I have a project structure which includes a Blazor server project and an api project.
Every things works fine, but I'm confused about how to handle security. I use JWT in the api, and in Blazor server I use scaffold identity.
How can I integrate the security between the two project?
Should I use JWT for both and override authentication state provider?
https://www.pragimtech.com/blog/contribute/article_images/1220200705121732/blazor-application-architecture.png
#edit
I don't want to use the Identityserver4 as the version 5(duendesoftware) will be paid , the support for identityserver4 will be terminate at Nov 2022 with the end of .net core 3 support, So that I need any replacement that's free
or a cimple way to do the authentication between the two layer
Thanks
Related
I am trying to figure out how can I call blazor wasm hosted application to my company's AD directory and get user.identity information.i am just running in circles.i don't want to use identity server or azure Ad.can someone please share code. The actual working code. Company policy is not allowing to use sticky sessions so can't use blazor server. Please any help.much appreciated.code would be much appreciated. I am surprised there is no such code out there. I am using .net 5
You'll really struggle to get this to work - from MS website:
We don't recommend using Windows Authentication with Blazor Webassembly or with any other SPA framework. We recommend using token-based protocols instead of Windows Authentication, such as OIDC with Active Directory Federation Services (ADFS).
Reference: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/?view=aspnetcore-5.0#windows-authentication
I highly suggest switching to an OIDC implementation instead. ADFS supports this and your company might already have this setup on the network.
I want to build 2 apps.
Private API in .NET that takes care of database access / processing of data.
Blazor WebAssembly app which will connect to this API securely, to search data.
Since Blazor WebAssembly DLLs can be decompiled, I can't use any private/secret keys in the APP.
I don't want anyone being able to use the API if they discover the endpoints. Only the Blazor APP can use the API (and any other app I might build in the future).
How should I approach this? Is it even possible to do it securely or should I go Server Side?
Secure ASP.NET Core Blazor WebAssembly explains how to secure a Blazor WASM app
Blazor WebAssembly 3.2.0 Preview 2 release now available explains how to use IAccessTokenProvider to get the access token to authentify your applicaton on API.
I have been trying for weeks to implement JWT authorisation in my .NET Core web app and have found myself following a lot of guides that I don't think are relevant to my use case. These guides talk a lot about scopes etc, and I don't think I need that level of complexity for my use case.
A lot of the guides talk about using things like OpenIddict or Identity Server to setup and configure something that the user can authorise against, but in these settings it seems like a seperate project is required to house the identity provider, and then my new asp net core application has to somehow hook into that for use. I'm also trying to get things like refresh tokens to work so the user doesn't have to log in over and over again.
The "client side" of my app will be Xamarin (for mobile) and Angular (for web).
In a single web application (a single .net core application) how can I use .NET Core Identity with JWT or OAuth? What is the minimum level of configuration required to achieve this?
ThisSimple JWT project
This is not asp.net core .This is just asp.net mvc project but this really simple and basic one. by watching this code, you will be clear how to implement JWT. Thanks
I'm using angular2 as a front-end. My Back-end is ASP.NET Core and I am using it as a Restful Web API. How can I authenticate credentials from angular against a local active directory?
Depending on the version of ASP.NET you could implement the ASP.NET Membership or Identity which can connect to AD.
You should easily find various examples of these.
I have recently looked at Auth0, which means you can integrate a variety of ways, front or back-end.
see: https://auth0.com
(not affiliated)
Why it`s not possible to create Web API project with Individual User Accounts Authorization type?
UPDATE:
All version numbers are updated from v1.2 to v2.0.
Please find the ASP.NET Core Schedule and Roadmap:
Identity Application Services
A service layer will be added ASP.NET Core Identity and included in the project templates using Individual Authentication. This will allow authentication of users by way of JWT tokens such that Web APIs can be secured out of the box, and make it simpler to change authentication systems, e.g. from in-app Identity to Azure AD B2C, or 3rd-party solutions like Identity Server.
Daniel Roth from MS:
Support for individual user accounts with the Web API template in VS is not available yet. We are still looking at providing a supported on premise offering for token issuance in addition to providing integration with Azure AD B2C.
This statement can be found in the comment section under https://channel9.msdn.com/Events/dotnetConf/2016/Building-Secure-Web-APIs-with-ASPNET-Core
This is just disabled in core 1.1.please use core 2.0 to find all authentication.You can download core 2.0 from
here