I have a Angular version 9.1.9 ClientApp and have .net-core web api. I am using the msal for angular library and azure ad b2c. Is it possible to only protect a specific route i.e. /api/GetProfile but not /api/GetCar ?
My question is not in reference to .net core but rather msal for angular.
"msal": "^1.4.2"
"#azure/msal-angular": "^1.1.1"
Assuming you are using aspnet core mvc, only the methods with a Authorise attribute are secured, if the attribute is on the class all the methods are secured, unless you add the allow anonymous attribute to a method. If you have middleware that enforces security if not explicitly set use the allows anonymous attribute at class or method level
Related
I would like to build a web based application using Spring Boot micro service. I am planning to use OAuth2 and OpenID Connect to implement authentication and authorization in my application. What grant type I have to choose to implement OAuth2 if my application is going to be single page application (Angular.js for front end Spring Boot services for backend)?
You can use Implicit or Authorization Code flow with a single page app :
In order for a single-page app to use the Authorization Code flow, it must be able to make a POST request to the authorization server. This means if the authorization server is on a different domain, the server will need to support the appropriate CORS headers. If supporting CORS headers is not an option, then the service may use the Implicit Flow instead.
oauth.com
but it's recommanded to use Authorization Code flow :
It is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely). In the time since the spec was originally written, the industry best practice has changed to recommend that public clients should use the authorization code flow with the PKCE extension instead. oauth.com
I am working with a project where frontend is Angular 4. It consumes Asp.Net WEB API services. I have implemented token based authentication for accessing restricted api calls along with refresh token implementation.
Now i want to implement additional authentication mechanism like Native AD, ADFS and other third party services like OKTA using SAML 2 authentication.
I want to understand flow how it will work with web api along with Angular SPA.
These are the flows you could use. https://developer.okta.com/authentication-guide/implementing-authentication/ and Okta already have SDKs that can help you https://developer.okta.com/quickstart/#/angular/nodejs/generic. <- uses Implicit flow.
The real question, I could have asked, why am I only getting an id_token in my response to the authorization endpoint? And, probably best created in an azure stackoverflow space.
For context, the original question was more about customization strategy. Which, further research determined was not necassary.
I've been reading through the OAuth2/OIDC features of the Spring Security Reference Guide - 5.7 OAuth 2.0 Login, 31. OAuth 2.0 Login — Advanced Configuration, and the github OAuth2 Login Samples trying to figure out how to extend or create a custom implementation for Microsofts Azure OIDC API - Authorize access to web applications using OpenID Connect and Azure Active Directory.
These are observations. And generally, what I’ve seen based on my experiment and what I believe to be true based on the spring security behavior and the Microsoft Understanding OpenID Connect Protocol guide documentation.
Azure’s sign in request against the /authorization endpoint has 3 additional nuances to their sign-in request that are currently not supported in the Spring Security 5 code base.
“response_type” – The Microsoft OIDC API allows id_token or id_token+code … Spring Security supports “code” or “token” OOTB. (id_token gets you the id_toke, id_token+code will get you id_toke and code. The code you can exchange for an access token.
“response_mode” – The Microsoft OIDC API recommends use of response_mode=form_post … This is not supported OOTB Spring Security.
“nonce” – The Microsoft OIDC API recommends use of nonce=[unique_value] … This is not supported OOTB Spring Security.
I've created a fork to see what enhancements would be needed to support the above. I believe they would be.
spring-security-oauth2-core
OAuth2AuthorizationResponseType - to include additional types.
OAuth2AuthoriztionRequest - to include support for nonce and responseMode
oauth2-client
OAuth2AuthoriationRequestRedirectFilter
OAuth2AuthorizationRequestUriBuilder
And a mechanism to auto configure the appropriate options.
The changes to support these parameters at first glance appears to be trivial. However, the classes in spring security are final and thus the extension is much bigger.
Anyone have any advice on a customization strategy? What would be the recommended approach to creating a customized configuration to support the nuances without replicating the code base?
With juunas clue ... I realized my issues were related to the fact I had not created api scope when I registered my application in the azure b2c blade. Thus, the issue was not the spring security configuration. But, a result of the missing scope.
Incidentally, the Get Access Token section in Microsoft Understanding OpenID Connect Protocol guide states, "... By including permission scopes in the request and using response_type=code+id_token, the authorize endpoint ensures that the user has consented to the permissions indicated in the scope query parameter, and return your app an authorization code to exchange for an access token."
Per juunas, this happens when response_type=code as well. –
I'm trying to search for an answer since yesterday and until now no luck unfortunately.
We have a WebApi backend with frontEnd written in Angular2.
Authentication is created with the use of JWT Tokens.
So basically user makes a call to WebApi and obtains the Authentication token that stores some other info like Roles in Claims.
In the same project there are other things we'd like to include with very limited functionality so there is no need to separate them to another project like: small MVC app, HangFire, Elmah etc.
How can we authorize those apps ? Is it possible to use the JWT token obtained from WebApi ? If I understand correctly MVC and WebApi exist in different contexts.
I've implemented an ASP.NET Web API application having one regular controller (HomeController) and several other Web API controllers. I have already the handled authentication for the API controllers (using anonymous authentication together with custom authorization attributes), but i want to restrict the access to the MVC controller and all its actions using Windows Authentication, without affecting the rest of the controllers.
Is it possible to achieve this? Can Windows and Anonymous authentication be mixed is such a way in a Web API application?
Note: the application will be hosted in IIS.