Asp.net core Identity and Token Based Authetication - asp.net-core

I have following scenario. I write asp.net core web api which will be used by mobile and web (asp.net core mvc web app) apps.
I authenticate user using asp.net core identity framework class SignInManager (add account controller and related classes manually) and then generate oauth token which will be used by client applications. By doing so I have 2 identities associated with the user. one is created by after I login using SignInManager.PasswordSignInAsync and second is created by generating oauth JWT token.
Is this correct approach or not?
Thanks

https://blogs.msdn.microsoft.com/webdev/2016/10/27/bearer-token-authentication-in-asp-net-core/
that might shed some light on what direction to go. there is also another blog post about using IdentityServer4 (3rd party) works well.
https://blogs.msdn.microsoft.com/webdev/2017/01/23/asp-net-core-authentication-with-identityserver4/

Related

Confused about ASP.NET Core Identity and IdentityServer 4 in case of implementing an API for external access

I have a single ASP.NET Core 3.1.8 web application which uses ASP.NET Identity.
Now I've added some externally callable REST API.
I am stuck on how to add token(?) based authentication to my API.
It seems that ASP.NET Identity does not support API authentication. In my old .NET Framework Web App I used
app.UseOAuthBearerTokens(OAuthOptions);
so I had a token endpoint, where external client could ask for a valid token.
Now I read about to have API authentication I should use either AD or AD B2C or IdentityServer 4. I am OK with IdentityServer 4 option, but something is not clear
IdentityServer will completely replace my ASP.NET Identity? I still want to use the login UI and my existing interactive login logic and UI.
I've read about plug in ASP Identity to IdentityServer 4. So do I have to integrate my existing ASP Identity with IdentityServer 4?
Is it OK to host IdentityServer 4 within the very same Web App, where the UI, and the API is hosted?
I've tried to read the ASP.NET Core repo's source both the 3.1.8 and 5.0.0-rc.1, to get some direction. I would not like to go in some direction what will be considered as suboptimal in the next .NET 5 release. I know that there is a complete another way to solve this: AD or AD B2C, and I also have a solution template for that. As an alternative I would like to have a "self contained" solution too, so that's why I invested to ASP Identity. What would be the righ future direction in this track (self-contained) to implement external API authentication?
To protect the API itself you typically use the following:
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Authority = "https://localhost:5001";
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false
};
});
I recommend that if you use IdentityServer, you should put it on its own service, because otherwise its really hard to figure out what's going on and who is doing what.
IdentityServer does not deal with users, so you need to implement the user database (signup/forgotten password...) by yourself. You can use ASP.NET Identity for that.
IdentityServer will completely replace my ASP.NET Identity?
I would say that it depends on your needs, in some cases IdentityServer replaces ASP.NET Identity, and in some cases not. If you just have a single service to protect, then IdentityServer is probably overkill, because there's a lot to learn.

Using Asp.Net Core Identity in Web Api application that uses JWT authentication

What is the proper way to configure and use Asp.Net Core Identity in Web Api application?
I've looked at the documentation, but looks like it demonstrates cookie based authentication in View-based MVC Web apps, not Web Apis. I know in Asp.Net Core the MVC Web Apps and the Web Api applications follow the same middleware pipeline, but what if I don't want cookie based authentication?
Does it make sense to use Identity at all if I want to use JWT bearer token for authentication? I've walked through a few tutorials which use JWT bearer token for authentication and also uses Identity. I've explored the sample codes, and looks like they are using Identity solely to take advantage of the built-in UserManager and RoleManager classes for the ease they provide with data access.
Do you use Asp.Net Core Identity in your Web Api application when you are using bearer token for authentication? If yes, what purposes does it serve in your application?

ASP.NET Core 2.1 Web-API Authentication for SPA and mobile. Where to start?

I want to create a SPA with Vue.js which consumes my ASP.NET Core Web-API. I need user authentication with username and password. The API will also be consumed by a mobile app (Android and iOS) later on.
I read this: ASP.NET Core Web API Authentication
I am wondering if there is nothing official available? Is Basic Auth even the right approach? I've read some documentation for ASP.NET Web-API using filters, didn't work for Core.
Then I though about implementing token based authentication myself.
I've also read that since ASP.NET Core 2.0 it's better to use services instead of middleware?
I am stuck and don't know where to start. Maybe the approach in the Question above is okay for my needs?! I am not quite sure.
You should consider Oauth and Identity. You can even use something such as Auth0.

.net core authentication with google with remote membership storage

I am implementing an application using microservices approach.
On my application there must be Google sign-in and basic sign-in.
I have 2 services: 1 for membership service and 1 for MVC gateway.
My membership service has db and standard asp.net core identity applied. So all users stored here.
My MVC gateway has login action that needs to challenge Google and get external login. And then get a user from Membership service for this login.
First my idea was to implement custom IUserStore class and call restful Api methods from Membership service. But there I faced the problem with syncing 2 Identities - on both services. Then I removed Identity from MVC Gateway, but now I cannot challenge Google Sign-in.
So what is the best solution for such approach?
I saw in MS example that there was IdentityServerr4 used, but I don't think that this is viable for my situation.
Implemented using IdentityServer4.

How to implement Authentication and Authorization in ASP.NET Web API Core?

We are building ASP.NET MVC core web app and accessing data through ASP.NET Core Web API.
We have to give authentication and authorization to both MVC Core and Web API Core side.
If user is authenticated in MVC core web app then while accessing the data on web API core it is should not again authenticate. If user is directly accessing the web API then it should not allow and ask for authentication.
We also want to give authentication through Google.
For WebAPI I suggest token based authentication, Google support OAuth.
I suggest you take a look at the following link:
https://stormpath.com/blog/token-authentication-asp-net-core
There are some community-led efforts to build rich token authentication functionality for ASP.NET Core:
AspNet.Security.OpenIdConnect.Server – Similar to the OAuth Authorization Server middleware for ASP.NET 4.x.
OpenIddict – Wraps OpenIdConnect.Server up into an easier-to-use package that plugs into ASP.NET Identity.
IdentityServer4 – A port of Thinktecture IdentityServer3 to .NET Core.
All of them have sample MVC and API apps. Enjoy.