I have to authenticate my user credentials in my asp.NET web api with ldap server and if success token is given have to check whether the user has access to controller with another table with contains user role and id
I have tried with token based authentication but could not implement the table authorization part
Related
We are using Okta as a OAuth login provider.
What we wish to achieve is to fetch user role information in the authentication response itself. We are using spring security.
Currently we get following details in org.springframework.security.oauth2.core.oidc.user.OidcUser object
[Edit]
Adding content of authorities
This does not include user role information. Is there a way to get the user role information in the authentication response itself?
So I'm a bit new with REST APIs and web in general. I'm trying to setup Login using HTTPS + Basic Auth through my REST API. My front end is built with Vuejs. Lets say there's a login button that sends the username and password information (basic auth by the way) what should the API return in the response? I was thinking it simply returns "Success"?
tl;dr how to perform login against a Spring Boot REST API using Vuejs through HTTPS + Basic Auth?
Thanks
For basic authentication you have to pass some key in headers to validate the user and then you can follow the crud to fetch that data of the user from database..since you are https you have to use keystore to authenticate the url also. It will return the role of the user on the basis of the role you can direct the user to that page , the user can be admin , normal user or user from diff department. you can also fetch active user (whether the user is active or not )
I have an auth server built using spring boot oauth2.0 and follows david_syer model.
My auth server does following -
Let user login via third party oauth provider like google or let user create his account on our server using username and password and generate token.
So, when user uses external oauth like google to login then I simply store the token and pass the same(google) token to my UI app for accessing resource api servers. I have an authentication filter that verifies token and allow api access.
When user uses username and password to get token we store user and his permissions and generate a token for him. Now UI uses our auth servers generated token to access resource api servers.
Now my question is
Is this the correct way of using token from external api and using the same to access our resource api server?
And how do I add authorities to user who are signing up using 3rd party oauth provider since I don't add user entry and authorities for them?
So, spring security which loads user and user authorities (loadUserByUsername() from UserDetailsService) will not have any thing if user came from eternal provider.
I have a suggestion for step 2:
After the user uses the google authentication, and gets redirected back to your application page, do the claims transformation on your server and generate your own token issued by the identity server that you have.
The reason is you will be able to provide specific claims and the claims names does not necessarily required to match up.
That way you keep verifying your own token all the time on the client app. So lets say the user uses Facebook instead of Google and even in that scenario as you will assign your own token, you need not to verify the token coming from different third party Identity servers.
That way, your identity server trusts Facebook, Google provided token and your application will trust only your identity server so your app doesn't need to know about what IDP is issuing the token.
And with the approach I suggested above, you will be able to even modify the claims for the user on your own and don't have to depend upon the third party identity server to provide claims.
I am developing some RESTful services for our mobile app using Spring Boot. I succesfully implemented Oauth2 authentication with our registration using username and password. Users can authenticate by using username and password. Also our client want to be authenticated with their custom token. They have a web service that you send token and response is true or false.
My first thought was, I can write a service like /custom-login and that service accepts custom token. In my service I can check this token with external service and if it is valid I call oauth2 authentication and return oauth2 authentication response.
How can I implement custom authentication oauth2 ?
OAuth2.0 spec allows for custom grant types,
So your auth server can create an custom grant type,
for eg: let's assume your wanted to authenticate with Google using Google access token, so you will create new grant_type called google_token
So now when your users wanted to authenticate using Google access token , they will pass like
grant_type=google_token&client_id=clientId&client_secret=secret&google_token=google-access-token
Then your auth server can verify the access token with Google and optionally verify client is issued to, etc and once verified , it can return your own access token
This applies for third party auth severs, so you can create number of custom grant types
I'm developing an application using asp.net core Web API and Angular2
I want to implement authentication and authorization for my application
I want to know if it is a good choice to use identity server if have just one client(in angular 2 ) and I want that the login screen be attached to my client and not the identity server ?
As far as i understand, you want to use Token Based Authentication with following flow :
Client sends user cridentials(username, password) to server
Server generates a token and sends it to client
Client uses the token each secure web api calls
So, my suggest for your case:
If you use AspNet Identity, OpenIddict with password grant is an option.
If you use custom user store, use IdentityServer4 with password grant.
If you want to write your own token endpoint, take a look at Token Based Authentication in ASP.NET Core
note: password grant enable you to implement own login screen.