Custom Authorization with Windows Authentication - windows

I have a Web API developed on .NET with Windows Authentication enabled. I have also added some custom authorization code that checks for the systemid/userid in the database.
Here I am trying to check whether the user details are in the DB; that part works fine. If the details are not in the DB, the authentication pop-up keeps popping up even when the correct Windows credentials are entered. How do I handle that pop-up when the user is not in the DB, instead of the window popping up continuously?
I added a custom authorization class and put the attribute over the controller.
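The loop described above happens because a 401 returned by the API is treated by IIS as a Windows Authentication challenge: IIS appends the Negotiate/NTLM WWW-Authenticate header and the browser asks for credentials again, even though the credentials it already sent were valid. The distinction a custom authorization filter needs to make is between "not authenticated" (let the 401 challenge proceed) and "authenticated but not provisioned in the database" (return 403, which carries no challenge). The following is an added example for ASP.NET Web API 2, not the asker's code; the IUserRepository interface and the static Repository property are hypothetical stand-ins for whatever DAL and DI setup the project uses.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical lookup against the application's user table (assumption,
// not part of the original question).
public interface IUserRepository
{
    bool Exists(string windowsAccountName);
}

public class DbUserAuthorizeAttribute : AuthorizeAttribute
{
    // Hypothetical resolver; wire this up through your DI container.
    public static IUserRepository Repository { get; set; }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            // Windows Authentication has not completed yet. Returning false
            // lets the base class issue 401 so IIS and the browser negotiate.
            return false;
        }

        // With Windows Authentication, Identity.Name is DOMAIN\user.
        return Repository.Exists(principal.Identity.Name);
    }

    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        var identity = actionContext.RequestContext.Principal?.Identity;
        if (identity != null && identity.IsAuthenticated)
        {
            // Valid Windows credentials, but the account is not registered in
            // the DB. 403 carries no WWW-Authenticate header, so the browser
            // does not re-prompt; the client sees a definitive denial instead.
            actionContext.Response = actionContext.Request.CreateResponse(
                HttpStatusCode.Forbidden,
                "Windows account is not registered in the application.");
            return;
        }

        // No authenticated identity at all: fall back to the normal 401 challenge.
        base.HandleUnauthorizedRequest(actionContext);
    }
}

[DbUserAuthorize]
public class ValuesController : ApiController
{
    public IHttpActionResult Get()
    {
        return Ok(new { user = User.Identity.Name });
    }
}
```

Logging the 403 case server side (who authenticated but was not provisioned) is also worthwhile: a sudden run of such denials for a valid domain account usually means a provisioning gap rather than an attack, but the record lets you tell the two apart.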

Related

Refreshing id token using 'prompt=none' does not support redirect URL with custom scheme in Azure

We are creating a Xamarin Forms app, only Android for now, which connects to a web API also created by us (ASP.NET Core). I have managed to get OpenID Connect authentication working by:
Using Azure as the identity provider.
Using Android custom tabs to show Microsoft's login page.
Detecting when the custom tab is redirected to our redirect URL.
Getting the id token and using it as the bearer token sent to our web API.
Using JwtBearer authentication in the web API.
The problem appears when the id token expires. We want to get a new one without asking the user any questions.
To do that, we repeat the authentication process by adding the prompt=none, id_token_hint=THE_TOKEN and login_hint=THE_USER parameters to the authentication request, as defined in the OpenID Connect specification and supported by Azure.
During that request, we have an issue with the redirect URL:
If the redirect URL has a custom scheme (like myapp://...) Azure responds with an interaction_required error.
If the redirect URL has an HTTPS scheme, then Azure responds successfully (including the necessary parameters to continue the process), but I am not able to detect the redirect URL in the Android custom tab. So my app gets stuck in the custom tab trying to load my invalid redirect URL.
The explanation for #2 is that HTTPS URLs are handled by the browser (Chrome in this case), so it does not trigger any action that I can detect from my app. This seems reasonable.
I also tried to detect custom tab navigation events from Xamarin, trying to detect the event "manually", but failed. Such events are never triggered.
Now, as for #1, I do not have any reasonable explanation. So my question is:
Is there any way to make Azure accept a redirect URL with a custom scheme when trying to refresh an id token by using the standard prompt=none OpenId Connect parameter?

Windows custom Credential Provider

I am working on a custom credential provider which authenticates the user based on the response from a server. If the server or a third party responds with a yes, the CP should allow the user to log in without any further authentication, but I couldn't find a way to avoid the user authentication. Can we skip the authentication and allow the user to log in based on the response from another server?
I am trying it on Windows 10, developing in VC++.
Thanks, Shan.

Web API (under IIS) Windows Authentication with Bearer Token

It's so strange that this simple solution is not yet implemented, or is it that I can't Google it ;p) (I've been trying for the last 5 days).
My requirements:
Call from the Angular app (withCredentials = true) on a URL to see if it is a Windows user (challenge NTLM). (I may configure this based on what URL the user is accessing.) If it's a valid Windows user and I find them in the DB, I return the Bearer Token.
If the above call returns Unauthorised (401), I show a login form to the user in my AngularJS (1.6) client. The user provides a non-Windows username and password, and when the user clicks Login, the Angular service goes to another URL (for getting a Bearer Token; standard OWIN stuff).
** In either case above, I store the Bearer Token in my client for any further API interaction.
I'm not using ASP.NET Identity, but I have my own DAL to verify the user from the DB.
I'm going to have my own custom Authorise (inherited) attribute (which will check for the Bearer Token only).
I don't want users to enter their Windows login on my form and to authenticate them against Active Directory.
I don't want Windows users to click on any separate button to log in. (They should just log in seamlessly, with a prompt from the browser asking them for their Windows login.)
I've seen hundreds of posts, but nowhere could I see exactly what I need. Either the mixed authentication needs to be cookie based or a separate MVC implementation. (Lots of confusion)
Already referred:
https://techblog.dorogin.com/mixed-windows-forms-authentication-for-ajax-single-page-application-e4aaaac0424a
https://github.com/MohammadYounes/OWIN-MixedAuth
Don't know if this may help (but again with cookies): https://github.com/pysco68/Pysco68.Owin.Authentication.Ntlm
Can someone please help?
I may have to give up on this by tomorrow evening :-(

Joomla user authorization with external SSO

I am trying to integrate a Joomla website with an internal Single Sign-on System. The SSO user authentication & authorization system was home-grown and handles all of our user access.
I have an SSO website that I would like to send all Joomla users to; once they are authenticated they will be rerouted back to the Joomla website and logged in.
What I need to be able to do is set a session variable and check this session id against our authentication server to see if the user session is still valid, essentially augmenting the Joomla session / authorization check. If the session is invalid, I would redirect the user to the SSO login page.
Is there a core Joomla event that I can attach to that would allow me to perform authorization as well?
This is a high-level overview of where you can hook in.
There are two events which you can use to trigger and to intercept the authentication process.
As a system plugin, using onAfterInitialise() you can trigger an authentication request very early in the execution cycle:
// Get the application object.
$app = JFactory::getApplication();
// $credentials is an array with 'username' and 'password' keys (fill it from
// whatever your SSO system returns); $options may carry extra flags such as 'remember'.
$result = $app->login($credentials, $options);
Basically, when the user loads a page and does not already have a session / is a guest (JFactory::getUser()->guest === 1), you can try to authenticate the user based on whatever you like.
The request triggered earlier can be intercepted with an authentication plugin implementing the method onUserAuthenticate(). Inside this method you can actually make a request to the external system by whatever means you like (see the existing authentication plugins).
You need an authentication bridge.
JFusion should allow you to do what you want. As well as integrating with various existing systems it allows for a custom authentication bridge.
http://extensions.joomla.org/extensions/access-a-security/site-access/authentication-bridges/3723

How to get rid of Siteminder authentication in IBM WAS 8.0 and implement custom authentication?

I have a web application which is configured to use SSO (Siteminder authentication). Now we have developed our own custom authentication code and want it to be used instead of Siteminder. The application is being deployed on a WAS 8.0 server which by default uses Siteminder. So even after we changed our code to perform custom authentication, I don't know why, when it is deployed to the server, it automatically redirects us to the SSO login instead of our custom login page.
On my local machine, the same code picks up the newly developed custom authentication and we've tested it successfully. But when this code is deployed on the actual DEV server, it ignores our custom login module and goes to the Siteminder login page. Do I have to set something on the server side to disable SSO? If so, can anyone tell me how to disable Siteminder on the server for my application?
You need to disable the TAI (Trust Association Interceptor) for Siteminder. You can either disable TAI completely or just the Siteminder interceptor. In the Admin Console go to Security > Global Security > Web and SIP Security > Trust Association to make the necessary changes.
HTH
Dan