With ASP.NET Core 5, Angular 10 and Identity Server 4 I created 4 applications:
Auth using Identity Server 4;
Asp.Net Core 5 API
Asp.Net Core 5 MVC
Angular 10 SPA
On the Angular application (4) I am using OIDC Client JS and Code Grant Type.
The Asp.Net Core 5 MVC application (3) also needs to access the API ...
I am using Identity Model but what Grant Type should I use in MVC application?
Code as in the Angular application (Is this possible?)? Client Credentials?
If you login the user on MVC application and you want to call the API on behalf of the user use the Code flow.
In this case only difference between MVC and angular apps is that Asp.Net Core 5 MVC is a confidential client and you can use Code flow. But Angular 10 SPA client is a public client and you should you Code + PKCE.
It is although recommended to use PKCE in both cases.
If you just call an API through MVC and as the app itself and not behalf of the user, you can use Client Credentials flow. This flow is for server to server scenarios and it is secure.
In this case you should do authorization for MVC app as well.
Related
What is the proper way to configure and use Asp.Net Core Identity in Web Api application?
I've looked at the documentation, but looks like it demonstrates cookie based authentication in View-based MVC Web apps, not Web Apis. I know in Asp.Net Core the MVC Web Apps and the Web Api applications follow the same middleware pipeline, but what if I don't want cookie based authentication?
Does it make sense to use Identity at all if I want to use JWT bearer token for authentication? I've walked through a few tutorials which use JWT bearer token for authentication and also uses Identity. I've explored the sample codes, and looks like they are using Identity solely to take advantage of the built-in UserManager and RoleManager classes for the ease they provide with data access.
Do you use Asp.Net Core Identity in your Web Api application when you are using bearer token for authentication? If yes, what purposes does it serve in your application?
I am developing an API using ASP.Net Core 2. To authenticate, the web app is passing the Bearer token in header of the request. I would like to know the best practice in ASP.Net Core 2 to authenticate by passing the token via request.
We used IAuthorizationService (Microsoft.AspNetCore.Authorization) in .Net core for authorizing access token comming from Idntity Server 4. Is it possible to use IAuthorizationService in MVC 5 for authorizing same token. If yes, what is the procedure to bootstrap IAuthorizationService in MVC 5 or not what will be the best approach ?
You are probably talking about the ASP.NET Core authorization framework
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/introduction
This is just a general purpose framework and has nothing to do with access tokens. You'd still need some sort of library to validate the incoming token (e.g. middleware).
That said - the authorization library has been back-ported to MVC5/Web API2 here:
https://github.com/DavidParks8/Owin-Authorization
I have following scenario. I write asp.net core web api which will be used by mobile and web (asp.net core mvc web app) apps.
I authenticate user using asp.net core identity framework class SignInManager (add account controller and related classes manually) and then generate oauth token which will be used by client applications. By doing so I have 2 identities associated with the user. one is created by after I login using SignInManager.PasswordSignInAsync and second is created by generating oauth JWT token.
Is this correct approach or not?
Thanks
https://blogs.msdn.microsoft.com/webdev/2016/10/27/bearer-token-authentication-in-asp-net-core/
that might shed some light on what direction to go. there is also another blog post about using IdentityServer4 (3rd party) works well.
https://blogs.msdn.microsoft.com/webdev/2017/01/23/asp-net-core-authentication-with-identityserver4/
We are building ASP.NET MVC core web app and accessing data through ASP.NET Core Web API.
We have to give authentication and authorization to both MVC Core and Web API Core side.
If user is authenticated in MVC core web app then while accessing the data on web API core it is should not again authenticate. If user is directly accessing the web API then it should not allow and ask for authentication.
We also want to give authentication through Google.
For WebAPI I suggest token based authentication, Google support OAuth.
I suggest you take a look at the following link:
https://stormpath.com/blog/token-authentication-asp-net-core
There are some community-led efforts to build rich token authentication functionality for ASP.NET Core:
AspNet.Security.OpenIdConnect.Server – Similar to the OAuth Authorization Server middleware for ASP.NET 4.x.
OpenIddict – Wraps OpenIdConnect.Server up into an easier-to-use package that plugs into ASP.NET Identity.
IdentityServer4 – A port of Thinktecture IdentityServer3 to .NET Core.
All of them have sample MVC and API apps. Enjoy.