I have just developed a PERN stack SPA where the app and the server are both hosted on Heroku. The SPA uses Azure authentication (MSAL). Everything works well and user on authentication is redirected to our SPA hosted on Heroku.
Now the API which is built is still not secure. Anyone having the endpoints can access and manipulate data in our database. Can anyone guide me, with the current structure, on how I can authorize my server APIs hosted on Heroku with Azure AD credentials?
Example : https://my-first-app.herokuapp.com/getusers
The example API above can be used by anyone to get results. How can I prevent this and only allow users logged in to my SPA to use the APIs?
To protect your Node API you can use:
express-jwt
passport
For the SPA keep using MSAL to get access tokens for your API/resource.
I have an old web app that uses Forms Authentication that we've converted to support SAML using Shibboleth. This part is complete and works fine. The app redirects to login.microsoftonline.com, allows a login against the customer's AD (hburg.kyschools.us), and redirects back to the app which now allows the authenticated user in.
The web app also has some ASP.NET Web API controllers that we'd like to authenticate the same way. This also seems to work when the controllers are accessed from a browser that has already logged in. So far, so good.
Now we want to access these Web API controllers from a WPF app. The WPF app has been accessing them for years but just using Basic Authentication. Looking for an example, I found this project on github that shows how to use MSAL:
https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2
This project will acquire a token via MSAL and then use it with HttpClient to call a web service. I can run this project and use it to log in to the same AD as above (hburg.kyschools.us). And then it can use HttpClient to access MS Graph.
Now, when instead I try to have the project call into my Web API controller using HttpClient, passing in the same token I received back from the hburg.kyschools.us AD, I get back the Log In page at login.microsoftonline.com, as if I haven't authenticated.
Can I use MSAL to get a token this way that can be used to access my web api via HttpClient from WPF? It seems like I'd need to tell MSAL that I want the token to include authorization for the web app. Is that done somehow in the scopes parameter?
I am trying to develop a VueJS SPA app with WebApi 2 as backend and would like to implement OWIN authentication.
The front end app should be accessible to intranet users (Windows authentication) and based on the roles (already existing table that is stored in the database- which I would like to add to claims), the corresponding pages should be accessible to user.
Most of the examples use Forms Authentication, which returns tokens, which is not helpful in my situation.
Follow the link http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/ for token based authentication.
I want my users to be able to access my Laravel application from their mobile app (Android/iOS).
The application has authentication. As Laravel requires CSRF in forms, I decided to use a REST API. After searching I've found Laravel Passport and JWT-auth. (I don't need to use anything like OAuth or Socialite.)
As I dig into JWT-auth, I found that anyone having the "token" can access user accounts, which is very risky.
What should I do? Is there any way I can request a CSRF token from the server from the mobile application and send it to the server while requesting authentication? (My input fields are static in the mobile app.)
We want to implement SSO in our multiple applications,
e.g. abc.domain.com/app1 and abc.domain.com/app2.
We have configured ADFS on our server. We have used WS-Federation authentication. Both our apps are aware of claims-based authentication.
Scenario we want to achieve:
1. Log in on app abc.domain.com/app1 using ADFS WS-Federation authentication.
2. We have successfully authenticated in this domain.
3. Now make a request to abc.domain.com/app2. It should log in automatically in this app.
Actioned:
Both app URLs are added to the relying party trust in ADFS.
We have added the Endpoint URL of the 1st app, abc.domain.com/app1.
Both apps refer to the same ADFS metadata URL.
We have achieved this in our local environment. In the local system these two different apps are running on different ports:
1. localhost:44313
2. localhost:44330
When we successfully log in on localhost:44313 and make a request to localhost:44330, the user is also authenticated for this app and displayed as logged in.
This scenario is not working for the live environment. Our live URL structure is the same as mentioned above (abc.domain.com/app1, abc.domain.com/app2) but it's not working there.
Any help would be appreciated!
What errors do you see in the event log?
If you have two different apps, you need two different RP on ADFS.
Also you need to run both on https.
Do you have https on your live environment?
I am working through a process of validating the JWT after OKTA login. I have a sample SPA site that handles user login and calling an API.
SPA SITE
User logs into OKTA
Obtains a JWT
Passes JWT to a .NET Web API (hosted on my own server not at OKTA).
WEB API: This accepts the JWT and needs to validate it.
Per OKTA I need to verify the JWT through an Authorization Server. I set up the Authorization Server but I cannot see where the two features (shown on the images) are located on the SPA API or the Auth Server. This includes a URL that is required that follows the format xxxx.okta.com/AS/{key}.
Is there something that has to be enabled that is not enabled in my OKTA Account? I think so but what is it? OKTA support states that everything is enabled and confirmed this is a good code sample (GitHub) to use.
The Image Below should appear after setting up the SPA App. I cannot find this feature under the SPA or under the Auth Server. It does not seem to exist anywhere on OKTA. This is why it seems something is not enabled on my Dev account, or this documentation is outdated?
SPA Code Sample (includes the images below from the PDF) https://github.com/oktadeveloper/okta-oauth-spa-authjs-osw
I see that under the Security menu item -> API.
Also, when I had my app OpenID Connect enabled, I used the well-known endpoint
GET /.well-known/openid-configuration to get "jwks_uri", and I used this URL to self-verify the JWT token at the API level.
OKTA confirmed the code sample and documentation are out of date. They have no ETA for any updated samples and could not provide any documentation to help. This was via a response on a support ticket. Well, alright then, time to look at Azure.