I am looking for a way to combine Windows Authentication and Identity/token based authentication. I have a Web API that currently uses OWIN to authenticate with Bearer tokens via the /token path and the ASP Membership database. The application that currently accesses this is external and will use a login form to log in.
The second administration application will be internal and I would like to utilize the same Web API RestFul service and allow windows authentication to it.
Is there a way to allow OWIN to allow both options for authentication? or do I need to do the Windows Authentication in another layer and have that layer call the WebAPI with a token?
Related
I have a Blazor Server app which wants to connect to a .Net Core WebApi. The app should send an authentication request and the WebApi returns a JWT containing user data. For any further communication with the WebApi the JWT should be used to authorize against it.
I'd like to ensure that only authenticated users can access the server app. If someone is not authenticated he or she should be redirected to a login page.
Up to now I've used a combination of default Identity with AzureAD authentication.
Is there any option to have a JWT authentication working the same way?
I'm developing a blazor web application that will use windows authentication. The web application requires data from another web service. Basic authentication is required on the web service. The web application and web service are in the same domain using the same domain for authentication. Is there a way to take the windows auth credential that the web application will possess and convert it to the basic auth required by the web service?
I am aware that the windows auth credential does not contain the password and basic auth needs a password. I cannot change the authentication scheme of the web service. I cannot spin up a new instance of the web service with a different authentication mechanism. I can't use basic authentication for the web application. The web service requires that the web application connects with it using the logged in users credentials for logging purposes ie. can't just use a service account to connect to the web service. I am open to using a different authentication mechanism for the web application with comparable security to windows auth if it will work, SSO preferred.
I believe this is technically infeasible but would welcome any evidence to the contrary.
I am having a web application which is using ADFS for authentication this application is done in .net framework. I have written services in ASP.NET Core as of now there is no authentication for web api requests i want to to add ADFS authentication to web api how can i access this web api? how do i talk to this api after configuring it to adfs? what is the best way to access web api as they both were ADFS applications
To issue the token for the web API, we need to make the ADFS to aware it by creating a relying party trust for the web API. And when we add a replying party we need to specify the identifiers for the replying party:
And then we can use this identifiers as the reosurce URI to acquire the token for this replying party.
Please ensure that the resource URI is correct as you config.
here is a very nice article about developing with ADFS using OAuth:
https://msdn.microsoft.com/en-us/library/dn633593.aspx
Check this thread too
https://www.scottbrady91.com/Identity-Server/Identity-Server-3-using-WS-Federation
Hope it helps.
I've created a mvc web application that uses openid to authenticate with Azure Ad and get the claims along with the token. I'm interfacing with Web Api to do the business transactions. The web Api is configured to oauth bearer tokens.
I've created separate oauth clients in Azure Ad for the Web App and Web Api. I'm able to get a token for Web Api from the Mvc Controller using AuthenticationContext to send to request to Web Api. I need to know how I can send the current User Claims as well to the Web Api. The claims in the Web Api are not having the claims of the User from the Web App.
Let me provide a bit more context here. I've created a MVC Web Application and a Web Api layer. The MVC Web App is configured to use OpenID authentication using Azure AD and I've configured the Web Api layer to authorize using OAuth Bearer tokens. The actions in the Web Api layer will be called through ajax requests and the bearer token will be added to the header of each Ajax requests. When the User is authenticated in the Web App, additional claims are added to the User on top of the claims from Azure Ad. I'm able to create a token for the Web Api layer using AuthenticationContext.AcquireToken, but the token for Web Api does not have the User info from the Web App.
I'm taking a wild stab in the dark here, based on what I think is happening.
Claims are attached the user, so theoretically, any claim you add in one place should be available in the other, as long as both applications share the same user datastore. However, claims are loaded at the point of authentication and not dynamically updated. As a result, if you're already logged in to the web application and you add a claim with your Web Api, that claim will not be available on the web application side until the user is re-authenticated.
Hello I have read and implemented these Vittorio Bertocci tutorials:
"Secure ASP.NET Web API with Windows Azure AD and Microsoft OWIN Components"
"Protecting a Self-Hosted API with Microsoft.Owin.Security.ActiveDirectory"
However unlike the tutorials my web application is comprised of the following OWIN components: NancyFx & ASP.NET Web API (following the architecture pattern set forth here)As I attempt to implement AAD authentication (as Mr. Bertocci does in his tutorials) into my NancyFx module (to authenticate a user who hits a route requiring authentication):
I get the following error
Additional information: Loading an assembly required for interactive user authentication failed. Make sure assembly 'Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' exists.
clearly the AAD dialog that pops up asking a user to login has a dependency on WindowsForms and shouldn't be invoked from a web application.
What AAD credential prompt should I be using instead?
How to I implement AAD auth in a web app client?
My understanding of the scenario you are trying to implement is that you have the following actors:
Browser -> Web Application -> Web API
Where the browser is authenticates a user to the Web Application and then the Web Application attempts to obtain a token that will allow it to access a resource at the Web API on behalf of the user.
That being the case, your Web Application will need to redirect the browser to the AAD OAuth 2.0 authorization endpoint. There the user will enter their credentials and be redirected back to the Web Application with an authorization code. You can then use that authorization code to obtain a token via the Active Directory Authentication Library (ADAL). Specifically you will use the AuthenticationContext.AcquireTokenByAuthorizationCode method. The following blog entry by Vittorio gives more detail on the code you will need to implement in the Web Application in order to obtain the token. It is not an OWIN specific implementation, but should be easy to translate into your NancyFx app.
Using ADAL’s AcquireTokenByAuthorizationCode to Call a Web API From a Web App
You should not have to change your ASP.NET Web API that you implemented per "Protecting a Self-Hosted API with Microsoft.Owin.Security.ActiveDirectory"
The version of AuthenticationContext.AcquireToken that is used in the client app example in the Protecting a Hosted API... blog entry is intended for a different scenario where no browser is involved. Instead the user is interacting with a desktop application that is then calling a Web API on the users behalf. In that case, the AcquireToken call must show a browser based dialog in order to allow the user to sign in and obtain an appropriate token.