How do I implement OIDC authentication in Blazor WebAssembly? [closed] - authentication

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 2 years ago.
I am working on a PoC project to verify that Blazor is the right technology for our company-internal web frontend applications. We have an internal identity provider (IdentityServer4 impl.) which I want to authenticate with. In the older projects where Angular is being used, we use the JavaScript OIDC client with implicit flow. As far as I understand OIDC, implicit flow should be perfectly fine for a Blazor WebAssembly single page application. We have no dedicated server application for that particular frontend, just a few microservices where the frontend fetches data and therefore needs to provide an access token.
An OIDC client library or some example code (ideally both) would be really helpful.
Thanks!

I was in a situation where I needed an extendable library for Blazor WebAssembly supporting OpenID Connect (OIDC) with Proof Key for Code Exchange (PKCE). Therefore, I have created the open source ITfoxtec.Identity.BlazorWebAssembly.OpenidConnect library which is JavaScript free and pure .NET.

I would recommend giving Blazor.Auth0 a try (author here).
Blazor.Auth0 is a library for using the Authorization Code Grant with Proof Key for Code Exchange (PKCE) with Auth0's Universal Login in Blazor SPAs.
If you're not interested in adding/using a third-party service, then at least the source code would help to point you down the correct path.
I hope this helps :)


Structuring .Net Core web application with api authentication + api services [closed]

I am currently looking into splitting up a .Net Core project and I am not sure on which technologies to employ.
Let's say that I wanted to create a website where authenticated users could look up book titles:
I would like the project structured like this:
.Net Core web application using MVC (All UI in here)
.Net Core Web API for authenticating users (Authenticating users against database here)
.Net Core Web API for Book titles (return titles if user is validated)
Application flow would be the following:
User goes to UI web page and is met by login-screen. User enters username/password and then UI will send a login request to the Authentication-API. Authentication API should return some sort of data that the UI can store in the user's session to verify that the user is validated for the next period of time.
When the user wants to get the book titles, the WEB UI should send the existing authentication data to Book Titles API. The book title API should then verify that the user is still authenticated and return the book titles if so.
My question is, what is "best practice" in regards to this setup. I have read a lot of different things about JWT tokens/JWE, Cookies and so forth, and I am having a bit of trouble finding my way in it.
Could my Authentication API use Identity framework, and could that information be passed around to other APIs, or should I use cookie authentication, and how would I do that?
In the project's future I would like to be able to create an app that should also be able to access the Authentication and Book title APIs without worrying about the .Core UI project.
Is there anyone out there who can point me in the correct direction here or have some good recent articles/references I could look into.
Best regards

I understand your thoughts around designing the solution. The things you have mentioned above look appropriate and I do not see any issues. But I would like to recommend a few things when it comes to selecting the right authentication framework.
If you are thinking of integrating your application with some IDP like Google or Okta etc., then you need to define the protocol you will be using. One of the most popular is OIDC.
Look for some of the standard flows for your application. If you have a client-server architecture, you can opt for either implicit flow (less recommended due to security issues) or authorization code flow.
.Net has very nice support for using OIDC in applications.
When using OIDC, you are eligible for session store and access_token, which is a short-TTL token and can be used between applications to communicate with each other. Know more about it here
The complete authentication process with the right flow and integrated application will be taken care of by the IDP; you just need the right configuration and library/framework support to do it.
Using OIDC also gives you the benefit of not falling into any OWASP issues.
On top of that you just need to deal with authorization logic, which is very common and application specific.
One IDP you can try for free and in the cloud is Okta.
Another option, if you are using your own authentication framework:
You can implement your own identity server framework.
Check this article: Using .net core with identity server. You can host your identity server or expose its API using your application.
GitHub link for IdentityServer4

You can find a ready-made solution with sample projects using this solution in the Git repository below:
IdentityServer4 Implementation with ASP.NET Core
You can find there an auth server which authenticates the username/password and gives back a token. That token is used to access an MVC app as well as a secure API.

Securing Rest API for mobile applications and micro-services using spring boot [closed]

We are developing a few micro-services using Spring Boot. These REST APIs will be consumed by a mobile application. What are the best and recommended ways to secure these APIs for a mobile application using the Spring Boot framework itself? I am not experienced with securing APIs for mobile applications.
Your advice is highly appreciated here.
Need to consider these areas.
How to generate tokens
How to store token
How to refresh them and expire them.
When the mobile application should receive the token
Thank you

I suggest using ready-to-use solutions for Identity Management like an open-source Keycloak or paid providers like Auth0 instead of reimplementing the wheel of security on your own. There are simple Spring Security adapters for both named options.
The typical approach is to use OAuth2 with Authorization Code Grant Flow extended with PKCE (https://www.oauth.com/oauth2-servers/pkce/).

WSO2 UserAdmin API document [closed]

I want to learn about the WSO2 UserAdmin interface, but did not find a relevant document that describes this part.
I can get UserAdmin.wsdl, but there is no explanation of the parameters.
Does anyone know whether there is detailed documentation about the UserAdmin interface?

If you need the User Management functionality for a WSO2 Carbon product, it is exposed through the following two web service APIs in WSO2 Carbon.
Remote User Management API: this is recommended to be used by external client applications.
UserAdmin service: this is mainly to be used by the Carbon UI client.
Therefore it is better to use the RemoteUserStoreManagerService service. It is available with WSO2IS and can also be installed with any other WSO2 product. The RemoteUserStoreManagerService service contains a simple API. You can even identify it by looking at the WSDL. I do not think there is a public doc on this. But you can try this service using the SoapUI tool to get a good idea of the methods.
https://localhost:9443/services/RemoteUserStoreManagerService?wsdl
Also make sure that when accessing AdminServices of Carbon from an external client, you first authenticate as the admin user. Basically, you need to send the admin user/password in a basic authentication header.

Grails API in combination with Native IOS application [closed]

I recently created a native iOS application, and now I'm working on the Grails backend.
I'm a little new to the API concept, so I'm looking for some good tutorials which cover the following questions:
How does authentication from an iOS application to an API work using JSON?
How can I push a post to the backend using JSON?
I understand how to write an API in Grails which can send a list of e.g. books, but in the mobile app, a user can define his own items (templates in this case). When the user uses his credentials on another phone, his items need to be transferred to the phone. I currently use Spring Security to authenticate users on the backend application.

For implementing the REST API client in your iOS app, I'd suggest you look at this library.
Choosing the right authentication method for your app and your API is not a simple question and depends on what the app does and how. The most standard way to authenticate apps with an API is OAuth 2.0.

Http Client application to test REST API with oauth [closed]

I am currently developing an application that will have a regular web interface but also a RESTful API that will be used mostly on mobile phone apps. I am using the Rails OAuth-plugin here, so my API supports OAuth 1 and 2. This works all fine so far.
The only problem I have is with testing the API. I have found some tools that I can use to make requests to my API like RESTConsole for Chrome or RESTed and they all can test OAuth, but they don't provide an API themselves that I can use as the callback service. When I register an OAuth client in my application I have to enter some fake callback URL, do the authorization process and then get the OAuth token from the database and insert it into the console manually. Especially when testing the revocation of tokens this gets pretty cumbersome.
Does anybody know of any test clients that can totally automate the testing process? That means that the test client includes some sort of callable endpoint that I can use as the callback URL for my app...
Thanks for your help in advance. I've been searching the internet for quite some time now and this is my last resort before starting to develop my own.
I am going to accept Jon's answer, although I am not very pleased with the solution ... Whoever is interested, I'm going to roll my own little test client. If anybody is interested: https://github.com/klaustopher/knole

Apigee offers a free API Console that supports a large number of authorization schemes, including OAuth 1. Not sure if it supports 2-legged OAuth, but you can definitely define a callback within their service.