I'm developing an intranet application that will be hosted behind an appliance that performs user authentication, then adds a unique user identifier to the header each authorized request it passes through. Which is to say, all the hard stuff is already done.
How can I configure ASP.NET Core to utilize the supplied header? User accounts with the associated request header are accessible from Entity Framework, but it's an Oracle provider, with a nonstandard schema. I'm using .net 5.0.
I assume this is relatively simple to implement, but I've been digging through documentation for a couple days and so far I've only found things that don't quite do what I need.
I'm not looking for a complete solution, just hoping to be pointed in the right direction. I'm not confident that what I've written so far is correct, but the project I'm experimenting on is based off the dotnet new mvc --auth individual starting template. Any advice or examples would be greatly appreciated.
If i get the question right, all the hard stuff was gone and now we just need to pull related information based on a given userId.
If that's the case, I would recommend to define your own AuthenticationMiddleware, that would not doing anything related to validate the user, but rather to pull user information from some where and cache it(with a reasonable expiration and clear cache by key mechanism).
Then, every request came after, just took the info from cache then build our own User object that would stick to each HttpContext. This is the final result we should aiming to.
All the process that should make use of AuthenticationSchemeOptions and AuthenticationHandler to build our own authentication middleware. Take a look at this would be good for a starting point.
Related
I have an application with (nuxt js using nuxt-auth) with local authentication so far (later I want to add git and google auth).
Now I need to add authentication to invoke other services / API (like google cloud rest API, payment system, youtube API, etc...)
The question is: the user is authenticated only once (during login to the application.) but each of these 3rd party APIs has its own authentication.
How to implement multiple authentications. (I read the documentation and google for the entire day but there is no clear answer).
As of today, it looks like it is not doable (people are needed on this module): https://github.com/nuxt-community/auth-module/issues/889
So, you would need to make it manually by plugging the APIs yourself.
Answer to your latest question~comment
Nuxt is indeed nice with some of it's modules (but you can totally dislike it, no problem :D).
First thing that you need to know, is that this project (nuxt-auth) is not the biggest one, #pooya is doing his best but he is on a lot of projects, so he cannot give all of his love to it. Then, you also need to understand that it's working great but it's still in a decent beta state with a lot of missing features, needed documentation and a lot of small things to make it an all rounded solid top notch solution.
That do not mean that you should not use it, I'm just saying that this module do have some limitations. Hence, the fact that it is not supporting a whole lot of OAuth solutions in a clear + simple + flexible way. And some breaking changes may be introduced in future updates.
The module is aimed towards having an OAuth solution to block the content of your website behind it (in my opinion). It means that you will usually use a single login solution and then, being able to have access to your app. I don't think that it's a viable multi-OAuth solution (yet).
Some services don't even need to use a solution like this. Stripe for example, should not be handled on the frontend but communicate with a backend for sensitive variables and just send minimal info thanks to Stripe Elements.
That said, the most common solution is JWT or OAuth2, and you could totally have a backend service or service like Okta, Auth0 or alike, do the heavy lifting by allowing simple logins to providers (Github, Google etc...).
To sum up, you do connect to this backend/service thanks to nuxt-auth, the service itself does the provider connection and you get the best of both worlds while still connected in a secure way through your initial nuxt-auth entry point login.
Or you could try to reach the community on Discord, see if somebody knows how to do it. Or even try to read the source code to see if it is currently feasable.
And that's my 2cts.
When I started development of my current project I had no knowledge or prior experience of web development, ASP.Net (Core), C#, JS and so on.
With a lot of reading, excercising and testing I now have an ASP.Net Core 2.2 web application with multi-tenancy based on the database-per-tenant strategy hosted on Azure with Azure SQL as backend.
I have a solution with 2 projects:
the MVC web application that also has the .Net Core Identity from which I use the individual user accounts stored in ASPNet... tables (I did implement my custom UI, mainly so I could use the Localization middleware already used throughout the application)
a data layer that contains the db context's, the data models and the repository
Now I need at add an API.
The sole purpose of the API is cleary defined: give customers(tenants) the possibility to import and export data, most likely connected to other customer's application(s). This API will not be used by the UI. The API will not be hit with thousands of queries per second. It will be part of a business solution with 50 to 200 customers who will perform occassional import/export actions.
I have already implemented Identity and the authentication for the API should be done against the users setup in Identity but with a different authentication mechanism.
I have done a fair bit of searching and reading and found many tutorials/blogs on how to create a WebAPI with .Net Core but they all start from a new project and never go much more into depth. The once that really go in-depth are too complex for me ...
I have 3 questions unanswered at the moment although I know that there's probably more than 1 good answer to each of the questions but I think these are the likes of questions that many in my position, beyond the newbie/beginner but not yet a seasoned veteran, have and are searching for so I hope this post helps not just me but many others as well.
Question 1 - Architecture, where to create the API (project)?
There are 3 possibilities:
1 Add APIControllers to the MVC application (organize API-related classes in separate folders)
Benefits
quick and easy, everything else is already in place
deploys with the solution
Concerns
as it is part of the solution it becomes very monolithic, less flexible
Questions
can I implement a second authentication/authorization mechanism next to the implemented individual user accounts? (more detailed in the second question which is all about security)
2 Add a WebAPI project to the solution
Benefits
better separation but can still use/reference the resources of the other projects
probably gives benefits for scaling and tuning?
Questions
can I implement a second authentication/authorization mechanism next to the implemented individual user accounts leveraging the Identity of the MVC project? (more detailed in the second question which is all about security)
is this project separately published to Azure (or any cloud provider for that matter) using the www.example.com/api path (virtual directory) or is the solution published a whole?
3 Create a separate solution with the WebAPI project and include the data layer project
Benefits
full separation although sharing the use of the data layer project
completely independent with regards to deployment, scalability etc.
Concerns
maybe adds a layer of unnecessary complexity (the API will not handle thousands of requests per second)
Everything that is already configured/setup in the MVC project and that is required will need to be redone
Questions
can I include the data layer project in the solution (it is then part of 2 solutions) or should I reference it as a dll?
Question 2 - how to implement Authentication/Authorization that resides side-by-side with the Identity individual user account?
This is related only to the first 2 options of the architecture as in the third option the project would be on it's own.
The basic question is how to setup more than one authentication mechanism, one for UI users and another for API access.
First there is the choice of Authentication, most of tutorials blogs talk about JWT and Auth (OAuth?). I am not asking what the "best" solution is but which solution would be "preferred" by B2B customers who are the only ones that will use the API.
I am not sure how to redirect to the right authentication: when a request is sent to an API controller method with the Authorize attribute and the user hasn't been authenticated yet it needs to reply with an error.
Currently if a method with the Authorize attribute is executed by an unauthenticated user the user is redirected to the login page as configured in startup.cs:
public void ConfigureServices(IServiceCollection services)
{
...
services.PostConfigure<CookieAuthenticationOptions>(IdentityConstants.ApplicationScheme,
opt => {
opt.LoginPath = "/User/Login";
...
Do I need to configure this with something like the example I found below:
app.UseWhen(x => (x.Request.Path.StartsWithSegment("/api", StringComparison.OrdinalIgnoreCase)),
builder =>
{
builder.UseMiddleware<AuthenticationMiddleware>();
});
or is this configured in a different way?
In the case of creating the API as a separate project should I use the "Multiple startup projects" option? I guess this means that I need to create the whole startup.cs again?
Question 3 - if I want to offer my customers a REST API and an OData API, can I handle this through a single API or do I need to develop a second to support OData?
I know it is lengthy but I'm sure that others are looking for similar information and I'd appreciate any input.
Thanks
I want to make a quick, safe and nice application.
For many years I have been programming in PHP and regular ASP. But wanted to go on with .NET and vue.js.
So I have an idea, I wanted to create and plan to do it like this:
I was thinking of using hosting from an external service.
Then I would have three projects:
domain.com/index - Vue.js which will be a SPA, where the user can filter through a catalog, press like and send few api requests (mainly get-requests).
secure.domain.com - Here I will have a .net mvc project where I can use identity. This will make it simple to handle/register users. I will also give the correct session here for authenticated users. And it will affect domain.com/index, where they only are allowed to do some of the things if they are logged in
api.domain.com - This will be the webapi api. Only authenticated users will be allowed to send some of the requests.
I have used several weeks at looking into how to structure this.
But as I do not have much experience with this.
What pitfalls and bad consequences do you see in structuring it like this?
Are there any heads up you want to give me? Or any other recommendations?
I have been trying to melt all of this together in one project, but that has been difficult, because they operate in different ways. So now I have ended up with this, and look forward to
Size of project
It will be a relative small project.
People should be able to register/authenticate themselves (through facebook/google/server login).
Authenticated People should be able to add records(links) to a database. When adding this to the database they may also want to upload files, and choose some additional information.
All people should be able to filter through the catalog of records (5000+) ( Here I am using vue.js/vuex/axios). Here they should be able to comment too on links too.
Webapi will have 8 entities/tables and one view which will GET all the information. 3 tables should be able to have POST.
So it is more or less a catalog, where people should be able to add records and find new ones.
I was planning to use the identity from asp.net core 3.1. It is a "template" where I can easily add 3rd party logins. (https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-3.1&tabs=visual-studio)
Additional questions:
Can you tell me how request from SPA will be authenticated in your API? (Jwt or cookie)? Why would you like to have a separate identity service, also Why you would like to use asp.net identity (is it because of ease of setup)?
I have not been thinking about authenticating API requests. Was thinking to only have authenticated users who can send POST-requests. And the rest will be get requests. Limited only from the server. Should I have some additional authentication? Does JWT make web APIs safe enough for my use?
Was thinking of using .net identity because it is simple. And I don't want to use time on setting it up.
Since this is your first project of this type, I would recommend to keep it simple.
Just create one web site. Otherwise you might get issues with the cookies not working for subdomains and you will also get issues with CORS. That is, you will get all problems at the same to time (configuration issues, infrastructure issues and the pain from writing the application itself).
You can still have a clean separation by using sub folders (or Areas in MVC) and by using class libraries for the backend (API) business logic.
Once you have mastered the basics (i.e. writing the actual application) you can start looking at other means of separation etc.
Searching for oauth2 stuff seems to bring up dozens of Q&A's on client-side integration (like how to authorize with google/facebook apis) or using existing providers (like solutions for popular frameworks), but I am having a hard time finding info on building a solution on top of a pre-existing user/pw db.
Can someone please outline the bullet points of exactly what it needs to do in order to extend the existing system to provide oauth2 authorization? i.e. the existing system already provides registration, password recovery, login, forgot email - all that stuff without a framework (golang and password is hashed with first x bytes as salt, in case it matters). I don't want to toss it all out in place of an out-of-the-box solution which covers all that + oauth2. I want to add oauth2 by hand (or using minimal golang libraries) on top of the existing system.
I'm currently trying to reverse engineer and look at existing code, but it's a bit confusing and when it comes to authorization/security stuff I don't want to be making guesses, even educated ones. Could look at the spec too but I don't really need cover everything in there, just the bare minimum to let another site authenticate (by calling a "getprofile" API after authorized, maybe I'll make that compliant with openid connect but never mind that for now unless there's no increase in steps).
Sample code or libraries if any are preferred in go-lang since that's what I'm building in, but pseudo-code or vanilla code in other languages is fine too
I've been working on a web app in Clojure as a side project, and I'm trying to figure out how to do user authentication and autherization. From the googling I've done, I heard about sandbar, but after reading the two blogposts on sandbar (Part 1, Part 2), I left with more questions than answers. I've looked at the source code for 4clojure, and from what I can tell, they roll their own, the problem is that the code's not commented very well, if at all. I'm thinking I need to roll my own system and use either sandbar or noir.session to pass user information around. Could someone please point me in the right direction? I feel like I'm missing something simple.
Chas Emerick's Friend library is now available. It's still relatively new, but looks promising and quite well documented.
I had a look at the 4clojure login code and I think it is pretty clear how the implementation works. Basically it is the traditional HTTP authentication. Post user/pwd in form to a URL, check username and password and update the session with the user info that can be used for further requests to check whether this session is for a valid logged in user.
This is how most of the web app authentication works. Now this is "what to do" part of the situation, for "how to do" you can implement it your self using "primitive" features provided by the web framework or probably use some middle-ware that does this for you along with providing some hooks to customize the implementation a bit.
For authentication, apart from the obvious "rolling your own", I found https://github.com/mattrepl/clj-oauth to work well if you want to use OAUTH (e.g. via Twitter). Once you've acquired user information, storing it in some sort of session object (via ring-middleware-session or similar abstractions) seems to be the obvious thing to do.
For authorization, the way described in the blog post you linked to - wrapping certain routes with an authorization middleware (or whatever abstraction your preferred web stack offers - e.g. pre-route in Noir) works well.
There's also an alternative to Friend called Buddy.
What is the difference with Friend?
Buddy authorization/authentication facilities are more low level and less opinionated that friend and allow build over them easy other high level abstractions. Technically, friend abstraction can be build on top of buddy