I'm currently stuck in a situation where by I have created a ASP Web API project and deployed in separately from my main MVC application, which uses the Thinktecture identity server for federated authentication.
The problem that i'm facing has to do with the web api cors support. More specifically, i authenticate my self in the mvc application but then when it sends requests to the web api i get the following error:
XMLHttpRequest cannot load XXX. The request was redirected to 'https://localhost/idsrv/issue/wsfed?wa=wsignin1.0&wtrealm=http%3a%2f%2floca…assive%2..., which is disallowed for cross-origin requests that require preflight.
The error makes sense, because the request doesn't contain the Http headers that are needed by the WSFederationAuthenticatioModule to verify that i'm already logged on.
Is there any possible workaround that I'm not aware of?
As far as I see you have 3 issues here:
1. How to enable WIF authentication with the Web API.
For this you should use Thinktecture.IdentityModel.45 (or the one for MVC 5 - Thinktecture.IdentityModel) that exists as a NuGet package. See the sample here: Web Api security sample
After that you'll have to send the token in a security header in the Ajax request.
If your MVC site and your Web Api are not on the same domain then you'll have to handle CORS issues
For issues 2 & 3 see: Dog fooding our api authentication
This Should also give you a good idea of how to use the security token received in your MVC site to authenticate with your Web API.
Related
I am buiding an app using svelteKit and django rest framework. SvelteKit is responsible for rendering HTML page(SSR) and django rest framework is responsible for providing restful API.
Both App server and browser will fetch my restful API. I want protect my restful api by add Authorization. After reading some documents, I plan to use OAuth2(django-oauth2-tookit) and I draw the following chart:
My auth flow chart
But I was confused by following problems:
I can use Authorization Code grant flow auth APP server, but how about the browser?
Can I separate the auth server and restful server, If so, how auth server protect restful server?
I can use Authorization Code grant flow auth APP server, but how about
the browser?
In fact the authorization code based flow is the one that is suitable & meant for web client. While using this flow server will redirect the intermediate code (oauth code) to the redirect uri passed in the request so client can capture that code and make another request to exchange it with access_token.
Can I separate the auth server and restful server, If so, how auth
server protect restful server?
Blockquote
Yes, you can. The resource server should talk to auth server to get the authentication/token object verified.
I have an angular 2 app, a Web API with OWIN Pipeline (.NET 4.6) and an ADFS 3.0. Every user who uses the angular 2 app needs to be authenticated and authorized via ADFS and if he's already logged in the domain he should be logged in to the Application automatically (Single Sign On)
Something like that:
I read tons of links and code on how to achieve that but I fail to put the pieces together.
As far as I understand ADFS 3.0 only supports OAuth 2 Authorization Code Flow which is either not supported or advised with a JS Application respectively on the Web per se.
I'm not quite sure which it is but the fact is I can't/shouldn't use it.
I understood that therefore I have to implement somekind of Authentication server on my Webserver where my Web API is (maybe IdentityServer 3 or something "homemade").
This lead me to think that I should use ADFS as an external login like google, or facebook which would lead to the following workflow
User requests token
Web API checks if user is already logged in to the domain
Logged in?
forward request to ADFS and verify.
ADFS returns OAuth Token to WebAPI
not logged in?
show login mask to user
forward request to ADFS and verify.
ADFS returns OAuth Token to WebAPI
Web API return OAuth Token to user
Is this even correct or am I completly off?
Anyway I fail to put the pieces to together.
I saw a lot of code which creates JWT Tokens in Web API (but doesn't communicate with ADFS) or communicates with ADFS via WS-Federation.
Additionally ADFS' OAuth 2 implementation seems to a bit special which adds another layer of complexity.
so my question would be:
How can I provide OAuth tokens to the user while authenticating against ADFS?
If you need any additional information I happily provide it
You will need ADFS 2016 which supports Single Page Apps that use Angular.JS. See https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/development/single-page-application-with-ad-fs for the flow and sample code.
You are right that ADFS 2012R2 only support authorization code flow which is only meant for native apps which are public clients to talk to a web api.
Thanks
//Sam (Twitter: #MrADFS)
Currently I have created a WebAPI Project using identity framework and I have setup tokens to be returned when authenticating with the API.
So now I am looking at creating a standalone MVC application that will allow the user to make calls to the WebAPI to get back end data.
The goal is to separate functionality so that other applications can also start interacting with back end data through web calls.
So the confusion now is how do I setup my MVC project so that I can use the Authorize attributes on controllers with the token received from the WebAPI. I think I need to enable bearer tokens in the ConfigureAuth method in Startup.Auth.cs. However will that be sufficient enough? Or do I also need to enable the cookie authentication?
MVC and Web Api are fundamentally different when it comes to authentication. With Web Api, the bearer token has to be set in the header of the request, but this is not an issue as all API requests are done programmatically by the client, i.e. there's human-intervention involved in setting up the client to authenticate the request properly.
MVC is a different beast in that the actions are accessed generally via a web browser, which will not automatically affix a bearer token to the request header. What it will do is pass cookies set by the server back to the server. That's why cookie auth is used most typically for MVC web applications.
What you should do is enable cookie auth for the MVC site and then set up your sign in action to authenticate via the Web Api. When you get back a valid auth from the Web Api, then you can manually sign in the user via the Identity API:
await SignInManager.SignInAsync(user);
In previous versions of ASP.NET you got authorization and authentication out of the box from the default template.
I have a Web API application and three or four well defined clients that will consume it and I need to secure it.
I read about OpenID and OAuth but they seem like an overkill for my problem.
What's the simplest way to achieve that?
These would be the 3 best solutions if you require security:
WEB API browser client: Implicit OAuth 2 flow
WEB API Application client: OAuth2 code flow
(With OpenId)
OR: Cookie Authentication with Cross-site request forgery protection. (Default template MVC 6 website template)
If your application is public, I would use at least one of these, otherwise it depends on how secure your data must be.
Well, it depends on your scenario. If you don't need authentication (because it's a server-to-server scenario), use a security token as described below. If you need authentication of the user, you may use Basic or Digest security combined with HTTPS.
In a security token scenario, the client simply has to add the token to the request headers and the server needs to validate the token. Make sure the requests transit as HTTPS to make sure the token is encrypted. Remember, this method is only valid if you know the applications that will access your API will be in a secure environment (another server, for example). Otherwise, I would go for another solution.
Ok, the situation is this.
We already have an existing ASP.NET MVC 5 site with Custom Forms Authentication, Logon, Registration etc with a custom database for roles and profiles already implemented.
We now are adding some new functionality to the MVC site and we decided to use Web Api 2 OData 3 endpoint which lives in another domain. The Web Api currently doesn't include any authentication but we need to be able to map the requests to a certain user to get his roles etc from the backend. The MVC and API sites use the same backend.
What we would like to accomplish is, that when the user logs on in the MVC site, the MVC site calls the Web Api server-to-server with the user's credentials and receives a token that the client can then use to call the web service with.
When API receives a request with the token, it can then map the request with the user in backend and do authorization.
As far as I understand it, Simple Web Token (SWT) could pull it through. But considering the environment, .NET 4.5.1 / Web Api 2 / OData 3 with Entity Framework in Azure Web Role, I started thinking is this SWT something I should really use or if there is any NEW technologies recently published that could easily pull this through. I don't want to add any unnecessary 3rd party dependencies to the project if the .NET stack already contains something like it.
So, what would be the simplest way of pulling this kind of authentication through without adding unnecessary dependencier to the project.
The solution we are looking for, is only temporary meanwhile we redesign our authentication scheme. So we are looking for something really simple to implement that works with least dependencies that need to be removed later on.
I'm using this in a project I'm currently working on. I use the OAuth 2.0 OWIN Middleware component that ships with Web API 2.0 (if you add a new Web API project with Authentication enabled, it includes the base infrastructure).
You would use the Resource Owner Password Flow as defined in the OAuth 2.0 specification. Basically you request a Token from the Web API OWIN Middleware sending:
client_id - identifies your MVC endpoint
client_secret - identifier your MVC endpoint
username
password
And in response you get a bearer token. The token generating is based upon a claims principal, the OAuth middleware component has predefined hooks for adding claims. This token now needs to be added as authorisation header to each response. On the MVC side you might add this to session so that it's always available to make backend API calls in the context of the user associated with an incoming HTTP request. If you're using WCF Data Services Client, you'll need an authorisation service/manager or similar that you can hook into OnRequestSending and OnResponseReceived events, so that you can insert that bearer token into the HTTP headers.
You can customise the OAuth Middleware component as you need to quite easily, it took a bit of time to figure it out as it's not too well documented, but downloading the Katana source code did help a bit as the source code does have some good documentation.
The nice thing about it all is that you simply need to enable HostAuthenticationFilter and add Authorize attributes on the Web API side and it's ready to go. You can get access to the claims principal object and use claims as identifying pieces of information for your user - e.g. identity, roles, other attributes etc.
To get started, look at http://www.asp.net/vnext/overview/authentication/individual-accounts-in-aspnet-web-api
Also as a wrap, I did consider the use of JSON Web Tokens (JWTs) as there is an OWIN library available for generating and parsing these. The use case here would be that you authenticate, get a JWT back, and then use the JWT to get an OAuth 2.0 bearer token. The JWT is useful if you want to move authentication elsewhere, or if you want to get additional information about the user at the MVC side of things.