Is it possible to integrate FIDO2 WebAuthn with Blazor Web Assembly authorization and Identity Server? I am able to use FIDO2 to log in directly to Identity, but I cannot see how to use FIDO2 with my Blazor OIDC connection logic.
Yes, I have gotten everything working well. Basically I use the ASP.NET Core Identity pages - login, Enable2FA, etc. - to manage the registration and login processes. The final step in the login process, once the FIDO2 biometric login has completed successfully, is to from within the FIDO2 controller MakeAssertion call complete the sign-on with SignInManager's SignInAsync.
Biometric login is now working well from iOS, Android, Windows Hello, and using a Yubikey security key.
Related
I need to make my new ASP.NET Core Blazor WASM application authenticate with our on-prem ADFS/WSFederation servers. Specifically, it needs to automatically log-in users that are already logged into our AD domain, without making them go to a login page. Basic single sign on behavior. (This is how ASP.NET worked by default with ADFS/WSFederation)
I can get SSO to work without using Identity, and I get get Identity to use a log-in screen that will allow you to choose a WSFederation server as an external log-in provider, but that still begins at a log-in screen.
Can ASP.NET Core Identity work in an SSO configuration (no login screens appear for domain users), or is Identity built on the assumption that Log-in screens will be used? If it can be done, how is that set up? If I can't use Identity, can I still use other middleware like Authorization?
I want to login an user optional with Spotify (only) as identity provider in asp.net core from an Blazor WASM page.
I use that example to configure the server. I also searched in the Microsoft Docs, but I didn't found an example to start an authentication request. Currently I'm not redirected to Spotify OAuth login page.
I don't know how I start the login flow. Is there a "default" route to start the ASP.NET Core login flow? Or is there any good tutorial to start that?
The Application should have an login button and I need the token on server side and on client side. I would prefer to do the authentication on the server side, because i don't want to have the client secret on the client side.
Are there any best practices to solve this problem?
From you server controller you can call the ChallengeAsync method to start the configured authentication schema.
If you are requesting a token from a SPA application (like Blazor WASM), then use Authorization Code With PKCE. PKCE does not require a client secret so it is safe to request if from the client side application.
Otherwise I would use Authorization Code Flow and exchange the code for the token on the server application. Basically the sample you linked does this by utilizing a AspNet.Security.OAuth.Spotify nuget packege.
(Spotify uses oauth 2. I would recommend to pick the authentication flow that suits your use case. For example the client secret should not be in any SPA application.)
There is a good summary table on Spotify docs.
I have an ASP.NET Core 2.1 App using Identity to manage users. Now the requirement is to also support Windows Authentication. If a Windows user has an account in Identity an automatic login should take place. I think I need to generate an Identity cookie in this situations but don't know how.
You cannot use both Identity and Windows Auth at the same time. The best you can do is attempt to auth the user via an LDAP connection to your AD server. In short, the user would still need to explicitly sign in, but they could use their domain credentials to do so.
The situation is a little better if you implement IdentityServer. This is a bit more effort, but it can pay dividends in the future from having a centralized auth service (allowing you service APIs, mobile apps, etc.). IdentityServer can handle Windows Auth, but it treats it as an external sign in provider, like Google, Facebook, etc. You'd have a button or whatever to login via Windows, and then it would seamlessly authorize the user. See the IdentityServer docs for more information on that setup.
I have created a MVC custom web application with ASP.Net Identity provider and it worked fine. Now I want to enable that single sign on authentication in Cortana skill using the connected account (similar to Expedia Skill). Do you have any suggestions?
Here are the steps that I followed for enabling the custom Authenticaiton
ASP.Net Identity provider
I have Tried the steps given here, but somehow the token is not getting back to Cortana skill. Is there any way to troubleshoot the cortana authentication flow.
Cortana External Auth
I am developing some angular 2.x based application with Identity Server 4 (in asp.net core) as authentication server. Server setup, application authentication is done but now requirement is to support SSO to avoid login in each application.
To do so I am storing authentication token in local storage and trying to reuse in different angular 2 application but it does not work.
What is the standard way to do SSO here with Identity server 4 and any types of clients with any browser?
Thanks in advance.
You should not reuse same authentication token(access token) from both apps. You need to configure two clients(implicit flow will be suitable for this) in identity server and use those clients in your angular apps(one client for each). Both apps will redirect users to same identity server log-in page. When you signed into identity server(from any app) you do not require to sign-in again from the other app.