I have created identity server4 implementation which is working fine with. Net core api. I also have a old .net framework api and I want to secure that using identity server4. How to implement that?
You can implement it using IdentityServer's Katana Access Token Validation Middleware named IdentitySever3.AccessTokenValidation on the API.
I have a detailed blog post with sample code for it:
https://nahidfa.com/posts/identityserver4-and-asp-.net-web-api/
Related
I currently have an asp.net Web API that uses identity authentication which an angular client then uses to authenticate users using an access token.
I want to have a another separate restful API that deals with the logic, crud operations etc side of things but I want this to have [Authorise] on the controllers to ensure it is secure.
What would be the best way to achieve this? Do I have to install identity on this logic API too?
Any help on this would be really appreciated.
We have our own existing we portal in ASP.NET MVC, now our one of the customer do not want to use our portal as separate tool, instead they want to consume our feature via WEB API and consume it on their side.
Now I want to implement authentication and authorization in web API, I did google to find my question's answer, but didn't get it.
I am confused in below points.
Is it best choice to OWIN the default implementation which Microsoft provide? or some custom implementation?
What are the advantage and disadvantage to use OWIN in terms of security?
When to Use JWT (Json Web token) and OWIN?
Or any other implementation which help to create more secured web API?
Looking for all expert's valuable to input to help me to decide.
I implemented something similar. This is how we work: we have our application (MVC app) which permits us to login. Logging in uses a separate mvc project (our STS) which handles all user authentication. When our login and password is posted correctly, we generate a JWT which is returned to the MVC app. Back on the application side, we decode our token and build up the claims in it in an asp.net application cookie.
We also have a separate project containing our WebApi REST methods. Those can only be called by using the JWT generated by our STS. We elaborated this more with a custom attribute so we can set permissions on specific permission or role claims that are in the token.
For creating all of this, i was helped very much using these series of articles: http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/
In terms of architecture this is in my opinion 'how it should be' but i am not an expert in this.
So summary:
Web Application - application cookie to authenticate/authorize
Calling WebApi Rest methods - using the JWT to authenticate/authorize
Separate STS which takes in POSTS to authenticate and generate JWTs
I need to authorize my web client asp net mvc app with asp net web api. How to authenticate?
i have a wep api server an have access to database, but my asp net mvc app don't access to the database.
Assuming here Web API does all database related operation, MVC project is for UI purpose which calls Web API through JavaScript or HTTPClient.
Implement Identity Management(Authentication API) using Identity 2.1/ Web API. Use this Identity Management. Implement Token based authentication so that you can use "Authorize" for point 2
Use this Identity management along with Web Api which talks to database. Use appropriate web api methods with "Authorize" attribute.
Let MVC application authenticate users by accessing this newly created Identity Management, on success keep hold of tokens, call web api(database) with token in headers which will look for authorize and gives proper access to web api methods.
Using this approach will give web api(database) strong authentication layer, plus api's will work with different clients MVC, WPF, mobile apps. Some additional efforts are involved but its worth in long term.
Have a look at this, actually it is a big article and it has a lot of things that you might.
To have fast look at the authentication part search for GenericAuthenticationFilter in the article.
The another thing which related to call it from mvc, it is already answered:
How to call an ApiController from another .net project?
I hope this helps.
I have the task to build a new API. The API will mainly be used by tablet applications.
I'm thinking of using the new ASP WebApi.
My biggest concern however is the security part. Because the apps will be build by third-party companies, we do not want that usercredentials will be entered in their application, but redirected to our site (authenticationserver).
I have done some researching and I came accross OAuth 2.0. For working with mobile devices and tablets it's probably the best to work with the 'autohorization code flow' principle -correct me if I'm wrong-.
Am I thinking in the right direction or are their simpler authentication systems to achieve my goal?
Are their any frameworks (.NET) available (or documentation) how to create an Authentication Server and how to use it in the Asp webapi?
Is it easy these days to implement oauth2.0 in an IOS app?
Thanks for any help!
OAuth 2.0 authz code based grant is suitable when client app is a Web application. Will the apps that are going to be built by third party all be Web applications? There are HTTP redirects involved in that flow.
In OAuth 2.0, there is a client, there is a resource server (Web API in your case) and there is an authorization server. There is no such thing as Authentication server. Are you referring to some thing else?
I'd like to support multiple authentication mechanisms such as oAuth and ADFS in my MVC site. Is this possible, and how would I go about using one or the other?
My understanding is that ADFS/WIF will hook into the entire site preventing alternates such as oAuth
FedUtil only allows an application to point to one instance of ADFS. If you use it again to point to another instance, it simply overwrites the old ADFS info. in the web.config.
The trick is to federate ADFS with another STS which does support the OAuth protocol.
StarterSTS is an example of an STS which supports OpenId. This was developed by Dominick Baier. He has just announced via his blog that he is developing a MVC version.
Matias Woloski has blogged about a protocol bridge here. It supports not only OpenID but also OAuth.
#nzpcmad suggestion of adding an STS to do protocol translation is correct. Another alternative is to use ACS (AppFabric Access Control Service).
You can alternatively add the trusts relationship on the web.config manually (or run Fedutil on a separate project and merge the changes). In this case the trust would be to an STS that knows how to deal with OAuth and SAML/WS-Federation (like the STSs mentioned by #nzpcmad). Out of the box, WIF only understands SAML tokens and WS-Federation/WS-Trust.
StarterSTS does not support OAuth but the follow-on project by the same guy does. Check out http://identityserver.codeplex.com/ for more details.
In addition to supporting OAuth it is new code using the ASP.NET MVC framework and WCF for its underpinnings.
This is only at CTP 1 status and is not yet considered a full release yet so review carefully.