I'd like to use WePay.com for authentication and authorization using OAuth 2.0 and ASP.NET MVC 4 Web API.
I was reading through their tutorials online here and was thinking do I just go through these steps and store the access token in the database along with their user_id from WePay.
Should I use FormsAuthentication.SetAuthCookie() to create the
secure cookie?
Is this secure?
Or do I authenticate users be some other means (Facebook, Twitter, Basic, etc)?
You could actually use WePay as your Auth mechnaism. Make sure you checkout the C# SDK here: https://github.com/bradoyler/WePayASPNet
Yes, you would just have to call FormsAuthentication.SetAuthCookie('wepayusers email or auth token') after the wepay login callback.
Good luck.
Related
Hello all and thanks first,
I have a project that has .NET Core 2 API and Angular 8 Client application. I have implemented token based authentication between app and the api (without using IdentityUser or IdentityRole).
Now, I have to do authentication over SSO. I have a saml2 identity provider metadata and configured my api using this metadata using Sustainsys.Saml2.AspNetCore2 package.
Now I can create my own metadata and registered this metadata to IdentityProvider. Everything seems okay
up to this point but when I try to login from IdentityProvider login page there is no change on my api.
Crazy questions in my mind
In Identity Provider's metadata there are only SSO and SLO redirect urls. There is no other method for authnrequests.(HTTP POST etc.) How will I login this Idp?
Idp has its own login page. If I will be have to redirect user to this login page, will I get any authentication token or cookie. Will my API be recognized about this login?
There should be an authentication data in any case(token, cooke, sessionid etc.). Where will I get this data to set Authorization header while sending requests to my API?
I have been trying for a while but my last attempt also does not work.
Can anybody help please?
Thanks a lot.
You need to redirect to the identity provider, and it will then redirect back to your service provider api, from which you can set whatever security mechanisms you are using, and then redirect again to your local front-end (wherever you need to send your user).
Here are some resources I found helpful:
1) https://learn.microsoft.com/en-us/aspnet/core/security/authentication/?view=aspnetcore-3.1 (how authentication schemes work in .Net Core)
2) ASP.Net Core SAML authentication
1. https://github.com/Sustainsys/Saml2 (SAML 2.0 authentication package)
2. https://stubidp.sustainsys.com/ (Free IdP – can be used instead of local implementation, if desired. A local implementation would require deployment of the “Sustainsys.Saml2.StubIdp” project).
3) Sustainsys SAML2 Sample for ASP.NET Core WebAPI without Identity
4) https://github.com/hmacat/Saml2WebAPIAndAngularSpaExample (super useful sample implementation)
5) Not able to SignOut using Saml2 from Sustainsys (help in getting the logout to work with https://stubidp.sustainsys.com)
6) https://www.nuget.org/packages/Sustainsys.Saml2.AspNetCore2/
I want custom firebase authentication where a user manages the roles of subordinate users. I need guidance on understanding on how to implement my own backend authentication system. Everywhere the documentation keeps mentioning that 'send the username and password to your backend that will generate a custom token'. What is this backend? where do I pursue this? My knowledge domain is firebase, firebase functions, angular 2/4, ionic2 for this discussion... thanks
To use custom authentication, you need to create a JSON Web Token (JWT) on your existing backend server, after you have used your existing backend server to validate the username and password of the user (or however else your backend server validates your users).
To create that JWT, use the configuration described at https://firebase.google.com/docs/auth/admin/create-custom-tokens?authuser=0#create_custom_tokens_using_a_third-party_jwt_library
There is PHP and Ruby code available at that page, for anyone using a language that does not have an SDK available from Google, but which does have a JWT library available.
The JWT is signed with your private key, which you can obtain as indicated at https://firebase.google.com/docs/auth/admin/create-custom-tokens?authuser=0#create_custom_tokens_using_a_third-party_jwt_library
Although that page describes initializing the SDK, this section also has instructions for creating the private key for your service account using the Firebase console at https://console.firebase.google.com/u/0/project/_/settings/serviceaccounts/adminsdk
You will have to send the email password to the firebase sdk in using javascript in web then when the sdk success functions tell that the user has been authenticated the web page will send result to your backend server (can be nodejs or php etc) from there you have to manage your own database to handle all the role base access.
Firebase is basically authenticating the user for you and telling you that you can identify this user using the following userid and then build your own system.
Firebase has access rules but those you have to define first you cannot fully customize them for each user.
For password auth see this:
https://firebase.google.com/docs/auth/web/password-auth
An easy way to do custom auth with Firebase is using an external identity provider. Auth0 is an example of such a provider.
Guide:
https://shusson.info/post/using-firebase-and-auth0-together
code:
https://github.com/shusson/firebase-custom-auth
We are building several websites/products, if a user has an account on one site they will also be allowed access to all other sites.
Let's say we have the following setup:
Clients
site1.com
site2.com
Single Sign On Portal
sso.company.com
APIs
api1.company.com
api2.company.com
The Single Sign On Portal supports multiple OAuth providers, such as Google, Microsoft, Facebook, etc and this is all working great built on top of the default ASP.NET Web Forms template in VS 2015 using OWIN and Idenity.
The SSO site is logging the user in an using a cookie for authentication, which works fine while still on the SSO site. Now we need to return a token that the client site can use to know that the user is authenticated
Now the challange here is how do we exchange the cookie to a token that we can return to the client(s) to use in the Authorization header in request sent to our APIs?
Should we generate a token our selves or is there some built in functionality we can use for this purpose?
I've seen most people generate a token themselves and then multiple accounts can be linked to that same user in your account (i.e. a user could log into both FB and Google). Most of the SSO providers have a way to get an identity token or one time use code for your server to use and get user info like FacebookId. The key is ensuring that identity token came from FB and not a third party.
Auth0 is a pretty good service if you want a managed route. Even if you don't use them, they have a lot of good resources on oauth. (I have no affiliation with them other than that we used them before.) we also have a little more info on auth: https://www.moesif.com/blog/technical/restful-apis/Authorization-on-RESTful-APIs/
I write a webapp with mvc5 and Identity for authentication. It's work fine.
Now I need to authenticate same client (ios app, windows phone app, and android app) with users that are registered. Think to use a specific webapi where user can register, modify, autheticate ours user. So when they are autenticated the use can access other webapi for get data. Is this correct procedure? How I can use Identity into webapi?
Thanks
You want to look into oAuth and JWT tokens. There is already a library built for this which works really well called Thinktecure. When you are authenticating from a mobile app you really want to go the route of stateless authentication and just pass a token with the necessary claims to identify the user. There is plenty of documentation on the site as well as a sample repo (below).
https://github.com/IdentityServer/IdentityServer3.Samples/
We are planning to start developing our new site with ASP.Net, MVC and AngularJS. I will also have a WebApi that i would like to use oAuth authentication with, because it is easy to to pass in token, plus may want to allow users to login with Google, Facebook etc in the future.
Questions
If i want to use oAuth on my WebApi (which is a separate application), what authentication method should i be using for my asp.net MVC website? oAuth? Forms? Both? And how do you implement this? On my API i wrote a simple oAuth provider that asks for a username and password and returns a token string.
Should my WebApi have a single sign on login page to interact with the website? Or should the login page be on the website? Should the login page use client side calls or server side calls?
What is actually within the oAuth token and how does it link to my website? Do I have to do something on the server once they login via Facebook/Google? Can I use this token on my server to determine which user is logged in?
Our website has many databases, all the same, but depending which user is logging in, depends on which database they can view data from. Is this easy to cope with using standard method/objects in ASP.Net MVC? Or is this going to force me in writing my own code?
Any advice would be appreciated as well!
If are you planning to use MVC 5 You could use Asp.Net Identity.
Take a look here: http://www.asp.net/mvc/overview/security/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on
I hope this could help you.
Diego
Your best bet :
This topic shows how to secure a web API using OAuth2 to authenticate
against a membership database for both local and social login
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api