Can you Windows Auth to Basic Auth? - authentication

I'm developing a blazor web application that will use windows authentication. The web application requires data from another web service. Basic authentication is required on the web service. The web application and web service are in the same domain using the same domain for authentication. Is there a way to take the windows auth credential that the web application will possess and convert it to the basic auth required by the web service?
I am aware that the windows auth credential does not contain the password and basic auth needs a password. I cannot change the authentication scheme of the web service. I cannot spin up a new instance of the web service with a different authentication mechanism. I can't use basic authentication for the web application. The web service requires that the web application connects with it using the logged in users credentials for logging purposes ie. can't just use a service account to connect to the web service. I am open to using a different authentication mechanism for the web application with comparable security to windows auth if it will work, SSO preferred.
I believe this is technically infeasible but would welcome any evidence to the contrary.

Related

WebAPI mixed authentication with OWIN Tokens and windows authentication

I am looking for a way to combine Windows Authentication and Identity/token based authentication. I have a Web API that currently uses OWIN to authenticate with Bearer tokens via the /token path and the ASP Membership database. The application that currently accesses this is external and will use a login form to log in.
The second administration application will be internal and I would like to utilize the same Web API RestFul service and allow windows authentication to it.
Is there a way to allow OWIN to allow both options for authentication? or do I need to do the Windows Authentication in another layer and have that layer call the WebAPI with a token?

Deploy Azure AD WebAPI to IIS, with Windows Authentication enabled, skips Azure AD Authentication

I have a WebAPI that I have successfully secured with Azure AD. When I run it locally (through Visual Studio), trying to access the WebAPI end point via a browser gives me
Authorization has been denied for this request.
Which is what I would expect. Accessing the WebAPI through a client with ADAL library works as it should. A forms login screen pops up, and authenticates me and passes back a token, which I can then use in my WebAPI requests.
Something I wouldn't expect happens if I deploy the WebAPI to an IIS server, and have Windows Authentication enabled for the site. When I try to hit it the IIS WebAPI end point through a browser, I get a Windows Authentication prompt. If I successfully authenticate the Windows Authentication, the WebAPI serves the response.
I guess I would expect that the WebAPI would return the same "Authorization has been denied for this request". Windows Authentication shouldn't authenticate me to the WebAPI if I've configured the WebAPI to use Azure AD authentication.
My question is, is this expected behaviour, and if so, why?
I can see from one perspective that the WebAPI can accept authentication from any method that I've configured. But part of me thinks that since the Azure AD authentication is configured in the WebAPI application, and not IIS, it should take precedence.

Implementing Azure Active Directory Authentication in a client OWIN Web Application

Hello I have read and implemented these Vittorio Bertocci tutorials:
"Secure ASP.NET Web API with Windows Azure AD and Microsoft OWIN Components"
"Protecting a Self-Hosted API with Microsoft.Owin.Security.ActiveDirectory"
However unlike the tutorials my web application is comprised of the following OWIN components: NancyFx & ASP.NET Web API (following the architecture pattern set forth here)As I attempt to implement AAD authentication (as Mr. Bertocci does in his tutorials) into my NancyFx module (to authenticate a user who hits a route requiring authentication):
I get the following error
Additional information: Loading an assembly required for interactive user authentication failed. Make sure assembly 'Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' exists.
clearly the AAD dialog that pops up asking a user to login has a dependency on WindowsForms and shouldn't be invoked from a web application.
What AAD credential prompt should I be using instead?
How to I implement AAD auth in a web app client?
My understanding of the scenario you are trying to implement is that you have the following actors:
Browser -> Web Application -> Web API
Where the browser is authenticates a user to the Web Application and then the Web Application attempts to obtain a token that will allow it to access a resource at the Web API on behalf of the user.
That being the case, your Web Application will need to redirect the browser to the AAD OAuth 2.0 authorization endpoint. There the user will enter their credentials and be redirected back to the Web Application with an authorization code. You can then use that authorization code to obtain a token via the Active Directory Authentication Library (ADAL). Specifically you will use the AuthenticationContext.AcquireTokenByAuthorizationCode method. The following blog entry by Vittorio gives more detail on the code you will need to implement in the Web Application in order to obtain the token. It is not an OWIN specific implementation, but should be easy to translate into your NancyFx app.
Using ADAL’s AcquireTokenByAuthorizationCode to Call a Web API From a Web App
You should not have to change your ASP.NET Web API that you implemented per "Protecting a Self-Hosted API with Microsoft.Owin.Security.ActiveDirectory"
The version of AuthenticationContext.AcquireToken that is used in the client app example in the Protecting a Hosted API... blog entry is intended for a different scenario where no browser is involved. Instead the user is interacting with a desktop application that is then calling a Web API on the users behalf. In that case, the AcquireToken call must show a browser based dialog in order to allow the user to sign in and obtain an appropriate token.

Is there a way to grab the password using windows authentication with webhttpbinding in WCF?

I'm currently have a selfhosted WCF REST service. Using WebHttpBinding and Windows authentication, is it possible at all to get the password or do I have to use Basic authentication?
You can't get the user password using Windows auth - since the authentication is done via a third party (usually the active directory), no passwords are exchanged between the client and the service, only a token which is issued by the AD.
Being able to get the password using Windows auth would also be a huge security risk - in intranets clients (such as browsers) usually don't prompt the user for credentials when authenticating themselves to a server which requires that kind of authentication. You wouldn't want your password to be handed over to a service which you happen to visit that uses that kind of authentication.

Architecture. WCF+SHAREPOINT services

I have separate layer with WCF services.
And I have sharepoint website.
The aim to allow login for mobile devices to WCF layer and in the same time to sharepoint web site.
Sharepoint will be used like secured database.
I need somehow to check user when he will login to WCF layer and the hard part to authenticate him in SharePoint website.
I need any help because I really don’t know a lot about this topic. Will appreciate any answers
Your WCF service will not connect to the web pages of the SharePoint site, it will connect SharePoint's web services.
Mobile devices are limited in the authentication they support. Windows authentication may not be supported. So basichttpbinding using basic authentication over SSL is probably the best option. Send the username and password as part of the call, then you can use this username and password in the web service call to the SharePoint web services.