I am new the webAPI2, so please excuse me if my question is trivial. I want to implement token based security for my webAPI, so that other applications (apart from my SPA) can also call my webAPIs.
I started with Owin OpenAuth and implemented a POC. Everything worked well. But when I had to send client to Authorization to Authorization server, I could not find any inbuilt function to do that. I had to build this my self. Then I came across DotNetOpenAuth that provides APIs to set the communication as well. As far as I could find out, Microsoft is favoring Owin OpenAuth over DotNetOpenAuth.
Can anybody please provide the differences between these two? Also, which one is recommended?
Thanks In Advance
Brock Allen answered a similar question here
The OWIN middleware is grated more for just the protocol bits, but has
none of the necessary persistence bits (or replay protection or
refresh token support or many other things). If you are interested in
working directly with the protocol because you want to learn it and
really learn how to build a server, then the OWIN middleware is an ok
place to start. But if all you want is a sever that already has all of
those pieces implemented, then consider looking into IdentityServer
or DotnetOpenAuth
Related
I have a REST API which uses Azure Active Directory and OAuth 2.0 to authenticate.
How can I set this up using api blueprint in apiary.
I can see it works for http://docs.powerbi.apiary.io/
Just cannot seem to find an example.
Any pointers?
actually APIBlueprint does not support any authentication scheme.
However, something is definitely moving in the right direction: you can notice it looking at this pr and its subsequent discussion
Actually Apiary has some sort of private-beta OAuth 2 support but it is enabled on request and it's definitely not a feature of APIBlueprint itself (yet).
I hope this clarifies the issue.
I'm looking for suggestions regarding methods of hosting a 'custom STS' within a self-hosted OWIN pipeline.
It seems that the current documentation on custom claims providers has changed very little in the few years since I created a custom-STS with WIF 3.5, and I'd like to bring the implementation up-to-date for use with ADFS 3.1 (Windows Server 2012 R2).
I'm aware that the SecurityTokenService has moved to the System.IdentityModel namespace in 4.5, and ideally I'd like to encapsulate an STS within an OWIN-self hosted WebAPI, but I would be happy to use something like Nancy instead if necessary (since MVC does not appear to run in OWIN owing to it's reliance on System.Web), but I am struggling to find a way to utilise my implementation of SecurityTokenService from my WebAPI's DelegatingHandler since the wrapper functions in System.IdentityModel.Service.FederatedPassiveSecurityTokenServiceOperations also appear to be reliant on System.web, and hence IIS.
I plan on presenting the required input form elements to the user by manually crafting the response stream and parsing the POST - I realise this is a terrible idea compared to using ASP.Net or MVC, but at this stage this is really just a proof of concept for me, I'll be letting ADFS handle the cookies, since this will just be registered as a custom claims provider.
Should I drop the SecurityTokenService class in favour of a better token-generation implementation, or should I drop the wrapper class and manage requests to the STS manually using the IOwinContext's Request and Response objects, but if so, how?
Many thanks
I am in the middle of building a PhoneGap (Cordova) app which I would like to be able to talk to a Django site of mine. The steps needed to get the app working are:
Authenticate the user (stay logged-in across app restarts) (e.g. get session cookie from Django for communication with the service - where to store?). Note: The Django endpoint uses https.
When app receives push notification load some data from my django site.
Make selection on data and submit response back to my django site (will need the csrf token?)
I was able to sort out the push notifications but now I am wondering which solution would work best for the communication with Django.
As I understand there are two possible approaches:
Either to implement a REST service with something like tastypie or
try to setup the communication via ajax (e.g. jQuery)
At the moment I am thinking that going simply ajax might be the best approach since the app is fairly small and there are no additional requirement for a REST API.
It would be great if anyone could give me any pointers on how to solve this or share some experiece / code. Especially the steps of the authentication process are unclear to me.
I am not sure if this is still an open question but it is sure an interesting one.
I would strongly suggest on using the django-tastypie and you could start by using the docs which are indeed a great point of reference.
My experience until now has shown that I should always start by making my api clear(and rest) than choosing an easier faster solution(e.g. ajax) because if your app is a successful one, frameworks like tastypie help you scale.
The authentication process is pretty straightforward if you choose the basic one.
You just ask for the user credentials and there are many clients implementing the client side basic auth.
Fortunately, tastypie supports more than this. For example, the api authentication and you could read more here.
If you need anything else, please let me know.
Regards,
Michael.
I see that the goauth and go-oauth OAuth libraries have been written for the Go Programming Language, but a couple of hours of searching online turns up nothing for SAML.
I would like to use Go to implement SSO support using SAML for a web service, but without a SAML library for Go it looks like I will have to "wrap" the SAML logic in a separate service, implemented in another language.
Does anyone know of a Go-friendly SAML library, or maybe some some trick for using a Java, C, or PHP library from a Go program?
I have used gosaml and it works pretty good but there is also go-saml from robots and pencils.
I figured after a year, it would be good to answer this question because it would still be good to have some sort of answer here for people looking for SAML libraries for Go.
I haven't seen a SAML implementation for Go, but you could use a server that already implements it in front of your app.
One of the best supported SAML implementations is Shibboleth. The apache module is the most mature, and is probably the easiest method to use, since you just put your app behind a reverse proxy in apache. There's also a fastcgi authenticator, which uses the same backend, but I can't speak for it's ease of implementation.
If you just need a service-provider, the simplest SAML binding is HTTP-POST-SimpleSign. I made a proof-of-concept implementation in python, to try and demonstrate the simplest SP I could. I make no claims to the robustness of this module, but you can see that it could be done with not too much code. That's assuming the Identity Providers you're working with support this binding. And as always, be wary when deploying any custom security-related code.
If you want to validate SAML replies from AWS IdP in your assertion consumer endpoint then you better go with https://github.com/crewjam/saml as it does not rely on libxmlsec1 system library.
For some reason libxmlsec1 does not validate SAML replies from some IdP (AWS) successfully (supposedly because of some undefined namespaces).
I need to use ASIHTTPRequest , but it is not support oauth2 protocol .If there is a way to make ASIHTTPRequest to support oauth2?
You should take a look at What's the best iOS OAuth2 framework question here on StackOverflow. There MattDiPasquale mentioned the FROAuth2Request project on github which does exactly what you're looking for. It adds OAuth2 support to ASIHTTPRequest.
OAuth is not a protocol as, for example, HTTP or FTP, but builds ontop of HTTP and adds authentication. So what you're looking for is a implementation of OAuth (like https://github.com/thekarladam/MPOAuth) ontop of ASIHTTPRequest.
A short googling brought me to this project on github: https://github.com/mdales/asi-http-request . Maybe it's that what you're looking for? I don't know it, so I can't tell if it's good.