I have already configured a Federation service. I have to use Web API with the WS-Federation service. Federation services use cookies to store security tokens, and there is no support for cookies in Web API. Now, how do I use Web API with WS-Federation?
This discussion will help you:
Invoking webapi throws No Access-Control-Allow-Origin header is present on the requested resource
It states that Web API uses the host's sign-in protocol.
I am building an app using SvelteKit and Django REST framework. SvelteKit is responsible for rendering the HTML page (SSR) and Django REST framework is responsible for providing the RESTful API.
Both the app server and the browser will fetch my RESTful API. I want to protect my RESTful API by adding authorization. After reading some documents, I plan to use OAuth2 (django-oauth-toolkit) and I drew the following chart:
My auth flow chart
But I was confused by the following problems:
1. I can use the Authorization Code grant flow to auth the app server, but what about the browser?
2. Can I separate the auth server and the RESTful server? If so, how does the auth server protect the RESTful server?
"I can use the Authorization Code grant flow to auth the app server, but what about the browser?"
In fact, the authorization code based flow is the one that is suitable for and meant for web clients. When using this flow, the server will redirect the intermediate code (OAuth code) to the redirect URI passed in the request, so the client can capture that code and make another request to exchange it for an access_token.
"Can I separate the auth server and the RESTful server? If so, how does the auth server protect the RESTful server?"
Yes, you can. The resource server should talk to the auth server to get the authentication/token object verified.
I use token authorization in my sample API built with Django REST framework. Using the web API interface I can navigate through my API. I can make any type of request (POST, PUT, PATCH, DELETE, OPTIONS) to my API. But I don't see how to provide headers. Some of my endpoints require authorization, so even with a GET request I can't access them from the web API.
Is it possible to provide an authentication token using the Django REST framework web API?
Send your requests with Postman or another HTTP client rather than the web UI of REST framework.
Currently I have created a Web API project using Identity Framework and I have set up tokens to be returned when authenticating with the API.
So now I am looking at creating a standalone MVC application that will allow the user to make calls to the Web API to get back-end data.
The goal is to separate functionality so that other applications can also start interacting with back-end data through web calls.
So the confusion now is how do I set up my MVC project so that I can use the Authorize attributes on controllers with the token received from the Web API. I think I need to enable bearer tokens in the ConfigureAuth method in Startup.Auth.cs. However, will that be sufficient? Or do I also need to enable cookie authentication?
MVC and Web API are fundamentally different when it comes to authentication. With Web API, the bearer token has to be set in the header of the request, but this is not an issue as all API requests are done programmatically by the client, i.e. there's human intervention involved in setting up the client to authenticate the request properly.
MVC is a different beast in that the actions are generally accessed via a web browser, which will not automatically affix a bearer token to the request header. What it will do is pass cookies set by the server back to the server. That's why cookie auth is most typically used for MVC web applications.
What you should do is enable cookie auth for the MVC site and then set up your sign-in action to authenticate via the Web API. When you get back a valid auth from the Web API, then you can manually sign in the user via the Identity API:
// ASP.NET Identity 2.x signature: SignInAsync(user, isPersistent, rememberBrowser)
await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
I have an ASP.NET MVC 5 Web Role using OWIN Katana components for OAuth and OpenID. I enabled Google authentication support inside Startup.Auth.cs (provided by the default MVC 5 template).
Everything works fine up to authentication, but I'm not sure how to request an authorization token as mentioned here: Google Contacts API v3.
Please share pointers to samples or documentation. Thank you.
Google has multiple authentication protocols. The one implemented in Katana v2.0 is not OAuth2, so there is no authorization token. It's only useful for having google confirm who the user is, it does not give you access to their resources.
In Katana v2.1-rc1 (coming this month) support is being added for Google's OAuth2 protocol.
https://katanaproject.codeplex.com/SourceControl/changeset/0eb10848ae18a5f339e7fde8ff1e877242e944dc
I'm currently stuck in a situation where I have created an ASP.NET Web API project and deployed it separately from my main MVC application, which uses Thinktecture IdentityServer for federated authentication.
The problem that I'm facing has to do with the Web API CORS support. More specifically, I authenticate myself in the MVC application, but then when it sends requests to the Web API I get the following error:
XMLHttpRequest cannot load XXX. The request was redirected to 'https://localhost/idsrv/issue/wsfed?wa=wsignin1.0&wtrealm=http%3a%2f%2floca…assive%2..., which is disallowed for cross-origin requests that require preflight.
The error makes sense, because the request doesn't contain the HTTP headers that are needed by the WSFederationAuthenticationModule to verify that I'm already logged on.
Is there any possible workaround that I'm not aware of?
As far as I can see you have 3 issues here:
1. How to enable WIF authentication with the Web API.
For this you should use Thinktecture.IdentityModel.45 (or the one for MVC 5 - Thinktecture.IdentityModel) that exists as a NuGet package. See the sample here: Web Api security sample
2. After that you'll have to send the token in a security header in the Ajax request.
3. If your MVC site and your Web API are not on the same domain then you'll have to handle CORS issues.
For issues 2 & 3 see: Dog fooding our api authentication
This should also give you a good idea of how to use the security token received in your MVC site to authenticate with your Web API.