I am working on Asp.net MVC5 app and a Web APi2 ,The API is to be used across multiple sites and to be used to authenticate the user as well.
I have created the MVC5 and Web API project in VS 2013,The default template for the authorization server comes whith grant_type=password,but I am looking for implemantation using Code authorization flow.
I have created the Login view in my WebAPI+MVC project which should be called by the client application
I should validate the user using username and password
If user is valid then pass the Authorize code to the client application using redirect Uri
I am getting confused in integrating above flow using owin "OAuthAuthorizationServer"
or what exactly I should override in below method
public override Task GrantAuthorizationCode(OAuthGrantAuthorizationCodeContext context)
{
return base.GrantAuthorizationCode(context);
}
I will be thankful if any one can guide me with the implementation.
Related
I am developing an angular +.net core web app(not to be confused with .net core MVC web app).
My UI client uses angular, my backend web api's use .net core 6. I am using external IDP to authenticate my angular app for that I am using AddOpenIdConnect. All though I am not using MVC for my other APIs(using web api type controller) but I pulled in couple of MVC controller(Home and Account) from the sample app present in external IDP's sample project(as I could not find a way how to achieve it with my APIs).
On login button press in my angular app I call this method of Account controller which redirects me to external IDP. After successful authentication I am being redirected to my angular app's landing page (http://localhost:4200/admin) which solves my purpose as far as SSO is concerned. Also in OnTokenValidated event I am getting the access token as well.
Now the problem I have with this approach is:
How can I return this token to my angular app(which is an independent SPA) so that it can be used as authguard for the angular app and for safe guarding other api end points?
I am thinking of making another end point which angular app would call after successful redirection which would return the claims and access token to UI. I tried fetching it from HTTPContext in the end point that I made but it is coming out to be null and User.IsAuthenticated as false.
How can I secure my web api end points with this same access token? I am thinking of using the access token returned to UI after redirection for authentication and then it can be sent back to backend apis in header for authentication. How can I achieve that?
All the example and sample code(even on IDP's website) use .net core MVC. Did I make a mistake by making it a web api project?
I am trying to implement Single-sign on for my ASP.NET web application using Azure Active Directory and the OAuth2 OpenIDConnect protocols. The documentation is recommending that implicit grant flow is used only for SPA, however, all code samples for ASP.NET are using the response_Type of idTokens. Inorder for this response type to work I need to allow the implicit grant flow. Can anyone point me to code samples using MSAL that can work with the authorization code grant?
The OAuth 2 authorization code grant can be used in apps that are installed on a device to gain access to protected resources like web APIs. This allows you to add sign-in and API access to your mobile and desktop apps.
To redeem an authorization code and get a token, and cache it, the IConfidentialClientApplication contains a method called.
AcquireTokenByAuthorizationCode(
IEnumerable<string> scopes,
string authorizationCode)
Here is code sample you could refer to and this one.
I'm developing a Blazor (ASP.NET Core hosted) project and hosted on IIS.
Back the day when I use ASP.NET core 2.2 with razor page, it can use windows authentication.
However with dotnet core 3.0, only Blazor server-side project template has windows authentication option to choose.
But what about the Blazor (ASP.NET Core hosted) project template? From my understanding, it's just like Blazor client-side + dotnet core MVC backend.
I don't understand why there's no "windows authentication" option for it.
In Blazor WebAssembly apps, user authentication and authorization must be handled by the back end web Api, because all client-side code can be modified by users.
Your ASP.NET Core Api can use the Windows authentication and keep track of the authentication state in a cookie. In Blazor WebAssembly you can implement an AuthenticationStateProvider which calls your web Api to get details about the authentication state of the user.
Then you can use the AuthorizeView component to show or hide content depending on the users log on state.
A clear description you can find in Blazor Prepare for Authorization
Source code example in https://github.com/Forestbrook/BlazorAuthorizationExample.
There are 2 problems to solve.
For the webassembly, use the solution with the AuthenticationStateProvider to get the user authenticated and do a call to the api (enable windows authentication and disable anonymous login) that returns the windows username and the authorization roles, if you use them for authorization. Load the roles into client side identity as claims and the webassembly is set up for authentication & authorization.
Because all code is run in the webassembly, you should also protect the serverside api controller actions with authorization attributes, except for the call that identifies the user to the wasm.
Enable authentication and authorization on the server api and use the IClaimsTransformation to modify claims for the authenticated user.
When configured correctly, you can use authorization attributes on the controllers too, securing the api.
You can implement StateContainers on both sides to cache user information so you don't have to read the database for the same info on every action. I use a singleton for that, with a retention time of 5 minutes. You may then update the timestamp on every cache read so you effectively call the database only once.
I think it will including this feature in later version according to asp.net core github
This is a multistep process, the basic outline is as follows. Best guide I have found is from Chrissanity.
On the server get the current Windows User and store it in a cookie using Blazored.LocalStorage nuget package.
Read that cookie in on the client in ApiAuthenticationStateProvider.cs
In a .razor file use [CascadingParameter] private Task<AuthenticationState>
authenticationStateTask { get; set; } to read the value into your component.
I am working on locking down various sections of an internal application's web api controller actions. Currently, we are using Windows Authentication and a custom role provider. When making ajax calls to the API, I would like to prevent the credentials prompt from showing up when the current user is not authorized to access the given api method. We have a custom authorization filter for our MVC controller actions (NOT WEBAPI), but am not having much luck in preventing that prompt from showing up when making AJAX calls to a webapi action.
Is it possible to just deny/grant access via an authorize attribute and prevent that annoying login prompt from showing up?
We are starting with a new application build with Asp.net. It should connect to a webservice which is already available to retrieve data to present to the user. We've created a repository which communicates with the webservice.
The webservice needs authorization with the same user credentials which the user uses to logon to the web application. The user is authorized with Forms Authentication with cookie support.
The problem is that we cannot retrieve the password from the user on new requests when the user is once authorized and automatically logged on. This password is needed to logon to the webservice from the repository classes.
Any ideas on how to implement this the best and safest way ?
You can try using Client Application Services to get and set the cookie. Or you can manually get and set the cookie using the sample code on this post. The example shows both methods and is geared specifically to passing a forms authentication cookie from an MVC application to an OData WCF feed:
http://blogs.msdn.com/b/astoriateam/archive/2010/07/21/odata-and-authentication-part-7-forms-authentication.aspx
Also, here is a similar example that is trimmed down in scope:
http://www.codeproject.com/Articles/190806/Send-Cookies-When-Making-WCF-Service-Calls