Using both Anonymous and Windows Authentication in ASP.NET Web API - asp.net-web-api

I've implemented an ASP.NET Web API application having one regular controller (HomeController) and several other Web API controllers. I have already handled authentication for the API controllers (using anonymous authentication together with custom authorization attributes), but I want to restrict access to the MVC controller and all its actions using Windows Authentication, without affecting the rest of the controllers.
Is it possible to achieve this? Can Windows and Anonymous authentication be mixed in such a way in a Web API application?
Note: the application will be hosted in IIS.
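One way to express the restriction described in the question in code, as an added example that is not part of the original post: an MVC-side authorization filter that admits only Windows-authenticated callers and answers everything else with a 401, so that IIS (with both Anonymous and Windows Authentication enabled for the site) appends its Negotiate/NTLM challenge and the browser completes Windows authentication. The Web API controllers are untouched and keep their own custom attributes. The namespace `MixedAuthDemo.Filters` and the attribute name `WindowsOnlyAuthorizeAttribute` are hypothetical.

```csharp
// Added example (not from the question): MVC authorization filter that only admits
// Windows-authenticated users. Assumes IIS has BOTH Anonymous and Windows
// Authentication enabled for the site, so anonymous requests still reach the
// Web API controllers while any 401 from the app gets a Negotiate/NTLM challenge.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;   // the MVC AuthorizeAttribute, not System.Web.Http's

namespace MixedAuthDemo.Filters   // hypothetical namespace
{
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
    public sealed class WindowsOnlyAuthorizeAttribute : AuthorizeAttribute
    {
        // Authentication types IIS reports for a Windows-authenticated identity.
        private static readonly string[] WindowsAuthTypes = { "Negotiate", "NTLM", "Kerberos" };

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext == null) throw new ArgumentNullException("httpContext");

            IIdentity identity = httpContext.User == null ? null : httpContext.User.Identity;
            if (identity == null || !identity.IsAuthenticated)
                return false;   // anonymous caller: deny, IIS turns the 401 into a challenge

            // Only accept identities produced by Windows Authentication. A token- or
            // claims-based principal created for the API controllers must not unlock
            // the MVC pages, even if it is marked as authenticated.
            bool isWindowsType = Array.Exists(WindowsAuthTypes,
                t => string.Equals(t, identity.AuthenticationType, StringComparison.OrdinalIgnoreCase));
            if (!(identity is WindowsIdentity) || !isWindowsType)
                return false;

            // Defer to the base class for any Users="..." / Roles="..." restrictions
            // placed on the attribute.
            return base.AuthorizeCore(httpContext);
        }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            // Respond 401 rather than redirecting to a login page: the browser then
            // completes the Negotiate/NTLM handshake with IIS on the retry.
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }
}

// Usage: apply to the MVC controller only; Web API controllers keep their own attributes.
// [MixedAuthDemo.Filters.WindowsOnlyAuthorize]
// public class HomeController : Controller { ... }
```

Two things to check in the same application: `<authentication mode="...">` in web.config must not be `Forms`, because the Forms module rewrites every 401 into a 302 to the login page and the Windows challenge never reaches the browser; and if the site already references `System.Web.Http`, qualify `AuthorizeAttribute` as above so the MVC one is subclassed. The same 401 can be produced without code by a `<location path="Home">` element in web.config containing `<authorization><deny users="?"/></authorization>`, which is the more common way to mix the two modes under IIS.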

Related

Which is the best way to use OKTA SSO, for my asp.net MVC web application(C#)

Which is the best way to use OKTA SSO, for my asp.net MVC web application(C#) and I need to integrate outlook to my web application where I need to access user address book(Outlook).

OAuth/ SAML authentication with ASP .Net Web API framework

I am working with a project where frontend is Angular 4. It consumes Asp.Net WEB API services. I have implemented token based authentication for accessing restricted api calls along with refresh token implementation.
Now I want to implement additional authentication mechanisms like native AD, ADFS and other third-party services like OKTA using SAML 2 authentication.
I want to understand the flow and how it will work with Web API along with an Angular SPA.
These are the flows you could use: https://developer.okta.com/authentication-guide/implementing-authentication/, and Okta already has SDKs that can help you: https://developer.okta.com/quickstart/#/angular/nodejs/generic (uses the Implicit flow).

WebApi and MVC authentication in the same project

I've been trying to find an answer since yesterday and so far no luck, unfortunately.
We have a WebApi backend with a frontend written in Angular2.
Authentication is created with the use of JWT Tokens.
So basically user makes a call to WebApi and obtains the Authentication token that stores some other info like Roles in Claims.
In the same project there are other things we'd like to include with very limited functionality so there is no need to separate them to another project like: small MVC app, HangFire, Elmah etc.
How can we authorize those apps? Is it possible to use the JWT token obtained from WebApi? If I understand correctly, MVC and WebApi exist in different contexts.

WebApi service call authentication with WS-Federation and SAML

I'm trying to integrate WS-Federation into my ASP.NET Web API. I have 2 Azure-hosted app services, one for the web app and one for the Web API. Users can access the Web API from the web app or can make direct calls from the browser.
I looked at the Azure samples https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect and https://github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation
I am unable to combine both samples to get what I need, i.e. use WS-Federation for both the web application and the Web API.
P.S. I'm getting back a SAML token from the IdP, and we are not using ADFS but Ping.

Securing webapp with UI & service Layer

I am developing a web app which will consist of two different deployments: one containing the service layer (services, database access, etc.) with a REST endpoint, and on the other hand a UI layer that only has a presentation layer based on the data retrieved by consuming the REST endpoint of the service layer.
I am using Spring to develop both apps, so the natural idea would be to secure the application using Spring Security.
But how would I go about achieving that? I guess the login page should be on the UI layer, but how do I share security concerns across both apps? Is there any bibliography on a similar case?
Note that these two deployments do not necessarily reside in the same container.
Usually the REST service layer runs on a separate server with its own notion of authentication, for example Basic or Digest authentication, which Spring Security supports out of the box.
Clients of the REST service will either use a REST login service to authenticate themselves and make further requests by passing a session token alongside the request, or, more frequently, sign each request with a REST API key that was pre-assigned to each client.
In this case the client of the REST service is the frontend server, which serves the login page and any other pages of the web application, and also replies to the pages' AJAX requests, which cannot go directly to the REST server due to the same-origin policy.
This way there are two separate setups of Spring Security: Basic/Digest/custom authentication on the REST side, and form-login authentication on the frontend server side.
The user identifies itself to the frontend server, and the frontend server identifies itself to the REST server. The data served to a page might be a combination of several REST calls.
