User Credentials in ASP.NET Web API - asp.net

I'm a newbie with ASP.NET Web API and I heard so much about it that, it's the new industry standard and all, I've decided to build a regular hotel management system with it. I created some models and generated controls and created database using code-first migration. It all was tough at the beginning but now I've got hold of the essence. It's Awesome.
Now I'm stuck at the user management level. According to Web API spec there are options to manage access to resources like basic, Forms, integrated Win and OAuth. And also something about 2-legged and 3-legged which I understand are all authentication options which involves another data source or app (may be not the right terms) that will handle the authentication on behalf of the Web API I build.
Since my application is simple (for now), I was thinking is it possible to allow the Web API to include the necessary authentication, for example authenticating (user) and authorizing (role) before giving access to the data, thus seliminating the "LEGGED" dependance but at the same time it is open to allow 2-LEGGED and 3-LEGGED implementation in the future if I wish to.
From what I've seen and read the Web API is not ideal for a system like what I'm developing. Hope I'm wrong coz I find it awesome in terms of a service that can be consumed by other systems.
In my mind the big picture for the system is to allow customersI and third parties to access
hotel information via web and smart phones to check room availability and book rooms
restaurant information ...
hotel events, spa..etc
Please advice, to achieve this, how do I go about implementing authentication and authorization?

Related

Add users for ASP.NET Core from internal website

Sorry no code here because I am looking for a better idea or if I am on the right track?
I have two websites, lets call them A and B.
A is a website exposed to the internet and only users with valid account can access.
B is a internal (intranet) website with (Windows authentication using Active directory). I want Application B (intranet) to create users for Application A.
Application A is using the inbuilt ASP.NET JWT token authentication.
My idea is to expose a Api on the extranet website (A) and let (B) access this API. I can use CORS to make sure only (B) has access to the end point but I am not sure if this is a good enough protection? We will perform security penetrations test from a third party company so this might fail the security test?
Or
I can use entity framework to a update the AspnetUsers table manually. Not idea if this is feasible or the right way or doing things.
Any other solution?
In my opinion, don't expose your internal obligations with external solutions like implementing APIs etc ...
Just share the database to be accessible for B. In this way, the server administration is the only security concern and nobody knows how you work. In addition, It's not important how you implement the user authentication for each one (whether Windows Authentication or JWT) and has an independent infrastructure.
They are multiple solution to this one problem. It then end it really depends on your specific criteria.
You could go with:
B (intranet) website, reaching into the database and creating user as needed.
A (internet) website, having an API exposing the necessary endpoint to create user.
A (internet) website, having data migration running every now and then to insert users.
But they all comes with there ups and downs, I'll try to break them down for you.
API solution
Ups:
Single responsibility, you have only one piece of code touching this database which makes it easier to mitigate side effect
it is "future proof" you could easily have more services using this api.
Downs:
Attack surface increased, the API is on a public so subject to 3rd parties trying to play with it.
Maintain API as the database model changes (one more piece to maintain)
Not the fastest solution to implement.
Database direct access
Ups:
Attack surface minimal.
Very quick to develop
Downs:
Database model has to be maintained twice
migration + deployment have to be coordinated, hard to maintain.
Make the system more error prone.
Migration on release
Ups:
Cheapest to develop
Highest performance on inserts
Downs:
Not flexible
Very slow for user
Many deployment
Manual work (will be costly over time)
In my opinion I suggest you go for the API, secure the API access with OAuth mechanism. It OAuth is too time consuming to put in place. Maybe you can try some easier Auth protocols.

How to communicate b/w web app and ASP.NET Web API with secure token communication

We configured Azure web app infrastructure such way that consist
customer web portal and WebApp API site
Scenario: when a user accessing a customer web portal where all requests communicate from Web API like (GET, POST, DELETE, PUT).
Here actually the problem is Web API portal is publicly available for now (but I don't know about for what extent Web API visible to users publicly still requires or not?).
In our case Customer ----API call should be in internal communication only there no third-party vendors supply.
Is there any methods secure the cus--API.
We tried to secure cus---API azure network restrictions in Web API network settings but that not helps us (we got stuck the complete cus--API communication is blocked)
As I mentioned Web API hide from the internet then we applied Azure AD authentication for Web API.
In this case, we got results were negative
we have no prior knowledge from code level securing and communication token generation
Finally, we looking for suggestions, and suggest me what are security checks to WEB APP-API COMMUNICATING WITH CUSTOMER PORTAL. WHAT ARE SECURITY CHECKS THAT NEED FIGURE OUT?
Another big problem is really WEBAPP-API put publicly if yes then what are the ways to tighten security.
Please share ideas and suggestion it would be greatly helpful to us.
Thank you

Is it possible to enable using Google Cloud Endpoints Portal without granting extra permissions to access GCP projects on client side?

I have successfully deployed a Google Cloud Endpoints Developer Portal for my API running on Endpoints. I would like to provide access to testing to people outside my organisation that are not using GCP in their projects.
Login to the portal works correctly if I enable the Service Consumer role for these people (on per-email basis). However, when they open it for the first time, they are being asked to grant some extra permissions to the portal:
This form can create totally unnecessary security concerns. Does anyone know, why is it needed?
I only would like my clients to be able to test my API using a GUI, before they could start connecting their projects (not necessary on GCP) to mine. This seems to be a valid use case for me, however I might be misunderstanding some basic concepts.
Or should I submit a feature request to Google about a new role that only enables the access to the portal, and nothing else, so no such forms are shown?
Since Endpoints APIs must be explicitly shared with customers, the portal needs to verify that the logged-in user has permission to view that Endpoints API. So the short answer is that these scopes are being requested primarily so the portal can check the user's access to this API.
Longer answer is that we (the Endpoints team) are looking into if it's possible to build narrower OAuth scopes that would correspond to the access checks we perform. We agree that it's unnecessarily broad of an access request and are hoping to improve this in the future. Thanks for your comment!

Is it possible to get my personal info from linkedin api without oauth?

I'm setting up a personal page, and I would like to display my past work experiences and other data I have on linked-in so it is automatically updated when I update my linked-in profile. Is this possible without having to do oauth? I just want my own data.
No.
As the company says on their REST API page:
In order for your applications to access LinkedIn member data and/or act on their behalf, they must be authenticated. LinkedIn relies on the industry standard OAuth 2.0 protocol for granting access, due to its simplicity and ease of implementation.
See also this previous SO question.
This doesn't mean, however, that OAuth can't be handled for you:
As a convenience, if you are developing a front-end JavaScript or
Android application, we provide SDKs to handle the authentication
process for you.
Additionally, there are several 3rd party libraries available in the
open source community that abstract the OAuth 2.0 authentication
process for you in every major programming language.
As for the major languages they support, LinkedIn provides walkthroughs in PHP, Python, and Java on their API Get Started page.

'API First' security best-practices

I'm developing an API for a project I'm involved in. The API will be consumed by an Android app, an iOS app, and a desktop website. Almost all of the API is accessible only to registered users. The API allows authentication via WSSE which is great for the mobile apps, but not so great for the website. However, I'm using Symfony2 to develop the API, and I have configured it to allow access to the API by both WSSE and/or session/cookie authentication (multiple firewalls with common security context, if you're interested).
With an API-first approach like this, I'm concerned about things being abused. Take my signup method for example. I only want it to be used by the apps or the website. However, there's nothing to stop someone writing a simple script to hammer the API with bogus signups. Then there's the concern about CSRF. Because the API is can be accessed by a logged in user, then there's a risk that this can be exploited.
I don't want the API to be public, but I don't know if this is possible given that it will be used by the website. Is there anything I can do remove (or reduce) the risks and the vulnerability exposure?
Kind regards.
For the signup brut force problem you could enable a "rate limit" for your API calls.
This blog post introduces this concept and how to use it in a Symfony2 application thanks to the RateLimitBundle.

Resources