Implement Web API with OAuth and a Single Page Application - asp.net-web-api

We're developing an API and a single page application (that is one of more possible future consumers of it).
We already started on the web API, and basically implemented a system very similar to the one John Papa made in his course on pluralsight, named "Building Single Page Apps (SPA) with HTML5, ASP.NET Web API, Knockout and jQuery".
We now need to implement authentication and user managing in this application and need to find the easy way out to implement this in as little time as possible as we are in a hurry.
We realized the SPA template included in the ASP.NET update had very similar features to our needs, but we wonder what the best approach to implement a similar feature in our existing code.
We are novice developers, as you might figure.
Is it possible nstall some packages using the package manager, and voila, a simple membership and OAuth auth option be readily available?
Our use case is that we need to protect some resources on our API based on roles, and that one should be able to log in using a username and password, but also log in using ones facebook, google, or twitter account.

Found an interesting talk regarding the subject here: https://vimeo.com/43603474 named Dominick Baier - Securing ASP.NET Web APIs.
Synopsis: Microsoft’s new framework for writing RESTful web services and web APIs is appropriately enough called ASP.NET Web API. As the name applies, this technology is part of ASP.NET and also inherits its well-known security architecture. But in addition it also supports a number of new extensibility points and a flexible hosting infrastructure outside of IIS. There are a number of ways how to do authentication and authorization in Web API - from Windows to usernames and passwords up to token based authentication and everything in between. This talk explores the various options, and puts special focus on technologies like claims, SAML, OAuth2, Simple Web Tokens and delegation.

We eventually went with the SPA template, doing authentication on the API (separate MVC part).
Then the API would generate a unique token and redirect the user to the front-end with the token in url parameters.
The front-end then needs to send this token on every subsequent request.

Have a look here - Identity Server done by the security experts. This is all you need in one package.
In terms of OAuth, you would need to use Client-Side Web Application flow which the access token is issue immediately to the client and can be used.

Related

Xamarin Authenticate and Authorize Users with my Web Api

I've been searching for a solution that makes sense for the past few days, so forgive me if I overlooked something or am ignorant to the correct path.
I have an existing Website built with asp.net framework MVC where users register for Individual Accounts and are stored in a MSSQL Database. I'm creating a Xamarin.Forms app where we want users to login with their website credentials.
I've been looking at Microsoft docs to try and accomplish this. In the past I created an Apache Cordova app (2014) that communicated in a similar fashion successfully (potentially in an insecure way) that called the /Token endpoint and Authenticated the user with 'grant_password' flow and returned the user data to the app.
So I landed on this documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
However, from what I can gather it basically says this should be avoided moving forward and a MSAL approach should be used if possible.
After reading through hours and hours of documentation trying to make sense of it all, I can't seem to grasp what my options are. It seems to me that in any MSAL flow, users will have to login with Microsoft accounts or other social accounts (facebook, google).
Am I missing something?
Am I going to have to go against Microsoft's advice and end up storing the client_id and client_secret within the Xamarin app source code? Which from everything I've read is a big security concern, especially with Android apps.
References: 1. Restrict API requests to only my own mobile app 2. How to secure an API REST for mobile app? (if sniffing requests gives you the "key")
Any help or direction would be really appreciated. Thank you
Your focus should be on requirements + understanding preferred designs rather than jumping to a technology.
DIRECTION
Standard modern systems look like this:
Mobile apps use OpenID Connect to sign users in
Authorization Server issues access tokens to the mobile app
APIs authorize requests via JWTs containing scopes and claims
Aim to make iterative steps towards this type of architecture.
PATTERNS
Plug in an Authorization Server, which uses your existing database as a credential store
Mobile app uses AppAuth Libraries to sign users in and receives access tokens
Back end can handle JWTs without data security risks
DIFFICULT AREAS
Your existing back end may have no support for mobile clients, and be too web focused - eg requiring cookies to access data, so may need to be split in be into 2 entry points.
Choosing an Authorization Server (while you are learning) is difficult, because you may not know what you want yet.
The mobile app will spin up the system browser and present a login page from the Authorization Server, so the login UX could be unexpected.
STEP 1
Ensure that you can authenticate from the mobile app, then make API calls with JWTs and ensure that requests for data are properly authorized. This could use ropc and involve a temporary API. But the deliverable should be that your back end now supports calls from mobile apps.
STEP 2
Integrate AppAuth into the mobile app, which is tricky but there are resources online such as Curity Mobile Guides. Update the mobile app to use the Code Flow and integrate an Authorization Server, then deal with connecting to credential stores.
SUMMARY
This stuff is hard and reflects the cost of modernising architectures. It requires people agreement as well as the technical stuff. Happy to answer follow up questions if it helps.

Multi Domain with single login,

I have been planning to create a laravel+vuejs apps stretching across subdomains (presentation creator, forms creator, polls creator etc.,each in a subdomain) and will have 2 version of the same web app (indian version with different languages and content and international with different language and content) in 2 different domain say domain.in and domain.com but I want users from any app or domain to login with the single user login say from passport.domain.com we have WAP versions of the websites served from wap.domain.in and wap.domain.com and also mobile apps for both.
Now, normal users based on the userid and password, the user from .com domain will
be able to access apps and content only from .com domain and .in
will be able to access only from .in
Users will be able to login using facebook, linkedin, google, etc.,
We will have only a single app for iOS and Android and based on the username and password the apps will be able to access corresponding domain.
wap sites will login using the same passport.domain.com
mobile app will be able to access data from the domain through an appID and Key.
others will be able to embed the presentations and forms into their website using an api key and secret.
certain users will be able to transfer data created in one domain to another user in the other domain
admin users will be able to transfer data from both domains.
other platforms may be able to login using the user id from this platform.
is all this part of SSO (Single sign on) ?
is this achievable in laravel ?
is it advisable to write the sign in server in a different framework ?
different tech like SAML Outh2.0 and Open ID with terms like Authorization, authentication and id provider make it all confusing and baffling for a start up.
can some one tell me what tech are involved in the above process. and what one should be aware before jumping in to start development.
That's a lot of questions :)
IS IT POSSIBLE?
OAuth 2.0 based technologies will give you the best options, since:
It has the most up to date app security options
It is designed to be web, mobile and API friendly
Access tokens are designed to cross domains
WILL OAUTH DO EVERYTHING?
No it will not - you will need to build most of the above behaviour yourself, and implement a software architecture, as for any other security technology.
An Authorization Server will externalise logins / passwords and issue tokens. Your apps will then need to implement 'flows' including:
Web token based security and session management
Mobile token based security and session management
API token validation and claims handling
Integrating third party security libraries
GUIDANCE
When new to OAuth tech the best choices and design patterns are not clear, as you indicate. If it helps, my blog has some details you may find useful, but it is not a simple journey:
Step by step tutorials and code samples
Design posts on the tricky areas
Blog Index
This is not a Solution but an article I stumbled upon which explain the terminologies involved in user authentication and SSO.
Laravel authentication an overview
Hope this helps others who are looking for an answer like me now or in future.

Choose best authentication and authorization option for Web API

We have our own existing we portal in ASP.NET MVC, now our one of the customer do not want to use our portal as separate tool, instead they want to consume our feature via WEB API and consume it on their side.
Now I want to implement authentication and authorization in web API, I did google to find my question's answer, but didn't get it.
I am confused in below points.
Is it best choice to OWIN the default implementation which Microsoft provide? or some custom implementation?
What are the advantage and disadvantage to use OWIN in terms of security?
When to Use JWT (Json Web token) and OWIN?
Or any other implementation which help to create more secured web API?
Looking for all expert's valuable to input to help me to decide.
I implemented something similar. This is how we work: we have our application (MVC app) which permits us to login. Logging in uses a separate mvc project (our STS) which handles all user authentication. When our login and password is posted correctly, we generate a JWT which is returned to the MVC app. Back on the application side, we decode our token and build up the claims in it in an asp.net application cookie.
We also have a separate project containing our WebApi REST methods. Those can only be called by using the JWT generated by our STS. We elaborated this more with a custom attribute so we can set permissions on specific permission or role claims that are in the token.
For creating all of this, i was helped very much using these series of articles: http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/
In terms of architecture this is in my opinion 'how it should be' but i am not an expert in this.
So summary:
Web Application - application cookie to authenticate/authorize
Calling WebApi Rest methods - using the JWT to authenticate/authorize
Separate STS which takes in POSTS to authenticate and generate JWTs

How to authorize asp net app with web api server

I need to authorize my web client asp net mvc app with asp net web api. How to authenticate?
i have a wep api server an have access to database, but my asp net mvc app don't access to the database.
Assuming here Web API does all database related operation, MVC project is for UI purpose which calls Web API through JavaScript or HTTPClient.
Implement Identity Management(Authentication API) using Identity 2.1/ Web API. Use this Identity Management. Implement Token based authentication so that you can use "Authorize" for point 2
Use this Identity management along with Web Api which talks to database. Use appropriate web api methods with "Authorize" attribute.
Let MVC application authenticate users by accessing this newly created Identity Management, on success keep hold of tokens, call web api(database) with token in headers which will look for authorize and gives proper access to web api methods.
Using this approach will give web api(database) strong authentication layer, plus api's will work with different clients MVC, WPF, mobile apps. Some additional efforts are involved but its worth in long term.
Have a look at this, actually it is a big article and it has a lot of things that you might.
To have fast look at the authentication part search for GenericAuthenticationFilter in the article.
The another thing which related to call it from mvc, it is already answered:
How to call an ApiController from another .net project?
I hope this helps.

ASP.NET Web Api security using Active Directory

I've searched the posts and have not found exactly what I'm looking for pertaining to my question. For example Security ... through AD asks more the question is it wise? My question is this:
We are implementing WCF applications and we are now putting WCF ... I mean ASP.NET Web Api ;)
into our server stack. I want to secure the services by requiring that the user log on to ADS, but if they already have logged on (via network login or other means) then I don't request a login. Rolebased authorization then occurs within the services.
I cannot find good discussions or examples of how I handle ADS authorization especilly through all of the future endpoints (tablet and phone).
My one thought was that the user does a login to ADS and the token then becomes what gets handled for security and rights. So now I'm a little bit concerned about how much coding has to be done to accomplish this. We are looking at FederatedServices to handle this in WCF but there is no such control in this weak API.
So I'm interested in any input or direct me to a great article on this. So far all I see is self-rolled security which our old server has and I do NOT want that crap again.
Oh yes, did I mention our target is single signon throughout our web services??? :)
Best place to start is Dominick's Thinktecture Identity for Web API. It is the de-facto security framework for Web API and supports token based identity.

Resources