I am starting on a new web API and I want to use ASP.NET Core 3.0. I also want to authorize callers to my API using JWTs and Azure AD as the Identity Provider.
I have set up many ASP.NET Core 2.x web APIs using JWTs and Azure AD that have worked just fine, however, when I try the same methods using ASP.NET Core 3.0 I get a 401 every time I try to access the API.
In my ASP.NET Core 2.2 web API, in Startup.cs I have the following in the ConfigureServices method;
// Add Azure AD OAUTH2.0 Authentication Services
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddAzureAdBearer(options => Configuration.Bind("AzureAd", options));
And I have an AzureAd section in my appsettings.json file that have values for...
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "mydomain.com",
"TenantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", //<-- Directory ID for mydomain.com
"ClientId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" //<-- Application ID of web API as a registered application in mydomain.com domain
},
Then in Startup.cs --> Configure method, I have ...
app.UseAuthentication();
app.UseMvc();
And finally, I decorate my API controller with...
[Authorize]
And this all works just fine for ASP.NET Core 2.2.
However, after creating a new project for an ASP.NET Core 3.0 Web API, and trying to implement the same techniques, I always get an HTTP 401 status code.
I realize the ASP.NET Core 3.0 was just released and I have to assume that the issue is related to changes in the way Core 3.0 operates, but I am having difficulty finding a solution.
Update 10/2/19
I test my APIs using Postman. In Postman, I make a POST to Azure AD with the correct values needed to obtain the access token from Azure AD. I copy that valid token to the Authorization header in a GET request to my API.
If I set my API to ASP.NET Core 2.2 and run it, then test the API using Postman as described above, my API authorizes the request and returns the correct data in the GET request's response.
If I change the API to ASP.NET Core 3.0 and try it again, I always get an HTTP 401.
The issue has to be a difference between how ASP.NET Core 3.0 handles JWT authorization and how ASP.NET Core 2.2 does it.
Related
I need to implement SAML 2.0 sso authentication to our existing Web API. I am fairly new to the topic so i am not sure where to start. i have been playing around with the dev ADFS server (ADFS 4 - Windows server 2016) and been following tutorials on how to setup Relying Trust Party.I have gotten the gist on how SAML works but still lost on how to implement this one via code in my webapi. I want to know how to begin implementing the SAML 2 auth to connect to the ADFS server, the web app is deployed on a different iis server. I have read https://github.com/Sustainsys/Saml2/tree/master but i am not getting how my web api would connect to the ADFS server to retrieve a SAML token and process it.
The problem you have is that the SAML spec. does not cater for API (either webapi or REST API). It's purely a browser SSO redirect protocol.
In ADFS, API are configured by the Application wizard but that's OpenID Connect with a JWT not an XML token.
Update
If your webapi is a REST API then use OIDC with a JWT.
Just FYI: ADFS also supports WS-Fed. WS-Fed does have an API profile (called the active profile) which is essentially WCF.
I am working with a project where frontend is Angular 4. It consumes Asp.Net WEB API services. I have implemented token based authentication for accessing restricted api calls along with refresh token implementation.
Now i want to implement additional authentication mechanism like Native AD, ADFS and other third party services like OKTA using SAML 2 authentication.
I want to understand flow how it will work with web api along with Angular SPA.
These are the flows you could use. https://developer.okta.com/authentication-guide/implementing-authentication/ and Okta already have SDKs that can help you https://developer.okta.com/quickstart/#/angular/nodejs/generic. <- uses Implicit flow.
I'm trying to search for an answer since yesterday and until now no luck unfortunately.
We have a WebApi backend with frontEnd written in Angular2.
Authentication is created with the use of JWT Tokens.
So basically user makes a call to WebApi and obtains the Authentication token that stores some other info like Roles in Claims.
In the same project there are other things we'd like to include with very limited functionality so there is no need to separate them to another project like: small MVC app, HangFire, Elmah etc.
How can we authorize those apps ? Is it possible to use the JWT token obtained from WebApi ? If I understand correctly MVC and WebApi exist in different contexts.
I'm trying to integrate WSFederation into my asp.net web api. I have 2 azure hosted app services one is for webapp and one webApi. Users can access WebApi from WebApp or can make direct calls from the browser.
I looked at azure samples https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect and https://github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation
I am unable to integrate both the samples to have what I need i.e. use WSFederation for web application and webApi.
P.S. I'm getting back SAML token from IdP and we are not using ADFS but Ping.
I've implemented an ASP.NET Web API application having one regular controller (HomeController) and several other Web API controllers. I have already the handled authentication for the API controllers (using anonymous authentication together with custom authorization attributes), but i want to restrict the access to the MVC controller and all its actions using Windows Authentication, without affecting the rest of the controllers.
Is it possible to achieve this? Can Windows and Anonymous authentication be mixed is such a way in a Web API application?
Note: the application will be hosted in IIS.