I am in the process of learning ASP.NET MVC 5 (Visual Studio 2015) and have created a basic MVC web application. When I created the project, I selected "MVC" and "Web API" under "Add folders and core references for:". I also selected "Individual User Accounts" under authentication. I created some models, controllers, and views using EF. Those are working great along with authentication. I also created a "Web API 2 Controller with actions using Entity Framework" to add API capabilities to one of my models. Again this works fine.
Now I am trying to get OAuth working with the Web API but ran into problems when requesting the Token... I don't think the Web Application template comes with that piece. After much reading, I found some recommendations on Stack Overflow that it is usually better to create a separate project for your Web API.
So my questions are:
I will most likely be deploying the Web API on one server and/or subdomain and the Web Application on another. If that is the case, they have to be in separate projects anyways, right?
When having two projects, what is the best way to share common components, like models? In my Web API, should I add a reference to my Web Application and then create the Web API Controller like that or should I copy the code from the model and create a new model in the Web API?
To answer your questions:
Yes, they need to be separate projects if you are going to deploy them seperately.
To handle common items, create a library DLL project and reference that from both the Web API and Web App. It can contain the common components.
Also, if you are using cookies for authentication, you are also going to have to setup CORS to allow the cookie to be shared between two sites with different domains.
Related
I think this is the first time to ask a question here, but wanted to try. Hope I got this right. I have searched all over web but nothing seems to come up for this scenario.
On a Test Project, I was going to have a ASP.NET Web API that will be exposed to the web. It will have authentication and authorization. The roles will be managed thru the Web API. I will have a ASP.NET CORE MVC app as one of the clients accessing the Web API.
What I would like to do is pass the users roles (in a Claim?) from the Web API into the Web Site and have the roles be used in the Controllers Authorize as well as in the views (menu filter and button disable functionality). Of course the issue is the separation of the Website from the Web API.
I have seen tutorials where the role is passed to a Angular/React/Vue site but I am trying to see about this in a Asp.net Core website.
I think I want to pass the claim(with the Roles) to the Website and have it use it as if the website was accessing the DB directly.
Just trying to figure out how this would be done.
Any direction would be appreciated.
Thanks
Situation
I am currently working on a project with following goals:
Front End Web Application with Blazor-Server
Database with MS SQL
Rest API as interface between Database and Blazor App
Microsoft Identity Platform for user management etc.
Question
My Question is, where do I put the Microsoft Identity part in here? As I want to use it in the Rest API to authorize users for respective api endpoints and to manage the users within the Blazor Application.
Also the database is designed with Entity Framework's Code-First approach within the Rest API.
My idea was to also put the Microsoft Identity part in the Rest API. Since in the future other services might need to consume this API aswell. But how can I make use of the generated Identity Pages (like login.cshtml etc.) in the Blazor App, when the Identity Implementation is in the API?
Im not really sure how to solve this, any help and recommendations are greatly appreciated.
It is a first time that I am using ASP.NET Boilerplate for API development. There are default features like multi tenancy and role management which I don’t want to use in the template. When creating a new project. in the project wizard I am choosing “Single Page Web Application” and I am unchecking the “Include login, register, user, role and tenant management pages” box. But when I do this, it is removing the connection between Swagger and Application Service. So the methods I am writing in Application Service are not being translated as API endpoints automatically.
Ideally, I want this: ABP Template + Empty API solution + swagger connection.
Am I missing something? Could you point me in the right direction? Thanks in advance.
"The methods that I am writing in the Application Service are not automatically translated as API endpoints." Regarding that, the app service should be translated automatically in the version that does not include login and roles, check the documentation. Regarding the swagger, you have to add it manually.
I just got Visual Studio 2013 loaded up and want to create a new web/mobile app that uses the same authentication for the website version and the mobile version.
I loaded up both templates (MVC5 w/Indivual Account & WEB API w/Individual Account) to check them out but it looks like I actually want to do a merge of those projects so the MVC5 uses the Web Api 2 OWIN for normal username & password authentication along with Social Media logins via Oauth.
SPA - I did look at this template but I'm not looking for a SPA as my website will need to be SEO friendly plus I know MVC and want to keep using it.
This would seem like an obvious template that developers would like to have in order to support both websites and mobile apps in the same project.
If your target is to share user accounts between the MVC app and the Web Api app, then all you need to do is to have them both point to the same UserStore.
I think this is what you are looking for:
http://leastprivilege.com/2012/10/23/mixing-mvc-forms-authentication-and-web-api-basic-authentication/
We're developing an API and a single page application (that is one of more possible future consumers of it).
We already started on the web API, and basically implemented a system very similar to the one John Papa made in his course on pluralsight, named "Building Single Page Apps (SPA) with HTML5, ASP.NET Web API, Knockout and jQuery".
We now need to implement authentication and user managing in this application and need to find the easy way out to implement this in as little time as possible as we are in a hurry.
We realized the SPA template included in the ASP.NET update had very similar features to our needs, but we wonder what the best approach to implement a similar feature in our existing code.
We are novice developers, as you might figure.
Is it possible nstall some packages using the package manager, and voila, a simple membership and OAuth auth option be readily available?
Our use case is that we need to protect some resources on our API based on roles, and that one should be able to log in using a username and password, but also log in using ones facebook, google, or twitter account.
Found an interesting talk regarding the subject here: https://vimeo.com/43603474 named Dominick Baier - Securing ASP.NET Web APIs.
Synopsis: Microsoft’s new framework for writing RESTful web services and web APIs is appropriately enough called ASP.NET Web API. As the name applies, this technology is part of ASP.NET and also inherits its well-known security architecture. But in addition it also supports a number of new extensibility points and a flexible hosting infrastructure outside of IIS. There are a number of ways how to do authentication and authorization in Web API - from Windows to usernames and passwords up to token based authentication and everything in between. This talk explores the various options, and puts special focus on technologies like claims, SAML, OAuth2, Simple Web Tokens and delegation.
We eventually went with the SPA template, doing authentication on the API (separate MVC part).
Then the API would generate a unique token and redirect the user to the front-end with the token in url parameters.
The front-end then needs to send this token on every subsequent request.
Have a look here - Identity Server done by the security experts. This is all you need in one package.
In terms of OAuth, you would need to use Client-Side Web Application flow which the access token is issue immediately to the client and can be used.