consuming .net core api by xamarin form application - api

I'm currently working on a Xamarin form that consumes data from the .NET Core API.
For API side, I use Abp framework.
By using this reference, I can consume data from API.
But in this example, the user needs to login using an administrator credential.
What I need to do is, I just need to consume data from API without login.
Is it the correct way if I add the [AllowAnonymous] attribute over the API method that I need to access?
This is the example they show,
var accessToken = await _loginService.AuthenticateAsync();
var httpClient = GetHttpClient(accessToken);
Is there any example like just using clientId/secrets and without using accessToken?

What I need to do is, I just need to consume data from API without login.
This refers to Server-to-Server authentication; a backend making a request to another backend without user interaction.
The authentication flow you are looking for is named Client Credentials Flow.
It boils down to:
Add your api (abp app) as an api resource and api scope at authentication server.
Add your ui app (xamarin app) as a client at authentication server.
Declare a client secret for your xamarin app at authentication server.
Make an access_token request from xamarin app to authentication server with the api scope and client secret that you have already created above.
Its implementation can vary depending on the authentication server provider (namely your _loginService). It can be IdentityServer4, Microsoft, Google, etc.
If you are using an ABP application backend (as authentication server), it handles most of the automated stuff in the background. You can check the ABP synchronous communication between microservices docs, which explain how client credentials are used between microservices.
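The token request from the last step above, as an added example that is not part of the original answer or of ABP's code. The `FakeTokenEndpoint` handler, the `/connect/token` URL, the client id `xamarin-app`, the secret and the scope `abp-api` are all constructed stand-ins so the exchange runs offline; replace them with the values registered at your authentication server.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

// Constructed stand-in for the authentication server's token endpoint (hypothetical, offline only).
class FakeTokenEndpoint : HttpMessageHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage req, CancellationToken ct)
    {
        var form = HttpUtility.ParseQueryString(await req.Content.ReadAsStringAsync());
        bool ok = form["grant_type"] == "client_credentials"
               && form["client_id"] == "xamarin-app"
               && form["client_secret"] == "constructed-secret";
        var (status, body) = ok
            ? (HttpStatusCode.OK, "{\"access_token\":\"constructed-token\",\"token_type\":\"Bearer\",\"expires_in\":3600}")
            : (HttpStatusCode.BadRequest, "{\"error\":\"invalid_client\"}");
        return new HttpResponseMessage(status) { Content = new StringContent(body) };
    }
}

static class Program
{
    // Client credentials grant (RFC 6749, section 4.4): a form-encoded POST, no user involved.
    static async Task<string> GetAccessTokenAsync(HttpClient http, string tokenUrl, string id, string secret, string scope)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials", ["client_id"] = id,
            ["client_secret"] = secret, ["scope"] = scope,
        });
        using var resp = await http.PostAsync(tokenUrl, form);
        using var json = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        if (!resp.IsSuccessStatusCode)
            throw new InvalidOperationException("token request rejected: " + json.RootElement.GetProperty("error").GetString());
        return json.RootElement.GetProperty("access_token").GetString();
    }

    static async Task Main()
    {
        using var http = new HttpClient(new FakeTokenEndpoint());
        var token = await GetAccessTokenAsync(http, "https://auth.example/connect/token", "xamarin-app", "constructed-secret", "abp-api");
        Console.WriteLine("Authorization: Bearer " + token); // header the API request then carries
    }
}
```

A secret compiled into a Xamarin package can be recovered by anyone who has the app, so register this client with only the API scope that the login-free data needs.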

Related

Authenticating ASP.NET Core Background Service to Azure/Office365 through an Angular SPA using msal-angular

I'm building a web application; the frontend is a SPA using Angular8 and the backend is an ASP.NET Core 3.1 Web API.
The application already has its own authentication scheme, setup using JWT Bearer tokens.
Now I need to add the ability for the backend to sync events on the Office365 calendar of the users. The requirements are:
Users should login to their Microsoft Office365 account on the frontend;
The frontend should "save" the results of the authentication on the backend, allowing the backend to periodically interact with the Microsoft Graph API.
In the (rare) case for some reasons the authentication must be renewed (for example different rights/scopes are required), the backend will notify the frontend that a new login is required.
I am currently able to perform a successful login in example applications using MSAL.NET and msal-angular, but what I cannot do is to pass the result of the authentication I get from msal-angular to .NET and use it to proceed with further calls and token renewals.
I am thinking about modifying/extending the msal-angular library to support the MSALv3 cache serialization scheme used in MSAL.NET and sending the cache to my web app, but it seems very complicated and fragile (I see the internals of those libs are not stable across versions).
So, is this use case supported in some other way by MSAL? Should I use some different libraries?
You can go through the following docs to see if they are helpful in your scenario.
Acquire and cache tokens using the Microsoft Authentication Library (MSAL).
Single-page application: Acquire a token to call an API
Get a token from the token cache using MSAL.NET
Initialize client applications using MSAL.NET

As a client how do I request an access token from the Identity Server using client ID & secret then use the token to gain access to the API?

Hello new to stack overflow and programming.
I have a simple ASP.NET Core web app and am using ngrok to host my app, and I want to be able to call to a company's identity server so that I have an access token to be able to access their API and create Webhooks to receive notifications for different events.
I already have a
clientID
Secret
URL (given by ngrok)
for the request body to receive the response.
How do I go about doing this?
You need to use Microsoft authentication libraries to achieve this, which is very easy to implement.
MSAL Library is just an implementation for enabling developers to acquire tokens from the Microsoft identity platform endpoint.
Since you already have ClientID, Secret and Redirect URL you can get a token as Acquire a token and call Microsoft Graph API.
However, I think what you really want is to integrate AAD. You can easily enable AAD authentication for your .NET web application. It uses OWIN middleware.

ASP.NET Core Authentication via Google Sign In with REST API in between

I have a requirement to authenticate ASP.NET Core App via Google Sign In, but a Web API between client app (i.e. ASP.NET Core app) and Google sign in... I know it sounds confusing, so let me explain it with diagrams.
Here is the typical way to include a Google sign-in button and get the user authenticated via their Google credentials. It works perfectly fine.
Step 1: First, create a new app on google identity developer portal, generate ClientId, ClientSecret and specify redirect_url like : https://yoursite.com/signin-google.
Step 2: In the Startup.cs class of the ASP.NET Core project, use AddGoogle as authentication middleware and it works perfectly fine.
Including diagram below for your understanding:
And here is the proposed flow. With a REST API in between client and google sign in. Question is, how do I authenticate client ?
From what I understand, you want your Client Application to invoke the REST Service on behalf of the user. The REST service needs assurance that both the Client and the User are authenticated.
We have achieved this using the OpenID Connect Hybrid flow. The bad news is that we had to add another service to the solution to achieve this.
How this differs from your proposed solution is this:
You must have your own identity service, and this must know of the existence of the REST service, the Client Application, and the User Identity.
The Client Application redirects the user to authenticate with the Identity Service (which further on redirects the user to authenticate with Google)
Identity Server provides the client application with an ID token for the user, and also a code which can be exchanged for an Access Token
The client application requests the Access Token. This Access Token will authenticate both the client and the user
The client application then authenticates using this access token when invoking the REST Service
The REST Service issues a one-off request to Identity Server for the signature keys, and uses these keys to validate the access token.
We happened to use IdentityServer4 when implementing the Identity Server, but the protocol exists independently of any one implementation.

Azure AD connect multiple apps to single Web API

I have a Web API written using asp.net core. This API will be used to communicate with several other services registered in AAD, which all could be made using different technologies like an MVC application written in asp.net core or a single page application written in Vue.JS. The latter is causing me issues as the SPA won't be run by an application web server and rather something like nginx or apache and therefore won't be able to use a client secret.
I have added API permissions for my API to my apps.
How would I achieve this? I'm currently sending an access token using the Authorization: Bearer access_token header from the client app to the API, but since the client app and the API aren't the same app in the AAD, it's causing issues.
Here's the flow I'm trying to achieve:
All of the requested apps require you to login to the AAD and when requesting data from the API, they'll send the JWT token, which then should validate the token before returning the requested resource back to the client application.
It seems you misunderstand something. You can register each of your clients as an independent application in Azure AD, and assign access permission for your web api.
The latter is causing me issues as the SPA won't be run by an application web server and rather something like nginx or apache and therefore won't be able to use a client secret.
SPA applications use the Implicit grant flow, so they don't need the client secret when acquiring a token. The SPA could be an independent app; you should provide the client id when making authentication with AAD. After getting the access token, you could create an http request with the Authorization: Bearer access_token header for accessing your web api.
Each client (web/spa/native) will acquire an access token for accessing the web api. On the web api side, you just need to validate the token. Validate the claims (issuer, audience) and signature.
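The API-side check described here (issuer, audience, signature), and the key-based validation mentioned in the IdentityServer answer further up, as an added example that is not from either answer. It uses the System.IdentityModel.Tokens.Jwt NuGet package; the issuer, the audience values and the locally generated RSA keys are constructed stand-ins for the identity provider, so the three cases run offline.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

static class Program
{
    // Constructed values standing in for the tenant issuer and the Web API's registered identifier.
    const string Issuer = "https://login.example/tenant/v2.0";
    const string ApiAudience = "api://constructed-web-api";

    // Plays the identity provider: signs a short-lived token for the given audience.
    static string Issue(SigningCredentials creds, string audience) =>
        new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(
            issuer: Issuer, audience: audience,
            claims: new[] { new Claim("sub", "constructed-user") },
            expires: DateTime.UtcNow.AddMinutes(5), signingCredentials: creds));

    // Plays the Web API: accepts only tokens from the expected issuer, for this API, signed by the known key.
    static string Validate(string jwt, SecurityKey signingKey)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true, ValidIssuer = Issuer,
            ValidateAudience = true, ValidAudience = ApiAudience,
            ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey,
            ValidateLifetime = true,
        };
        try { new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _); return "accepted"; }
        catch (SecurityTokenException e) { return "rejected: " + e.GetType().Name; }
    }

    static void Main()
    {
        using var idpRsa = RSA.Create(2048);
        using var otherRsa = RSA.Create(2048);
        var idp = new SigningCredentials(new RsaSecurityKey(idpRsa), SecurityAlgorithms.RsaSha256);
        var other = new SigningCredentials(new RsaSecurityKey(otherRsa), SecurityAlgorithms.RsaSha256);
        var publicKey = new RsaSecurityKey(idpRsa.ExportParameters(false)); // the API holds the public half only

        Console.WriteLine(Validate(Issue(idp, ApiAudience), publicKey));            // token issued for this API
        Console.WriteLine(Validate(Issue(idp, "api://some-other-app"), publicKey)); // token issued for another app
        Console.WriteLine(Validate(Issue(other, ApiAudience), publicKey));          // token signed by an unknown key
    }
}
```

In an ASP.NET Core API the same TokenValidationParameters are set through AddJwtBearer, which also downloads the signing keys from the authority's metadata instead of taking a fixed key.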

Web app ClaimsIdentity in Webapi

I've created a mvc web application that uses openid to authenticate with Azure Ad and get the claims along with the token. I'm interfacing with Web Api to do the business transactions. The web Api is configured to oauth bearer tokens.
I've created separate oauth clients in Azure Ad for the Web App and Web Api. I'm able to get a token for Web Api from the Mvc Controller using AuthenticationContext to send to request to Web Api. I need to know how I can send the current User Claims as well to the Web Api. The claims in the Web Api are not having the claims of the User from the Web App.
Let me provide a bit more context here. I've created a MVC Web Application and a Web Api layer. The MVC Web App is configured to use OpenID authentication using Azure AD and I've configured the Web Api layer to authorize using OAuth Bearer tokens. The actions in the Web Api layer will be called through ajax requests and the bearer token will be added to the header of each Ajax requests. When the User is authenticated in the Web App, additional claims are added to the User on top of the claims from Azure Ad. I'm able to create a token for the Web Api layer using AuthenticationContext.AcquireToken, but the token for Web Api does not have the User info from the Web App.
I'm taking a wild stab in the dark here, based on what I think is happening.
Claims are attached to the user, so theoretically, any claim you add in one place should be available in the other, as long as both applications share the same user datastore. However, claims are loaded at the point of authentication and not dynamically updated. As a result, if you're already logged in to the web application and you add a claim with your Web Api, that claim will not be available on the web application side until the user is re-authenticated.