In an ASP.NET Core 6 MVC web app, I'd like to integrate Servicestack's CredentialsAuthProvider and TOTP verification. My idea is to perform first authentication against Auth provider and only if it succeeds then do the TOTP verification.
I've seen this doc, but I think it can only be used only if I don't use ServiceStack’s Auth Provider..
How can I implement TOTP verification using Servicestack?
This document refers to Microsoft's Identity Auth, ServiceStack has 2 MVC Project Templates with integrated Identity Auth:
mvc-tailwind - MVC Identity Auth with Tailwind
mvcidentity - MVC Identity Auth with Bootstrap
Also see docs for MVC Identity Auth integration:
https://docs.servicestack.net/authentication-identity-aspnet
Related
I have a small web application to build on ASP.NET Core and it has both an UI and an API for external consumption.
I have some restrictions in terms of infrastruture so this would be hosted as a single app service in Azure if possible.
The thing is that the UI part must authenticate to an authentication provider with SAML, and the API part must authenticate/authorize with bearer tokens from Identity server.
My question is if this is possible under the same service, or if it is really necessary to have one project to the UI and other to the API?
ASP.NET Core supports multiple authentication handlers within the one application. The handlers are added through the builder.Services.AddAuthentication method.
If you're using IdentityServer4, it doesn't include native support for SAML SSO so you'll need to use something like the ComponentSpace SAML authentication handler. The following code adds support for SAML into IdentityServer4.
// Add SAML SSO services.
builder.Services.AddSaml(builder.Configuration.GetSection("SAML"));
// Add SAML authentication services.
builder.Services.AddAuthentication().AddSaml(options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.SignOutScheme= IdentityServerConstants.ExternalCookieAuthenticationScheme;
});
IdentityServer4 will delegate the SAML SSO to the SAML authentication handler which in turn will SSO to some external identity provider. IdentityServer4 will handle the issuance of bearer tokens.
This assumes that authentication has been delegated to IdentityServer4. Alternatively, you could handle the SAML SSO from within your application but it would be more involved to then have IdentityServer4 handle the issuance of bearer tokens.
I am trying to create an ASP.NET Core Web API project with role-based authorization, but there isn't any guide or article about it without using ASP.NET Core web app and razor pages which I don't want to use because I am making my own UI in angular. But also I want to do all logic behind authentication and authorization on BE.Is there any guide for step-by-step implementation of role-based authorization?
I have 3 roles: sysAdmin, employee, patient.
I have only one option for authentication and authorization and that is checking if session is expired for that account, but how do I hide content for that user?
When we have a web app, we can let users sign in and the request are all inside the server, so the cookie which contained user information can worked well for authorization. but when you have a SPA + web api, they usually use access token for authorization. and that's why I share the link with you, it showed how to authenticate the SPA.
I have Organization, UserType, AspNetUser,Department, Stock and SIM tables as the following schema
when the user call the endpoint api/sims/1
and the user type for the user is not super admin
and the organization of the user is not the same as the organization of the sim
i want to return unauthorized
so what is the best practice for doing this in asp.net core web api 3.1?
You could try to use Claims-based authorization or JWT authorization in the asp.net core web API application.
After user login successfully, you could add claims for the current user based on his organization. Then, according to the claims to add policy and configure the authorization. You could refer the following links:
Claim Based And Policy-Based Authorization With ASP.NET Core
Claims-based authorization in ASP.NET Core
Besides, you could also use the claims to generate a JwtSecurityToken, then protect the API application by implementing JWT authentication. Check the following tutorial:
Authentication And Authorization In ASP.NET Core Web API With JSON Web Tokens
JWT Authentication In ASP.NET Core
I already setup the MVC external login with my own OAuth2 provider. It seems the default "ASP.NET Identity" will still create the user locally (Using the default Entity Framework DB).
Is it possible to avoid this and completely leave the authentication to the external party? Like the Windows Authentication or JWT based WebAPI.
I tried to follow Use cookie authentication without ASP.NET Core Identity but it goes nowhere.
Does anyone have a complete example of using JWT bearer tokens with ASP.Net Core RC2 Identity? Preferably showing how to create the token also.
Thanks,
Paul
You may use OpenIdDict - a simple implementation of AspNet.Security.OpenIdConnect.Server.
Here and here is an example and article of using OpenIdDict.
Here is a discussion in Identity repo about JWT token authentication in ASP.Core
The official packages developed by Microsoft for ASP.NET Core only
support OAuth2 bearer token validation.
I'm personnaly using IdentityServer4 in ASP.NET core RC2 as an authentication app using JWT Bearer token. (very good Samples available) https://github.com/IdentityServer/IdentityServer4
For example : I have 3 projects (apps) in my solution
Login (IdentityServer4) that authenticate users and give them a JWT token when authenticated
API that is registered in IdentityServer4 as a consumer (Scope) for JWT tokens. Token attributes (Claims/Roles) are validated when accessing controller methods.
Web front end (Only HTML/AngularJS) that store the token and send it when sending a request (in the HTTP header) to the API. The front end is registered as "Client" in the Login
The big advantage to have an isolated Login app is that you can create as many API/front-end you want as long as you register them so they can communicate each other securely with the JWT token.
The samples available there https://github.com/IdentityServer/IdentityServer4.Samples are very straigtforward. If you have any question related to this project, feel free to ask.
I've ASP.NET Core 1.1 as backend and angular as front end solution with JWT bearer tokens. tokens can be easily created by lib.
https://github.com/Longfld/ASPNETcoreAngularJWT
I have a full example for ASP.NET Core with JWT auth: https://github.com/wilsonwu/netcoreauth
By the way, the database is SQL Server.