I know it isn't a specific issue, but can you give me any guideline how to create Facebook or Google login for Blazor Client (Webassembly) app?
I emphasize Client (so not Server!) because it is exist and working well.
Or just tell me that it is possible? And need I use the server (asp.net core web api) or the client would be enough itself?
I appreciate any hint.
I've found docs on MS page regarding 3rd login providers. And this article describes OIDC auth process. The Blazor wasm authentication uses oidc-client.js library, which is capable of oauth2 and oidc. Therefore, it is possible and client should be enough(see the quote below).
The server hosting the app doesn't play a role.
However, I haven't found any examples of this.
Related
I'm pretty new to mobile app development, with some experience regarding ASP.NET Core. In the past, I've used Firebase's Authentication module for its simplicity, but until now there hasn't been a case where I had to design and develop the authentication completely from scratch, especially not in mobile apps. Yesterday I've been googling and reading documentation all day long, just to find myself with even more questions than I had before...
The main idea is to create a cross-platform mobile app with:
React Native (Expo managed workflow)
ASP.NET Core 3.1 Web API with protected endpoints through validation of a JWT token in the request header
Identity Server: Azure AD B2C
Authorization Code flow with PKCE, as recommended by various docs
Yesterday I started looking at the AuthSession API of Expo (https://docs.expo.dev/versions/latest/sdk/auth-session), with which I managed to get an access token from the Azure AD B2C server after logging in with an existing user through the mobile app. This is all done through a webbrowser popping up when a user clicks 'Sign In' in the mobile app.
This made me think however: how do I implement the validation of this JWT token which comes from the Azure AD B2C server in the Web API? Many guides & tutorials regarding this topic simply configure a JWT key in the appsettings and use this key to both generate the JWT token and validate it afterwards. Is this where claims might come in handy?
I honestly feel a bit lost as the possibilities seem endless on one hand (hence the 50+ tabs currently open in my browser), but on the other I find it a bit suspicious to not find any decent example of my use case which makes me think I'm doing something completely wrong or overly complex. All I'm basically looking for is a clean and secure solution to authenticate users with my current app setup, without having to reinvent the wheel all over again. So far I've probably looked at every single library/nuget package/stackoverflow post out there...
Any guidance towards the usage of 1 or more specific libraries/guides/packages would therefore be greatly appreciated!
Have you looked at the B2C MSAL samples?
In terms of validating the JWT, there are many samples here. Also B2C.
we have a website which is accessible after azure AD authentication with Open ID connect.
So now the requirement is, we need to develop a .net core web api and need to access this web api from above website.
Need some guidance on developing this web api and how can we access this web api from website securely. Can we use the token method or the JWT or any other way instead of secret key and api key.
Please share any useful link if possible.
Much Thanks
Anuraj
For dotnet core web API project sample you can see here which build on using openID connect.
Once you have build API you need to register it on azure portal. Beside you have assign permission on your application which you are looking forward to access from out side.
Here you can have a look on how to register app on azure portal
After successful registration make sure you have allowed API permission you need like below screen shot:
Here is same thread for API permission guide line you can have a look on.
This is also helpful for you to test it on postman example.
IF you have any complexities regarding implementation let me know. Thanks
You can rely on Microsoft documentation to understand how to properly create a .NET Core Web API with MVC.
Also yes you can use token or JWT or OAuth2 or any authentication method. Here's an useful link: https://auth0.com/blog/securing-asp-dot-net-core-2-applications-with-jwts/
You can then try to code something and eventually ask a more specific problem about coding here in SO.
Be warned possibly noob question ahead.
I'm a little unsure where exactly Azure AD or IdentityServer is supposed to fit in in the overall communication flow.
Here is a scenario that I often face.
Some "dumb" client (e.g. a Windows App that can't use external assemblies or some JavaScript in a web app) has to contact my Web API which will then contact other APIs or other resources.
If I want to try and implement either Azure AD or IdentityServer as a means of authentication and authorization in the Web API, I don't see that this can be done in any other way, than it has to be the Web API that communicates with Azure AD or IdentityServer as the client doesn't have the ability to do so due to the lack of required assemblies.
If this assumption is not correct, then how would I do this?
If it is correct however, then what means of security is there between the client and the Web API other than communicating over HTTPS when the client has to send it's credentials to the Web API, so the Web API can authenticate and authorize the user against either Azure AD or IdentityServer?
If I understand your requirements correctly, then you are able to change the client Windows app, but unable to add external assemblies to it? So you would not be able to add the ADAL NuGet package to it.
You can still use Azure AD authentication - it is possible, but not trivial, to implement the client code yourself.
Or you can, as you already mentioned, pass the user's credentials to the Web API somehow, and then use that to have the Web API do authentication towards Azure AD on behalf of the user. There is a sample app which shows how to use username/password credentials.
This however, goes against the whole OAuth/OpenIdConnect mindset, where your app should never know the user's credentials.
Here:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/develop/active-directory-v2-protocols-oidc.md
Be careful with trying to use the most recent version of the Azure AD endpoint (just don't use version 2.0, they shot themselves in the foot by excluding all Azure AD webapp registrations & by "securing" web APIs by making them only available to apps with the same appid - as far as I'm concerned, it's unusable until they fix those two issues) - see the "[!NOTE]" near the top of that linked page for the v2.0 limitations.
I've been reading a lot lately about WEB API authentication mechanisms and I'm a little bit confused regarding how to implement my Web API authentication mechanism, I'm thinking on using Token based authentication but I'm not sure if it is the right choice.
Basically my Web API will manage all the operations needed and it will store the users of my website as well the API users(in case they have to be separated).
I want to support the following
User can register on my website and apps using their G+ or Facebook account or an already created username from my service, as well they will be to login using their social account.
If the user is not logged in they won't be able to post Items but they will be able to see the Items, think something like Craiglist.
Let's say the user is a developer and they want to post the items through some software they created instead of going through the website and posting one item at a time, how do I allow this?
Now, my questions are: 1) When a user registers on my website, do I have to create a (public key/ secret key) for it subsequent access token , so I can use my API from the website as the user checking if they have access to certain endpoints?
2) Do I have to assign a (public key / secret key) for my website so I can consume the API when the user is not logged in?
3) The same as above for mobile apps
4) How do I allow users to (sign up / sign in) using G+ or Facebook?, if they log in using any social network how am I going to secure my api?
Please, any answer will be really appreciated.
Thanks
For ASP.NET Web API 2, I would recommend you to use the default Owin OAuth2 authentication. It's a standard form of authentication well documented enough. If you do not have enough knowledge about OAuth2, read the RFC.
With Web API 2, ASP.NET moved to a new security model, called ASP.NET Identity. There is this really good video that explains the basics. The point is that starts from scratch, ignoring traditional basic, forms, or windows authentication.
A lot of learning material is on the ASP.NET website.
For local, individual accounts (questions #1, #2, and #3), look through this tutorial - here basically your own server will act as an OAuth authorization server, and the Owin OAuth2 implementation will take care of generating access token and authenticating them. Since you'll be using the OAuth 2 standard, it will be basically the same for mobile as well.
For external accounts (question #4), read through this tutorial. There are official libraries for third-party authentication for the major providers:
Microsoft.Owin.Security.Facebook
Microsoft.Owin.Security.Google
Microsoft.Owin.Security.Twitter
Microsoft.Owin.Security.MicrosoftAccount
It would helpful to also learn more and understand the new OWIN specification, that describes how web apps need to created for the .NET framework, and the Katana project (Microsoft's OWIN implementation).
Follow this tutorial for most of your requirements http://bitoftech.net/2015/01/21/asp-net-identity-2-with-asp-net-web-api-2-accounts-management/ Logging in via facebook/G+ MVC already has the helpers commented out. You would get the credentials by setting up key's via the third party apps and then store the identity.
I am building a social website that will expose REST API (WCF WebAPI) to the world so any developer would be able to create a client application for the website, integrate it with other services, etc.
I would like to implement Facebook/Twitter-style access control mechanism for the API. So that developers will register their apps on the developer section on the site, create a key and use that app key in OAuth workflow to get access to the API.
Since I use Azure in this project, I consider leveraging Azure ACS to facilitate OAuth processes. However, I am unable to find any code sample or manual for app authorization with ACS.
Can someone share such example or at least give me a direction for my own research? If I can achieve Facebook/Twitter behavior with another OAuth library (e.g. DotNetOpenAuth), that would be cool, too.
Thank you in advance.
ACS is a good choice for this sort of thing. Your scenario is pretty much OAuth Delegation, which ACS supports.
You should look into ACS with OAuth 2 Delegation sample in:
https://connect.microsoft.com/site1168/Downloads (It is called Wif Oauth CTP version)
Note that in this sample custom authentication is used for autheticating the user. Since ACS provides Single Sign On with Idps, you can instead use ACS here (e.g with Facebook).
If you go this path, you can find more information on how to use a custom home realm discovery page in the following sample:
http://msdn.microsoft.com/en-us/library/hh127794.aspx
Finally, you will neeed to have a web page where your client apps will manage their settings. For this you will be required to use ACS management service. You can find detailed information on using ACS management service in:
http://msdn.microsoft.com/en-us/library/gg185970.aspx