Morning,
I am attempting to create an auth provider that integrates with the Duende BFF framework. This framework manages all authentication tasks and communication with external apis. For example, starting the login process is as easy as redirecting the browser to "/bff/login". Getting user info client side is a call to "/bff/user".
My question is, how do I integrate with this system when it is all managed by the backend instead of the frontend?
Please help.
Related
I have a Blazor Webassembly app (Asp Net Core hosted).
I secured my app using JWT Token. Client makes a request to Server and if the request is valid, server sends JWT Token to client and token is saved in local storage. Client reads the token in storage and this way authentication is handled.
I followed the following practice from Chris Sainty :
https://chrissainty.com/securing-your-blazor-apps-authentication-with-clientside-blazor-using-webapi-aspnet-core-identity/
Now I want to enable users to login app with their Google or Microsoft accounts. What would be the best approach for this?
I tried Google and Microsoft authentication on server-side but I couldn't pass the token to client. (because there is no request from client..)
Your response exist in these links:
Google Authentication by OIDC
Microsoft Account using MSAL
But the details requires studying related Service and js files.
You can study sources of Remote Authentication Service in Github for both oidc and msal in following sites:
Web Assembly Authentication Service
Personally I suggest you to use Microsoft Account which also allow authentication through Google and other providers too. Altough oidc provider is more oidc than msal approach. Microsot implemented Code Authorization flow in msal while Google uses implicit token flow (do not forget that these happen in client side). There is two different js files for implementing the underlying requests so I do not think even the combining them work in this way. May be it is better you code it your self by implementing an authentication state provider which uses JS Interop.
You also can see following example which may help you by DotNet guys:
Example of Web Assembly
I'm building a web application; the frontend is a SPA using Angular8 and the backend is an ASP.NET Core 3.1 Web API.
The application already has its own authentication scheme, setup using JWT Bearer tokens.
Now I need to add the ability for the backend to sync events on the Office365 calendar of the users. The requirements are:
Users should login to their Microsoft Office365 account on the frontend;
The frontend should "save" the results of the authentication on the backend, allowing the backend to periodically interact with the Micosoft Graph API.
In the (rare) case for some reasons the authentication must be renewed (for example different rights/scopes are required), the backend will notify the frontend that a new login is required.
I am currently able to perform a successful login in example applications using MSAL.NET and msal-angular, but what I cannot do is to pass the result of the authentication I get from msal-angular to .NET and use it to proceed with further calls and token renewals.
I am thinking about modifying/extending the msal-angular library to support the MSALv3 cache serialization scheme used in MSAL.NET and sending the cache to my web app, but it seem a very complicated and fragile (I see the internals of those libs are not stable across versions).
So, is this use case supported in some other way by MSAL? Should I use some different libraries?
You can go through the following docs to see if they are helpful in your scenario.
Acquire and cache tokens using the Microsoft Authentication Library (MSAL).
Single-page application: Acquire a token to call an API
Get a token from the token cache using MSAL.NET
Initialize client applications using MSAL.NET
I want to login an user optional with Spotify (only) as identity provider in asp.net core from an Blazor WASM page.
I use that example to configure the server. I also searched in the Microsoft Docs, but I didn't found an example to start an authentication request. Currently I'm not redirected to Spotify OAuth login page.
I don't know how I start the login flow. Is there a "default" route to start the ASP.NET Core login flow? Or is there any good tutorial to start that?
The Application should have an login button and I need the token on server side and on client side. I would prefer to do the authentication on the server side, because i don't want to have the client secret on the client side.
Are there any best practices to solve this problem?
From you server controller you can call the ChallengeAsync method to start the configured authentication schema.
If you are requesting a token from a SPA application (like Blazor WASM), then use Authorization Code With PKCE. PKCE does not require a client secret so it is safe to request if from the client side application.
Otherwise I would use Authorization Code Flow and exchange the code for the token on the server application. Basically the sample you linked does this by utilizing a AspNet.Security.OAuth.Spotify nuget packege.
(Spotify uses oauth 2. I would recommend to pick the authentication flow that suits your use case. For example the client secret should not be in any SPA application.)
There is a good summary table on Spotify docs.
I am looking with Apache shrio framework. Looking at it authentication and authorization features can i build Identity server provider using shrio framework.
Is it possible to have features like,
Single Sign On
SAML support
Federation based on attributes
Do we need to write everything from scratch or shrio has some API's to handle such kind of features.
I read the documentation where they say about having SSO features based on Sharing of user session with multiple organizations . But i did not see any direct support API's to handle this.
To act as an IDP what shrio gives and what it does not support?
Please suggest.
Thanks,
Sohan
Shiro is a security layer that sits in front of your application. It is a security framework for a (SP) Service Provider that will issue an Authentication Request to your IdP (Identity Provider).
Open source IdP implementations that support SAML:
http://www.gluu.org/docs/
https://shibboleth.net/
This Stack Overflow question covers a way to use SAML to authenticate your user before they reach the application and provide the user's credentials as part of a http header.
Integrating Java Web App with SAML SSO
An alternative to installing and maintaining your own IdP.
https://stormpath.com/
The cost of developing, securing, and maintaining your own identity provider are likely much higher than paying a monthly fee.
What is the best way to architect the following solution for authentication?
I have a standalone (not integrated with MVC) ServiceStack REST service layer. This service is the entry point to all my data. No data is stored on the client.
I have multiple clients (ASP.Net MVC 4 site, MonoTouch app, MonoDroid app, Silverlight app, MonoMac app, etc).
I would like to provide authentication (Facebook, Twitter, etc) at the service level, including storing the users in the MongoDBAuthRepository, but allow the clients to provide the login UI (do I want this?). For example, for the MVC site, I'd like to integrate the remote ServiceStack authentication service (including Facebook, Twitter), with MVC's authentication system. It seems like the actual authentication should occur on the service side, but the client side needs to hold on to the authentication response.
I've read the wiki, looked at SocialBootstrap, and read the forum, but I'm still confused as to how this is supposed to work in a distributed way.
For OAuth options like Twitter + Facebook your authentication should happen in a browser as they each require redirections from their respected auth provider to capture trusted verification from each user. Some mobile apps do this by embedding a browser widget for Twitter + FB Auth.
Once a user is authenticated with Twitter + Facebook and Credentials in the same authenticated session, ServiceStack's AuthProviders automatically merges all Auth info into the same account. So later you will be able to login with 1 auth provider but get access to info available on all 3. The SocialBootstrapApi project provides an example of this.