I am implementing a WebApp in our company's intranet with Blazor WebAssembly. I need to make API-Calls to our DevOps Server hosted in our intranet and need to use Windows Authentication to access the API. In the former used WPF Client it was enough to just add the UseDefaultCredentials-Flag on the HttpClient, but that does not work in WebAssembly anymore since the App is running in the browser. The Microsoft Docs state We don't recommend using Windows Authentication with Blazor Webassembly, but not recommend does not mean not support, so it has to be possible somehow, to attach the current App-User's Windows Credentials(Token) to the API Call. Unfortunately there exists no example on the docs page on how to implement this and I have not found any code on how to tackle this, although on some forums people wrote that it is possible, but did not include the How in their comments.
I am using .NET5 for both Server and Client and need to make the Api-Call with Windows Authentication from the Client, not the Server as most examples are using it, as my Server-Project uses the same User for all Requests but I need the User of the Client-Project.
Any kind of help is appreciated.
Related
I am trying to figure out how can I call blazor wasm hosted application to my company's AD directory and get user.identity information.i am just running in circles.i don't want to use identity server or azure Ad.can someone please share code. The actual working code. Company policy is not allowing to use sticky sessions so can't use blazor server. Please any help.much appreciated.code would be much appreciated. I am surprised there is no such code out there. I am using .net 5
You'll really struggle to get this to work - from MS website:
We don't recommend using Windows Authentication with Blazor Webassembly or with any other SPA framework. We recommend using token-based protocols instead of Windows Authentication, such as OIDC with Active Directory Federation Services (ADFS).
Reference: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/?view=aspnetcore-5.0#windows-authentication
I highly suggest switching to an OIDC implementation instead. ADFS supports this and your company might already have this setup on the network.
I am using new feature of Azure that enables the active directory authentication for your website without writing any code.
http://azure.microsoft.com/blog/2014/11/13/azure-websites-authentication-authorization/
But the problem is my web application is also hosting some Web APIs, which need to be called without any authentication.
Is there a way (some attributes?) so that I can call Web APIs without any authentication?
Tushar, I see that Byron also replied to your question on his post- and suggested creating another website as for APIs as a work around. However I suggest that you wire-up auth separately for your Web App and APIs following our samples here: https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet, https://github.com/AzureADSamples/WebApp-WebAPI-OpenIDConnect-DotNet
Let me know if you run into any issues.
From the very same article you refer:
Current Limitations
There are some limitation to the current preview
release of this feature:
...
With the current release the whole site is placed behind login the
requirement.
Head less authentication/authorization for API scenarios
or service to service scenarios are not currently supported.
So, no, you cannot have partial APIs or pages anonymously available - all pages and API will be protected by the Azure Active Directory.
Currently I'm developing a WCF Service that act as inter-mediator between ASP application and AD FS 2.0, because the architech don't want that ASP app talk directly with AD FS 2.0.
He want that any app to use the WCF Service and this service will provide the information (Claims) without using the STS configuration of Visual Studio.
So, I found this code: https://stackoverflow.com/a/10992474/516715
This work fine to get claims, but I have questions about this:
How create Authentication, session and persistent cookies of ADFS in ASP app?
How close the session through the WCF service.
Exists more details to keep in mind about this case?
Exists security problems with this?
Could anybody have suggestions on this?
Thanks!
I would say you are opening yourself up to a whole world of pain.
There is an established, security reviewed, gold standard pattern for applications to communicate via a browser to ADFS using WIF.
So what you are essentially trying to do is re-invent the wheel by writing a web service that implements all the browser functionality e.g cookies. Your solution loses all the advantages that ADFS provides e.g. SSO, Federation, HRD etc.
And now you want to dig the hole deeper by writing your own STS.
The browser pattern is exactly what Microsoft use for Windows Live, Office 365 and Azure Active Directory.
So if it's good enough for Microsoft, why does your architect not want it?
I have an issue that I am seriously struggling with.
I have a website, and a separate WebAPI which I want to be able to authenticate against each other. I was thinking that forms authentication would be best here. However, on my website, how do I go about calling the forms authenticated webAPI via a jQuery AJAX call?
Does anyone have any links or suggestions?
There is a discussion in this blog post on mixing forms authentication and basic authentication in Web API. You may be able to leverage some the principles in this article although it was tested with the Web API's residing on the same server as the web application.
If you keep the Web API and web application on separate servers your web application will run into cross domain issues and will have to support JSONP in your Web API. A possible work around for your website is to create a Web API locally on your web server which is just a facade to the Web API on the remote server. You incorporate the standard security methods on the local Web API, using AuthorizeAttribute, which in turn just calls your the Web API on the remote server. You can incorporate whatever security method you want to have for external users on the remote Web API.
I have client apps that talk to my silverlight application and its web services. So the client app is running on the client machine and making calls directly to the silverlight app running on the machine and also making web service calls.
I want the usernames/password security to be handled by the 3rd party client app.
Any idea how I can do this?
I'd try the Application Scenario's, Guidelines and How Tos sections of this CodePlex Link. You should be able to find a scenario that matches closely to yours and follow the guidelines and configuration to get yourself going.
If I've understood this correctly, the client application would pass a username/password to your silverlight app which would require a wsHttpBinding that has clientCredentials="Username". You would need to be able to authenticate this against a user store configured on your server, for example you could configure a SQL Server provider.
I'm not sure how your 3rd party client app works, but you would require a seperate security configuration for that communication. You could use a less secure binding if the apps were on the same machine and possibly use clientCredentials="Windows"/"None"/"Basic".
Difficult to advise further without knowing your exact situation. What do you have so far?