I manage to understand how Web APIs work and I have to create a centralized secure authentication system for our intranet.
The problem is that i need to do this using Web API and LDAP and i cannot find any example with enough documentation to get a simple system up and running for testing
It should be simple in theory, Client sends username and password encrypted through json to web api, web api validates user against ldap and creates token with user data and sends it back.
System.DirectoryServices is available from .net core 2.1 , you can read more here. If using .Net 2.0 , you can use Windows Compatibility Pack for .NET Core or Novell.Directory.Ldap.NETStandard to validate the credential With AD . See code samples from here .
Now you can secure your ASP.NET Core API with JWT Authentication .The common process is your client collect user's credential and pass to web api , web api validate the credential ,issue JWT token and send back to client . Next time client will send JWT token to web api to perform operations based on token permissions(Scope claim) .
You can click here and here for tutorials .
Related
I have a Blazor Webassembly app (Asp Net Core hosted).
I secured my app using JWT Token. Client makes a request to Server and if the request is valid, server sends JWT Token to client and token is saved in local storage. Client reads the token in storage and this way authentication is handled.
I followed the following practice from Chris Sainty :
https://chrissainty.com/securing-your-blazor-apps-authentication-with-clientside-blazor-using-webapi-aspnet-core-identity/
Now I want to enable users to login app with their Google or Microsoft accounts. What would be the best approach for this?
I tried Google and Microsoft authentication on server-side but I couldn't pass the token to client. (because there is no request from client..)
Your response exist in these links:
Google Authentication by OIDC
Microsoft Account using MSAL
But the details requires studying related Service and js files.
You can study sources of Remote Authentication Service in Github for both oidc and msal in following sites:
Web Assembly Authentication Service
Personally I suggest you to use Microsoft Account which also allow authentication through Google and other providers too. Altough oidc provider is more oidc than msal approach. Microsot implemented Code Authorization flow in msal while Google uses implicit token flow (do not forget that these happen in client side). There is two different js files for implementing the underlying requests so I do not think even the combining them work in this way. May be it is better you code it your self by implementing an authentication state provider which uses JS Interop.
You also can see following example which may help you by DotNet guys:
Example of Web Assembly
I'm building a web application; the frontend is a SPA using Angular8 and the backend is an ASP.NET Core 3.1 Web API.
The application already has its own authentication scheme, setup using JWT Bearer tokens.
Now I need to add the ability for the backend to sync events on the Office365 calendar of the users. The requirements are:
Users should login to their Microsoft Office365 account on the frontend;
The frontend should "save" the results of the authentication on the backend, allowing the backend to periodically interact with the Micosoft Graph API.
In the (rare) case for some reasons the authentication must be renewed (for example different rights/scopes are required), the backend will notify the frontend that a new login is required.
I am currently able to perform a successful login in example applications using MSAL.NET and msal-angular, but what I cannot do is to pass the result of the authentication I get from msal-angular to .NET and use it to proceed with further calls and token renewals.
I am thinking about modifying/extending the msal-angular library to support the MSALv3 cache serialization scheme used in MSAL.NET and sending the cache to my web app, but it seem a very complicated and fragile (I see the internals of those libs are not stable across versions).
So, is this use case supported in some other way by MSAL? Should I use some different libraries?
You can go through the following docs to see if they are helpful in your scenario.
Acquire and cache tokens using the Microsoft Authentication Library (MSAL).
Single-page application: Acquire a token to call an API
Get a token from the token cache using MSAL.NET
Initialize client applications using MSAL.NET
I'm currently working on a Xamarin form that consumes data from the.net core API.
For API side, I use Abp framework.
By using this reference, I can consume data from API.
But in this example, the user needs to login using an administrator credential.
What I need to do is, I just need to consume data from API without login.
Is it correct way if I add [AllowAnonymous] attribute over the API method that I need to access ?
This is the example they show,
var accessToken = await _loginService.AuthenticateAsync();
var httpClient = GetHttpClient(accessToken);
Is there any example like just using clientId/secrets and without using accessToken?
What I need to do is, I just need to consume data from API without login.
This refers to Server-to-Server authentication; backend making request to an other backend without user interaction.
The authentication flow you are looking for, is named Client Credentials Flow.
It boils down to:
Add your api (abp app) as an api resource and api scope at authentication server.
Add your ui app (xamarin app) as a client at authentication server.
Declare a client secret for your xamarin app at authentication server.
Make an access_token request from xamarin app to authentication server with the api scope and client secret that you have already created above.
Its implementation can be varied on authentication server provider (namely your _loginService). It can be Identityserver4, Microsoft, Google etc etc.
If you are using ABP application backend (as authentication server), it handles most of the automated stuff in the background. You can check abp synchronous communication between microservices docs that has explanation about how client credentials is used between microservices.
I have a Web API written using asp.net core. This API will be used to communicate with several other services registered in AAD, which all could be made using different technologies like an MVC application written in asp.net core or a single page application written in Vue.JS. The latter is causing me issues as the SPA won't be run by an application web server and rather something like nginx or apache and therefor won't be able to use a client secret.
I have added API permissions for my API to my apps.
How would I achieve this? I'm currently sending an access token using the Authorization: Bearer access_token header from the client app to the API, but since the client app and the API aren't the same app in the AAD, it's causing issues.
Here's the flow I'm trying to achieve:
All of the requested apps require you to login to the AAD and when requesting data from the API, they'll send the JWT token, which then should validate the token before returning the requested resource back to the client application.
It seems you misunderstand something . You can register your each client as independent application in Azure AD , and assign access permission for your web api .
The latter is causing me issues as the SPA won't be run by an application web server and rather something like nginx or apache and therefor won't be able to use a client secret.
SPA application use Implicit grant flow , so that it doesn't need the client secret when acquiring token .SPA could be independent app , you should provide client id when making authentication with AAD. After getting access token , you could create http request with Authorization: Bearer access_tokenheader for accessing your web api .
Each client(web/spa/native) will acquire access token for accessing web api . On web api side , you just need to validate the token .Validate the claims(issuer,audience) and signature .
I've created a mvc web application that uses openid to authenticate with Azure Ad and get the claims along with the token. I'm interfacing with Web Api to do the business transactions. The web Api is configured to oauth bearer tokens.
I've created separate oauth clients in Azure Ad for the Web App and Web Api. I'm able to get a token for Web Api from the Mvc Controller using AuthenticationContext to send to request to Web Api. I need to know how I can send the current User Claims as well to the Web Api. The claims in the Web Api are not having the claims of the User from the Web App.
Let me provide a bit more context here. I've created a MVC Web Application and a Web Api layer. The MVC Web App is configured to use OpenID authentication using Azure AD and I've configured the Web Api layer to authorize using OAuth Bearer tokens. The actions in the Web Api layer will be called through ajax requests and the bearer token will be added to the header of each Ajax requests. When the User is authenticated in the Web App, additional claims are added to the User on top of the claims from Azure Ad. I'm able to create a token for the Web Api layer using AuthenticationContext.AcquireToken, but the token for Web Api does not have the User info from the Web App.
I'm taking a wild stab in the dark here, based on what I think is happening.
Claims are attached the user, so theoretically, any claim you add in one place should be available in the other, as long as both applications share the same user datastore. However, claims are loaded at the point of authentication and not dynamically updated. As a result, if you're already logged in to the web application and you add a claim with your Web Api, that claim will not be available on the web application side until the user is re-authenticated.