Situation
I am currently working on a project with following goals:
Front End Web Application with Blazor-Server
Database with MS SQL
Rest API as interface between Database and Blazor App
Microsoft Identity Platform for user management etc.
Question
My Question is, where do I put the Microsoft Identity part in here? As I want to use it in the Rest API to authorize users for respective api endpoints and to manage the users within the Blazor Application.
Also the database is designed with Entity Framework's Code-First approach within the Rest API.
My idea was to also put the Microsoft Identity part in the Rest API. Since in the future other services might need to consume this API aswell. But how can I make use of the generated Identity Pages (like login.cshtml etc.) in the Blazor App, when the Identity Implementation is in the API?
Im not really sure how to solve this, any help and recommendations are greatly appreciated.
Related
I currently have an asp.net Web API that uses identity authentication which an angular client then uses to authenticate users using an access token.
I want to have a another separate restful API that deals with the logic, crud operations etc side of things but I want this to have [Authorise] on the controllers to ensure it is secure.
What would be the best way to achieve this? Do I have to install identity on this logic API too?
Any help on this would be really appreciated.
We have our own existing we portal in ASP.NET MVC, now our one of the customer do not want to use our portal as separate tool, instead they want to consume our feature via WEB API and consume it on their side.
Now I want to implement authentication and authorization in web API, I did google to find my question's answer, but didn't get it.
I am confused in below points.
Is it best choice to OWIN the default implementation which Microsoft provide? or some custom implementation?
What are the advantage and disadvantage to use OWIN in terms of security?
When to Use JWT (Json Web token) and OWIN?
Or any other implementation which help to create more secured web API?
Looking for all expert's valuable to input to help me to decide.
I implemented something similar. This is how we work: we have our application (MVC app) which permits us to login. Logging in uses a separate mvc project (our STS) which handles all user authentication. When our login and password is posted correctly, we generate a JWT which is returned to the MVC app. Back on the application side, we decode our token and build up the claims in it in an asp.net application cookie.
We also have a separate project containing our WebApi REST methods. Those can only be called by using the JWT generated by our STS. We elaborated this more with a custom attribute so we can set permissions on specific permission or role claims that are in the token.
For creating all of this, i was helped very much using these series of articles: http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/
In terms of architecture this is in my opinion 'how it should be' but i am not an expert in this.
So summary:
Web Application - application cookie to authenticate/authorize
Calling WebApi Rest methods - using the JWT to authenticate/authorize
Separate STS which takes in POSTS to authenticate and generate JWTs
I am in the process of learning ASP.NET MVC 5 (Visual Studio 2015) and have created a basic MVC web application. When I created the project, I selected "MVC" and "Web API" under "Add folders and core references for:". I also selected "Individual User Accounts" under authentication. I created some models, controllers, and views using EF. Those are working great along with authentication. I also created a "Web API 2 Controller with actions using Entity Framework" to add API capabilities to one of my models. Again this works fine.
Now I am trying to get OAuth working with the Web API but ran into problems when requesting the Token... I don't think the Web Application template comes with that piece. After much reading, I found some recommendations on Stack Overflow that it is usually better to create a separate project for your Web API.
So my questions are:
I will most likely be deploying the Web API on one server and/or subdomain and the Web Application on another. If that is the case, they have to be in separate projects anyways, right?
When having two projects, what is the best way to share common components, like models? In my Web API, should I add a reference to my Web Application and then create the Web API Controller like that or should I copy the code from the model and create a new model in the Web API?
To answer your questions:
Yes, they need to be separate projects if you are going to deploy them seperately.
To handle common items, create a library DLL project and reference that from both the Web API and Web App. It can contain the common components.
Also, if you are using cookies for authentication, you are also going to have to setup CORS to allow the cookie to be shared between two sites with different domains.
I need to authorize my web client asp net mvc app with asp net web api. How to authenticate?
i have a wep api server an have access to database, but my asp net mvc app don't access to the database.
Assuming here Web API does all database related operation, MVC project is for UI purpose which calls Web API through JavaScript or HTTPClient.
Implement Identity Management(Authentication API) using Identity 2.1/ Web API. Use this Identity Management. Implement Token based authentication so that you can use "Authorize" for point 2
Use this Identity management along with Web Api which talks to database. Use appropriate web api methods with "Authorize" attribute.
Let MVC application authenticate users by accessing this newly created Identity Management, on success keep hold of tokens, call web api(database) with token in headers which will look for authorize and gives proper access to web api methods.
Using this approach will give web api(database) strong authentication layer, plus api's will work with different clients MVC, WPF, mobile apps. Some additional efforts are involved but its worth in long term.
Have a look at this, actually it is a big article and it has a lot of things that you might.
To have fast look at the authentication part search for GenericAuthenticationFilter in the article.
The another thing which related to call it from mvc, it is already answered:
How to call an ApiController from another .net project?
I hope this helps.
We're developing an API and a single page application (that is one of more possible future consumers of it).
We already started on the web API, and basically implemented a system very similar to the one John Papa made in his course on pluralsight, named "Building Single Page Apps (SPA) with HTML5, ASP.NET Web API, Knockout and jQuery".
We now need to implement authentication and user managing in this application and need to find the easy way out to implement this in as little time as possible as we are in a hurry.
We realized the SPA template included in the ASP.NET update had very similar features to our needs, but we wonder what the best approach to implement a similar feature in our existing code.
We are novice developers, as you might figure.
Is it possible nstall some packages using the package manager, and voila, a simple membership and OAuth auth option be readily available?
Our use case is that we need to protect some resources on our API based on roles, and that one should be able to log in using a username and password, but also log in using ones facebook, google, or twitter account.
Found an interesting talk regarding the subject here: https://vimeo.com/43603474 named Dominick Baier - Securing ASP.NET Web APIs.
Synopsis: Microsoft’s new framework for writing RESTful web services and web APIs is appropriately enough called ASP.NET Web API. As the name applies, this technology is part of ASP.NET and also inherits its well-known security architecture. But in addition it also supports a number of new extensibility points and a flexible hosting infrastructure outside of IIS. There are a number of ways how to do authentication and authorization in Web API - from Windows to usernames and passwords up to token based authentication and everything in between. This talk explores the various options, and puts special focus on technologies like claims, SAML, OAuth2, Simple Web Tokens and delegation.
We eventually went with the SPA template, doing authentication on the API (separate MVC part).
Then the API would generate a unique token and redirect the user to the front-end with the token in url parameters.
The front-end then needs to send this token on every subsequent request.
Have a look here - Identity Server done by the security experts. This is all you need in one package.
In terms of OAuth, you would need to use Client-Side Web Application flow which the access token is issue immediately to the client and can be used.