We need to build a Grpc service, which must feature users, external login, sign-in/sign-out, roles, etc. We plan to use EF Core for our database, so we consider using ASP.NET Core Identity for all that "user stuff".
Will Grpc work nicely with ASP.NET Core Identity? I just found out that Microsoft suggests not to use their Identity framework for web APIs (mentioned here: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity). So did I misunderstand them, or are there pitfalls in that approach?
Related
I have been trying for weeks to implement JWT authorisation in my .NET Core web app and have found myself following a lot of guides that I don't think are relevant to my use case. These guides talk a lot about scopes etc, and I don't think I need that level of complexity for my use case.
A lot of the guides talk about using things like OpenIddict or Identity Server to setup and configure something that the user can authorise against, but in these settings it seems like a seperate project is required to house the identity provider, and then my new asp net core application has to somehow hook into that for use. I'm also trying to get things like refresh tokens to work so the user doesn't have to log in over and over again.
The "client side" of my app will be Xamarin (for mobile) and Angular (for web).
In a single web application (a single .net core application) how can I use .NET Core Identity with JWT or OAuth? What is the minimum level of configuration required to achieve this?
ThisSimple JWT project
This is not asp.net core .This is just asp.net mvc project but this really simple and basic one. by watching this code, you will be clear how to implement JWT. Thanks
We have an ASP.net Web Forms application running on the .NET 4.61 framework, and an Asp.NET Core application running on the same .NET 4.61 framework.
The Web Forms application uses a session cookie and SQL Server to store the session information.
Is there a way to configure the Asp.NET Core application to read and use that session data?
Thanks.
No. It is not possible to share session state between ASP.NET apps and ASP.NET Core apps. This is because of two main reasons:
ASP.NET and ASP.NET Core handle session stores differently. In ASP.NET, you had session providers, whereas in ASP.NET Core, it uses IDistributedCache for session sate. While you can use something like SQL Server for both, the mechanism of actually storing the state is not the same in each case, and therefore, one couldn't read what the other is doing.
Session data is encrypted and the mechanism of encryption in ASP.NET is different from that of ASP.NET Core. In ASP.NET, the machine key is used to encrypt/decrypt, but in ASP.NET Core, there is no concept of a machine key. Instead, ASP.NET Core uses an instance of IDataProtectionProvider to encrypt/decrypt. As a result, even if you could get both to see the same session store and be able to read it, neither would be capable of decrypting the data stored by the other.
Our University has migrated to a SAML based authentication/authorization method using Shibboleth.
I have been researching for at least a day on how to use SAML with .net core web applications. I can't use Identity server 4 because it is for OaTH/Open ID. I found some documentation on msdn which points to a commercial implementation. I came across this SO answer from a year ago saying Kentor may support it in the future but couldn't find anything on the github page about support for .net core or a .net core sample web app. As of January it was still planned but no date.
The University has the identity provider running. What I don't understand is the following:
How do I set my web application to use that identity provider?
How do I check if that identity provider has already been authenticated for another application, so SSO use?
Also, any sample applications that use SAML without commercial plugins would be greatly appreciated.
ITfoxtec has a ASP.NET MVC Core 1.0 SAML2 plugin, but it requires the .NET Full Framework, and won't run on linux. There's some missing APIs that are preventing full .NET Core support right now for SAML2 (around Crypto XML namespace). https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2
Not exactly what you're looking for I know, but it's an interim solution until probably .NET Standard 2.0, which will probably bring the missing API's to .NET Core.
ITfoxtec Identity Saml2 support .NET Core 2.1 (without the .NET Framework) from version 3.0.0. Project: https://itfoxtec.com/IdentitySaml2
ITfoxtec Identity Saml2 MVC Core support ASP.NET MVC Core 2.1. NuGet package: https://www.nuget.org/packages/ITfoxtec.Identity.Saml2.MvcCore/
indeed you can't use third-party tools such as OData, Thinktecture Identity Server, ... in asp.net core application.
So, how we can use these features in asp.net core apps ?
is there any way to implement Owin pipeline beside asp core and have all these facilities too ?
easily you can use Owin pipeline beside Asp.net core, not as an alternative solution.
in this article there is a simple way to implement this architecture using Owin and asp.net core
Implement Owin pipeline using Asp.net Core
Why it`s not possible to create Web API project with Individual User Accounts Authorization type?
UPDATE:
All version numbers are updated from v1.2 to v2.0.
Please find the ASP.NET Core Schedule and Roadmap:
Identity Application Services
A service layer will be added ASP.NET Core Identity and included in the project templates using Individual Authentication. This will allow authentication of users by way of JWT tokens such that Web APIs can be secured out of the box, and make it simpler to change authentication systems, e.g. from in-app Identity to Azure AD B2C, or 3rd-party solutions like Identity Server.
Daniel Roth from MS:
Support for individual user accounts with the Web API template in VS is not available yet. We are still looking at providing a supported on premise offering for token issuance in addition to providing integration with Azure AD B2C.
This statement can be found in the comment section under https://channel9.msdn.com/Events/dotnetConf/2016/Building-Secure-Web-APIs-with-ASPNET-Core
This is just disabled in core 1.1.please use core 2.0 to find all authentication.You can download core 2.0 from
here