I am using JSON Web Token (Bearer) as my default Authentication. I'm then using (Cookies) as my Authentication for Google.
I am using the default Google Authentication in Asp.Net Core API to get the AccessToken. I then pass that AccessToken to my Angular application in the Url, using a redirect. This is similar to how the ASP.Net MVC 5 Web API works. From there, I'm making a call back to my Asp.Net Core API to try and get the remaining claims. I'm making the call using the AccessToken.
Does anyone know how to access the external claims using the Google AccessToken? I know how to do this in the Asp.Net MVC 5 Web API, but Asp.Net Core is much different.
I can see external claims here. This happens during the OAuth process after the User Authenticates with Google. This is in my ExternalLoginCallback method.
var result = await HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
Here is some information that seems to be useful, but it doesn't specifically address third party Auth.
https://learn.microsoft.com/en-us/aspnet/core/migration/claimsprincipal-current?view=aspnetcore-2.2
If I call the API using the AccecssToken, in the header, and use HttpContext.AuthenticateAsync like so....
var result = await HttpContext.AuthenticateAsync(JwtBearerDefaults.AuthenticationScheme);
I get this.
{System.Exception: No SecurityTokenValidator available for token: ya29.Glt5B_thgPhe8-FcR
Thanks in advance! Any help is much appreciated.
Here is what I ended up doing. Since I'm able to get the claims from the Cookie in my ExternalLoginCallback method, I went ahead and created a new JSON Web Token (JWT), added the extracted claims to it and then passed that over to my Angular application. Now, when I make the call back to my API, I'm able to read that Token and extract the claims using this line of code in my GetUserInfo method.
HttpContext.AuthenticateAsync(JwtBearerDefaults.AuthenticationScheme);
Bottom line, since I could not read the Google AccessToken like I could in my ASP.Net MVC 5 Web API, I just went ahead and created a new JWT Token, added in the claims and used that.
By the way, I'm having to do all of this because I can not call my ExternalLogin method directly from Angular because of a known Cors policy issue.
Related
I have created a small .NET 5.0 Web API where a users can register/login to create/add/delete notes. The API is working fine, after the login I receive the JWT token in the response back.
Now I want to create a Blazor Webassembly website which will communicate with the API.
The problem I have is that I don't know where to start and what do I need to get the web page take the Token from the response and how to work with it to be authorized when doing API calls.
In the API i have used the IHttppAccesor to get access to the user data from the JWT token, is it similar to work with the token for the authorization.
Any suggestions what to use or where to start would be greatly appreciated!
I have created a dot net core web app and secured it with my B2C active directory by following this example:
https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp
I have also set up a dot net core API project to use jwt bearer token authentication similar to what is described here:
https://blogs.msdn.microsoft.com/hmahrt/2017/03/06/azure-active-directory-b2c-build-an-asp-net-core-mvc-web-api/
But where and how in the sign in process on the website do I get the token to use for calling the API, and how do I store it and retrieve it later?
I have found an example that seems to do what I'm aiming for but it is based on .net (not .net core), I tried to follow it but haven't been able to get it working:
https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi
I believe I need to attach to the OnAuthorizationCodeReceived event and from here call an endpoint to get the token, cache it and use that for calling my API, but in my website this event is never even called?
Any help would be appreciated.
Edit: Having just looked again at the sample I based my website on (first link) I see it has been updated to cover this functionality, I will look at this and hopefully it should solve my problem.
I'm trying to secure a small dot net core mvc and api application and I've gotten turned around and need a little direction.
I've got to use ADFS 3.0 Server2012 R2 as the source of login/password.
I have to use versioning in the API. (Microsft.aspnetcore.mvc.versioning)
I don't want to send a login/password to API, just a bearer token.
I configured cookieauthentication and OAuth against the ADFS endpoint and it works fine for the mvc ui, but I don't know how/what to do to get the API to work with httpclient from the mvc ui controller to the API.
Long ago I used IdentityServer 1 or maybe 2 and used bearer tokens but I couldn't figure out how to create a token in the OnCreatingTicket in the OAuth event and not sure where to store it. I tried a claim, but it didn't work so it might be malformed or simply wrong.
I am unsure if my issue warrants using something like IdentityServer since the site is small and i don't need a user store, everything is in LDAP / ADFS.
Can I register three middleware peices, build a token from the oauth authentication, store it somewhere like a claim and pass it through the httpclient where its verified?
app.UseCookieAuthentication(option);
app.UseJwtBearerAuthentication(bearer); //api
app.UseOAuthAuthentication(adfsOption); //mvc ui
inside the adfsOption build a token...
Everything I try gets
Message "A security error occurred"
The answer to my question is yes, its very straight forward. I'll post a gist later. My primary problem which was high jacking me was the httpclient didn't like my dev cert for ssl.
I'm still unsure if putting the token in a claim is ok. The cookie and oauth invalidate it every 15 minutes and refresh it, but randomly getting a refresh token would be very difficult.
adding this very bad code allowed it to check my token and it worked as expected.
handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
I am using JWT authentication tokens in an ASP .NET Core Web API application. The tokens are generated by the API itself, not by a third party.
I added SignalR sucessfully to the stack, but now I need to authenticate the users that are trying to execute server (Hub) methods.
Someone suggested to pass the token in the "qs" property in JavaScript. This will not work for me as our tokens are really large (they contain lots of claims).
I tried writing a custom middleware for reading the token from the payload and auto-authenticating the user. The problem is that, when using WebSockets, the middleware is not executed.
Any ideas will help.
Have a look at article that suggests to use query string Authenticate against a ASP.NET Core 1.0 (vNext) SignalR application using JWT. I know that your token is too long, but author explains how to use middleware to authenticate the request.
Here is the summary from the article:
SignalR does not have any special authentication mechanism built in, it is using the standard ASP.NET authentication.
JWT is typically sent in the Authorization header of a request
The SignalR JavaScript client library does not include the means to send headers in the requests, it does however allow you to pass a query string
If we pass the token in the query string we can write a middleware that adds a authorization header with the token as its value. This must be done before the Jwt middleware in the pipeline
Be aware of the “Bearer ” format
I have highlighted the key point that your custom middleware should be registered before Jwt middleware.
From this answer you can create a WebSocket connection and pass your token as basic auth parameter:
var ws = new WebSocket($"ws://{token}#example.com/service");
We use the excellent Thinktecture IdentityServer v2 to manage our authentication. This works with an underlying SqlMembershipProvider architecture. I'd like to manage an ASP.NET MVC4 web application connection with the informations (claims) returned in the token by Identity Server. For now, I just set the authorization cookie with the username when the OAuth2Client.RequestResourceOwnerPasswordAsync() returns an AccessToken. I don't even validate it (which would set the ClaimsPrincipal.Current) because it's purpose is to be used on another web API I call later, so it's validated in this web API.
If I validate the token and set ClaimsPrincipal.Current.Identity to the the one I get, what is the mechanism to retreive it on every call ? Do I have to cache the token and valide it again on every request to get it ?
The purpose of all this would be to get my claims on the wep app side so I could apply authorization filters based on them.
Brock Allen from Thinktecture pointed me 2 great posts of his that answer all of my concerns !
http://brockallen.com/2013/01/26/replacing-forms-authentication-with-wifs-session-authentication-module-sam-to-enable-claims-aware-identity/
OR
http://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/