange SAML metadata with your Azure AD identity provider. It can be painful.

How do I implement DNN Authentication from external desktop application?

I need a way to authenticate users to a DNN site from an external desktop application, in my case an OS X Mac application.
The Desktop app needs access to Web API service methods on the DNN Site. I think the JSON Web Token (JWT) would work for this, however, we are using DNN 7 and are unable to upgrade at this time. Is there another option to authenticate from outside of the framework? There does not appear to be a DNN API call to even check if a username and password are valid, as everything is strongly tied into .NET Identity. Is there a way to do this?
I want users to log in to DNN directly from within a desktop app on Mac.
You could use basic auth with SSL. Here is an answer I gave on how to implement it by authorizing web services with basic auth restricted by role.
Basic auth in DNN Web API service

ASP.Net Identity - External logins without any UI from Web API

Note: Just learning Identity so please bear with me. We are developing a Web API for use by apps that we build and apps built by our clients. I have the local engine working the way I want so that any "client" app could use our API to log in.
What I cannot seem to get to work is external login providers without being presented with a login page. Is it possible to converse with them in API only mode or is this type of setup out of the question? What I don't want our client's apps to have to do is know how to manage the logins to use our API.
I know this may be similar to a few other questions out there but I do not see one with our particular need.
Thanks,
Paul Speranza
If your API needs to have authentication in place, then you would need some kind of registration done by the consumers of your API. But you could provide seamless ways to integrate login by not imposing any additional form requirements on the client application. Popular login methods today use social networks. Web API does provide out-of-the-box support for integrating with the social networks.
You can find a sample for using Facebook authentication here

Authentication using Webservice and Javascript

I am building a small web app with all HTML controls and have used JavaScript and web services for all my work.
Now I need to add login authentication to my app. Normally I would have done this with ease with server-side code.
FormsAuthentication.SetAuthCookie(strUSername, createPersistentCookie)
But I need to achieve this using purely JavaScript and web service calls.
function Autheticateuser(strUser,strPwd)
{
    Webservice.AuthenticateUser(strUser,strPwd,SetAuthentication,FailAuthentication)
}
But since JavaScript is not secure, anyone can manipulate this in the browser. How can I make this secure and also keep it away from server-side code?
Web service calls are lying open in JavaScript; they can be called by any malicious script easily to try combinations of username and pwd to break into the system.
The forms authentication controller is not very different from a web service. It takes a form post from an anonymous user with id/password and returns a cookie. This can be called by a script just as easily. That's why you build safeguards (lockout after several unsuccessful attempts) for the authentication.
You don't want to use cookies with Web API services. The easiest thing for you to do is to look into the MVC5 SPA application or Web API 2.0 authentication. These come with Visual Studio 2013 and .NET 4.5. The web services have built-in OAuth token support, which is the proper way to do authentication/authorization for web services. You can do it with earlier versions of MVC, but you need to get external libraries for OAuth support.
This is a good video to get into Web API security.
