ASP.Net Mvc 3 webservice repository authentication - asp.net

We are starting with a new application build with Asp.net. It should connect to a webservice which is already available to retrieve data to present to the user. We've created a repository which communicates with the webservice.
The webservice needs authorization with the same user credentials which the user uses to logon to the web application. The user is authorized with Forms Authentication with cookie support.
The problem is that we cannot retrieve the password from the user on new requests when the user is once authorized and automatically logged on. This password is needed to logon to the webservice from the repository classes.
Any ideas on how to implement this the best and safest way?

You can try using Client Application Services to get and set the cookie. Or you can manually get and set the cookie using the sample code on this post. The example shows both methods and is geared specifically to passing a forms authentication cookie from an MVC application to an OData WCF feed:
http://blogs.msdn.com/b/astoriateam/archive/2010/07/21/odata-and-authentication-part-7-forms-authentication.aspx
Also, here is a similar example that is trimmed down in scope:
http://www.codeproject.com/Articles/190806/Send-Cookies-When-Making-WCF-Service-Calls
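As an added illustration of the manual approach the answer mentions (this is not code from either linked article): the repository copies the caller's forms-authentication cookie from the incoming MVC request onto the outgoing service request, so the user's password is never needed. It assumes the service validates the same cookie (same cookie name and shared machineKey) and that the service base URL is injected.

```csharp
// Added example: forward the current user's forms-auth ticket to the web service.
// Assumes the service and the MVC app share the forms cookie name and machineKey.
using System;
using System.Net;
using System.Web;
using System.Web.Security;

public class ServiceRepository
{
    private readonly Uri _serviceBase; // e.g. https://service.example.test/ (assumed)

    public ServiceRepository(Uri serviceBase)
    {
        _serviceBase = serviceBase;
    }

    // Builds a request that carries the caller's auth ticket instead of a password.
    public HttpWebRequest CreateAuthenticatedRequest(string relativePath)
    {
        var request = (HttpWebRequest)WebRequest.Create(new Uri(_serviceBase, relativePath));
        request.CookieContainer = new CookieContainer();

        // The ticket cookie was issued at logon and is re-sent by the browser on every request.
        HttpCookie authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null)
            throw new InvalidOperationException("Caller is not forms-authenticated.");

        // Copy only the auth ticket, not the whole cookie jar (session cookie etc. stay home).
        request.CookieContainer.Add(new Cookie(authCookie.Name, authCookie.Value, "/", _serviceBase.Host)
        {
            HttpOnly = true,
            Secure = _serviceBase.Scheme == Uri.UriSchemeHttps // never send the ticket over plain HTTP
        });
        return request;
    }
}
```

Because the ticket is encrypted and signed with the machineKey, the service can call FormsAuthentication.Decrypt on it (or let ASP.NET compatibility mode do so) and recover the user name without ever seeing a password.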

Related

Can "Blazor (ASP.NET Core hosted)" use windows authentication?

I'm developing a Blazor (ASP.NET Core hosted) project and hosted on IIS.
Back in the day when I used ASP.NET Core 2.2 with razor pages, it could use windows authentication.
However with dotnet core 3.0, only Blazor server-side project template has windows authentication option to choose.
But what about the Blazor (ASP.NET Core hosted) project template? From my understanding, it's just like Blazor client-side + dotnet core MVC backend.
I don't understand why there's no "windows authentication" option for it.
In Blazor WebAssembly apps, user authentication and authorization must be handled by the back end web Api, because all client-side code can be modified by users.
Your ASP.NET Core Api can use the Windows authentication and keep track of the authentication state in a cookie. In Blazor WebAssembly you can implement an AuthenticationStateProvider which calls your web Api to get details about the authentication state of the user.
Then you can use the AuthorizeView component to show or hide content depending on the users log on state.
You can find a clear description in Blazor Prepare for Authorization.
Source code example in https://github.com/Forestbrook/BlazorAuthorizationExample.
There are 2 problems to solve.
For the webassembly, use the solution with the AuthenticationStateProvider to get the user authenticated and do a call to the api (enable windows authentication and disable anonymous login) that returns the windows username and the authorization roles, if you use them for authorization. Load the roles into client side identity as claims and the webassembly is set up for authentication & authorization.
Because all code is run in the webassembly, you should also protect the serverside api controller actions with authorization attributes, except for the call that identifies the user to the wasm.
Enable authentication and authorization on the server api and use the IClaimsTransformation to modify claims for the authenticated user.
When configured correctly, you can use authorization attributes on the controllers too, securing the api.
You can implement StateContainers on both sides to cache user information so you don't have to read the database for the same info on every action. I use a singleton for that, with a retention time of 5 minutes. You may then update the timestamp on every cache read so you effectively call the database only once.
I think this feature will be included in a later version, according to the asp.net core github.
This is a multistep process, the basic outline is as follows. Best guide I have found is from Chrissanity.
On the server get the current Windows User and store it in a cookie using Blazored.LocalStorage nuget package.
Read that cookie in on the client in ApiAuthenticationStateProvider.cs
In a .razor file use [CascadingParameter] private Task<AuthenticationState> authenticationStateTask { get; set; } to read the value into your component.
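The client-side half of the AuthenticationStateProvider approach described in the answers above, as an added example (not code from the linked repository or guide). It assumes the hosted server API is Windows-authenticated with anonymous access disabled and exposes a GET api/user endpoint returning the user name and roles as JSON; both the route and the JSON shape are assumptions.

```csharp
// Added example: Blazor WebAssembly AuthenticationStateProvider that asks the
// Windows-authenticated server API who the caller is and builds client claims.
// "api/user" and the UserInfo shape are assumptions for this example.
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Json;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.Authorization;

public class UserInfo
{
    public string UserName { get; set; }
    public List<string> Roles { get; set; } = new List<string>();
}

public class ApiAuthenticationStateProvider : AuthenticationStateProvider
{
    private readonly HttpClient _http; // same-origin client, so the browser negotiates Windows auth itself

    public ApiAuthenticationStateProvider(HttpClient http) => _http = http;

    public override async Task<AuthenticationState> GetAuthenticationStateAsync()
    {
        // Anonymous identity is the safe default when the call fails or returns nothing.
        var identity = new ClaimsIdentity();
        try
        {
            var info = await _http.GetFromJsonAsync<UserInfo>("api/user");
            if (info != null && !string.IsNullOrEmpty(info.UserName))
            {
                var claims = new List<Claim> { new Claim(ClaimTypes.Name, info.UserName) };
                claims.AddRange(info.Roles.Select(r => new Claim(ClaimTypes.Role, r)));
                // A non-null authenticationType is what makes IsAuthenticated true.
                identity = new ClaimsIdentity(claims, "ServerWindowsAuth");
            }
        }
        catch (HttpRequestException)
        {
            // Transport or 401 errors mean "not signed in"; the server still enforces access.
        }
        return new AuthenticationState(new ClaimsPrincipal(identity));
    }
}
```

These client-side claims only drive what AuthorizeView shows; every server controller except api/user must still carry [Authorize], because the WebAssembly code can be altered by the user.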

Can we integrate keycloak to add security to a asp.net web application?

As part of a project we have integrated keycloak with our .net core application, but we have a legacy system which is an asp.net web application. It has its own login screen; whenever a user logs in it should fetch the username and password and validate them against Keycloak.
The approach we are trying to do is:
1. Fetch all users from Keycloak on a specific realm
2. Parse the JSON and find whether the specific username and password exist in that JSON array.
Is this way of giving authentication correct?
Need some suggestion!!!
Take a look at their basic authentication example...
https://github.com/keycloak/keycloak/tree/master/examples/basic-auth
As stated in the comments, returning JSON with all of the usernames and passwords is NOT secure, hashed/salted or not, it doesn't matter.

Authentication scheme in asp.net framework

I'm making a web service by using Asp.net Framework.
I'm struggling with jwt authentication.
I wonder if there is any AuthenticationHandler in ASP.NET Framework like in ASP.NET Core or not - where I can get the token from the request header, validate it and set it on HttpContext.
I want to authenticate every single request as long as the header is available.
In AuthorizeAttribute, I only get the information from HttpContext.User and validate the availability of the account in my system without parsing the token there.
Finally, my question is: How can I write an AuthenticationHandler to validate every API request?
Thank you,

Authenticate a user in an ASP.NET MVC web application by calling an external ASP.NET Web Api service

I'm planning on making a restful web service using ASP.NET Web Api. A number of ASP.NET MVC web applications and possibly native apps will consume the service. The service will use ASP.NET Identity to authorise requests/users. I can see how I would use the service with native apps by passing a token with each request.
My issue is with any ASP.NET MVC apps that consume the service, how will I mark a user as logged in after making a request to the service?
Here's what I'd like, is it possible?
User isn't logged in, redirected to log in page
User submits form which calls MVC controller in the app
The controller makes a call to the web service
The web service returns the id, name and roles of the user (JSON maybe?)
This is where I'm stuck: The ASP.NET MVC web application then marks the user as logged in for the whole MVC web app. The role will be used in any authorize attributes on any controllers/actions. The ASP.NET MVC web app will also be able to remember the user via a cookie and log them in automatically in the future.
To set the cookie you just need:
FormsAuthentication.SetAuthCookie(USERNAME, true /*rememberMe*/);
This solves your authentication issue. Authorization - determining what a user can and cannot do - is another story. You need to cache the roles a user is in somewhere and check them as needed.
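One way to put the answer into practice, as an added example rather than the answer's own code: the MVC login action calls the Web API, and instead of the one-line SetAuthCookie it writes a forms ticket by hand so the returned roles can be cached inside the encrypted ticket's UserData; a Global.asax hook then rebuilds the principal on every request so [Authorize(Roles = "...")] works without another service call. The api/login route, the LoginResult shape and the base address are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Security.Principal;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Shape of the service's JSON reply (an assumption for this example).
public class LoginResult { public int Id { get; set; } public string Name { get; set; } public string[] Roles { get; set; } }

public class AccountController : Controller
{
    // Base address and the "api/login" route are assumptions; PostAsJsonAsync needs the WebApi.Client package.
    private static readonly HttpClient Api = new HttpClient { BaseAddress = new Uri("https://api.example.test/") };

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(string userName, string password, bool rememberMe)
    {
        var response = await Api.PostAsJsonAsync("api/login", new { userName, password });
        if (!response.IsSuccessStatusCode)
            return View(); // one generic failure message; do not say which part was wrong
        var user = await response.Content.ReadAsAsync<LoginResult>();

        // Roles ride in the encrypted ticket's UserData, so later requests need no service call.
        var ticket = new FormsAuthenticationTicket(1, user.Name, DateTime.Now,
            DateTime.Now.AddMinutes(30), rememberMe, string.Join(",", user.Roles));
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
            { HttpOnly = true, Secure = Request.IsSecureConnection };
        if (rememberMe) cookie.Expires = ticket.Expiration; // persistent cookie enables automatic log-in
        Response.Cookies.Add(cookie);
        return RedirectToAction("Index", "Home");
    }
}

// Global.asax: rebuild the principal with its roles on every request so
// [Authorize(Roles = "admin")] on controllers and actions can be evaluated.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest()
    {
        var identity = HttpContext.Current.User?.Identity as FormsIdentity;
        if (identity == null) return;
        var roles = identity.Ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        HttpContext.Current.User = new GenericPrincipal(identity, roles);
    }
}
```

Roles cached in the ticket are only as fresh as the ticket, so a role change on the service side takes effect at the next login or ticket expiry.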

How to protect a WCF Rest service with username and password?

I'm new in WCF and I want to know how can I protect a WCF Rest service.
I have an asp.net website; only registered users can access it. The application uses a service hosted on the same IIS server. My question is, how can I restrict the use of this service so that only registered users may use it, knowing that the service can be used by many clients (Android, iPhone, ...)? What type of authentication can I use? To test the service I created a winform and I use an HttpWebRequest.
PS: I can't use https.
Thanks
Simplest way is to use asp.net compatibility mode. The WCF service call will result in the same preprocessing used for ASP.NET pages, including checking the ASP.NET auth and session cookies. You will also be able to check HttpContext, including HttpContext.Current.User.Identity.IsAuthenticated. If the user is not authenticated, throw an exception or return an error code. Here is some more information: http://msdn.microsoft.com/en-us/library/aa702682.aspx.
So if you are already using forms auth for your application, and the service should be called after a user has logged in to your application, you are set.
You can also create an authentication service. The service will allow the client to send a username / password, and will use ASP.NET authentication to authenticate the user. It will send back an auth cookie, and then you can check future service calls as above. See http://msdn.microsoft.com/en-us/library/bb386582.aspx.
I believe the authentication service can be called using json. See How to Call .NET AuthenticationService from json client without ASP.NET.
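The compatibility-mode approach from the answer above, as an added example (not code from the linked MSDN pages): the REST service opts into ASP.NET compatibility, lets the ASP.NET pipeline validate the site's forms-auth cookie, and returns a plain 401 to callers that are not logged in. The contract name, route and sample data are constructed for the example; the config element shown in the comment is the real one compatibility mode requires.

```csharp
// Added example: WCF REST service protected by the website's existing forms authentication.
// web.config also needs, under <system.serviceModel>:
//   <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Web;

[ServiceContract]
public interface IOrdersService
{
    [OperationContract]
    [WebGet(UriTemplate = "orders", ResponseFormat = WebMessageFormat.Json)]
    string[] GetOrders();
}

// Required: the service refuses to start unless compatibility mode is on, so the
// auth check below can never be silently skipped by a misconfigured host.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class OrdersService : IOrdersService
{
    public string[] GetOrders()
    {
        // With compatibility mode on, the ASP.NET pipeline has already decrypted and
        // validated the forms-auth cookie and populated HttpContext.Current.User.
        var user = HttpContext.Current?.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // A plain HTTP status is friendlier to Android/iPhone clients than a SOAP-style fault.
            WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
            return new string[0];
        }
        return new[] { "order-1 for " + user.Identity.Name }; // constructed sample data
    }
}
```

Mobile clients log in once against the website (or the authentication service) to obtain the forms cookie and then include it on every REST call, exactly as the browser does.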
