I am currently building an identity server with Duende IdentityServer v6.1. I separated the identity server from my API into two different subdomains. People can register an account with the IdentityServer, but I also want some registration information to be saved to the API-database. So I want IdentityServer to be able to communicate to the API. Is this possible and if so, how?
It is described in the documentation of IdentityServer: https://docs.duendesoftware.com/identityserver/v6/tokens/internal/
Related
I have two web applications that I've worked on in ASP.net Web API for a client. The two applications are hosted on the same domain, but in different virtual directories.
Each application has a data source with information about authorized users. I've been asked to set up a separate app that will allow a user to log in and issue an OAuth bearer token that can be used to access each web application.
I have the Owin stuff set up in one of my two apps with something of a boilerplate setup and it automagically makes the tokens work for me, but that's only within a single web application.
I have a general idea of how the OAuth tokens work: a user is authenticated and they receive a token that contains a user ID, a time stamp, and a cryptographic signature that says that the token came from my client's server and not somewhere else, and the Web API framework automatically checks that token for me when I decorate my API endpoints with the [Authorize] attribute.
I want to know how I can set this up so that the token is issued by one web app and consumed by another. I know that at a minimum, I need to make the two web apps work with the same key pair for the cryptographic signatures.
Can I please get some direction about how to make this happen?
So I'm trying to use Google Sign In and Sign in with Apple in my native mobile app which also communicates with my own backend server. I think I have the grasp of the OAuth2 flow and the concept of ID Tokens behind OpenID Connect. The only doubt I have is if I can/should use the access/refresh token pair to authorize access to my own endpoints? On apple's documentation this isn't clearly stated and on Google's site they mention you CAN use it to access Google APIs, but nowhere have I found you could use it for your own backend server. If not, how should this be approached (generating my own access/refresh token pair after validating the the authorization server's ID Token?)
Note that I only need to authenticate my users via these platforms, I don't want access to other Google APIs (for now).
TL;DR: Can I use Apple's/Google's access/refresh token pair to authorize access to my own backend's endpoints or should I generate my own/do something else?
You can use the tokens provided to you, but often you soon or later will want to customize what they contain and then introducing your own local provider can be a solution. So that your internal services trusts the tokens from your own service an your auth server trusts the tokens from Apple/Google.
The second problem is that your internal systems might need to trust multiple token issuers. In my experience is to internally only trust one token service and not multiple, even if this is not a hard requirement.
I have multitenant setup for our application for example:
1.t1.xyz.com
2.t2.xyz.com
I want both to talk to okta for different IDP setup for both the tenants. Like t1.xyz.com should talk to shibboleth and t2.xyz.com should use ping identity or may be another tenant will use okta as an IDP.
Other solutions that I have seen are using different accounts for each tenant which is not feasible. Can we do it using okta applications for diff tenant. Or if anybody has different solution please respond.
We have to identify the tenant from the url. Based on that, in the application, you can have a redirect to the corresponding IDP [Shibboleth or PingIdentity etc].
However, this approach works fine if all the IDP's are talking using a common protocol like OAuth2. I have did one implementation with OAuth2. I did write a generic oauth middleware that can take care of handling any OAuth2 providers.
However, if your idea is to use the Okta as an IDP that internally handles the various IDP's, you will have to initiate the login request using the group [tenant code / id] so that it can lookup the identity provider and redirect accordingly
We're developing an API and a single page application (that is one of more possible future consumers of it).
We already started on the web API, and basically implemented a system very similar to the one John Papa made in his course on pluralsight, named "Building Single Page Apps (SPA) with HTML5, ASP.NET Web API, Knockout and jQuery".
We now need to implement authentication and user managing in this application and need to find the easy way out to implement this in as little time as possible as we are in a hurry.
We realized the SPA template included in the ASP.NET update had very similar features to our needs, but we wonder what the best approach to implement a similar feature in our existing code.
We are novice developers, as you might figure.
Is it possible nstall some packages using the package manager, and voila, a simple membership and OAuth auth option be readily available?
Our use case is that we need to protect some resources on our API based on roles, and that one should be able to log in using a username and password, but also log in using ones facebook, google, or twitter account.
Found an interesting talk regarding the subject here: https://vimeo.com/43603474 named Dominick Baier - Securing ASP.NET Web APIs.
Synopsis: Microsoft’s new framework for writing RESTful web services and web APIs is appropriately enough called ASP.NET Web API. As the name applies, this technology is part of ASP.NET and also inherits its well-known security architecture. But in addition it also supports a number of new extensibility points and a flexible hosting infrastructure outside of IIS. There are a number of ways how to do authentication and authorization in Web API - from Windows to usernames and passwords up to token based authentication and everything in between. This talk explores the various options, and puts special focus on technologies like claims, SAML, OAuth2, Simple Web Tokens and delegation.
We eventually went with the SPA template, doing authentication on the API (separate MVC part).
Then the API would generate a unique token and redirect the user to the front-end with the token in url parameters.
The front-end then needs to send this token on every subsequent request.
Have a look here - Identity Server done by the security experts. This is all you need in one package.
In terms of OAuth, you would need to use Client-Side Web Application flow which the access token is issue immediately to the client and can be used.
I have a site hosted on a shared hosting, I am building a forum and want users to register through OpenId. The problem is I am not able to connect to OpenId providers like Google and Yahoo, because my server doesnt connect to them!
Is there a way to use client side OpenId validation using ajax (XmlHttp) or anything like that?
No. OpenID relying parties MUST have the capability for outbound HTTP requests. If anyone tells you differently, it's not OpenID and/or it's not secure.