I'm trying to set up a simple Web API with ASP.NET Core. I'm working with a custom OAuth set up by the company. The Web API will not support web pages directly. The front end will call it from a separate website using a SPA.
So, I thought I would set up a middle ware component that get the Bearer Token from the API call. I then see if I have that user stored (for 5 minutes - stored in a singleton hopefully that is right too) and if not I send an HTTP request to the authentication server to determine if the user is valid. If they are I get the user information including roles, etc. But then, how do I set the Principal? I've done this in WebAPI 2.*, but haven't seen any tutorials for ASP.NET Core.
This seems like a fairly normal workflow so I don't understand why there aren't many tutorials on the subject. They seemed to be all geared toward when you have a web page - same for WebAPI 2.*.
Any help is much appreciated. If someone can just point me in the right direction that would be great!
Related
I have been working on authentication methods for my blazor app for some time now. I am currently developing as a standalone protected WebApi + Blazor Server, but will ultimately migrate to standalone protected WebApi + Hosted Blazor WASM so I need to be mindful of both server and client side authentication. The WebAPI will also serve an external OData feed and API for end users that also needs to be protected using the central authentication mechanism.
I would like to be able to sign on with Microsoft (ie. Microsoft.Identity.Web / MSAL), but want to configure some fairly complex roles and behaviours at the database level
(ie. ASP.NET Core Identity). To hopefully help someone else understand the different documentation sets, following are links to MS docs for the 2 options.
Introduction to Identity on ASP.NET Core
Microsoft Identity Platform Documentation
Don’t know about anyone else, but I have found it very difficult to navigate through the different documentation sets and tutorials to firstly understand how they work and secondly determine if it is best for me.
My question is, does anyone have any documentation on how they have integrated Microsoft.Identity.Web with the individual user accounts available in ASP.NET Core Identity for Blazor Server and/or WASM apps?, .
The following link shows how to do it all within ASP.NET Core Identity.
Integrate ASP.NET Core Identity with Microsoft account | BinaryIntellect Knowledge Base
If I was building an MVC web app, that’s what I would do. However, I really like the token handling capabilities of Microsoft.Identity.Web / MSAL (ie. ITokenAquisition etc.) for Blazor. It seems to be a real kludge to have to use the Razor pages for ASP.NET Core Identity and handling tokens securely becomes an issue – especially for Blazor WASM.
Chris Sainty has done some good work in porting some of the ASP.Net Razor pages to Blazor Components in the following link. However he does a lot of (very clever) manual processing of the token and I’m not sure I like the idea of storing the token in unprotected Local Storage of the blazor app. I haven’t gone into it in full detail yet, but I don’t think this method will be directly transferrable to Blazor WASM.
Authentication with client-side Blazor using WebAPI and ASP.NET Core Identity (chrissainty.com)
This SO post indicates that it is not possible to integrate Individual user accounts with Microsoft.Identity.Web.
c# - Microsoft Identity Plataform with asp.net Core Identity - Stack Overflow
I got a working solution going where I had both ASP.NET Core Identity and Microsoft.Identity.Web working side by side. However, I found this to be very difficult to implement and debug. Once you start mixing the various builder.Services.AddAuthetication(
) options (eg. .AddMicrosoftIdentityWebApp, . AddMicrosoftIdentityWebApi, .AddIdentityCore, .AddIdentity, .AddDefaultIdentity, .AddJWTBearer etc. etc.) I have found that you enter a world of pain and unpredictable behaviour. I basically had to go back to the source for each of them to work out what they were actually doing under the covers and work out how to blend them. I ended up going back to the raw OAuth / OpenId specifications and implementing everything manually – which is very unsatisfactory and I was unhappy with the risk I was taking in potentially introducing a security flaw – even though I got it to “work”.
EDIT: This SO post is similar to what I implemented. Microsoft Identity Local User Accounts and MSAL
I can’t believe how hard it has been to just get to this level of understanding, and still not have a solid working concept that does what I want it to do that is supported by documented acceptable techniques and not just my kludge at implementing everything manually.
Right now it appears to me that if I want to use as much out of the box / documented functionality as possible, I suspect that I should use ASP.NET Core Identity and work out how to integrate the ASP.net razor pages into my Web Api, Blazor Server and and Blazor WASM apps. However, this appears to be a backward step since Microsoft.Identity.Web / MSAL seems to be so much better suited to Blazor and seems to be the direction that MS is going.
If anyone can point me to some current examples of how this can be done, I would be very thankful.
I think I have found at least a partial answer to my question. The key problem I faced was how to capture the callback event from Microsoft.Identity.Web so that I can persist / retrieve info to/from the database during the authentication event. I was hung up on the ASP.NET Core Identity method of doing that.
I found the following SO post that provides information on how to respond to the OnTokenValidated event using Microsoft.Identity.Web. Microsoft.Identity.Web: OnTokenValidated event not triggered
Having access to this event means that I will be able to implement what I need to do at the database level and move on.
I have been trying for weeks to implement JWT authorisation in my .NET Core web app and have found myself following a lot of guides that I don't think are relevant to my use case. These guides talk a lot about scopes etc, and I don't think I need that level of complexity for my use case.
A lot of the guides talk about using things like OpenIddict or Identity Server to setup and configure something that the user can authorise against, but in these settings it seems like a seperate project is required to house the identity provider, and then my new asp net core application has to somehow hook into that for use. I'm also trying to get things like refresh tokens to work so the user doesn't have to log in over and over again.
The "client side" of my app will be Xamarin (for mobile) and Angular (for web).
In a single web application (a single .net core application) how can I use .NET Core Identity with JWT or OAuth? What is the minimum level of configuration required to achieve this?
ThisSimple JWT project
This is not asp.net core .This is just asp.net mvc project but this really simple and basic one. by watching this code, you will be clear how to implement JWT. Thanks
Background
I am currently working with an application that uses Web API. We he have implemented custom token based authentication. Our front end is primarily HTML5, CSS3, and Javascript. Although it is an MVC application we are only really using mvc for routing, because Web API handles much of everything else. We are evaluating SSRS as a possible reporting solution. We would like to keep our Website session-less as it currently stands.
Question
I have not been able to find a good implementation of SSRS with Web API. I basically want a simple Web API route that constructs the URL to the report server while passing parameters. I was able to find several resources on making a request and passing parameters via a URL. I am struggling with Authentication. How do I send the credentials to the report server via URL. In WebForms there is an interface called IReportServerCredentials that allows you to do this. Is there anything like this for WebAPI. Is there another solution for logging in via a URL? We want to either send the credentials directly with this call, or somehow tap into our current WebAPI Token Based Authentication.
On a side note if anyone knows a report viewer that will work on the client side I would appreciate it. Since our frontend is technically an MVC application I have been evaluating this one:
-https://github.com/ilich/MvcReportViewer
That being said it is not ideal for what we are currently trying to accomplish.
Any help is much appreicated! I am very new to SSRS, so please forgive my ignorance towards the subject.
I am using mvc 4 web api project template. i have USERMASTER table which contains usename and password for different users.
Now i dont know what authentication is for web api????
how to stop invalid users to access it? ?
Let's say i m using fiddler to call web api. at that moment how can i stop invalid user.( i mean using tool like fiddler we can call web api. so i can stop invalid call not made by the valid user)
Moreover, i wish that user A can access only 5 web apis and user B can access all web apis from my project.
Is it possible???
i know how to use web api.
but i dont know about authentication and authorization process.
please help me.
I m using angularjs to call web apis.
Yes all this is possible but you need to use ASP.NET Web API 2 (.NET framework 4.5) you can find detailed source code and blog posts starting here including AngularJS Authentication using Web API, it should makes things clearer for you.
I'm working on segregating the authentication part of my ASP.net MVC4 application using DotNetOAuth 2.0, Which will means that one project will do only authentication and send out response,based on response it will have access to other application.
The Idea is to get any application or project added later on use one common authentication process.
First thing came to my mind was building a service, in the process a read a lot about Web API and think it can help to achieve what I'm looking for.
Please suggest if you guys have implemented something like this or whats's the best practice.
Should i go with API or service, any link or sample to direct is appreciated
ASP.NET Web API is also a service - a RESTful service. The choice of using a "Service" although is good your underlying authentication platform will define what you should be using.
WCF is much more than a web service where as a Web API is pure HTTP service.
If you expect all your "applications" to be web based then there is no reason why this cannot be a Web API.
This article might be something that should help you decide on your authentication model: http://www.asp.net/web-api/overview/security/external-authentication-services