Example of External Identity Provider with openiddict - openiddict

Hi I'm new to web security, so please be gentle :)
I've been reading a huge amount about OAuth2/OIDC, JWT, OpenIddict, ASP.NET Core Identity, etc., but I keep going around in circles trying to understand how multiple external identity providers are supposed to work.
I'm looking to create an SPA application (React) with an ASP.NET Core Web API (I am primarily a C# developer).
Any examples on how to do the Google/social login with OpenIddict issuing the auth & ID tokens to my client would be great. (I know I'm supposed to use auth code + PKCE for SPA security, no client secret involved, etc.)
I'd like to offer signup/sign-in via user/password or any of the major social external providers (Google, Facebook, Twitter).
Does OpenIddict even support this, i.e. multiple identity providers? If so, I can't see how to get it to return the required token once the Google OIDC process has returned the tokens to me.
Many thanks.
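The flow the question is asking about, as an added example that is not part of the original post and not OpenIddict's own sample code: an OpenIddict 3.x authorization endpoint sitting in front of ASP.NET Core Identity. The SPA starts authorization code + PKCE at /connect/authorize; if nobody is signed in at the identity provider, the user is sent to Google, the callback creates or signs in a local user, and the original authorize request is replayed so OpenIddict issues the code (and, at /connect/token, the access and ID tokens) with the local user as subject. Assumptions: Google is registered with AddGoogle() under the "Google" scheme, Identity uses IdentityUser, the OpenIddict server has the authorization/token endpoints enabled with AllowAuthorizationCodeFlow() and RequireProofKeyForCodeExchange(), and the paths, controller and action names used here are the author's choice for this sketch.

```csharp
// Added example (not from the original post). Assumed: Google scheme "Google",
// Identity with IdentityUser, OpenIddict 3.x server with /connect/authorize enabled.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

public class AuthorizationController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;

    public AuthorizationController(UserManager<IdentityUser> userManager,
                                   SignInManager<IdentityUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    [HttpGet("~/connect/authorize")]
    public async Task<IActionResult> Authorize()
    {
        // OpenIddict has already validated client_id, redirect_uri and the PKCE parameters.
        var request = HttpContext.GetOpenIddictServerRequest()
            ?? throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");

        var result = await HttpContext.AuthenticateAsync(IdentityConstants.ApplicationScheme);
        if (!result.Succeeded)
        {
            // Nobody is signed in here yet: go to Google, then come back to this exact URL.
            var returnUrl = Request.PathBase + Request.Path + Request.QueryString;
            var properties = _signInManager.ConfigureExternalAuthenticationProperties(
                "Google", Url.Action(nameof(ExternalCallback), new { returnUrl }));
            return Challenge(properties, "Google");
        }

        var user = await _userManager.GetUserAsync(result.Principal)
            ?? throw new InvalidOperationException("The user details cannot be retrieved.");

        // The subject of the tokens is OUR user id, never the Google id: the SPA and the
        // API only ever see local identities, whichever provider was used to log in.
        var principal = await _signInManager.CreateUserPrincipalAsync(user);
        if (principal.FindFirst(Claims.Subject) is null)
            ((ClaimsIdentity)principal.Identity!).AddClaim(new Claim(Claims.Subject, user.Id));
        principal.SetScopes(request.GetScopes());

        foreach (var claim in principal.Claims)
            claim.SetDestinations(GetDestinations(claim, principal));

        return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }

    [HttpGet("~/connect/external-callback")]
    public async Task<IActionResult> ExternalCallback(string returnUrl)
    {
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info is null) return BadRequest("External login information is unavailable.");

        // Signs in if this Google account is already linked to a local user.
        var signIn = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: true);

        if (!signIn.Succeeded)
        {
            // First visit: provision a fresh local user and link the external login. Linking to
            // an EXISTING user by e-mail is refused on purpose: not every provider verifies
            // e-mail addresses, and silently merging would be an account-takeover path.
            var email = info.Principal.FindFirst(ClaimTypes.Email)?.Value;
            if (string.IsNullOrEmpty(email)) return BadRequest("Provider did not supply an e-mail.");
            if (await _userManager.FindByEmailAsync(email) is not null)
                return BadRequest("An account with this e-mail exists; link it while signed in.");

            var user = new IdentityUser { UserName = email, Email = email };
            var created = await _userManager.CreateAsync(user);
            if (!created.Succeeded) return BadRequest(created.Errors);
            await _userManager.AddLoginAsync(user, info);
            await _signInManager.SignInAsync(user, isPersistent: false);
        }

        // LocalRedirect rejects absolute URLs, so returnUrl cannot become an open redirect.
        return LocalRedirect(returnUrl);
    }

    // Which token each claim lands in: PII only reaches the id_token when its scope was granted.
    private static IEnumerable<string> GetDestinations(Claim claim, ClaimsPrincipal principal)
    {
        switch (claim.Type)
        {
            case Claims.Name:
                yield return Destinations.AccessToken;
                if (principal.HasScope(Scopes.Profile)) yield return Destinations.IdentityToken;
                yield break;
            case Claims.Email:
                yield return Destinations.AccessToken;
                if (principal.HasScope(Scopes.Email)) yield return Destinations.IdentityToken;
                yield break;
            case "AspNet.Identity.SecurityStamp":
                yield break; // never leaks into any token
            default:
                yield return Destinations.AccessToken;
                yield break;
        }
    }
}
```

Adding Facebook or Twitter is then a matter of registering another scheme and letting the user pick it before the Challenge; the token-issuing half never changes, because OpenIddict only ever signs in the local principal.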

Related

ASP.NET Core / Blazor / Web API : how to securely store user data?

I hope it's possible someone can point me in the right direction. This is 100% an education issue.
Problem
I need to create a web application; at the moment I would like to use ASP.NET Core MVC or Blazor Server. But I would like to move this to either a Blazor WebAssembly or Angular application in the future.
I am creating what seems to be a very simple web application. Users can sign up and request a licence key. Users can have multiples of these keys. Once a form is filled in this is then awaiting authorization. This part isn't the problem.
I am finding it hard to work out how, and the best way, to get this data stored in a database. The licences will be linked to the user stored in the Identity database. I have followed multiple tutorials and tech papers online on how to use authorisation and authentication, but none seem to go into details about storing user data. Obviously only the logged-in user can view/create their licences and will have no access to anyone else's.
I understand the process will be different for ASP.NET Core MVC/Blazor server and Angular/Blazor WA as these will require an API.
I hope that someone can point me in the right direction as I have been scanning online for 3 days now and kind of need to be put out of my misery.
Thanks in advance.
Below is one of the ways to handle it.
Create a table with UserId, license, Active, and any other required fields.
Expose a Web API Controller with the Authorize attribute. Only the users with valid JWT tokens will be able to access this Controller.
UserLicensesController will be talking to the table which stores the Licenses.
Use Blazor Web Assembly, OR Angular, OR React JS. Login with valid credentials.
Invoke the Get/Post/Put methods from UI to UserLicensesController Web API, and pass the JWT token.
Please let me know if you need any further assistance.
[19-May-2021] Here is a basic solution.
I have created a basic solution.
UserMgmtStore.sqlproj contains the Database Project.
UserMgmt.API.csproj contains the Web API with JWT authentication.
I am using Auth0 for the authentication and authorization platform.
UserMgmt.Web.csproj contains the Blazor Web Assembly Project.
I have used the Username and Password to retrieve the JWT token from Auth0.
As each individual project will have its own Identity/STS system, I have hard-coded the token just to complete the proof of concept.
I have checked in the POC into my GitHub Repository.
URL: https://github.com/vishipayyallore/mini-projects-2021/tree/master/Projects/UserLicenses
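The UserLicensesController the answer describes, written out as an added example. This is not the answer's code and not the code in the linked repository; the UserLicense table shape, the LicenseDbContext, the "Admin" role for approvals and the target of .NET 6 or later are assumptions. The security point it makes is that every query is scoped to the subject of the validated bearer token, so a user can only ever see or create their own rows, and a foreign id returns the same 404 as a missing one.

```csharp
// Added example (not the answer's or the linked repo's code). Assumed: EF Core,
// .NET 6+, JwtBearer authentication already configured for the API.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

public class UserLicense
{
    public int Id { get; set; }
    public string UserId { get; set; } = "";   // owner, copied from the token's subject
    public string LicenseKey { get; set; } = "";
    public bool Active { get; set; }           // false until an admin approves it
}

public class LicenseDbContext : DbContext
{
    public LicenseDbContext(DbContextOptions<LicenseDbContext> options) : base(options) { }
    public DbSet<UserLicense> UserLicenses => Set<UserLicense>();
}

[ApiController]
[Route("api/[controller]")]
[Authorize]   // no valid bearer token => 401 before any action runs
public class UserLicensesController : ControllerBase
{
    private readonly LicenseDbContext _db;
    public UserLicensesController(LicenseDbContext db) => _db = db;

    // The owner is whoever the token says, never a value taken from the URL or body.
    private string CurrentUserId =>
        User.FindFirst(ClaimTypes.NameIdentifier)?.Value
        ?? User.FindFirst("sub")?.Value
        ?? throw new InvalidOperationException("Token carries no subject claim.");

    [HttpGet]
    public async Task<ActionResult<List<UserLicense>>> GetMine()
    {
        var userId = CurrentUserId;
        return await _db.UserLicenses.Where(l => l.UserId == userId).ToListAsync();
    }

    [HttpGet("{id:int}")]
    public async Task<ActionResult<UserLicense>> GetOne(int id)
    {
        var userId = CurrentUserId;
        var license = await _db.UserLicenses
            .SingleOrDefaultAsync(l => l.Id == id && l.UserId == userId);
        // Same 404 for "does not exist" and "belongs to someone else": ids cannot be probed.
        if (license is null) return NotFound();
        return license;
    }

    [HttpPost]
    public async Task<ActionResult<UserLicense>> RequestNew()
    {
        var license = new UserLicense { UserId = CurrentUserId, LicenseKey = NewKey(), Active = false };
        _db.UserLicenses.Add(license);
        await _db.SaveChangesAsync();
        return CreatedAtAction(nameof(GetOne), new { id = license.Id }, license);
    }

    // Approval is a separate privilege: only a token carrying the "Admin" role may activate.
    [HttpPut("{id:int}/activate")]
    [Authorize(Roles = "Admin")]
    public async Task<IActionResult> Activate(int id)
    {
        var license = await _db.UserLicenses.FindAsync(id);
        if (license is null) return NotFound();
        license.Active = true;
        await _db.SaveChangesAsync();
        return NoContent();
    }

    // 192 random bits; the key is opaque and tied to a user only through the table row.
    private static string NewKey() => Convert.ToBase64String(RandomNumberGenerator.GetBytes(24));
}
```

From Blazor WebAssembly or Angular the client sends `Authorization: Bearer <token>` on each call; the controller never needs a user id parameter because the identity is read from the token on the server side.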

With Web API 2, ASP.NET 4.7, to use its token service or IdentityServer, especially when considering refresh tokens?

I am "learning" about the development of ASP.NET Web APIs with security provided by OAuth2 and OpenID. So I have started with the Web API template. The Web API template has its own "Individual Account" user management mechanism which can issue tokens via /Token. However, getting refresh tokens with this mechanism is a little trickier.
This got me thinking: should I really be looking to provide this functionality by using IdentityServer instead? If so, as I understand it, as I am using ASP.NET 4.7/MVC5 and not ASP.NET Core, then I should use IdentityServer3 and not version 4.
Also there is all of the login functionality required when the Access Tokens and Refresh Tokens are expired.
It's unlikely that anyone will be able to definitively tell you whether to use Identity Server or not. You will need to make that decision yourself as you understand the problem domain the most.
If you do decide to offload authentication to a central authority provider (like Identity Server) then I can tell you that there are no hard dependencies that would force you to use Identity Server 3 or 4, as they both ultimately conform to the OAuth2/OIDC protocol. If you have the ability to host .NET Core apps then I can recommend using Identity Server 4, as that implementation is significantly more extensible and offers extreme flexibility.

.NET Core Identity vs IdentityServer4

The question: Should I use .NET Core Identity or IdentityServer 4 with Identity?
I need to build app with login/register functionality and allow users to use APIs to import/export data from my software. I also want to have external logins like google, twitter, etc.
And I'm not able to understand why would I need Identity Server when all things can be done using only Identity.
Why would I need or want IdentityServer? I just need to get work done right and as simply as possible.
You really can't compare the two.
ASP.NET Identity is a database API to manage users, roles, claims, email confirmation tokens etc. Something you can use for implementing signup, login, change password etc.
IdentityServer is an OpenID Connect and OAuth 2.0 implementation. It gives you features like single sign-on and API access control. This is useful if you want to share users between multiple client applications.
You can combine both though - use IdentityServer for the protocol work, and ASP.NET Identity for the user management on your central login page.
It depends.
IdentityServer will provide you with an OAuth 2.0 and OpenID Connect implementation, and it will handle all the details for you (providing you endpoints, token management, scopes, grants and so on). It runs independently, so you can use it for multiple clients (SPA, mobile, web apps), and it is nicely isolated from the rest of your app. If you wish, you can use it together with ASP.NET Core Identity.
If you don't use IdentityServer, you will have to write some of these things yourself, because ASP.NET Core Identity is a membership system and it does not provide any ready-to-use endpoints, nor token management or support for different ways to authorize.
You need to evaluate whether it is better for you to write these things yourself but have a more straightforward setup because you probably don't need everything IdentityServer provides although it might limit you in future.
You can also have a look at OpenIddict that is less complicated than IdentityServer.

ASP .NET Core Identity default authentication vs JWT authentication

I am developing an ASP.NET Core Web API and I am confused by choosing the authentication method. I used to apply default ASP.NET Identity authentication, but recently I've learned about JWT. So I've implemented authentication almost as it is done in this article: https://stormpath.com/blog/token-authentication-asp-net-core.
But I can't understand the benefits of this JWT. With simple ASP.NET Identity authentication, I don't care about token storage etc. I only need to log in with signInManager and use authorized methods until logout. With JWT I need to think about the token store, expiration, and other difficulties. So, what are the benefits of this JWT? How can I store this JWT token after login? Furthermore, should I even use this JWT? In my case, I need simple authentication for a simple Web API which will be used by one or a little bit more users. I've also heard about OpenIddict, Auth0, IdentityServer, so what's the difference between all of these authentication mechanisms?
This is the way I understand this, split into 3 logical parts.
Authentication Server - this will authenticate and issue the JWT token; when the API needs to validate the token it will send the token to this server to validate it.
Client - this is what serves your web pages, or your app perhaps. This is what will need to request and store the JWT token. The client will need to pass the token to the API every time it requests data.
API - this is what serves the information and needs to validate the token with the Authentication Server.
So, what're the benefits of this JWT?
JWT is issued to the client and stored on the client side. Having JWT allows multiple clients (apps or websites) to use the same authentication server, which distributes JWTs and states which APIs the clients can use and how.
How can I store this JWT token after login?
I only tried to store it in an Ionic 2 app which uses Angular 2, which has a storage module. But I'm pretty sure numerous people have done this already and asked this question:
Simple JWT authentication in ASP.NET Core 1.0 Web API
Token Based Authentication in ASP.NET Core (refreshed)
Update
If your front end is made purely of HTML/JS/CSS and doesn't have a back end to accommodate it, you would store your token in local storage; there are multiple npm packages that help you with this, like this one. You want to look for Implicit flow.
Otherwise if you do have a back end that comes with your front end you want to store the token in a session/database your pick, there are 3rd party providers to do this like IdentityServer4. You want to use Hybrid flow
Furthermore, should I even use this JWT? In my case, I need simple authentication for a simple Web API which will be used by one or a little bit more users.
The reason for the whole separation of concerns is performance, so you don't really need it since it's just one or a little more users. Do it because it's a learning experience: JWT is not easy to set up from the beginning and will require you to do a lot of reading, and you will fail and you will be frustrated, but at the end you will know how to set it up and how it works.
I've also heard about OpenIddict, Auth0, IdentityServer, so what's the difference between all of these authentication mechanisms?
So what you did in the Stormpath tutorial is NOT production ready. That is just a little demo to help you understand what JWT is and how it works. The above-mentioned are complete libraries that tackle all the heavy lifting and do not require you to build the whole thing from scratch. And the main difference between them is the scope that they cover.
I personally used IS4 and it had me crying no more than 2 times (It was simpler than I thought):
http://identityserver4.readthedocs.io/en/release/
https://github.com/openiddict/openiddict-core
https://auth0.com/docs/quickstart/webapp/aspnet-core/00-intro
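The "API" part of the three-way split above, as an added example that is not from the answer or from any of the linked projects: the Program.cs of an ASP.NET Core Web API configured to accept JWTs from a separate authentication server. Rather than calling the authentication server on every request, the JwtBearer handler fetches the server's discovery document and signing keys once from the Authority and then validates signature, issuer, audience and lifetime locally; the Authority, audience and the Microsoft.AspNetCore.Authentication.JwtBearer package are assumptions, and the URL is a placeholder.

```csharp
// Added example (not the answer's code). Assumed: package
// Microsoft.AspNetCore.Authentication.JwtBearer; https://auth.example.com is a placeholder.
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Where the tokens come from. The handler downloads
        // {Authority}/.well-known/openid-configuration and the JWKS signing keys,
        // so the API never holds a shared secret and never calls back per request.
        options.Authority = "https://auth.example.com";   // placeholder
        options.Audience = "licenses-api";                 // the API's own identifier
        options.RequireHttpsMetadata = true;               // never fetch keys over plain HTTP

        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Each of these defaults to true; they are spelled out because the
            // common "it works now" fix of setting one to false silently accepts
            // tokens minted for another issuer or another API.
            ValidateIssuer = true,
            ValidIssuer = "https://auth.example.com",      // placeholder, must match Authority
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),           // default is 5 minutes; tighten it
            NameClaimType = "name",
            RoleClaimType = "role"
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Every endpoint requires an authenticated caller unless it opts out with [AllowAnonymous].
    options.FallbackPolicy = options.DefaultPolicy;
});
builder.Services.AddControllers();

var app = builder.Build();

app.UseHttpsRedirection();
app.UseAuthentication();   // reads and validates the Bearer token, fills HttpContext.User
app.UseAuthorization();    // enforces [Authorize] / the fallback policy
app.MapControllers();

app.Run();
```

The client side of the same split holds the token and sends it as `Authorization: Bearer ...`; the authentication server (IdentityServer, OpenIddict or Auth0 in the answer's list) is what issues it. Rotating the server's signing key needs no change here, because the handler re-reads the JWKS when it sees an unknown key id.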
Use tokens (JWT) if you have multiple applications or services (web, mobile, other services) connecting to your API. Benefits: stateless, scalability, no cookie, no CORS problems (if you allow it).
If your API will be used by only one web application, use the default ASP.NET authentication system. It's easier to set up.
If your Web API and user interface are hosted in the same web application, token-based security does not buy you anything over the cookie-based authentication provided by the built-in authentication. That's because the authentication cookie gets sent back to the application on every HTTP request. When you make calls to a website other than the one you signed in on, those cookies do not get sent. So JSON Web Tokens (JWT) provide a standard format for the browser to send identity information to a website when a cookie isn't an option.
If your Web API is to be accessed by AJAX calls then JWT may be a desired choice, but not mandatory. Judging by the description of your app, it seems to me that the default authentication system can serve you well.
OAuth2 is the authentication mechanism that enables external login such as Facebook. It is part of the default authentication system, and you need not do much in order to employ it in your app.
OpenIddict sits on top of OAuth2. It is part of the default authentication system, and you need not do much in order to employ it in your app. It is the authentication mechanism that enables external login such as Google+.
IdentityServer may be used for a large Web API that is accessed by AJAX calls. For instance, you can use IdentityServer to authenticate users logging in to a front-end Angular app.
Once again, the default authentication system can serve you well.
Hope this helps...

Rest API authentication mechanism, what to do

I've been reading a lot lately about WEB API authentication mechanisms and I'm a little bit confused regarding how to implement my Web API authentication mechanism, I'm thinking on using Token based authentication but I'm not sure if it is the right choice.
Basically my Web API will manage all the operations needed and it will store the users of my website as well as the API users (in case they have to be separated).
I want to support the following
Users can register on my website and apps using their G+ or Facebook account or an already created username from my service; they will also be able to log in using their social account.
If the user is not logged in they won't be able to post items, but they will be able to see the items; think something like Craigslist.
Let's say the user is a developer and they want to post the items through some software they created instead of going through the website and posting one item at a time, how do I allow this?
Now, my questions are: 1) When a user registers on my website, do I have to create a (public key / secret key) for its subsequent access tokens, so I can use my API from the website as the user, checking if they have access to certain endpoints?
2) Do I have to assign a (public key / secret key) for my website so I can consume the API when the user is not logged in?
3) The same as above for mobile apps
4) How do I allow users to (sign up / sign in) using G+ or Facebook? If they log in using any social network, how am I going to secure my API?
Please, any answer will be really appreciated.
Thanks
For ASP.NET Web API 2, I would recommend you to use the default Owin OAuth2 authentication. It's a standard form of authentication well documented enough. If you do not have enough knowledge about OAuth2, read the RFC.
With Web API 2, ASP.NET moved to a new security model, called ASP.NET Identity. There is this really good video that explains the basics. The point is that it starts from scratch, ignoring traditional basic, forms, or Windows authentication.
A lot of learning material is on the ASP.NET website.
For local, individual accounts (questions #1, #2, and #3), look through this tutorial - here basically your own server will act as an OAuth authorization server, and the Owin OAuth2 implementation will take care of generating access tokens and authenticating them. Since you'll be using the OAuth 2 standard, it will be basically the same for mobile as well.
For external accounts (question #4), read through this tutorial. There are official libraries for third-party authentication for the major providers:
Microsoft.Owin.Security.Facebook
Microsoft.Owin.Security.Google
Microsoft.Owin.Security.Twitter
Microsoft.Owin.Security.MicrosoftAccount
It would be helpful to also learn more about and understand the new OWIN specification, which describes how web apps need to be created for the .NET Framework, and the Katana project (Microsoft's OWIN implementation).
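An added example serving both this answer (the OWIN OAuth2 server plus an external provider in a Web API 2 project) and the earlier question about refresh tokens with the Web API 2 template's /Token endpoint. It is not the template's code and not the answer's: ApplicationOAuthProvider, ApplicationDbContext and ApplicationUserManager are the classes the "Individual Accounts" template generates, while RefreshCapableOAuthProvider, RotatingRefreshTokenProvider, the in-memory store and the appSettings keys are assumptions made here. The template issues no refresh tokens because OAuthAuthorizationServerOptions.RefreshTokenProvider is left null and GrantRefreshToken is not overridden; this adds both, storing only a hash of each refresh token and making every refresh token single-use.

```csharp
// Added example (not the template's or the answer's code). Assumed: Web API 2 project
// from the "Individual Accounts" template, Microsoft.Owin.Security.Google installed.
using System;
using System.Collections.Concurrent;
using System.Configuration;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Google;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }

    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        // Short-lived cookies that carry an external provider's claims back to /api/Account
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            Provider = new RefreshCapableOAuthProvider("self"),
            RefreshTokenProvider = new RotatingRefreshTokenProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(15), // short: the refresh token does the rest
            AllowInsecureHttp = false                             // bearer tokens only over TLS
        };
        app.UseOAuthBearerTokens(OAuthOptions);

        // Provider credentials come from config or a secret store, never from source.
        app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
        {
            ClientId = ConfigurationManager.AppSettings["Google:ClientId"],
            ClientSecret = ConfigurationManager.AppSettings["Google:ClientSecret"]
        });
    }
}

// The template provider handles the password grant; this adds the refresh_token grant.
public class RefreshCapableOAuthProvider : ApplicationOAuthProvider
{
    public RefreshCapableOAuthProvider(string publicClientId) : base(publicClientId) { }

    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        // Re-issue an access token from the identity stored with the refresh token. The
        // middleware then calls RotatingRefreshTokenProvider.CreateAsync for a new one.
        var identity = new ClaimsIdentity(context.Ticket.Identity);
        context.Validated(new AuthenticationTicket(identity, context.Ticket.Properties));
        return Task.FromResult(0);
    }
}

public class RotatingRefreshTokenProvider : IAuthenticationTokenProvider
{
    // Constructed in-memory store for the sample: key = SHA-256 of the token,
    // value = the data-protected ticket. A real app uses a table of the same shape.
    private static readonly ConcurrentDictionary<string, string> Store =
        new ConcurrentDictionary<string, string>();

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        var token = Convert.ToBase64String(raw);

        // The refresh token's lifetime is independent of the access token's.
        context.Ticket.Properties.IssuedUtc = DateTimeOffset.UtcNow;
        context.Ticket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddDays(14);

        Store[Hash(token)] = context.SerializeTicket();
        context.SetToken(token);   // the opaque value is what the client receives
        return Task.FromResult(0);
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        string protectedTicket;
        // TryRemove makes the token single-use: a replayed refresh token finds nothing.
        if (Store.TryRemove(Hash(context.Token), out protectedTicket))
            context.DeserializeTicket(protectedTicket);
        // An expired ticket is rejected by the OAuth middleware after this returns.
        return Task.FromResult(0);
    }

    public void Create(AuthenticationTokenCreateContext context) => CreateAsync(context).Wait();
    public void Receive(AuthenticationTokenReceiveContext context) => ReceiveAsync(context).Wait();

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

With this in place, `POST /Token` with `grant_type=password` returns both tokens, and `grant_type=refresh_token` exchanges the old refresh token for a new pair; because the old one is removed on receipt, a stolen refresh token that is replayed after the legitimate client has used it is refused, and the row can be deleted to revoke a session without waiting for the access token to expire.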
Follow this tutorial for most of your requirements: http://bitoftech.net/2015/01/21/asp-net-identity-2-with-asp-net-web-api-2-accounts-management/. Logging in via Facebook/G+: MVC already has the helpers commented out. You would get the credentials by setting up keys via the third-party apps and then store the identity.