How to implement rfc7662 in .Net Core (Token Introspection for resource servers to obtain information about access tokens.) - asp.net-core

I need to implement rfc7662 in Microsoft .Net Core 7 Web API. Is there a library/dependency from Microsoft that provides this functionality?
I found IdentityModel.AspNetCore.OAuth2Introspection but I'm having trouble getting it to work. I get 500 errors and I'm not able to identify the root cause.
Note: It's not JWT Authentication!
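The exchange RFC 7662 defines between a resource server and the introspection endpoint, as an added example that is not part of the original question and is not the code of the IdentityModel.AspNetCore.OAuth2Introspection handler. The endpoint URL, client credentials, token strings and the `StubAuthorizationServer` class are constructed for illustration; the stub stands in for the authorization server so the program runs offline.

```csharp
// Added example: .NET 7 console project with implicit usings; all values are constructed.
using System.Net;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;

var http = new HttpClient(new StubAuthorizationServer());
var endpoint = new Uri("https://as.example/introspect");   // placeholder URL

foreach (var token in new[] { "good-token", "revoked-token" })
    Console.WriteLine($"{token}: active={await IsActiveAsync(token)}");

// Resource-server side: request per RFC 7662 section 2.1, response per section 2.2.
async Task<bool> IsActiveAsync(string token)
{
    var body = $"token={Uri.EscapeDataString(token)}&token_type_hint=access_token";
    var req = new HttpRequestMessage(HttpMethod.Post, endpoint)
    {
        Content = new StringContent(body, Encoding.UTF8, "application/x-www-form-urlencoded"),
    };
    // The endpoint itself is protected; here with HTTP Basic client credentials.
    req.Headers.Authorization = new AuthenticationHeaderValue("Basic",
        Convert.ToBase64String(Encoding.UTF8.GetBytes("api1:api1-secret")));

    using var resp = await http.SendAsync(req);
    // Non-2xx means the introspection call itself failed (wrong URL or credentials).
    resp.EnsureSuccessStatusCode();

    using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
    // "active" is the only required member; anything other than JSON true is a reject.
    return doc.RootElement.TryGetProperty("active", out var active)
        && active.ValueKind == JsonValueKind.True;
}

// Authorization-server side, stubbed so the example runs offline.
class StubAuthorizationServer : HttpMessageHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        if (request.Headers.Authorization?.Scheme != "Basic")
            return new HttpResponseMessage(HttpStatusCode.Unauthorized);
        var form = await request.Content!.ReadAsStringAsync(ct);
        var json = form.StartsWith("token=good-token&")
            ? "{\"active\":true,\"scope\":\"api1.read\",\"client_id\":\"spa\",\"sub\":\"alice\"}"
            : "{\"active\":false}";   // unknown, expired and revoked tokens all look alike
        return new HttpResponseMessage(HttpStatusCode.OK)
        { Content = new StringContent(json, Encoding.UTF8, "application/json") };
    }
}
```

Keeping a transport or credential failure (the exception from `EnsureSuccessStatusCode`) separate from an `"active": false` answer makes it possible to tell a misconfigured introspection client apart from a rejected token.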

Related

Integrate ASP.NET Core Identity With Microsoft.Identity.Web in Blazor for Authentication

I have been working on authentication methods for my blazor app for some time now. I am currently developing as a standalone protected WebApi + Blazor Server, but will ultimately migrate to standalone protected WebApi + Hosted Blazor WASM so I need to be mindful of both server and client side authentication. The WebAPI will also serve an external OData feed and API for end users that also needs to be protected using the central authentication mechanism.
I would like to be able to sign on with Microsoft (i.e. Microsoft.Identity.Web / MSAL), but want to configure some fairly complex roles and behaviours at the database level (i.e. ASP.NET Core Identity). To hopefully help someone else understand the different documentation sets, following are links to MS docs for the 2 options.
Introduction to Identity on ASP.NET Core
Microsoft Identity Platform Documentation
Don’t know about anyone else, but I have found it very difficult to navigate through the different documentation sets and tutorials to firstly understand how they work and secondly determine if it is best for me.
My question is, does anyone have any documentation on how they have integrated Microsoft.Identity.Web with the individual user accounts available in ASP.NET Core Identity for Blazor Server and/or WASM apps?
The following link shows how to do it all within ASP.NET Core Identity.
Integrate ASP.NET Core Identity with Microsoft account | BinaryIntellect Knowledge Base
If I was building an MVC web app, that’s what I would do. However, I really like the token handling capabilities of Microsoft.Identity.Web / MSAL (i.e. ITokenAcquisition etc.) for Blazor. It seems to be a real kludge to have to use the Razor pages for ASP.NET Core Identity and handling tokens securely becomes an issue – especially for Blazor WASM.
Chris Sainty has done some good work in porting some of the ASP.Net Razor pages to Blazor Components in the following link. However he does a lot of (very clever) manual processing of the token and I’m not sure I like the idea of storing the token in unprotected Local Storage of the blazor app. I haven’t gone into it in full detail yet, but I don’t think this method will be directly transferrable to Blazor WASM.
Authentication with client-side Blazor using WebAPI and ASP.NET Core Identity (chrissainty.com)
This SO post indicates that it is not possible to integrate Individual user accounts with Microsoft.Identity.Web.
c# - Microsoft Identity Plataform with asp.net Core Identity - Stack Overflow
I got a working solution going where I had both ASP.NET Core Identity and Microsoft.Identity.Web working side by side. However, I found this to be very difficult to implement and debug. Once you start mixing the various builder.Services.AddAuthentication() options (e.g. .AddMicrosoftIdentityWebApp, .AddMicrosoftIdentityWebApi, .AddIdentityCore, .AddIdentity, .AddDefaultIdentity, .AddJwtBearer etc. etc.) I have found that you enter a world of pain and unpredictable behaviour. I basically had to go back to the source for each of them to work out what they were actually doing under the covers and work out how to blend them. I ended up going back to the raw OAuth / OpenId specifications and implementing everything manually – which is very unsatisfactory and I was unhappy with the risk I was taking in potentially introducing a security flaw – even though I got it to “work”.
EDIT: This SO post is similar to what I implemented. Microsoft Identity Local User Accounts and MSAL
I can’t believe how hard it has been to just get to this level of understanding, and still not have a solid working concept that does what I want it to do that is supported by documented acceptable techniques and not just my kludge at implementing everything manually.
Right now it appears to me that if I want to use as much out of the box / documented functionality as possible, I suspect that I should use ASP.NET Core Identity and work out how to integrate the ASP.NET Razor pages into my Web API, Blazor Server and Blazor WASM apps. However, this appears to be a backward step since Microsoft.Identity.Web / MSAL seems to be so much better suited to Blazor and seems to be the direction that MS is going.
If anyone can point me to some current examples of how this can be done, I would be very thankful.
I think I have found at least a partial answer to my question. The key problem I faced was how to capture the callback event from Microsoft.Identity.Web so that I can persist / retrieve info to/from the database during the authentication event. I was hung up on the ASP.NET Core Identity method of doing that.
I found the following SO post that provides information on how to respond to the OnTokenValidated event using Microsoft.Identity.Web. Microsoft.Identity.Web: OnTokenValidated event not triggered
Having access to this event means that I will be able to implement what I need to do at the database level and move on.
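One way to hook that event and attach database-held roles to the signed-in user, as an added example that is not code from the post or from the linked answers. It assumes the Microsoft.Identity.Web package and an `AzureAd` configuration section; `ILocalUserStore` and `InMemoryUserStore` are hypothetical stand-ins for the application's own persistence layer.

```csharp
// Added example: Program.cs of an ASP.NET Core app that signs in with Microsoft.Identity.Web.
using System.Collections.Concurrent;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSingleton<ILocalUserStore, InMemoryUserStore>();   // hypothetical store
builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration, "AzureAd");
builder.Services.AddAuthorization();

builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    var inner = options.Events.OnTokenValidated;   // keep the handler already registered
    options.Events.OnTokenValidated = async context =>
    {
        await inner(context);
        var oid = context.Principal?.GetObjectId();   // stable per-user id in the tenant
        if (string.IsNullOrEmpty(oid)) { context.Fail("No object id claim."); return; }

        var store = context.HttpContext.RequestServices.GetRequiredService<ILocalUserStore>();
        var roles = await store.UpsertAndGetRolesAsync(oid, context.Principal!.Identity?.Name);
        var identity = (ClaimsIdentity)context.Principal.Identity!;
        foreach (var role in roles)   // roles come from the local store, not from the token
            identity.AddClaim(new Claim(identity.RoleClaimType, role));
    };
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", (ClaimsPrincipal user) => $"Hello {user.Identity?.Name}").RequireAuthorization();
app.Run();

// Hypothetical persistence layer; a real one would be a database-backed, scoped service.
interface ILocalUserStore
{
    Task<IReadOnlyList<string>> UpsertAndGetRolesAsync(string objectId, string? displayName);
}

class InMemoryUserStore : ILocalUserStore
{
    private readonly ConcurrentDictionary<string, string[]> _roles = new();
    public Task<IReadOnlyList<string>> UpsertAndGetRolesAsync(string objectId, string? displayName)
        => Task.FromResult<IReadOnlyList<string>>(_roles.GetOrAdd(objectId, _ => new[] { "User" }));
}
```

Assigning a new handler without awaiting the previous one would drop whatever was registered before it, and failing the context when the identifier claim is missing keeps a user without a local record from being signed in with no roles applied.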

Upgrading RavenDB from build 2910 to 3599 breaks API key authentication

I have just upgraded my production database from build 2910 to build 3599 and it appears that the API Key authentication that was working previously is now broken.
Anonymous access is working when I go to studio without an API key because anonymous access is turned on. Before, if I attempted to connect to studio without an API key I'd get an Unauthorized error. Now, when I attempt to set AnonymousAccess to None then I get an "unauthorized" error although I'm passing the key that worked previously, before my upgrade.
In addition, other clients seem to be using the database fine (all CRUD operations) and it just seems to be studio.
Are there new settings I may be missing in the web.config (running in IIS mode)?
UPDATE
I am able to disable anonymous access and access the new Raven HTML 5 studio with my API key and a properly formatted URL. Is the Silverlight studio client broken in 3.0?

Difference between Elmah and Elmah.Contrib.WebApi

I am confused between Elmah and Elmah.Contrib.WebApi. Which one is the best option for Web API? I am already using NLog for exception logging along with tracing in Web API, so how is Elmah different from all of them? What exactly is the need for going with Elmah?
Thanks in Advance
I find that it is useful for catching errors that you did not catch and log yourself. I am using it for an MVC application and it sends me an email when I have an issue that I need to resolve. I can be proactive and I am working on errors before I can hear from the user.
Elmah addresses your default application error logging. However when you're using Web API, for example ASP.NET MVC Web API, you need some extra logic to log your Web API errors within your Elmah data store.
There are a few ways to address this requirement, one being to use the Elmah.Contrib.WebApi package.
Once the package is imported to your project remember to follow any implementation requirements, i.e. startup filter registry (as noted here).

Authorization forbidden when using Orbeon eXist DB REST API

I'm new to Orbeon 4.1 and I'm trying to query the Orbeon eXist DB from an external application.
When I query for a form instance I keep getting a "not authorized" error. For example:
GET request:
http://localhost:8080/orbeon/exist/rest/db/orbeon/fr/test-app/test-form/data/9b9b4f73af642fe042ec4cf7b4f03c64fa15fbd4/data.xml
Response:
HTTP Error 403 (Forbidden): The server refused to fulfill the request.
Any ideas what I might be doing wrong?
EDIT:
I ended up installing eXist-db as a stand-alone webapp. Now I can query the eXist-db REST API directly and everything seems to be working fine.
This is because since version 4, services are protected by default, as you most likely don't want your users to be able to access eXist or the persistence services. You can open those services again, but instead, it is better to set up an authorization service, and have whoever calls the services authenticate itself.

ServiceStack with IIS

I'm trying to publish my website that contains references to servicestack rest APIs.
The Website is fine, but when it tries to access my REST services generated by ServiceStack, it returns 404 errors.
Does anyone know how to publish serviceStack REST services on IIS6?
Thanks
From the instructions on ServiceStack's Hello World tutorial:
Note: due to limitations in IIS 6 - the /custompath must end with .ashx, e.g: path="servicestack.ashx"
The name can be anything, e.g. it can be api.ashx if you want.
The limitations of handler mappings in ASP.NET/IIS 6 and other possible solutions are explained in this answer.