I have a website with some areas that require a login via forms-based authentication, using my own provider that connects to the database.
The website is in preview so I want to protect the entire site via basic auth to prevent unauthorized access before it goes live.
The problem is when basic and forms auth is on the pages that will be public go to the forms login instead.
How can I keep the forms based authentication for member login and portal access, but protect the entire site from public access before go-live by using basic auth?
I think you should be able to satisfy your use case in the following manner.
Within the site .Net Authorization Rules create a Deny rule for anonymous users.
At the site Authentication enable Basic and Forms authentication. Disable all other authentication types. This should require all users to be authenticated with basic authentication to use the base site and then require forms login to the parts of the site that requires your custom authentication.
Related
I'm using Laravel Passport password grant type to enable my mobile clients(Android, iOS ...) to generate an access token. My mobile clients cannot use oauth/token route to get access and refresh tokens themselves, because it uses web middleware (as I understand). My questions is,
Should I make request to oauth/token myself in server by passing data mobile clients posted? If I do this how do I bypass web middleware. (Manually creating a dummy user and using it to bypass web middleware is not that I want and weird solution)
In my particular case I always this by removing \Illuminate\Session\Middleware\AuthenticateSession::class from the web middlewareGroup on app/Kernel.php.
I'm also using laravel-cors to allow Cross-Origin Resource Sharing headers. My apps are API only and the clients are external (both mobile and web clients are external) and they all authenticate and renew tokens themselves interacting with the Passport routes.
I have the following setup:
1) WebAPI that accepts JWT Bearer tokens for auth.
2) Portal (WebApp) that puts a nice face on the json output from this WebAPI. It does OpenIdConnect authentication and uses Cookies to persist login information. It is an ASP.NET Core MVC app.
3) The WebAPI and WebApp are on different domains.
4) The WebAPI layer is designed to be called by any 3rd party who can present a valid token - either via App auth (client_credential flow, for eg) OR Delegated User auth (implicit flow, for eg). The WebAPI also does RBAC auth.
At this point, the problem I have is this:
1) I want to be able to make AJAX calls from the WebApp controller pages (cshtml) to my WebAPI so that the pages are responsive and there are no POSTs. So I integrated ADAL.JS into the page for that purpose. It works from a functionality pov.
2) HOWEVER, this results in multiple authentication dialogs (web page popups).
-- 1st auth popup. Upon navigation to the Portal homepage, I get challenged and have to enter my credentials on my company login page (federated AD auth).
-- 2nd auth popup. Then when I invoke anything on the Portal pages that involves ADAL.JS (namely the AJAX calls), it causes another login dialog because ADAL.JS cannot see the login cookie from ADAL.NET layer. This dialog comes up and goes away without any input needed tho (because the cookies from (1) are sent along to the server automatically by the browser). At this point, I have the ID_TOKEN and an ACCESSTOKEN for the PortalApp's client_id show up in the ADAL localStorage area.
-- 3rd auth popup. Then another dialog pops up; it uses a Hello pin login (I assume this is due to 2-factor auth requirement enforced by my tenant). At this point, I see the ACCESS TOKEN for the WebAPIApp's client_id show up in the ADAL LocalStorage area.
And now my AJAX calls start working.
Is there a better way to do this so that I can get the benefits of AJAX and not have to resort to serverside POSTs and have only 1 auth dialog instead of 3?
(I thought of may be switching ALL authentication to be done by ADAL.JS for the entire site, but I like the paradigm of using the [Authorize] flags and RBAC for the Controllers. OR is there a way to make my WebAPI accept both JWT and Cookie authentication?
Thanks!
I am trying to develop a VueJS SPA app with WebApi 2 as backend and would like to implement OWIN authentication.
The front end app should be accessible to intranet users (Windows authentication) and based on the roles (already existing table that is stored in the database- which I would like to add to claims), the corresponding pages should be accessible to user.
Most of the examples use Forms Authentication, which return token, which are not helpful in my situation
Follow the link http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/ for token based authentication.
I am using Spring Security to authenticate with SAML and Okta, generally it works, I am able to authenticate a user and access secured URLs within my application. So far so good.
Now I have a requirement for a special type of 'internal' users to use different authentication mechanism (those users will not be in AD nor Okta) - so if authentication fails using Okta I want to display different login page. Problem is that I am unable to redirect from Okta login page to my custom page after unsuccessful login, seems like Okta will not redirect even after many unsuccessful attempts.
Is there a way to implement such requirement?
You can't redirect Okta on a failed authentication. You will need to determine what type of authentication to use prior to validating the username and password. Okta supports application based custom login page and so when the user tries to access the application, Okta redirects to your login page. From there your login page will determine where to authenticate the user.
Okta configuration for custom login page
You can use Okta's Authentication APIs and SDKs to authenticate against AD and custom code.
I have a Single Page Application for non-/mobile html5 browsers getting data from a RESTful HTTP API with asp.net web api. We use OWIN self hosting running in a windows service.
I do not want cookie based authentication. I would like to authenticate the user and give him a json based access token with its claims/permissions to edit/create/delete/show certains things in the UI.
I do not need external login provider. Our user will authenticate with username and password not their google email...
Now I askmyself should I go in direction thinktecture and identyserver, or asp.net identity or...OWIN and ExternalBearer authentication, I am lost here.
What would be your recommendation basing on my information?
IdentityServer is suitable for scenarios where you have multiple applications and want them to authenticate against a single STS, basically if you want SSO. The scenario you described is achieved in IdentityServer by OAuth. That is you define an application you wish to use IdentityServer to authenticate, and then create an OAuth client to get access tokens for accessing that application. If that's not the case then you're probably better off avoiding the complexity of introducing a 3rd party component to do that work. We're using IdentityServer to authenticate users of 3 different apps 2 SPAs and an MVC application. Also, you realy can't seperate OWIN and ASP.NET identity in this case. The OWIN middleware will give you the tokens and it will be using ASP.NET Identity as a user repository to authenticate users, so OWIN is just doing the job of providing tokens and using ASP.NET Identity to authenticate users.