The issue I am facing is getting the Web API authenticated with the bearer token received from the web app authentication.
Created a web app, Angular template of .NET Core 2.1. Added WsFed authentication to it. https://demoapp (dummy name)
Created a Web API app. Added WsFed authentication to it. https://demoapp-api (dummy name)
Now the target is to authenticate the web app, use the token from there to make calls to the API, and get data.
In the WebApp, in the OnTicketReceived WsFederationEvent, I am acquiring a token using AcquireTokenAsync(AppId, credential);
Doing this because we receive a SAML token from WsFed.
Here I tried with the AppId of the WebAPI, and also of the WebApp. Neither token works.
Passing this token as a Bearer token in the header to the API.
When hitting the API, I face a redirection for authentication.
Ideally, when sending the token, it should be allowed, right?
I have added permissions of the WebAPI on the WebApp in the Azure portal, and also vice versa.
Acquiring the token using the AppSecret.
Am I missing something here? Or am I trying to achieve something which is not possible with WsFed?
Can anyone please help with this webapp-webapi-wsfed scenario?
My setup is as follows:
Rest APIs (Spring boot)
Front-end application (Angular 8)
Auth Server (Keycloak)
Current scenario:
The user enters the username and password in the Angular login page.
Angular makes a POST request and gets the access token, refresh token etc. from the Keycloak server.
In all subsequent requests to the REST API server (which is bearer-only), the access token is passed in the header as "Authorization: Bearer <ACCESS_TOKEN>"
The REST API looks at the role of the user and based on that either returns the desired data or throws a 403 Forbidden exception.
What I want:
To authenticate external users using an API key and then add rate limiting to it. For that, I am using Kong API Gateway. For internal or trusted users that log in through the Angular app, the existing access token flow should work.
Issue:
When using an API key in Kong, it does pass Kong's authentication, but the REST API server still expects an access token and hence I get the 401 Unauthorized error.
I found the solution for this. Basically you need to configure an anonymous consumer and enable multiple authentication methods using Kong's key-auth plugin for API-key based security and the openid-connect plugin for Keycloak based security.
For those who don't have Kong Enterprise, since the openid-connect plugin is not open source, you can configure just the key-auth plugin with anonymous access enabled and then handle the Keycloak based authentication in your REST application.
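The open-source variant of the answer above, as an added example that is not part of the original post: the REST application behind Kong accepts either a Kong-validated API key (key-auth with an anonymous consumer) or a Keycloak bearer token, and then applies the same role check the API already performs. The header names are the ones Kong's key-auth plugin sets (X-Consumer-Username, X-Anonymous-Consumer); the token lookup table, consumer names and roles are constructed stand-ins, and the Keycloak validation is a placeholder for real signature and issuer checks.

```python
# Added example (not from the post): dual authentication behind Kong's key-auth
# plugin running with an anonymous consumer. Kong sets X-Consumer-Username for a
# valid API key; for a missing or invalid key it forwards the request anyway with
# X-Anonymous-Consumer: true, so the application must then validate the bearer token.

# Constructed stand-in for what a Keycloak token validation would return (assumed).
KNOWN_BEARER_TOKENS = {
    "valid-kc-token": ("alice", ["ROLE_USER"]),
    "valid-kc-admin": ("bob", ["ROLE_USER", "ROLE_ADMIN"]),
}


def verify_keycloak_token(token):
    """Placeholder for verifying a Keycloak-issued JWT (signature, issuer, expiry).

    Returns (username, roles) for a valid token, or None.
    """
    return KNOWN_BEARER_TOKENS.get(token)


def authenticate(headers, verify_token=verify_keycloak_token):
    """Return (status, principal, roles) for a request forwarded by Kong.

    Trusting the X-Consumer-* headers is only safe when the application is
    reachable exclusively through Kong; a client that can hit the app directly
    could set those headers itself.
    """
    anonymous = headers.get("X-Anonymous-Consumer", "").lower() == "true"
    consumer = headers.get("X-Consumer-Username")
    if consumer and not anonymous:
        # key-auth already validated the API key: an external, rate-limited consumer.
        return 200, consumer, ["ROLE_EXTERNAL"]

    # Anonymous consumer: Kong let the request through without a key, so the
    # application has to check the Keycloak access token itself.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None, []
    identity = verify_token(auth[len("Bearer "):])
    if identity is None:
        return 401, None, []
    user, roles = identity
    return 200, user, roles


def authorize(headers, required_role, verify_token=verify_keycloak_token):
    """Authentication followed by the role check: 401, 403 or 200."""
    status, _principal, roles = authenticate(headers, verify_token)
    if status != 200:
        return status
    return 200 if required_role in roles else 403


if __name__ == "__main__":
    # Constructed sample requests as Kong would forward them.
    print(authenticate({"X-Consumer-Username": "partner-1"}))
    print(authorize({"X-Anonymous-Consumer": "true", "X-Consumer-Username": "anonymous",
                     "Authorization": "Bearer valid-kc-token"}, "ROLE_ADMIN"))
```

In Spring Boot the same decision would live in a filter that runs before the bearer-token filter and short-circuits when a non-anonymous consumer header is present; keep the API reachable only from Kong (network policy or mTLS), otherwise the header-based path is forgeable.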
I am building a Web API for external consumers. I want to lock it down using Azure AD B2C token authentication. .NET Framework 4.7.2 using OWIN middleware.
The workflow (as I understand it) goes like this:
Successful path:
GET request on secure endpoint, contains a header with a valid auth token
API returns expected result
Invalid/missing token path:
GET request on secure endpoint, contains an invalid/missing token in the header(s)
API returns 401
This all looks correct from a security point of view, but my poor consumers won't know how to get a new token. Should I be returning something with the 401 to assist them in getting a new token (i.e. the URL for the Azure AD B2C endpoint)? Does this break conventional rules on returning objects with a 401? Am I expecting too much for my consumers to know how to interact with my chosen 3rd-party auth provider?
My question is more about design but would appreciate any technical examples.
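The standard place for the hint the question asks about is the WWW-Authenticate response header that RFC 6750 defines for bearer-token resources. Below is an added example, not code from the post: it builds the 401 challenge for the two paths described above. A request with no token at all gets a bare challenge (RFC 6750 section 3.1 says not to include an error code in that case); a request with a bad token gets error="invalid_token" plus a description. The authorization_uri parameter is not part of RFC 6750; it is the convention Azure's own endpoints use to point clients at the login authority, and the B2C URL and realm here are constructed values. The token validator is passed in as a callable so the example stays independent of any JWT library.

```python
# Added example (not from the post): RFC 6750 bearer challenge on 401 responses.
# B2C_AUTHORIZATION_URI and API_REALM are constructed placeholders.
B2C_AUTHORIZATION_URI = (
    "https://contoso.b2clogin.com/contoso.onmicrosoft.com/"
    "B2C_1_signin/oauth2/v2.0/authorize"
)
API_REALM = "demoapp-api"


def bearer_challenge(error=None, description=None):
    """Build the WWW-Authenticate value for a 401 (RFC 6750 section 3).

    realm and error/error_description are standard parameters; authorization_uri
    is a non-standard hint (the convention Azure services use) telling the
    consumer where to obtain a token.
    """
    params = [f'realm="{API_REALM}"', f'authorization_uri="{B2C_AUTHORIZATION_URI}"']
    if error:
        params.append(f'error="{error}"')
    if description:
        params.append(f'error_description="{description}"')
    return "Bearer " + ", ".join(params)


def respond(headers, token_is_valid):
    """Return (status, response_headers, body) for a GET on a protected endpoint."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        # No credentials at all: challenge without an error code (RFC 6750 3.1),
        # so the consumer learns that bearer auth is expected and where to go.
        return 401, {"WWW-Authenticate": bearer_challenge()}, ""
    token = auth[len("Bearer "):]
    if not token_is_valid(token):
        # Credentials were sent but rejected: say so, without leaking why in detail.
        return 401, {
            "WWW-Authenticate": bearer_challenge(
                "invalid_token", "The access token is expired or invalid"
            )
        }, ""
    return 200, {"Content-Type": "application/json"}, '{"data": "protected"}'


if __name__ == "__main__":
    # Constructed validator: only one literal token is accepted.
    is_valid = lambda t: t == "good-token"
    print(respond({}, is_valid))
    print(respond({"Authorization": "Bearer stale"}, is_valid))
    print(respond({"Authorization": "Bearer good-token"}, is_valid))
```

Returning this header does not break the 401 convention; it is what the status code was designed to carry. What to avoid is a body that echoes validation internals (which key failed, which claim was wrong), since that helps an attacker more than a legitimate consumer.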
My aim is to authorize the browsable API (first app) using the JWT token generated (second app).
I have two apps created,
1. API - has all the data
2. Authentication - generate JWT tokens after validating the user.
Now, when I try to access the API after generating the token, it says:
Authentication credentials were not provided.
Trying to access the API (passing the bearer whatevertoken).
I mean, is there a way to authenticate the Browsable API using a JWT token, instead of creating a user session?
Passing the Authorization header as
"Authorization: JWT token"
authenticates the user.
But this limits me in browsing the API in a browser. Is there any way we can implement the Browsable API using JWT authentication?
UPDATE
A thorough reading on
Authentication classes
Permission classes
Django settings
helped in understanding the core concepts and applying appropriate solutions.
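An added illustration, not from the post, of the two settings that matter here. The class paths are the real ones from Django REST framework and djangorestframework-jwt (whose default header prefix is "JWT", which is why "Authorization: JWT token" works and "Bearer" is ignored); everything else, the request dicts and the authenticator functions, is a constructed model of DRF's behaviour rather than DRF itself. DRF calls each authentication class in order and takes the first one that returns a user; with only the JWT class configured, a browser visiting the browsable API sends no Authorization header, so no class authenticates and the permission check answers "Authentication credentials were not provided." Adding SessionAuthentication after the JWT class keeps JWT for clients and lets a logged-in browser session browse.

```python
# Added example (not from the post): modelling DRF's authentication-class chain.

# Before: JWT only. A browser with a session but no Authorization header fails.
REST_FRAMEWORK_JWT_ONLY = {
    "DEFAULT_AUTHENTICATION_CLASSES": (
        "rest_framework_jwt.authentication.JSONWebTokenAuthentication",
    ),
    "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAuthenticated",),
}

# After: JWT for API clients, session auth so the browsable API works in a browser.
REST_FRAMEWORK_BROWSABLE = {
    "DEFAULT_AUTHENTICATION_CLASSES": (
        "rest_framework_jwt.authentication.JSONWebTokenAuthentication",
        "rest_framework.authentication.SessionAuthentication",
    ),
    "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAuthenticated",),
}

# djangorestframework-jwt default; "Authorization: Bearer ..." is not recognised
# unless this is changed in JWT_AUTH.
JWT_AUTH_HEADER_PREFIX = "JWT"

NOT_PROVIDED = "Authentication credentials were not provided."


def jwt_authenticator(request):
    """Model of JSONWebTokenAuthentication: None when the header/prefix is absent."""
    parts = request.get("HTTP_AUTHORIZATION", "").split()
    if len(parts) != 2 or parts[0].upper() != JWT_AUTH_HEADER_PREFIX:
        return None  # DRF moves on to the next class
    # The real class verifies signature, expiry and user; assumed valid here.
    return "user-from-jwt:" + parts[1]


def session_authenticator(request):
    """Model of SessionAuthentication: the Django session user, or None."""
    return request.get("session_user")


# Constructed mapping from the configured class paths to the model functions.
AUTHENTICATORS = {
    "rest_framework_jwt.authentication.JSONWebTokenAuthentication": jwt_authenticator,
    "rest_framework.authentication.SessionAuthentication": session_authenticator,
}


def authenticate(request, settings):
    """First class to return a user wins; otherwise IsAuthenticated rejects."""
    for path in settings["DEFAULT_AUTHENTICATION_CLASSES"]:
        user = AUTHENTICATORS[path](request)
        if user is not None:
            return user, None
    return None, NOT_PROVIDED


if __name__ == "__main__":
    browser = {"session_user": "alice"}                          # constructed
    print(authenticate(browser, REST_FRAMEWORK_JWT_ONLY))
    print(authenticate(browser, REST_FRAMEWORK_BROWSABLE))
    print(authenticate({"HTTP_AUTHORIZATION": "Bearer x.y.z"}, REST_FRAMEWORK_BROWSABLE))
```

Order matters for the status code: DRF uses the first class's challenge header to decide between 401 and 403, so keep the JWT class first when API clients should receive a 401 with a WWW-Authenticate header.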
I have an issue with a Web API returning HTTP 401 Unauthorized when I use a Bearer Token to access it from a Xamarin client. Both the iOS and UWP clients fail.
- This is an application that authenticates with Azure Active Directory to allow a user to log in
- Once successfully logged in it gets a token that in turn is added to the Web API request header
- The Web API has its authentication turned on
The issue with Azure settings:
https://1drv.ms/v/s!ApPhjsvemKJggpR2ax5w4wRJcY7uXQ
The code:
https://github.com/wleon12/XamarinForms-AAD-WebAPI.git
I can't seem to figure out what is wrong; I'd appreciate any input or guidance.
It depends on how you protect the web API.
Normally, when we protect the web API using Azure AD, we provide the Audience and Tenant like in this code sample. So when we send the request with the token, the web API will verify the signature of the token and the values we configured.
So for the 401 issue, please check the token you acquired against the values you configured for the web API project. To check the Audience, Tenant and other values in the token, you can decode it on this site.
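The check the answer recommends, and the failure the first question on this page describes (a token acquired for the wrong AppId being rejected), come down to the same thing: the bearer middleware compares the token's aud and tid claims with the Audience and Tenant the API was configured with. Below is an added example, not code from either post, that decodes a JWT the way an online decoder does and then runs the validation steps the middleware performs. It signs with HS256 and a constructed shared secret so it runs offline; real Azure AD tokens are RS256-signed and verified against the tenant's published signing keys, and the audience, tenant id and secret values here are placeholders.

```python
# Added example (not from the posts): decode a bearer token and validate it the
# way JWT bearer middleware does. All constants are constructed placeholders.
import base64
import hashlib
import hmac
import json
import time

EXPECTED_AUDIENCE = "https://demoapp-api"                   # Audience configured on the API
EXPECTED_TENANT = "00000000-0000-0000-0000-000000000000"    # Tenant configured on the API
SHARED_SECRET = b"constructed-secret-for-illustration"      # HS256 key (Azure AD uses RS256)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims):
    """Issue an HS256-signed JWT (stands in for the token the web app acquires)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_claims(token):
    """Read the payload without verifying it, as an online JWT decoder does."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def validate_bearer(token, now=None):
    """Return (ok, reason): signature, audience, tenant and expiry checks."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != EXPECTED_AUDIENCE:
        # The symptom from the WsFed question: a token minted for the web app's
        # AppId carries the web app as aud, so the API rejects it with 401.
        return False, f"audience mismatch: {claims.get('aud')!r}"
    if claims.get("tid") != EXPECTED_TENANT:
        return False, f"tenant mismatch: {claims.get('tid')!r}"
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    wrong = mint_token({"aud": "https://demoapp", "tid": EXPECTED_TENANT, "exp": 2000000000})
    print(decode_claims(wrong)["aud"])   # what a decoder site would show you
    print(validate_bearer(wrong))        # why the API answers 401
```

The practical rule this encodes: request the token for the API's App ID (its aud must equal the API's configured Audience), and compare tid against the Tenant setting before suspecting the middleware.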
I am trying to understand the security features of the VS2013 MVC5 SPA Template WebAPI.
In Startup.Auth.cs there is this -
TokenEndpointPath = new PathString("/Token")
and this -
AuthorizeEndpointPath = new PathString("/Account/Authorize")
In my understanding, the AuthorizeEndpointPath is for when you're acting as a 3rd-party OAuth authorization server.
However, the way it is used in the template, the flow seems to be:
Login via Forms Authentication
Redirect to a secure page
JavaScript checks for a bearer token in local storage; it doesn't exist, so it redirects to this Authorize endpoint.
window.location = "/Account/Authorize?client_id=web&response_type=token&state=" + encodeURIComponent(window.location.hash);
Logs into the app with OAuth security, returns a token, which will be passed on subsequent API requests.
The /Token endpoint never seems to be used. A prior version of this template did an AJAX POST to /Token to log in. I have a similar situation where the website is secured via Forms authentication/cookies but the Web API is secured by Bearer token.
Is the Authorize endpoint being used correctly in this SPA template, and is this the correct pattern to follow? It seems like the appropriate way to authenticate for bearer token security "internally" for the app would be a "client credentials grant", though I'm not sure how to generate the "secret".