We have a classic ASP.NET web application and a SOAP based API built on it. We are planning to implement oAuth2 authorization into it to implement a service provider that can create tokens, persist them and do evaluation.
I found few examples using DotNetOpenAuth , Azure access control service but all of them are based on MVC. Any pointers on how we can implement on oAuth2 on classic ASP.NET web API?
There are quite a few examples of using DotNetOpenAuth with asp.net applications. For instance:
http://www.nuget.org/packages/DotNetOpenAuth.AspNet
http://blogs.msdn.com/b/webdev/archive/2012/09/12/integrate-openauth-openid-with-your-existing-asp-net-application-using-universal-providers.aspx
Edit
So unfortunately I don't know a direct example with asp.net.
The OAuth1 sample might help in giving the basic idea of how to integrate DotNetOpenAuth as a service provider into an ASP.NET application -
https://github.com/DotNetOpenAuth/DotNetOpenAuth/tree/master/samples/OAuthServiceProvider
And I think that using that as a base, and combining with working with the OAuth2.AuthorizationServer (as the oauth2 samples show, like https://github.com/DotNetOpenAuth/DotNetOpenAuth/tree/master/samples/OAuth2ProtectedWebApi), is a good reference point.
Related
I have a traditional ASP.NET 3.5 Web Forms application. As of now it is using On-Premise ADFS which is working fine. Now we have a requirement to change on-premise ADFS to Azure ADFS.
In the web.config, I have changed the required URL to point to Azure ADFS but it is not working. I checked Stackoverflow and Googled around but I found examples related to ASP.NET MVC and ASP.NET Core where changes are required in Startup.cs file.
I want to know what all changes are required in my traditional Web Forms application. Any example link would help.
You should be able to get it working by using the Azure AD parameters rather than the ADFS ones e.g. metadata. What protocol are you using?
There are some ADFS samples. Look at the LHS under ADAL and MSAL. These generally start with an Azure AD sample and show how to convert to ADFS. So you can then work "backwards".
Update
I had a look at that code. It looks like OIDC? "Redirect_Uri" is not a WS-Fed parameter.
There is a WS-Fed sample here.
I'm looking for a good MFA provider to be incorporated to a legacy Web Forms application that uses Forms Authentication for security. It seems most of the MFA providers I see (such as Authy) are built around ASP .NET Identity. I'm trying to look for a solution that doesn't scratch the legacy application much... migrating the legacy application to ASP .NET Identity will be a nightmare. I've tried looking into Authy, Auth0, PingID and Okta and they all seem to be overkill for our use case. I'm trying to find an MFA provider that can work alongside Forms Authentication.
I use https://www.twilio.com/ for my MFA. I am only using the SMS functionality though, so essentially you need to hook up their sms code with your form authentication process. The only difference is that you don't have the identity component (which I highly suggest that you implement). Check out the C# code here for more info on the SMS API procedure: https://www.twilio.com/docs/sms/quickstart/csharp-dotnet-framework.
I understand that the following is for MVC, but you can convert the code to Web Forms as well: https://www.twilio.com/docs/sms/tutorials/two-factor-authentication-csharp-mvc.
The above example also uses the identity framework, but just take a look at the implementation of using SMS and you can migrate the concept into your web form.
If I were to create two separate projects:
ASP.NET Core Web API project
ASP.NET Core MVC project
The MVC project would use HttpClient to talk to the Web API.
If this is the case and I wanted to use the built in ASP.NET Identity should I be doing it through the Web API or just keep it as part of the MVC project?
From the description of your question, it seems like you will end up protecting only 1 layer of your app.
Ideally, you would protect both. On the MVC application side you would want to do user authentication with ASPNET Identity (establish who wants to get information) and on the WebAPI side you would want to do resource authentication or client authentication to check if the caller of the API (app x) actually has the rights to call the API. The latter cannot be done through ASPNET identity. You would want something like Identity Server 4 or Azure B2C like products to achieve that.
Now, you could keep the API open & internal and just call it from HTTPClient in the MVC APP, but, I wouldn't do that if I were you. The only reason I can think of why you would want an API is, so that you can later use it from other apps, so, keeping the API open like that is not advisable.
If I were in your shoes, I would want to have a security framework around my applications and then proceed with giving applications the required access on the API to carry out needed operations.
What I am trying to achieve:
I currently have mobile apps on top of services and would like to add a web site on top of the same services.
Services details:
ASP.NET Web API project using OAuth (bearer token) and Identity for authentication and authorisation.
Microsoft.AspNet.WebApi 5.2.3
Microsoft.Owin.Security.OAuth 3.0.1
Microsoft.AspNet.Identity.Core 2.2.1
Mobile details:
Xamarin projects.
Xamarin.Forms 2.3.3.193
What architecture should I use for the web site?
Create a new ASP.NET MVC project and call my current services from the MVC controllers? This seems bad because:
I would have 2 layers of controllers (web site MVC controllers calling services API controllers)
I would need to store bearer tokens in cookies
I would need to manage the tokens and cookies expirations
Create a new ASP.NET MVC project and call current services database directly? This seems bad because:
I would have to duplicate the models in the services project and in the web site project
Create a new ASP.NET project and call my current services using ajax? This seems bad because:
I would need to create my own register/login pages
I would need to store bearer tokens in cookies
I would need to manage the tokens and cookies expirations
I would need to say bye to future social authentication (OAUTH2) implementation because I wouldn’t be using OWIN
Thanks,
fcorbeil
If you already have the API a brand new MVC app shouldn't be such a bad choice. If you have your models stored in a different project just reference them to the MVC one. As for the services, them would work perfectly with the new application. This all can be achieved without changing almost nothing to the current implementation.
I am working on a project and using a similar architecture.
I decided to create an Angular project for the website front end and all it does is talk to the Web API. Angular handles the JWT authentication really well. If you've never worked with Angular before, it is really nice to work with.
However, a vanilla ASP.NET MVC web app would work just as well.
It depends on how comfortable you are with Angular, or how willing you are are to learning it! :)
Where can I find a complete code sample (the entire project) that includes the following:
.NET Web Api 2
.NET Identity 2.0
External login provider
Token authentication instead of cookies
I have a Web API project working with an external login provider but it uses cookie authentication and does not use .NET Identity. I can't find any complete code examples that include the above four requirements.
The best working example one can find is the series of Mr.Mittal at Codeproject in it one can find Entity Framework, Generic Repository pattern and Unit of Work.
Also all the stuff you explained
.NET Web API 2
.NET Identity 2.0
External login provider
Token authentication instead of cookies
keep up with him you'll get to know how this all works here is the link Enterprise Level Application Architecture with Web APIs using Entity Framework, Generic Repository Pattern and Unit of Work