We are building ASP.NET MVC core web app and accessing data through ASP.NET Core Web API.
We have to give authentication and authorization to both MVC Core and Web API Core side.
If user is authenticated in MVC core web app then while accessing the data on web API core it is should not again authenticate. If user is directly accessing the web API then it should not allow and ask for authentication.
We also want to give authentication through Google.
For WebAPI I suggest token based authentication, Google support OAuth.
I suggest you take a look at the following link:
https://stormpath.com/blog/token-authentication-asp-net-core
There are some community-led efforts to build rich token authentication functionality for ASP.NET Core:
AspNet.Security.OpenIdConnect.Server – Similar to the OAuth Authorization Server middleware for ASP.NET 4.x.
OpenIddict – Wraps OpenIdConnect.Server up into an easier-to-use package that plugs into ASP.NET Identity.
IdentityServer4 – A port of Thinktecture IdentityServer3 to .NET Core.
All of them have sample MVC and API apps. Enjoy.
Related
Is there anyway to disable basic authentication in ASP.NET Core Web API? I have a requirement to disable it, considering it is a very weak authentication strategy.
What is the proper way to configure and use Asp.Net Core Identity in Web Api application?
I've looked at the documentation, but looks like it demonstrates cookie based authentication in View-based MVC Web apps, not Web Apis. I know in Asp.Net Core the MVC Web Apps and the Web Api applications follow the same middleware pipeline, but what if I don't want cookie based authentication?
Does it make sense to use Identity at all if I want to use JWT bearer token for authentication? I've walked through a few tutorials which use JWT bearer token for authentication and also uses Identity. I've explored the sample codes, and looks like they are using Identity solely to take advantage of the built-in UserManager and RoleManager classes for the ease they provide with data access.
Do you use Asp.Net Core Identity in your Web Api application when you are using bearer token for authentication? If yes, what purposes does it serve in your application?
I am making a token authentication Web API in .Net Core 2.2, haven't decided if I should use OWIN or identityserver4 yet.
On our intranet we have many applications made in .Net 4.5 and some recent ones in .Net Core 2.2.
Is it possible to authenticate them all on .Net Core 2.2 Web API?
You can use IdentityServer4 running in a .NET Core 2.2 application, which can provide your token authentication for all your applications. This uses OAuth2 which will give you a token which can be set in HTTP Request Authorization header on subsequent HTTP requests to your API. You don't need to use cookies at all.
https://identityserver4.readthedocs.io/en/latest/intro/big_picture.html
I have following scenario. I write asp.net core web api which will be used by mobile and web (asp.net core mvc web app) apps.
I authenticate user using asp.net core identity framework class SignInManager (add account controller and related classes manually) and then generate oauth token which will be used by client applications. By doing so I have 2 identities associated with the user. one is created by after I login using SignInManager.PasswordSignInAsync and second is created by generating oauth JWT token.
Is this correct approach or not?
Thanks
https://blogs.msdn.microsoft.com/webdev/2016/10/27/bearer-token-authentication-in-asp-net-core/
that might shed some light on what direction to go. there is also another blog post about using IdentityServer4 (3rd party) works well.
https://blogs.msdn.microsoft.com/webdev/2017/01/23/asp-net-core-authentication-with-identityserver4/
I'm searching for bestpractices for auth in the given Internet Application scenario.
I've an ASP MVC 4 Webpage and an ASP4 WebApi.
Both are hosted on the same server but as independent applications.
The ASP MVC4 Application consumes via RestSharp the WebApi. Also there are some 3rd Party Desktoptools planed which will use the web api.
Now I'm thinking about how to authenticate the users.
My Idea is to use Forms Authentication for the ASP MVC 4 Site and Basic Authentication for the WebApi.
Is this an good idea ?
Or should i use a token based approach for the webapi ?
What are bestpractices / concerncs for this scenario ?
Many thanks in advance
Look at IdentityModel 4.0.
This is a security framework for ASP.NET Web API written by security experts.