I need a bit of help implementing an OAuth 2 provider for a rest service built on the new ASP.NET Web API. I'm aware there are some similar questions on Stack Overflow but they're more or less links to OAuth libraries. What I'd really like is some sample code or a sample project to get my started. Can anyone point me in the right direction?
I'm looking at DotNotOpenAuth and I believe the 4.0 beta supports OAuth 2 providers. Unfortunately I can't seem to find any code demonstrating how to implement it.
What I need some assistance with is actually getting a 2.0 provider up and running. Once I have that it should be easy enough to integrate it via a HTTP Module or a filter.
I'm interested in 2 legged authentication for API to API communication.
Until DotNetOpenAuth ships a distribution that includes OAuth 2 and the samples together, the best you can do is install the DNOA 4.0 resource server and authorization server roles via NuGet, and then check out the resource server and authorization server samples on GitHub.
But there are currently no samples for the "client secret" grant type, which is the one that best fits your "2 legged" concept for API-to-API communication. In fact the library itself doesn't (yet) support it, but the next NuGet release will and should be available in the next week or so.
Related
I have an Dotnet Core API application which uses IdentityServer4 as IDP. The frontend is built in Angular.
Now, I need to connect to Successfactors of one of my client. I understand SAML is the best federation protocol there.
Please suggest what should be my approach here and relevant tutorials that I can follow. I am not getting good google results.
You need a SAML stack.
Microsoft does not have one. So you need to integrate a third-party product.
There are a number of examples here.
We are planning to receive a SAML assertion from another website into ours (ASP.NET). No one here has ever worked with SAML. We simply need to verify the signed assertion, decrypt the token containing a user id and if we can verify it, log them into our site (authenticate/authorize). We are using Forms Authentication for all other authentication. I would like to avoid installing WIF if possible because my understanding is we'd have to install the runtime on all the developers machines and servers. Our machines are locked down by policy such that it would be a lot of paper work to get it installed. Are there alternatives to WIF and are they realistic to use in an enterprise environment? If so, can someone point me in the right direction, a good tutorial, video, book or anything with examples would be helpful? I looked at some third party components but I'd have the same issue as with WIF on our servers (not to mention dealing with procurement).
Thanks
Is this internal or an external facing application? You may want to checkout PingOne.com Application Provider Services (APS) [Note: I work for Ping]. PingOne handles all the SAML protocol stuff for you and provides self-service capabilities, reporting, etc. No need to install WIF... just a few lines of .NET code (or whatever) to integrate with the RESTful service that PingOne provides.
HTH - Ian
I have been researching for a while now about how to implement an OAuth provider to secure my web api, but without good results.
For what I've seen so far, apparently there are only three libraries to develop an OAuth provider in .net:
1- DotNetOpenAuth
2- DevDefined
3- OAuth.net from madgex
madgex doesn't have any documentation for providers at all, at leats I haven't found anything, same with DevDefined, well, the last one has some documentation, but it lacks samples.
DotnetOpenAuth I think is the one most developers use, but I'm having a hard time to understand its samples, and documentation is terrible.
Has anybody implemented any of these libraries to write an Oauth PROVIDER, NOT CONSUMER, or anyone knows where I can find a decent documentation fro any of these.
For the record im trying to develop a 3-legged oauth provider.
Can anybody help me out here??
Have you checked out this project template, which although it's MVC 2 should provide some useful ideas for doing it in MVC 3:
http://visualstudiogallery.msdn.microsoft.com/81153747-70d7-477b-b85a-0374e7edabef
Then there is the OAuthServiceProvider sample that comes with DotNetOpenAuth, which is WebForms but the principles are mostly the same.
A good sample of DotNetOpenAuth implementation could be found here Releasing an ASP.NET MVC 3 OpenId StarterKit under Open Source License
Project url: http://mvcopenid.codeplex.com/
It should be good for you to start with.
UPDATE
By the way in ASP.NET MVC 4 third party auth providers it is out of the box.
I have followed the steps mentioned at https://github.com/DotNetOpenAuth/DotNetOpenAuth/wiki/Security-scenarios to implement an OAuth 2.0 authorization service.
I have used the below link to create security certificates:
http://www.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development/
Don't forget to change your solution to use the thumbprints from the certificates created by you.
This is the best place to understand the OAuth 2 protocol:
https://www.rfc-editor.org/rfc/rfc6749
We have clients who have RSA securid deployed within their premises and we want to sell our product to them. We need to integrate with their 2 factor authentication setup for authentication into our product.
We have an asp.net (C#) web based application that is exposed to the clients and which needs to support authentication using their own securid setup.
Can someone please help me in getting this support implemented? Pointers to existing documentation are also welcome.
I searched through the queries on this forum and found that most are talking about giving token generation mechanism on your web application itself but I don't think that is the approach that is required for our use case.
have you checked out the web sdk from RSA?
http://www.emc.com/security/rsa-securid/rsa-securid-software-authenticators/web-sdk.htm
I am trying to do some research into potentially setting up an existing Drupal site with user accounts/login page to also be an OAuth service provider, basically authenticating users to make calls with a web service. I am looking for a Drupal module which will give this functionality. Most of what I run into are OAuth consumer modules, which is not what I want in this case.
I've found a few modules which I think might do this for me, but the module descriptions are generally pretty vague and don't have much of a user base which doesn't inspire much confidence.
Has anyone else done this before? What are the best modules available for doing this?
As of now, you should be using "services", version 3.x, and "oauth". You won't want to use any of the other modules. They are not compatible with the latest services and oauth modules.
For OAuth2, there's OAuth2 Server. OAuth is for OAuth1.
The corresponding client for OAuth2 is OAuth2 Client.
After several days of research I was able to find a few modules which help with this. Namely, Services http://drupal.org/project/services and it's accompanying OAuth authentication module http://drupal.org/project/services_oauth.
Both of these have several dependencies as well. Once configured you can authenticate users on third party sites using OAuth. Supposedly, this exposes a whole Drupal API web service, but I am yet to get that to work successfully.