What approach is recommended in a case where I will be using ASP.NET MVC for authorization, but I will also have a few web services (WCF) that will be hit by JQuery AJAX requests once the user has been authorized.
I understand authorization in ASP.NET and in MVC. It's straightforward. One thing that I don't completely grasp is how my JQuery Ajax requests will become part of that session with the WCF services. In JQuery Ajax, do I need to manually attach a client side authentication token in the header of the request? Assuming this will be the same token returned from ASP.NET in the response header once the user is authorized?
Any tips on helping me understand how this works?
Related
I have an asp.net webforms solution that uses Identity for authentication. Within the solution I have some webservices that handle ajax requests for the site. The controller apis require authentication, which is not a problem from within the solution, since they receive auth cookie from the session. (Or atleast that's how I understood it).
Question is how do I handle authentication when calling the webservice outside the solution, for example from an android app or an outside web page etc?
The calling user should be authenticated, so that only user-relevant data can be accessed.
I am trying to do something like this:
I have a MVC4 Web App and a Web-API service (hosted on two separate roles in azure)
Another role runs CustomSTS1.
The MVC Web App trusts the CustomSTS1
Now the customer logs into the site he is redirected to the STS login page.
Once logged in, he is redirected back to the MVC Web Site.
From this web site, the customer performs actions, which in turn invoke the web-API Service.
I have the SAML token in the web app, which I pass to the WebAPI service.
Now when I try to validate the SAML token at the Web API side, I get a
Message=ID1032: At least one 'audienceUri' must be specified in the SamlSecurityTokenRequirement when the AudienceUriMode is set to 'Always' or 'BearerKeyOnly'. Either add the valid URI values to the AudienceUris property of SamlSecurityTokenRequirement, or turn off checking by specifying an AudienceUriMode of 'Never' on the SamlSecurityTokenRequirement.
This is without the Web API service trusting the CustomSTS1
Once I setup the trust,
I am always given a HTTP 401: UNAUTHORIZED, whenever I try to make a HTTP Get request to the WEB API Service.
Now, My Question is, (I know that my current approach is definitely wrong)
How do I setup the Trust relationship with the CustomSTS1, such that the WebAPI service is able to do an ActAS on behalf of the user logged into the MVC site?
OR
Is this architecture wrong?
And is there another way to achieve this?
That approach is wrong conceptually. The MVC application should negotiate a new token for the Web API in the STS using ActAs. That's how it traditionally works for SOAP Services. However, Web APIs are moving away from SAML as it is a complex format that relies on different WS-* specs. OAuth 2.0 is becoming the standard in that area if you want to support SSO at that level.
Another approach is to establish an implicit trust between the MVC app and the Web API, so all the calls to the Web API from the MVC app are done through a more standard Http auth mechanism like Basic Auth using an specific set of credentials that only the MVC app knows. The info about the logged user in the MVC app is passed as additional information.
Regards,
Pablo.
I've got 3 different clients accessing my ASP.Net service layer. I'm in the process of moving the Silverlight client to RIA services and I'd like to consolidate my authentication code if possible. I use a custom table in my database to store user credentials and profile information.
Can an ASP.Net Membership Provider be used for RIA, MVC and Web Service applications? Or is there an easier way?
WCF: http://msdn.microsoft.com/en-us/library/ms731049.aspx
RIA: http://msdn.microsoft.com/en-us/library/ee707353(v=vs.91).aspx
ASP.Net MVC: http://www.asp.net/mvc/tutorials/authenticating-users-with-forms-authentication-cs
I got myself tied up in knots a bit trying to use the same auth mechanism for RIA and a WCF REST & SOAP endpoints; RIA is a WCF endpoint at the end of the day. However consuming a RIA service is more comparable to using an MVC app; call a login service after which the browser or Silverlight app automatically attach a cookie to all subsequent requests which will be authorised by the ASP.Net membership provider.
Conversely clients of the WCF SOAP and REST services there are better ways to authorise requests rather than force them to call a login service, extract the cookie and attach it to all future requests. The above link for WCF actually describes a mechanism where the username and password are set for every request. In practice a lot of public web API's require a single header with a secret key to be set.
My conclusion is that I'll use the same membership provider for ASP.Net MVC and RIA but a different mechanism for SOAP and REST WCF services.
My website uses Forms authentication. I did silverlight 3 module which is designed to work in context of asp - authenticated user. Silverlight module talks with WCF hosted by the same asp.net website, but the issue is that it cannot authenticate to WCF service.
I run Fiddler and I see that .ASPXAUTH cookie is not sent to WCF service.
How to force Silverlight to get this cookie from browser and send it to service?
Finally I solved it.
The problem of missing cookie was made by inproper host name.
I was sending asp.net requests to myhostname, but SL was calling WCF using myhostname.mylocaldomainnam.local. This is why there was no .aspauth cookie during WCF calls.
I've used it successfully. First, I make sure that there are is a service endpoint for the WCF AuthorizationService used by ASP.NET. Then use the Silverlight project to generate a "Service Reference" to the AuthorizationService. Finally, in your module, you will use that service reference to login your visitor using their credentials stored within your provider. If you have some more information on how you've built your site, I might be able to offer a more concise answer to your problem.
I have a web app protected by ASP.NET Forms Authentication. The site uses jQuery's $.ajax() functionality to call a web service in the same app.
Browsing to the web service .asmx does cause forms authentication to kick in and I once authenticated and make a $.ajax() call to the server I also see the ASP.NET session cookie and forms auth cookie being posted back to the server in Fiddler.
So...although all appears to be well, I'd like to put my mind at rest that indeed the web service will be protected by ASP.NET forms authentication when called from any of the pages in the web app using $.ajax().
From the server's perspective, an ajax request is not very different from normal GET/POST request - just some extra headers added on in the request. It passes through your normal authentication routine, the same as any other request - if that was not the case, you should be much more worried about the overall security of your application as requests can be forged very easily by people who know what they are doing.
You can easily setup a test to see if a resource requiring authentication successfully blocks out unauthorized requests arriving by Ajax. That should put your mind at ease.
As long as your checking on the server that the user is authenticated then yes you should be protected. I am using $ajax to call both PageMethods and to call an ASP.Net WCF service, and things look good.
It'll be protected, but watch out for what happens when your auth expires and the forms auth redirects back to the login url with a 302 FOUND response.