Microsoft is deprecating Basic Auth for Exchange Server logins. I have the following Java code for Basic Auth:
ExchangeCredentials credentials = new WebCredentials(userID, ConfigurationUtil.getPassword());
service = new ExchangeService();
service.setCredentials(credentials);
What's the easiest way to go from Basic Auth (above) to an alternative? Ideally I'd like to avoid doing something complicated, like standing up an Okta Authorization server to handle credentialing.
Related
I'm new to IdentityServer. I have followed the IdentityServer4 tutorial here
But this tutorial only shows how to secure a .net core API. I cannot find any tutorials using IdentityServer4 which also shows how to secure a .net 4.# WebAPI. I have found a post on StackOverflow here which suggests to use Microsoft Katana JWT middleware, but I have no idea how this would be implemented as I'm new to this.
Can anyone point me to a tutorial (or combination if needed) which will point me in the right direction. Thanks in advance.
UPDATE:
I am attempting to use IdentityServer3 for the API and IdentityServer4 for the Authorisation server.
I have created an IdentityServer4 authorisation server, this seems to be working fine.
I have created a WebAPI (using full .Net framework - in this case 4.7.1). I have followed the instructions on how to incorporate IdentityServer into the API from the IdentityServer3 documentation. So as expected, I now get a 401 Unauthoriased Access, when I try to navigate directly to the controller via a browser, so this is secure.
I have created a console client. I have configured this to point at the IdentityServer4 Auth Server and now get an access token back.
Only now when I SetBearerToken with this access token on the client, I still get a 401 Unauthorised. I have used both http and https for the authorisation server... I'm now scratching my head again!
Here is the complete example. As described in the brief guide you found yourself,
all you need (after adding all the necessary packages) is to add the following to you Startup.cs:
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "https://identity.identityserver.io",
RequiredScopes = new[] { "api1", "api2" }
});
Turned out that when used with ValidationMode = ValidationMode.ValidationEndpoint option, IdentityServerBearerTokenAuthentication from Identityserver 3 is not compatible with Identityserver 4. Switching to ValidationMode.Local solves the situation.
I have a need to authenticate against Azure Active Directory from a .net Web API. I read Vittorio Bertucci's article: Using ADAL .NET to Authenticate Users via Username/Password, and was wondering if there's any way of getting around the limitation of not being able to do this from a website/confidential client. He describes this as an AAD setting. Is it one that can be turned off?
Any assistance with this would be much appreciated!
This is not common scenario to use the Resource Owner Password Credentials in a web app. The recommend way is that using the Client Credential flow as Shawn Tabrizi suggested.
If you do want to use the Resource Owner Password Credentials flow, you can construct the request yourself as below:
POST: https://login.microsoftonline.com/xxxxx.onmicrosoft.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
resource={resource}&client_id={clientId}&grant_type=password&username={userName}&password={password}&scope=openid&client_secret={clientSecret}
The Client Credential Flow (App Only Flow) should enable your confidential client to be able to authenticate to a downstream resource without a logged in user. This type of authentication is pure Service to Service Authentication, and will require only a secret for the client app to be presented either in the form of an App Key (symmetric key) or a Certificate Credential (asymmetric key).
However, all forms of access to an AAD Resource will require some form of initial interactive login. In the case of App Only Flows, you will need an Admin to perform an interactive login experience with the Client application, which will then allow subsequent user-less flows.
Check out these sample and let me know if it addresses your question!
https://github.com/azure-samples?utf8=%E2%9C%93&query=daemon
I hope this helps!
I currently have a distributed system containing an OpenID Connect server (IdentityServer3) acting as SSO server. The clients using the SSO server are AngularJS SPA:s with WebAPI v2 backends.
I got the basic login flow working, but I need some help with configuring the WebAPI/OWIN pipeline to allow transformation of the received token claims, ie. removing unnessecary claims and adding local claims. I'm assuming I need to create a local JWT instead of using the JWT received from the SSO server.
The question is, what is the best way of doing this? Are there OWIN middlewares that can help with this, or do I need to "manually" generate a new locally signed JWT from the claims received from the SSO server?
Current implementation details:
The AngularJS SPA authenticates against the SSO server using
authorization code flow and receives the authorization code.
The SPA posts the authorization code to the WebAPI.
WebAPI receives the authorization code and requests an AccessToken/JWT from the SSO server using the OAuth2Client class (part of Thinktecture.IdentityModel.Clients). This AccessToken is returned to the SPA to use in any further requests done to the WebAPI.
So my question mostly relates to step 3. How do I best change my current flow to generate a token also containing the local claims?
Also, what kind of authentication middleware should be used with your proposed solution (JwtBearerAuthentication, OpenIdConnectAuthentication or OAuthBearerAuthentication)?
Apoligizes for my probably confused terminology usage, I'm a beginner regarding OAuth and especially the OWIN pipeline. :)
Your WebApi should use BearerTokenAuthentication.
To get access token (access_token) and claims (id_token) in single call you need to set response type as ResponseType="token id_token"
You can checkout various ready to run sample at IdentityServer3 Samples. Specifically checkout implicit flow sample.
Ok, the situation is this.
We already have an existing ASP.NET MVC 5 site with Custom Forms Authentication, Logon, Registration etc with a custom database for roles and profiles already implemented.
We now are adding some new functionality to the MVC site and we decided to use Web Api 2 OData 3 endpoint which lives in another domain. The Web Api currently doesn't include any authentication but we need to be able to map the requests to a certain user to get his roles etc from the backend. The MVC and API sites use the same backend.
What we would like to accomplish is, that when the user logs on in the MVC site, the MVC site calls the Web Api server-to-server with the user's credentials and receives a token that the client can then use to call the web service with.
When API receives a request with the token, it can then map the request with the user in backend and do authorization.
As far as I understand it, Simple Web Token (SWT) could pull it through. But considering the environment, .NET 4.5.1 / Web Api 2 / OData 3 with Entity Framework in Azure Web Role, I started thinking is this SWT something I should really use or if there is any NEW technologies recently published that could easily pull this through. I don't want to add any unnecessary 3rd party dependencies to the project if the .NET stack already contains something like it.
So, what would be the simplest way of pulling this kind of authentication through without adding unnecessary dependencier to the project.
The solution we are looking for, is only temporary meanwhile we redesign our authentication scheme. So we are looking for something really simple to implement that works with least dependencies that need to be removed later on.
I'm using this in a project I'm currently working on. I use the OAuth 2.0 OWIN Middleware component that ships with Web API 2.0 (if you add a new Web API project with Authentication enabled, it includes the base infrastructure).
You would use the Resource Owner Password Flow as defined in the OAuth 2.0 specification. Basically you request a Token from the Web API OWIN Middleware sending:
client_id - identifies your MVC endpoint
client_secret - identifier your MVC endpoint
username
password
And in response you get a bearer token. The token generating is based upon a claims principal, the OAuth middleware component has predefined hooks for adding claims. This token now needs to be added as authorisation header to each response. On the MVC side you might add this to session so that it's always available to make backend API calls in the context of the user associated with an incoming HTTP request. If you're using WCF Data Services Client, you'll need an authorisation service/manager or similar that you can hook into OnRequestSending and OnResponseReceived events, so that you can insert that bearer token into the HTTP headers.
You can customise the OAuth Middleware component as you need to quite easily, it took a bit of time to figure it out as it's not too well documented, but downloading the Katana source code did help a bit as the source code does have some good documentation.
The nice thing about it all is that you simply need to enable HostAuthenticationFilter and add Authorize attributes on the Web API side and it's ready to go. You can get access to the claims principal object and use claims as identifying pieces of information for your user - e.g. identity, roles, other attributes etc.
To get started, look at http://www.asp.net/vnext/overview/authentication/individual-accounts-in-aspnet-web-api
Also as a wrap, I did consider the use of JSON Web Tokens (JWTs) as there is an OWIN library available for generating and parsing these. The use case here would be that you authenticate, get a JWT back, and then use the JWT to get an OAuth 2.0 bearer token. The JWT is useful if you want to move authentication elsewhere, or if you want to get additional information about the user at the MVC side of things.
Hello I am building an ASP.Net WebApi. First I authorized the WebApi using basic authentication .net membership provider and the Thinktecture Identitymodel.
var authConfig = new AuthenticationConfiguration();
authConfig.AddBasicAuthentication((username, password) => Membership.ValidateUser(username, password));
config.MessageHandlers.Add(new AuthenticationHandler(authConfig));
I guess it couldn't be made any easier.
To take it a step further i've set up the Thinktecture IdentityServer which provides me with oauth2 tokens. My question is how do i validate the access tokens the client sends me (the WebApi) with the identity server?
I've been looking into the AddJsonWebToken methods the IdentityModel provides, but I can't really figure out wich uri (endpoint) in the identityserver i should call to validate the token. Probaply I'm just completly lost here and missing the point, any help would be greatly appriciated!
To summarize:
How do I validate the access_tokens i receive in my WebApi and how do I wire that to the [Authorize] attribute?
Simply call AddJsonWebToken in you web api config - and add the issuer name, signing key and realm uri.
There is no need to call idsrv for validation.
Here's a sample:
http://leastprivilege.com/2012/05/26/thinktecture-identitymodel-and-asp-net-web-api/